Forum Discussion

theunknown
Brass Contributor
Mar 28, 2023

Upload S/MIME user certificate with outlook to the GAL

Hi @all in the Exchange Hub,

I have some questions regarding the possibility of allowing users to upload S/MIME certificates to the global address list. We get the certificates from a third-party supplier (no self-generation via AD).

At the moment we are using an on-premise mail server (no Exchange) and want to migrate to Exchange Online. We built a test environment with a local Active Directory and a Microsoft 365 tenant.

I've done a test with my account in Outlook 365. All works. I was able to import the certificate and publish it in the GAL. A pop-up confirmed the successful upload to the GAL.

On another account we tried the same and got the following message:

"There are no valid security settings to publish. Do you want to remove the previously published settings?" (sorry, translated it from German).

If I press No --> nothing happens
If I press Yes --> the following message appears:

"Your certificates were successfully removed" --> and nothing happens (no confirmation of successful uploading)

Where is the error? What do I have to configure so that it works?

And another essential question:

If I search the Microsoft docs for how users can publish certificates, I can only find the path:
Outlook --> local Active Directory --> AD Connect --> Exchange Online

Is this the only way of publishing?

Background of this question:

I mentioned above that the GAL publishing of my certificate worked. I can't find the certificate in the local Active Directory in the userCertificate attribute. But I can find a certificate (via PowerShell) in Exchange Online.

Hope you understand my questions.

Thanks in advance for answering 🙂

  • Andres-Bohren
    Steel Contributor
    Made some tests in the past. Maybe these commands help you further.

    ###############################################################################
    # Set UserCertificate in EXO
    ###############################################################################
    Connect-ExchangeOnline
    # Load the .cer file supplied by the CA (public certificate only, no private key needed)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\temp\a.bohren@icewolf.ch_swisssign.cer")
    # UserCertificate is multi-valued, so wrap the raw DER bytes in a list
    $certArray = New-Object System.Collections.ArrayList
    $certArray.Insert(0, $cert.GetRawCertData())
    # "user@example.com" is a placeholder; the original address was removed for privacy
    Set-Mailbox -Identity "user@example.com" -UserCertificate $certArray

    # Read the value back from the Exchange Online mailbox (Get-Mailbox, since the
    # session is connected to EXO; Get-RemoteMailbox only exists on-premises)
    $MBX = Get-Mailbox -Identity "user@example.com"
    # Decode the first published value; the leading comma keeps the byte[] as one argument
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$MBX.UserCertificate[0])
    $Cert | Format-List

    ###############################################################################
    # AD
    ###############################################################################
    $ADUser = Get-ADUser -Identity "a.bohren" -Properties userCertificate
    $ADUser.userCertificate
    # Decode the first value of the multi-valued userCertificate attribute
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$ADUser.userCertificate[0])
    $Cert | Format-List
    # Remove every previously published certificate from the AD user object
    Set-ADUser -Identity "a.bohren" -Clear "userCertificate"

    # Re-add the certificate from the .cer file (RawData is the DER encoding)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\temp\a.bohren@icewolf.ch_swisssign.cer")
    Set-ADUser -Identity "a.bohren" -Add @{"userCertificate" = $cert.RawData}
  • Are all required properties provisioned in the certificate, e.g. the e-mail address?
    • theunknown
      Brass Contributor
      Yes, tested the certificate on another system. It's working.
      My own certificate is from the same CA as the other one which is not working.
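An added example (not code from anyone in this thread, nor from Microsoft) that covers the two practical checks the discussion turns on: whether a third-party certificate carries the properties an S/MIME client needs before it is published (Secure Email EKU, key usage, the e-mail address in the SAN, validity period, trust chain, and a private key in the user's store), and whether the certificate that ended up on the Exchange Online mailbox is the same one as in the on-premises userCertificate attribute. The file path, e-mail address and identities are placeholders; that EXO may return the attribute as Base64 strings rather than DER bytes is an assumption handled defensively.

```powershell
# Added example; not from the thread. Paths, addresses and identities are placeholders.

function Test-SmimeCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,          # .cer file from the CA
        [Parameter(Mandatory)] [string] $EmailAddress   # mailbox it should be bound to
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $now  = Get-Date
    $result = [ordered]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        IsTimeValid = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    }

    # Enhanced Key Usage must contain Secure Email (OID 1.3.6.1.5.5.7.3.4);
    # a certificate issued only for client authentication is not usable for S/MIME.
    $result.HasSecureEmailEku = $false
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $ekuExt = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($eku, $eku.Critical)
        $result.HasSecureEmailEku = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' })
    }

    # Key Usage: signing needs DigitalSignature, encryption needs KeyEncipherment
    # (one dual-use cert, or two separate certs, depending on the CA's policy).
    $result.KeyUsages = ''
    $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if ($ku) {
        $kuExt = New-Object System.Security.Cryptography.X509Certificates.X509KeyUsageExtension($ku, $ku.Critical)
        $result.KeyUsages = $kuExt.KeyUsages.ToString()
    }

    # The recipient address must appear as an rfc822Name in the Subject Alternative
    # Name; some older CAs only put it into the Subject (E=...), so both are checked.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $result.EmailInSan     = [bool]($sanText -match [regex]::Escape($EmailAddress))
    $result.EmailInSubject = [bool]($cert.Subject -match [regex]::Escape($EmailAddress))

    # Outlook can only publish a certificate whose private key is in the user's own store.
    $inStore = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $result.PrivateKeyInUserStore = [bool]($inStore -and $inStore.HasPrivateKey)

    # Chain validation against the local trust store (third-party roots must be trusted).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $result.ChainValid  = $chain.Build($cert)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]$result
}

function ConvertTo-CertThumbprint {
    # Assumption: a value may arrive as DER bytes (AD, classic EXO) or as a Base64 string.
    param([object] $Value)
    $raw = if ($Value -is [string]) { [Convert]::FromBase64String($Value) } else { [byte[]]$Value }
    ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)).Thumbprint
}

function Compare-PublishedCertificate {
    # Compares what the EXO mailbox and the AD user hold in UserCertificate / userCertificate,
    # so you can see whether Outlook's publish landed in Exchange Online, in AD, or in both.
    param(
        [object[]] $ExoCertificates = @(),
        [object[]] $AdCertificates  = @()
    )
    $exo = @($ExoCertificates | ForEach-Object { ConvertTo-CertThumbprint $_ })
    $ad  = @($AdCertificates  | ForEach-Object { ConvertTo-CertThumbprint $_ })
    [pscustomobject]@{
        OnlyInExchangeOnline = @($exo | Where-Object { $_ -notin $ad })
        OnlyInAD             = @($ad  | Where-Object { $_ -notin $exo })
        InBoth               = @($exo | Where-Object { $_ -in $ad })
    }
}

# Usage (all values are placeholders):
# Test-SmimeCertificate -Path 'C:\temp\user.cer' -EmailAddress 'user@example.com' | Format-List
# Connect-ExchangeOnline
# $exo = (Get-Mailbox -Identity 'user@example.com').UserCertificate
# $ad  = (Get-ADUser -Identity 'user' -Properties userCertificate).userCertificate
# Compare-PublishedCertificate -ExoCertificates $exo -AdCertificates $ad
```

Run the first function on the certificate of the account that gets the "no valid security settings to publish" message and on the one that publishes fine; a difference in `HasSecureEmailEku`, `EmailInSan`, `PrivateKeyInUserStore` or `ChainValid` is the usual cause. The comparison function answers the background question about where a published certificate actually lives.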
