Version: 4.42

How to sign emails with a certificate using Outlook

Overview

This guide explains how to digitally sign email messages using an S/MIME certificate managed through Redtrust.

Redtrust provides secure access to the user’s private key through the Redtrust agent. Once the agent is connected and the certificate is allowed by policy, Outlook can use the certificate to sign outgoing messages.

Background

A digital signature allows recipients to verify the authenticity and integrity of an email message. It proves that the message was signed using the private key associated with the sender’s certificate and that the message content has not been modified in transit.

In email systems, digital signatures are implemented using S/MIME certificates, digital certificates issued specifically for email protection. Unlike other certificates (for example authentication certificates), an S/MIME certificate contains the user's email address and the key usage extensions required to sign and encrypt email messages.

The configuration steps depend on the Outlook client you use:

  • New Outlook uses the same S/MIME settings page as Outlook on the web (and can be controlled by tenant policy).
  • Classic Outlook is configured in the Trust Center.

Info: S/MIME in Outlook for the web requires a browser extension and some tenant configuration. Refer to the official documentation on S/MIME configuration for updates.

Before you start

To follow this how-to you will need the following:

  • An S/MIME certificate available in Redtrust.
  • A Redtrust policy that allows the Outlook process to use the certificate:
    • olkexthost.exe for the new Outlook.
    • Outlook.exe for Classic Outlook.

Organization requirements (administrators)

Generally, S/MIME is deployed to organizations using Active Directory. Deploying it in environments where certificates are managed outside of Active Directory (for example through external certificate services) is not as straightforward. In those scenarios, administrators need to manually publish the user’s public certificate to Exchange Online.

You can publish a user’s public certificate (.cer) in Exchange Online using PowerShell by connecting with credentials that have permission to run Set-Mailbox.

  1. Install the module (if it is not already installed).

    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
  2. Connect to Exchange Online.

    Connect-ExchangeOnline -UserPrincipalName ADMIN_UPN
  3. Load the public certificate and publish it to the mailbox.

    $certPath = "C:\path\to\user.cer"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
    $certArray = New-Object System.Collections.ArrayList
    [void]$certArray.Insert(0, $cert.GetRawCertData())

    Set-Mailbox -Identity USER_EMAIL -UserSMimeCertificate $certArray

    In some environments, -UserCertificate is also used, but -UserSMimeCertificate is usually the relevant attribute for S/MIME.

  4. Verify that the certificate is associated with the mailbox.

    Get-Mailbox -Identity USER_EMAIL | Select-Object UserSMimeCertificate,UserCertificate | Format-List
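The following is an added example, not part of the Redtrust guide or the Exchange Online module, that checks a user's .cer for the properties described in the Background section (an email address, the Secure Email extended key usage, a Digital Signature key usage and a current validity period) before publishing it with Set-Mailbox. The certificate path and USER_EMAIL are placeholders.

```powershell
# Added example: validate an S/MIME public certificate before publishing it.
# Placeholder inputs: the .cer path and USER_EMAIL.
function Test-SMimeCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $ExpectedEmail
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

    # Email address from the SAN (rfc822Name) or the Subject E= attribute.
    $email = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)

    # Extended Key Usage must include Secure Email (id-kp-emailProtection, 1.3.6.1.5.5.7.3.4).
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasEmailEku = $false
    if ($eku) {
        $hasEmailEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' })
    }

    # Key Usage must carry the Digital Signature bit, which signing mail requires.
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $canSign = $false
    if ($ku) {
        $sigFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        $canSign = ($ku.KeyUsages -band $sigFlag) -ne 0
    }

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Email        = $email
        EmailMatches = [bool]($email -and ($email -ieq $ExpectedEmail))
        HasEmailEku  = $hasEmailEku
        CanSign      = $canSign
        IsValidNow   = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        RawData      = $cert.GetRawCertData()   # bytes to publish if the checks pass
    }
}

$check = Test-SMimeCertificate -CertPath 'C:\path\to\user.cer' -ExpectedEmail 'USER_EMAIL'
$check | Select-Object Thumbprint, Email, EmailMatches, HasEmailEku, CanSign, IsValidNow | Format-List
if ($check.EmailMatches -and $check.HasEmailEku -and $check.CanSign -and $check.IsValidNow) {
    $certArray = New-Object System.Collections.ArrayList
    [void]$certArray.Insert(0, $check.RawData)
    Set-Mailbox -Identity 'USER_EMAIL' -UserSMimeCertificate $certArray
} else {
    Write-Warning 'Certificate failed one or more S/MIME checks; not publishing.'
}
```

Run it after Connect-ExchangeOnline (step 2); a certificate whose email does not match the mailbox, or that lacks the Secure Email EKU, is reported and left unpublished instead of producing a signature Outlook recipients cannot validate.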

Sign emails

  1. Connect the Redtrust agent.

  2. In the Outlook home, select New > Email.

  3. While composing an email, open Message options and enable Digitally sign this message (S/MIME).

Info: If your organization has set up S/MIME, you can configure all emails you send to use S/MIME. See the steps below:

  • Go to Settings (gear icon) > Mail > S/MIME.
  • Enable Add a digital signature to all messages I send.

Verify the signature

  1. After sending the email, open the message in Outlook. Signed messages display a signature indicator in the message header. You can open the signature details to verify the certificate used to sign the message.

  2. In the admin console, go to Events. If the signature was processed correctly, the event is shown as an Allowed certificate use.