How do I trust S/MIME certificates in Office 365?
Unlike OWA running on Exchange, Office 365 does not trust any root
certificates by default. This causes validation problems when opening
digitally signed email using S/MIME. In order to fix this, the Office
365 administrators for your organization must manually import the root
certificates your organisation chooses to trust using Microsoft Serialized
Certificate Files (*.SST). This article describes this process.
Obtaining an SST File
There are two ways to obtain an SST file.
You can obtain an SST file by running the following command in Windows PowerShell. Note that cert:\CurrentUser\my is the Personal store; point the path at the store that actually holds the root certificates you want to trust (for example cert:\CurrentUser\Root):
PS C:\> Get-ChildItem -Path cert:\CurrentUser\my |
    Export-Certificate -FilePath c:\certs\allcerts.sst -Type SST
Alternatively, you can obtain an SST file from your computer using the
Certificate Export Wizard.
- Open up Internet Explorer.
- Click on Settings and go to Internet Options in the drop-down menu.
- Click on the Content tab.
- Click on the Certificates button.
- Select the Trusted Root Certification Authorities tab.
- Press 'Q' to fast track to the QuoVadis certificates.
- Highlight all of the QuoVadis Root certificates using the 'Ctrl' key on your keyboard.
- With all QuoVadis Root certificates highlighted, click on the Export button. You may include other Root CAs if desired. You must ensure that 2 or more certificates are selected, otherwise the SST format is not offered.
- Click Next on the Welcome screen of the Certificate Export Wizard.
- Select the Microsoft Serialized Certificate Store (.SST) radio option at the bottom. Click on Next.
- Give the file a name and location. Click on Next.
- Click on the Finish button.
- The *.sst file will be saved in the location that you specified. This file contains all of the Root certificates that you selected.
Trusting the SST File in Office 365
First you must connect to Office 365 using PowerShell. The steps below describe how to do this.
On the local computer, open Windows PowerShell and run the following command:
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box, type in your Exchange Online user name and password and then click on OK.
Run the following command:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
Next run these commands:
Import-PSSession $Session -AllowClobber
Connect-MsolService -Credential $UserCredential
The Exchange Online cmdlets should now be imported into your local Windows PowerShell session. If you don't receive an error, you can verify that this has worked by using the following command:
Get-Mailbox
If the Get-Mailbox command works, then you are connected to Office 365.
Importing the SST File
Once you are connected to Office 365 via PowerShell, you will then need to import the SST using the following command (replace <filename> with the path to your SST file; -Encoding Byte requires Windows PowerShell 5.1):
Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content <filename>.sst -Encoding Byte)
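The export and import steps combined into one script, as an added example that is not part of the original article. It builds the SST from the Trusted Root store rather than by hand, refuses to upload anything that is not a CA certificate, and assumes Windows PowerShell 5.1 with an Exchange Online session already imported; $SubjectFilter and $SstPath are assumed names.

```powershell
# Added example: export matching self-signed roots to an SST, verify the SST
# contents, then hand it to Set-SmimeConfig. Assumes an existing Exchange
# Online session and Windows PowerShell 5.1 (-Encoding Byte).
param(
    [string]$SubjectFilter = 'QuoVadis',          # assumed: CA name to look for
    [string]$SstPath = "$env:TEMP\smime-roots.sst" # assumed: output location
)

# Select candidate roots: subject matches, self-signed, not expired.
$roots = @(Get-ChildItem -Path Cert:\CurrentUser\Root |
    Where-Object {
        $_.Subject -like "*$SubjectFilter*" -and
        $_.Subject -eq $_.Issuer -and
        $_.NotAfter -gt (Get-Date)
    })

if ($roots.Count -lt 2) {
    throw "Need at least 2 certificates for an SST export; found $($roots.Count)."
}

# Export to a Microsoft Serialized Certificate Store (*.sst).
$roots | Export-Certificate -FilePath $SstPath -Type SST -Force | Out-Null

# Read the SST back and check every entry is a CA certificate before trusting it,
# so a leaf certificate cannot end up in the tenant's issuing CA list.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$check.Import($SstPath)
foreach ($cert in $check) {
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "Refusing to trust non-CA certificate: $($cert.Subject) ($($cert.Thumbprint))"
    }
    Write-Host ("Will trust: {0} thumbprint {1} expires {2:yyyy-MM-dd}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
}

# Upload the SST bytes to Exchange Online (requires the imported session).
Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content -Path $SstPath -Encoding Byte)

# Show the resulting S/MIME configuration for review.
Get-SmimeConfig | Format-List
```

Review the thumbprints printed before the upload against the fingerprints published by the CA; the script only checks structure, not that the roots are the ones you intended.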
After the SST is installed, you will need to get Dirsync to synchronize
using the DirSyncConfigShell and then start-onlinecoexistencesync.
This process generally happens automatically after 30 mins.
When you are finished, it is important to close out the session. You can do this by running the following command:
Remove-PSSession $Session
When the Dirsync has completed, any certificate issued out of a CA that you have imported should chain up and be trusted.