S/MIME support for Exchange Active Sync (EAS) version 2.5 was introduced in Exchange 2003 Service Pack 2 (SP2) and Windows Mobile 5 (WM5) device. In Exchange 2007 SP1, we are adding S/MIME support for EAS version 2.5, 12.0 and 12.1. While working on EAS S/MIME implementation, I was asked how users could enable their devices work with S/MIME. Below I have provided some simple end-to-end steps to exemplify using S/MIME on a Windows Mobile device.
1. Where can I get an email certificate?
There are several services issuing email certificates (ex. Comodo, VeriSign). The choice of certificate authority is up to the user though Comodo currently provides a free email certificate without a trial period expiration.
· Comodo : http://www.comodo.com/products/certificate_services/email_certificate.html
· VeriSign: https://digitalid.verisign.com/cgi-bin/OEenroll.exe?name=&email=
2. Export the certificate with a private key
Once you have requested an email certificate from a certificate authority (e.g. Comodo), you will receive an email informing you how to get, and install, the certificate on your local machine. After the installation, you can export the certificate with its private key and put it onto your device. This is required for viewing the encrypted message and signing outgoing messages from the mobile device.
Here are the steps:
a. Open the certificate management console snap-in on your local machine
For Vista:
1. Press the Windows logo button on your start bar
2. Type MMC in the Start Search box and press enter
- You may be prompted for permissions to run the Microsoft Management Console (MMC). If so, select Continue
3. Select File from the menu bar of the management console that appears
4. Select Add/Remove Snap-in from the drop down list
5. Select Certificate
6. Press the Add > button
7. Make sure the radio button “My user account” is selected and press the Finish button
8. Press the OK Button on the Add or Remove Snap-Ins window
For Win 2K, Win XP, Win 2K3:
1. Press Start
2. Click on Run…
3. Type MMC in the run dialog that appears and press enter
4. Select File from the menu bar of the Management Console that appears
5. Select Add/Remove Snap-in from the drop down list
6. Select Certificate
7. Press the Add >button
8. Make sure the radio button “My user account” is selected and press the Finish button
9. Press the OK button on the Add or Remove Snap-Ins window
b. Export your private key
1. In the MMC console (which you opened in section a) Left click Certificate under Console Root > Certificates à Current User à Personal
2. Right click the certificate you acquired from your certificate authority
3. Select All task à Export…
4. An export wizard will appear, select the radio button that says “Yes, export the private key” and press the Next > button
5. Do not check any items on the next screen (only the “Personal Information Exchange “ radio button should be selected) and press the Next > button
6. Type in a password in the Password field and confirm it by retyping the same password in the Type and confirm password (mandatory) field and press the Next > button
7. Enter a file name for your .pfx in the File Name: field and press the Next > button
8. Press the Finish button on the final screen of the wizard
9. Press OK on the confirmation dialog that your certificate was exported successfully
3. Import the .pfx certificate on your Windows Mobile device
Below is a simple way to take your exported certificate and install it on your Windows Mobile device.
a. If you are using a Windows Mobile 6 (WM6) device
1. Send yourself an email with the .pfx certificate as an attachment
2. When you receive the email with the attached certificate, open it
3. select the certificate attachment and it will import the certificate automatically (you will prompted to type in the password you used to export the certificate)
b. If you are using a Windows Mobile 5 (WM5) device
1. You need a tool to import the certificate. For this document we will use a tool called pfximport. This tool is available at http://www.jacco2.dds.nl/networking/pfximprt.html
2. Send yourself an email with the pfximport tool and your .pfx file attached
3. Sync down the email
4. Save the .pfx file and the tool to a location on your device
5. Navigate on your device (using your file explorer) to the directory where you saved pfximport and the .pfx file.
6. Run the pfximport tool and import the cert (you need to type in the password)
On the other hand, you can also cradle your device and drop the certificate onto your device from your local machine. But it requires the desktop Microsoft ActiveSync.
4. Verify the certificate has been imported properly
On Windows Mobile 5 and 6 Standard (usually non-touchscreen) devices select Start à Settings à Security à Certificates à Personal à <select the certificate you just exported and view its details>
On Windows Mobile 5 and 6 Professional (usually touchscreen) devices, go to Settings à System à Certificates à <click the cert and look at the details>
5. Sync S/MIME encrypted email
After installing the certificate on your device, you can start to sync, and view, encrypted messages. If you use a Windows Mobile 6 device, there is a small chance that your device won’t support S/MIME (all WM5 devices can use S/MIME). Below are the steps to check if you can use S/MIME on your device:
1. Press Start
2. Select Settings
3. Select About (this may not be on the first screen of options)
4. Look at the build number. if the build number is above 17740 (ex. Build 17742.0.2.1) then you can use S/MIME on your WM6 device
6. Validate a certificate on an email
1. Open a signed email
2. Select the “View signature status” link to open the Signature Information page
3. Check the certificate by pressing Menu and selecting “Check Certificate” (This will let the device validate the certificate against the server. The result of this check will be displayed in the Signature Status field)
7. Sending an S/MIME encrypted email
To send an S/MIME signed/encrypted email, you will need to turn email encryption on for your device.
Windows Mobile 5 & 6 Standard (usually non-touchscreen devices)
1. Press Start
2. Select ActiveSync
3. Press Menu
4. Select Options (note: This will be grayed out if your device is connected to your desktop via a USB cable)
5. Highlight Email
6. Press Settings
7. Press Menu
8. Select Advanced
9. Check the Encrypt messages and/or Sign messages checkboxes
10. Press Done
Windows Mobile 5 & 6 Professional (usually touchscreen devices)
1. Select Start
2. Select ActiveSync
3. Press Menu
4. Select Options…
5. Select Email
6. Press Settings…
7. Select Advanced…
8. Check Encrypt all outgoing e-mail messages and/or Sign all outgoing e-mail messages
9. Press OK
All the messages sent from this device will now be signed and/or encrypted.
Note: to send an encrypted message, the recipient’s public certificate needs to be available. It can be acquired in two ways:
1. After receiving a signed message from the recipient, add him/her to your contacts with his/her certificate using Outlook.
2. The recipient publishes his/her certificate to the Global Address List (GAL) on the Exchange Server that you sync with. You can publish your certificate to the GAL through Outlook 2007 by doing the following:
1) Open Outlook 2007
2) Select Tools
3) Select Trust Center…
4) Click on Email Security
5) Push the Publish to GAL… button
- James Chen, Adam Glick