SMIME not working in OWA
Help needed for S/MIME setup on M365 with Exchange Online and Windows/macOS
- What was done:
- Installed the .pfx key on Windows and macOS locally with the password
- Deployed the root and intermediate certificate via Intune on the Windows and macOS devices
- Exported the root and intermediate certificate via certmgr.msc and uploaded the .sst via
Connect-ExchangeOnline   # ExchangeOnlineManagement module; interactive sign-in
Set-SmimeConfig -SMIMECertificateIssuingCA ([IO.File]::ReadAllBytes('C:\Temp\certificate_CA.sst'))   # uploads the serialized store (.sst) as raw bytes
- Published the public S/MIME signature via “Publish to GAL” in classic Outlook manually for each user (Windows users).
- Current Status:
- Working
- Sending Encrypted email from a signed Reply (Old/classic Outlook)
- Sending Encrypted email from new email (Old Outlook) (Works after publishing in GAL/saving the Signature to contact for External)
- Sending Encrypted email from new email (Outlook for Mac) to windows user who published their certificate via GAL
- NOT working
- Sending Encrypted email from new email (New Outlook [Windows]) – Error message: Certificate is not trusted by this organization
- Sending Encrypted email from new email (OWA on Edge [Windows]) – Error message: Certificate is not trusted by this organization
- Sending Encrypted email from new email (Old Outlook Windows) to mac users, since certificate was not published
- Martin-Apps4Rent (Iron Contributor)
S/MIME in Exchange Online can be tricky because support differs between old Outlook, new Outlook, and OWA. Based on your setup, the main reason you see the “certificate is not trusted by this organization” error is that the new Outlook and OWA only trust certificates if the full issuing chain (root + intermediate) is published correctly in Exchange Online via Set-SmimeConfig and distributed to all clients. Old Outlook works locally because it uses the Windows certificate store, while OWA and new Outlook validate only against what is configured in Exchange Online.
To fix this, make sure the entire chain (root + intermediate CAs) is included in your .sst file and re-upload it with Set-SmimeConfig, then run Get-SmimeConfig to confirm. Also, every recipient’s certificate must be published to the GAL for cross-user encryption to work, including Mac users. At this point, OWA and new Outlook should recognize the certificates properly. If you still face issues, note that new Outlook has limited S/MIME support and Microsoft is gradually rolling it out, so in some cases old Outlook remains the only fully reliable client.
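The check Martin describes (bundle root plus intermediate into one .sst, re-upload it, then confirm with Get-SmimeConfig) as an added PowerShell example. This is not code from either poster; the file paths, the `*Contoso*` subject filter used to pick out the CA certificates, and the assumption that Get-SmimeConfig hands back the uploaded bytes in SMIMECertificateIssuingCA are placeholders and assumptions to adjust for your own CA:

```powershell
# Added example, not from the thread. Build the issuing-chain .sst from the local
# machine stores, upload it to Exchange Online, read it back, and verify that a
# user's S/MIME certificate chains only through CAs that are in the published bundle.
# Assumptions: the paths below, and a '*Contoso*' substring in your CA subject names.

$SstPath  = 'C:\Temp\certificate_CA.sst'   # assumption: where the bundle is written
$PfxPath  = 'C:\Temp\user.pfx'             # assumption: one user's S/MIME .pfx
$CaFilter = '*Contoso*'                    # assumption: substring in your CA subjects

# 1. Collect the root and the intermediate from the machine stores (Intune put them
#    there). The user's own certificate lives in Cert:\CurrentUser\My and must NOT
#    be part of the bundle; Exchange Online expects issuing CAs only.
$chainCerts = @(
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like $CaFilter
    Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Subject -like $CaFilter
)
if ($chainCerts.Count -lt 2) {
    throw "Expected at least a root and an intermediate, found $($chainCerts.Count)"
}
$chainCerts | Export-Certificate -FilePath $SstPath -Type SST -Force | Out-Null

# 2. Upload the whole bundle as the issuing-CA list in Exchange Online.
Connect-ExchangeOnline
Set-SmimeConfig -SMIMECertificateIssuingCA ([IO.File]::ReadAllBytes($SstPath))

# 3. Read back what Exchange Online stored and decode it.
#    Assumption: SMIMECertificateIssuingCA returns the bytes that were uploaded.
$stored = (Get-SmimeConfig).SMIMECertificateIssuingCA
$tmp    = Join-Path $env:TEMP 'smime_check.sst'
[IO.File]::WriteAllBytes($tmp, $stored)
$published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$published.Import($tmp)   # Import understands the serialized-store (.sst) format
$published | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize

# 4. Build the chain for a user's certificate and confirm every issuer in that
#    chain (everything above the leaf) is present in the published bundle.
$leaf  = Get-PfxCertificate -FilePath $PfxPath   # prompts for the .pfx password
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.AddRange($published)
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain completeness only, not revocation
$null = $chain.Build($leaf)

$missing = foreach ($el in ($chain.ChainElements | Select-Object -Skip 1)) {
    if (-not ($published | Where-Object Thumbprint -eq $el.Certificate.Thumbprint)) {
        $el.Certificate.Subject
    }
}
if ($chain.ChainElements.Count -lt 2 -or $missing) {
    Write-Warning "Published .sst does not cover the full chain; missing: $($missing -join '; ')"
} else {
    Write-Host "OK: every issuer of '$($leaf.Subject)' is in the published issuing-CA bundle"
}
```

Step 4 builds the chain with whatever the local machine trusts plus the bundle, so it does not prove that Exchange Online itself accepts the chain; what it catches is the common mistake of uploading only the root (or only the intermediate), which shows up as a subject in the "missing" list. The same check run against a Mac user's .pfx tells you whether their certificate is issued from the same chain before you publish it to the GAL.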
- JChristiansen (Copper Contributor)
Hello Martin-Apps4Rent,
thanks for your reply. Based on what you wrote, my upload command should be correct, right?
Can you provide by any chance a video/guide on how to get the right root + intermediate CA and in the right format?