Below is the easiest way to exchange public certificates manually with a third party who is using Microsoft Outlook.
The Encryption Management Server administrator does the following:
- Create or import an Organization Certificate in the Encryption Management Server administration console from the Keys / Organization Keys page. The Organization Certificate will almost certainly be a self-signed certificate because of the difficulty of obtaining a trusted Root Signing Certificate (subCA) from an external certificate authority.
- Within 24 hours, Encryption Management Server will issue all Internal Users with personal S/MIME certificates. Note that it is not possible to prevent all users from being issued with a personal certificate.
- If the public certificates of the certificate authority that issued the third party's personal certificate are available, import them under Keys / Trusted Keys in the administration console and trust them for Mail and, optionally, TLS.
- Import the personal public certificate of the third party under Users / External Users in the administration console. This will create an external user account for the third party. Alternatively, if you are using Web Email Protection, configure Web Email Protection to allow the third party to upload their own public certificate.
Once the external user has an account with an S/MIME certificate in Encryption Management Server, you can send them an S/MIME signed and encrypted message.
The external user does the following:
- In Outlook, a status line appears at the top of the S/MIME message from the internal user.
- The external user clicks on the signature button (the exclamation mark icon) to open the Message Security Properties page. This shows the security layers of the message.
- They click on the Signer layer.
- They click on the Trust Certificate Authority button. This shows information about the Encryption Management Server public Organization Certificate. They confirm that they wish to trust it by clicking the Trust button.
- They confirm that they wish to install the public Organization Certificate. This adds it to the Trusted Root Certification Authorities container in their Windows certificate store.
- They refresh their Outlook Inbox by clicking on Sent Items and then on Inbox again.
- The signature on the S/MIME message now appears as valid and trusted.
- They select the S/MIME message and click on the Reply button to reply to it.
- As soon as they click on the Reply button, Outlook automatically adds the internal user's personal public S/MIME certificate to the Other People container in the Windows certificate store. Even if the external user does not click the Send button, this certificate remains in the external user's Other People container indefinitely.
- The external user will now be able to exchange S/MIME encrypted messages with the internal user.
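A check the external user (or their help desk) can run after completing these steps, as an added PowerShell example that is not part of the original article: it confirms that the Organization Certificate is in Trusted Root Certification Authorities, that the internal user's certificate was stored in Other People (the AddressBook store), and that the stored certificate chains to that root. The thumbprint and e-mail address are placeholders; the thumbprint should be obtained from the Encryption Management Server administrator out of band rather than read from the message itself.

```powershell
# Added example, not from the original article. Replace the placeholders
# with the Organization Certificate thumbprint supplied by the administrator
# and the internal user's e-mail address.
param(
    [string]$OrgCertThumbprint = 'PLACEHOLDER_ORG_CERT_THUMBPRINT',
    [string]$InternalUserEmail = 'internal.user@example.com'
)
$OrgCertThumbprint = $OrgCertThumbprint.ToUpper()

# 1. Was the Organization Certificate installed as a trusted root?
$orgCert = Get-ChildItem -Path Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $OrgCertThumbprint }
if (-not $orgCert) {
    Write-Warning "Organization Certificate $OrgCertThumbprint is not in Trusted Root Certification Authorities."
} else {
    Write-Output "Trusted root present: $($orgCert.Subject) (expires $($orgCert.NotAfter))"
}

# 2. Did replying to the signed message store the internal user's certificate
#    in Other People? That container is the CurrentUser\AddressBook store.
$emailType = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName
$peerCerts = Get-ChildItem -Path Cert:\CurrentUser\AddressBook |
    Where-Object { $_.GetNameInfo($emailType, $false) -eq $InternalUserEmail }
if (-not $peerCerts) {
    Write-Warning "No certificate for $InternalUserEmail in Other People; reply to the signed message first."
    return
}

# 3. Does each stored certificate chain to the trusted Organization Certificate?
#    Revocation checking is disabled here because a self-signed Organization
#    Certificate typically publishes no CRL; enable it if yours does.
foreach ($cert in $peerCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    if ($built -and $rootThumb -eq $OrgCertThumbprint) {
        Write-Output "OK: $($cert.Subject) chains to the Organization Certificate (expires $($cert.NotAfter))."
    } else {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Chain problem for $($cert.Subject): root $rootThumb, status: $status"
    }
}
```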