Forum Discussion
Upload S/MIME user certificate with outlook to the GAL
Hi @all in the Exchange Hub,
I have some questions regarding the possibility of allowing users to upload S/MIME certificates to the global address list. We get the certificates from a third-party supplier (no self-generation via AD).
At the moment we are using an on-premise mail server (no Exchange) and want to migrate to Exchange Online. We built a test environment with a local Active Directory and a Microsoft 365 tenant.
I've done a test with my account in Outlook 365. All works. I was able to import the certificate and publish it in the GAL. A pop-up confirmed the successful upload to the GAL.
On another account we tried the same and got the following message:
"There are no valid security settings to publish. Do you want to remove the previously published settings?" (sorry, translated it from German).
If I press no --> nothing happens
If I press yes --> the following message appears:
"Your certificates were successfully removed" --> and nothing happens (no confirmation of successful upload)
Where is the error? What do I have to configure so that it works?
And another essential question:
If I search in the Microsoft docs for how users can publish certificates, I can only find the path:
Outlook --> local Active Directory --> AD Connect --> Exchange Online
Is this the only way of publishing?
Background of this question:
I mentioned above that the GAL publishing of my certificate worked. I can't find the certificate in the local Active Directory in the userCertificate attribute. But I can find a certificate (via PowerShell) in ExchangeOnline.
Hope you understand my questions.
Thanks in advance for answering 🙂
- Andres-Bohren (Steel Contributor): Made some tests in the past. Maybe these commands help you further.
###############################################################################
# Set UserCertificate in EXO
###############################################################################
Connect-ExchangeOnline
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\temp\a.bohren@icewolf.ch_swisssign.cer")
# UserCertificate is multi-valued, so wrap the DER bytes in a list
$certArray = New-Object System.Collections.ArrayList
$certArray.Insert(0, $cert.GetRawCertData())
Set-Mailbox -Identity "<email address removed for privacy reasons>" -UserCertificate $certArray
# Read it back (Get-RemoteMailbox is the on-premises hybrid cmdlet; from an EXO session use Get-Mailbox)
$MBX = Get-RemoteMailbox -Identity "<email address removed for privacy reasons>"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($MBX.UserCertificate[0])
$Cert | Format-List
###############################################################################
# AD
###############################################################################
$ADUser = Get-ADUser -Identity "a.bohren" -Properties userCertificate
$ADUser.userCertificate
# userCertificate is also multi-valued; decode the first entry
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ADUser.userCertificate[0])
$Cert | Format-List
# Replace the published certificate: clear the attribute, then add the new DER bytes
Set-ADUser -Identity "a.bohren" -Clear "userCertificate"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\temp\a.bohren@icewolf.ch_swisssign.cer")
Set-ADUser -Identity "a.bohren" -Add @{"userCertificate"=$cert.RawData}
- Are all required properties provisioned in the certificate, e.g. the e-mail address?
- theunknown (Brass Contributor): Yes, tested the certificate on another system. It's working.
My own certificate is from the same CA as the other one, which is not working.
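As an added example (not posted by anyone in the thread), the following PowerShell pre-flight check answers the "are all required properties provisioned" question before a certificate is pushed with Set-Mailbox -UserCertificate as in the script above: it verifies the certificate's e-mail address against the mailbox address, the Secure Email EKU, key usage, validity period and chain trust. The path, address and mailbox identity are placeholders.

```powershell
# Added example: pre-flight check of an S/MIME public certificate (.cer) before
# publishing it to the GAL. Path, address and identity below are placeholders.
using namespace System.Security.Cryptography.X509Certificates

function Test-SmimePublishCandidate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,     # public cert only, no private key needed
        [Parameter(Mandatory)] [string] $PrimarySmtp   # address Outlook matches the cert against
    )
    $cert = [X509Certificate2]::new($CertPath)
    $now  = Get-Date

    # 1. E-mail address from the SAN rfc822Name (or Subject E=) must match the mailbox.
    $certMail = $cert.GetNameInfo([X509NameType]::EmailName, $false)
    $mailOk   = [bool]$certMail -and ($certMail -ieq $PrimarySmtp)

    # 2. Extended Key Usage must include Secure Email (id-kp-emailProtection).
    $eku   = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOk = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' })

    # 3. Key usage (if present) must allow signing and/or key encipherment.
    $ku   = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $want = [X509KeyUsageFlags]::DigitalSignature -bor [X509KeyUsageFlags]::KeyEncipherment
    $kuOk = (-not $ku) -or (([int]($ku.KeyUsages -band $want)) -ne 0)

    # 4. Inside the validity window and chained to a root trusted on this machine.
    $timeOk  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    $chain   = [X509Chain]::new()
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        CertEmail      = $certMail
        EmailMatches   = $mailOk
        SecureEmailEku = $ekuOk
        KeyUsageOk     = $kuOk
        InValidity     = $timeOk
        ChainTrusted   = $chainOk
        ChainStatus    = $status
        ReadyToPublish = $mailOk -and $ekuOk -and $kuOk -and $timeOk -and $chainOk
        RawData        = $cert.RawData   # DER bytes that Set-Mailbox -UserCertificate expects
    }
}

# Usage (placeholders): publish only when every check passes, using the same
# multi-valued list shape as the script above.
$check = Test-SmimePublishCandidate -CertPath 'C:\temp\user.cer' -PrimarySmtp 'user@example.com'
$check | Format-List -Property * -ExcludeProperty RawData
if ($check.ReadyToPublish) {
    $list = [System.Collections.ArrayList]::new(); [void]$list.Add($check.RawData)
    Set-Mailbox -Identity 'user@example.com' -UserCertificate $list
}
```

A failed EmailMatches or SecureEmailEku is the first thing to look at when Outlook reports no valid security settings for an account, since those are the properties it uses to tie a certificate to the mailbox.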