Upload S/MIME user certificate with Outlook to the GAL


Hi @all in the Exchange Hub,

I have some questions regarding the possibility of allowing users to upload S/MIME certificates to the global address list. We get the certificates from a third-party supplier (no self-generation via AD).

At the moment we are using an on-premises mail server (no Exchange) and want to migrate to Exchange Online. We built a test environment with a local Active Directory and a Microsoft 365 tenant.

I've done a test with my account in Outlook 365. All works. I was able to import the certificate and publish it in the GAL. A pop-up confirmed the successful upload to the GAL.

On another account we tried the same and got the following message:

"There are no valid security settings to publish. Do you want to remove the previously published settings?" (sorry, translated from German).

If I press No --> nothing happens.
If I press Yes --> the following message appears:

"Your certificates were successfully removed" --> and nothing happens (no confirmation of a successful upload).

Where is the error? What do I have to configure so that it works?

And another essential question:

If I search the Microsoft docs for how users can publish certificates, I can only find the path:
Outlook --> local Active Directory --> AD Connect --> Exchange Online

Is this the only way of publishing?

Background of this question:

I mentioned above that the GAL publishing of my certificate worked. I can't find the certificate in the local Active Directory in the userCertificate attribute. But I can find a certificate (via PowerShell) in Exchange Online.

Hope you understand my questions.

Thanks in advance for answering :)

 

3 Replies

Are all required properties provisioned in the certificate, e.g. e-mail address?

Yes, tested the certificate on another system. It's working.
My own certificate is from the same CA as the other one which is not working.

Made some tests in the past. Maybe these commands help you further:

###############################################################################
# Set UserCertificate in EXO
###############################################################################
Connect-ExchangeOnline
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\temp\a.bohren@icewolf.ch_swisssign.cer")
# UserCertificate is multi-valued; wrapping the DER bytes in an ArrayList passes
# the blob as one value instead of one value per byte
$certArray = New-Object System.Collections.ArrayList
$certArray.Insert(0, $cert.GetRawCertData())
# Identity was redacted in the original post; use the mailbox's SMTP address
Set-Mailbox -Identity "email address removed for privacy reasons" -UserCertificate $certArray

# Read the published certificate back from Exchange Online and decode the first entry
# (Get-RemoteMailbox is the on-premises Exchange cmdlet for the same object)
$MBX = Get-Mailbox -Identity "email address removed for privacy reasons"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($MBX.UserCertificate[0])
$Cert | fl

###############################################################################
# AD
###############################################################################
# Show what is currently stored in the user's userCertificate attribute
$ADUser = Get-ADUser -Identity "a.bohren" -Properties userCertificate
$ADUser.userCertificate
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ADUser.userCertificate[0])
$Cert | fl

# Replace the attribute: clear it, then add the DER bytes of the new certificate
Set-ADUser -Identity "a.bohren" -Clear "userCertificate"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\temp\a.bohren@icewolf.ch_swisssign.cer")
Set-ADUser -Identity "a.bohren" -Add @{"userCertificate" = $cert.RawData}
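As an added example that is not part of this thread: the first reply asks whether the certificate carries everything Outlook needs, in particular the e-mail address. The PowerShell function below checks a .cer file for that and for the other properties an S/MIME certificate should have before it is published with the Set-Mailbox or Set-ADUser commands above: the address in the certificate compared with the mailbox address, the Secure Email extended key usage (OID 1.3.6.1.5.5.7.3.4), signing and encryption key-usage bits, the validity period, and whether it chains to a root trusted on the machine running the check. The file path, the SMTP address and the function name are placeholders, not values from the thread.

```powershell
# Added example, not code from the original post. Pre-flight check of an
# S/MIME certificate before publishing it to the GAL. All names and paths
# are placeholders.
function Test-SmimeCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $SmtpAddress
    )

    $secureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (Secure Email)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

    # 1. E-mail address. GetNameInfo returns the rfc822Name from the Subject
    #    Alternative Name if present, otherwise E= from the Subject. It has to
    #    match the address of the mailbox the certificate is published for.
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName
    $certEmail = $cert.GetNameInfo($nameType, $false)
    $emailOk   = $certEmail -ieq $SmtpAddress

    # 2. Extended key usage: if the extension exists it must list Secure Email.
    #    A certificate without the extension is not restricted to any purpose.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $secureEmailOid)

    # 3. Key usage: signing needs DigitalSignature, encryption needs
    #    KeyEncipherment (RSA) or KeyAgreement (ECC). No extension = unrestricted.
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $canSign    = $true
    $canEncrypt = $true
    if ($ku) {
        $canSign    = $ku.KeyUsages.HasFlag($kuFlags::DigitalSignature)
        $canEncrypt = $ku.KeyUsages.HasFlag($kuFlags::KeyEncipherment) -or
                      $ku.KeyUsages.HasFlag($kuFlags::KeyAgreement)
    }

    # 4. Validity period.
    $now    = Get-Date
    $dateOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    # 5. Chain to a trusted root for the Secure Email purpose, evaluated against
    #    this machine's certificate stores. Revocation is NoCheck so the example
    #    runs offline; use Online in production so revoked certificates fail here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $secureEmailOid))
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk     = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        CertificateEmail = $certEmail
        EmailMatches     = [bool]$emailOk
        SecureEmailEku   = [bool]$ekuOk
        CanSign          = [bool]$canSign
        CanEncrypt       = [bool]$canEncrypt
        CurrentlyValid   = [bool]$dateOk
        ChainTrusted     = [bool]$chainOk
        ChainErrors      = $chainErrors
        ReadyToPublish   = [bool]($emailOk -and $ekuOk -and $canSign -and $canEncrypt -and $dateOk -and $chainOk)
    }
}

# Placeholder path and address; replace with the user's .cer file and primary SMTP address.
Test-SmimeCertificate -CertPath 'D:\temp\user.cer' -SmtpAddress 'user@example.com' | Format-List
```

Run it on the workstation where Outlook does the publishing, because the chain check uses that machine's trust stores. A certificate that fails one of these checks is the first thing to fix; a certificate that passes all of them can still be rejected for reasons outside the file itself (for example the matching private key not being installed in the user's store), so the result narrows the search rather than proving the client configuration correct.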