Looking up S/MIME certificates for users managed by Encryption Management Server using Outlook

Article ID: 171278

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

To send S/MIME encrypted email messages to a user managed by Encryption Management Server, you need to obtain the user's public S/MIME certificate.

If your organization also uses Encryption Management Server, the two Encryption Management Servers can perform key lookups on each other. Encryption Desktop Email can also be used to look up keys on the remote Encryption Management Server.

If your organization does not use Encryption Management Server and you do not use Encryption Desktop Email, Microsoft Outlook can be used instead, but some configuration is required.

Environment

  • Encryption Management Server 3.3 and above with the Keyserver service installed and accessible over the Internet using LDAP.
  • Microsoft Outlook 2007 and above.

Resolution

Microsoft Outlook can find and download S/MIME certificates for users managed by Encryption Management Server. This is possible by adding the remote Encryption Management Server as an LDAP Address Book in Microsoft Outlook.

The following requirements apply:

  1. The Encryption Management Server needs to have the Keyserver service enabled and accessible by remote hosts over the Internet using the LDAP port (389).
  2. Outlook needs to be able to connect over the Internet to the remote Encryption Management Server using the LDAP protocol.
  3. Your private S/MIME certificate needs to be installed in Outlook.
  4. You must have installed the remote Encryption Management Server's public Organization Certificate as a Trusted Root Certification Authority in the Windows certificate store. If you have a Web Email Protection or PDF Email Protection account on the Encryption Management Server, you can upload your public S/MIME certificate to the server by logging in, clicking on Settings and choosing Key or digital ID/certificate. Once you have uploaded your certificate, you are given the option of downloading the Encryption Management Server public Organization Certificate.

To add an LDAP address book in Microsoft Outlook 2013, follow the steps below. See also the Microsoft article Add or remove an address book. The steps are almost identical in all versions of Outlook:

  1. In Outlook, click on File / Account Settings.
  2. Click on the Address Books tab.
  3. Click on New.
  4. Accept the default of Internet Directory Service (LDAP).
  5. In the Server Name field, enter the public FQDN of the Encryption Management Server key server. For example, keys.example.com.
  6. Click on the More Settings button.
  7. Click on the Search tab.
  8. In the Search Base section, click on the Custom radio button and enter the following search string:
    o=users
  9. Click the OK button to save the new address book.
  10. Close Outlook and open it again.
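The following PowerShell script is an added example, not part of this article or the product, that performs the same anonymous LDAP search Outlook's address book does (port 389, search base o=users, match on the mail attribute) and then checks whether the returned S/MIME certificate chains to a trusted root. It assumes the keyserver exposes the certificate in the standard userCertificate attribute; the server name and recipient are placeholders.

```powershell
# Added example: look up a recipient's S/MIME certificate on the keyserver and verify
# that it chains to the Organization Certificate installed per requirement 4.
# Assumptions: anonymous bind on 389, search base o=users, attribute 'userCertificate'.
param(
    [string]$KeyServer = 'keys.example.com',   # public FQDN of the keyserver (placeholder)
    [string]$Recipient = 'user@example.com'    # Encryption Management Server user (placeholder)
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($KeyServer, 389)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
$conn.SessionOptions.ProtocolVersion = 3
$conn.Timeout = [TimeSpan]::FromSeconds(15)
$conn.Bind()   # fails here if the Keyserver service is not reachable over the Internet

# Same search the Outlook address book performs: base o=users, filter on mail.
$req = [System.DirectoryServices.Protocols.SearchRequest]::new(
    'o=users', "(mail=$Recipient)",
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    [string[]]@('mail', 'userCertificate'))
$resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
if ($resp.Entries.Count -eq 0) { throw "No entry for $Recipient under o=users on $KeyServer" }

foreach ($entry in $resp.Entries) {
    # Some directories label the attribute 'userCertificate;binary'; try both.
    $attr = $entry.Attributes['userCertificate']
    if (-not $attr) { $attr = $entry.Attributes['userCertificate;binary'] }
    if (-not $attr) { Write-Warning "$($entry.DistinguishedName): no userCertificate"; continue }

    foreach ($der in $attr.GetValues([byte[]])) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        # Build the chain against the local Trusted Root store. This succeeds only if the
        # server's Organization Certificate was installed as a trusted root (requirement 4).
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Subject             = $cert.Subject
            Issuer              = $cert.Issuer
            NotAfter            = $cert.NotAfter
            Thumbprint          = $cert.Thumbprint
            ChainsToTrustedRoot = $trusted
            ChainStatus         = ($chain.ChainStatus.StatusInformation -join '; ')
        }
    }
}
$conn.Dispose()
```

If ChainsToTrustedRoot is False, Outlook will also refuse to encrypt to that certificate; the ChainStatus text tells you whether the cause is a missing root, an expired certificate or a name mismatch.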

To use the new LDAP address book to send an S/MIME encrypted message, do the following:

  1. Compose a new message.
  2. Click on the To: button. This allows you to search address books.
  3. By default, the local Contacts address book is selected.
  4. In the drop down list of address books, select the LDAP address book that points to Encryption Management Server. This will be called, for example, keys.example.com.
  5. In the Search text box, enter the full email address of the Encryption Management Server internal user, for example, [email protected], and click the Go button to search.
  6. Outlook will connect to the remote Encryption Management Server and search for the name matching the email address.
  7. Highlight the name and click on the To: button to add it as a recipient. You can also copy the name to the local Contacts address book at this point (see below).
  8. Click on the Options menu and then click on the Encrypt button and, optionally, the Sign button.
  9. Send the message.

Outlook looks in the local Contacts address book by default, and the local Contacts address book can store far more information for each contact than just a name and email address. To copy an Encryption Management Server user from the LDAP address book to the local Contacts address book, follow the steps above and, after step 6, do the following:

  1. Double click on the name of the Encryption Management Server user.
  2. Click on the Add to Contacts button to create a new local contact entry.
  3. Edit the fields in the contact record as desired and then click Save & Close.

Users managed by Encryption Management Server can only send S/MIME encrypted messages if the Outlook user is an External User and their public S/MIME certificate has been imported into Encryption Management Server. The easiest method of doing this is to configure the Outlook user as a Web Email Protection user. They can then upload their public S/MIME certificate themselves (see above).