How To Import SMG User's S/MIME Certificates into Microsoft Outlook

Introduction

This article describes how to manually trust and use GlobalCerts S/MIME certificates within Microsoft Outlook. It is useful for any 3rd parties who would like to use S/MIME to secure their email with a GlobalCerts user. It assumes you have already installed your own S/MIME certificate in Outlook.

Once configured, S/MIME email signing and encryption is an easy, automated way to secure your sensitive email communications. It is the best way to ensure the integrity and confidentiality of sensitive emails with your business partners. However, it can be extremely frustrating because the sender not only needs their own certificates properly installed on each mail client they use, but must also have each recipient's S/MIME certificates to send securely to them.

Without a gateway-level solution like the SecureMail Gateway from GlobalCerts, you will not only have to load your S/MIME certificates onto every device used to send email, but also import the certificates of every 3rd-party recipient to whom you want to send S/MIME email. This can quickly become a very time-consuming task even if you have only a few partners and a couple of devices. This guide will walk you through the process of importing an SMG user's S/MIME certificates after you have received an S/MIME signed or encrypted email from them.

Trusting and Importing the SMG User's Certificates

If you have received an S/MIME signed or encrypted email from a GlobalCerts customer, here are the steps you need to perform on your computer to trust and import their signing and encryption certificates:

1) Locate a signed email from the contact in your inbox and click to open it.

2) Click on the certificate warning icon on the right hand side of the header:



3) Trust and install the certificate authority (it should be named 'GlobalCerts Root Certificate Authority' if using our default issued certificates).
The fingerprint should be:
New SHA256 Certificate Authority: f0c351047bf93ab8a6c7ace741d5bc2f96a09a97
Older SHA1 Certificate Authority: f1a99926ca02a23700ae0d3345fbfa6cd3afb2f6


4) Now when you reload the signed email, it will show a red ribbon icon indicating the message signature is valid and trusted. You can click on the ribbon to view the details:



5) You can now REPLY to this signed email using S/MIME encryption. Outlook will automatically use the SMG user's public key to encrypt the email with S/MIME. This will also add/import the user's S/MIME certificates to your local computer, usually under the 'Certificates - Current User' -> 'Other People' certificate store. However, you will not be able to compose a new S/MIME email to this user until you 'import' their public encryption certificate into their Outlook Contact.
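
The fingerprint check from step 3 can also be done in PowerShell. This is an added example, not part of the original article and not GlobalCerts code. Both published values are 40 hex digits, the length of the SHA-1 thumbprint Windows shows in the certificate dialog. The file path, the helper name Get-PublishedCaLabel and the assumption that the CA was installed for the current user are illustrative.

```powershell
# Added example (not GlobalCerts code). Fingerprints are copied from step 3.
$published = @{
    'f0c351047bf93ab8a6c7ace741d5bc2f96a09a97' = 'New SHA256 Certificate Authority'
    'f1a99926ca02a23700ae0d3345fbfa6cd3afb2f6' = 'Older SHA1 Certificate Authority'
}

# Hypothetical helper: returns the article's label for a thumbprint, or $null.
function Get-PublishedCaLabel {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Strip spaces and any other non-hex characters picked up when copying
    # from the certificate dialog, then normalise the case.
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    return $published[$hex]
}

# 1) Before trusting: check a CA certificate exported to a file.
#    The path is an assumption; point it at your own exported .cer file.
$cerPath = "$env:USERPROFILE\Downloads\globalcerts-root.cer"
if (Test-Path $cerPath) {
    $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
    $label = Get-PublishedCaLabel $ca.Thumbprint
    if ($label) {
        "File matches published fingerprint: $label"
    } else {
        Write-Warning "Thumbprint $($ca.Thumbprint) is not listed in step 3; do not trust this file."
    }
}

# 2) After trusting: audit roots in the user's store that carry the GlobalCerts name.
#    A matching name proves nothing by itself; only the thumbprint identifies the CA.
Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like '*GlobalCerts*' } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Published  = Get-PublishedCaLabel $_.Thumbprint   # blank = not in step 3
        }
    }
```

A row with an empty Published column is a root that uses the GlobalCerts name but does not match either fingerprint in step 3.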


Importing S/MIME certificates from a signed email into an Outlook Contact

When you receive a signed email in Outlook, you can easily import the public certificates present in the signature and associate them with an Outlook 'Contact'. This will allow you to associate and use their public S/MIME certificate to send them new S/MIME secured emails from Outlook.

1) First make sure the certificate authority is trusted by following the above section.

2) Next, open a signed email from the person and right click on their email address (the 'From' at the top of the reading pane).

3) Then, click 'Add to Outlook Contacts' in the popup. If you already have a contact associated with them, click 'Edit Contact' instead.


4) Click 'Certificates' in the top ribbon to confirm Outlook has associated their certificate with the contact:

5) Finally, click the 'Save & Close' button to save the contact:

 
Now you should be able to compose a NEW email in Outlook to this user and use S/MIME encryption to send to them.

All S/MIME certificates, including ones issued by GlobalCerts, have only a limited validity period (usually 1 year). Once the certificate expires you will no longer be able to use it and must import the user's new S/MIME certificate.
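
To see which imported contact certificates are expired or close to expiry, you can list the 'Other People' store mentioned in step 5. This is an added example, not part of the original article; the 30-day warning window is an assumption.

```powershell
# Added example. Cert:\CurrentUser\AddressBook is the provider path for the
# 'Certificates - Current User' -> 'Other People' store named in step 5.
$warnDays  = 30            # assumption: how far ahead to flag expiry
$now       = Get-Date
$nameTypes = [System.Security.Cryptography.X509Certificates.X509NameType]

Get-ChildItem Cert:\CurrentUser\AddressBook | ForEach-Object {
    # Classify each certificate by its validity window.
    $status = if ($_.NotBefore -gt $now) {
        'NotYetValid'
    } elseif ($_.NotAfter -lt $now) {
        'Expired'
    } elseif ($_.NotAfter -lt $now.AddDays($warnDays)) {
        'ExpiringSoon'
    } else {
        'Valid'
    }
    [pscustomobject]@{
        Email      = $_.GetNameInfo($nameTypes::EmailName, $false)   # subject e-mail
        Issuer     = $_.GetNameInfo($nameTypes::SimpleName, $true)   # issuing CA name
        NotAfter   = $_.NotAfter
        Status     = $status
        Thumbprint = $_.Thumbprint
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

Contacts shown as Expired or ExpiringSoon need a fresh signed email from the user so that the new certificate can be imported as described above.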

Conclusion

Importing an SMG user's S/MIME certificate(s) into your Outlook client can be a somewhat involved process. Keep in mind that in most cases it is not absolutely necessary, and the only thing you may need to do to send S/MIME email to them is explicitly trust the Certificate Authority of the user's certificate (see 'Trusting and Importing the SMG User's Certificates' above).

With a gateway-level solution like the GlobalCerts SecureMail Gateway, all of these steps are done automatically. External certificates are automatically harvested and can immediately be used by all senders in your organization. Furthermore, there is no need to perform these steps on each device; you can even use mobile devices and web clients that normally don't support S/MIME. For more information on the benefits of using a secure email solution, please contact GlobalCerts Sales.
