Export (0) Print
Expand All
Expand Minimize

Set-SmimeConfig

Exchange Online
 

Applies to: Exchange Server 2013, Exchange Online

Topic Last Modified: 2014-04-11

This cmdlet is available in on-premises Exchange Server 2013 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Set-SmimeConfig cmdlet to modify the S/MIME configuration for Microsoft Outlook Web App.

For information about the parameter sets in the Syntax section below, see Syntax.

Set-SmimeConfig [-Identity <OrganizationIdParameter>] [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-Name <String>] [-OWAAllowUserChoiceOfSigningCertificate <$true | $false>] [-OWAAlwaysEncrypt <$true | $false>] [-OWAAlwaysSign <$true | $false>] [-OWABCCEncryptedEmailForking <UInt32>] [-OWACheckCRLOnSend <$true | $false>] [-OWAClearSign <$true | $false>] [-OWACopyRecipientHeaders <$true | $false>] [-OWACRLConnectionTimeout <UInt32>] [-OWACRLRetrievalTimeout <UInt32>] [-OWADisableCRLCheck <$true | $false>] [-OWADLExpansionTimeout <UInt32>] [-OWAEncryptionAlgorithms <String>] [-OWAEncryptTemporaryBuffers <$true | $false>] [-OWAForceSMIMEClientUpgrade <$true | $false>] [-OWAIncludeCertificateChainAndRootCertificate <$true | $false>] [-OWAIncludeCertificateChainWithoutRootCertificate <$true | $false>] [-OWAIncludeSMIMECapabilitiesInMessage <$true | $false>] [-OWAOnlyUseSmartCard <$true | $false>] [-OWASenderCertificateAttributesToDisplay <String>] [-OWASignedEmailCertificateInclusion <$true | $false>] [-OWASigningAlgorithms <String>] [-OWATripleWrapSignedEncryptedMail <$true | $false>] [-OWAUseKeyIdentifier <$true | $false>] [-OWAUseSecondaryProxiesWhenFindingCertificates <$true | $false>] [-SMIMECertificateIssuingCA <Byte[]>] [-WhatIf [<SwitchParameter>]]

This example sets the S/MIME configuration to allow users the choice of signing the message, limits the Certificate Revocation List (CRL) retrieval time-out to 10 seconds, and specifies the 128 bit RC2 encryption algorithm.

Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $true -OWACRLRetrievalTimeout 10000 -OWAEncryptionAlgorithms 6602:128

WarningWarning:
The Set-SmimeConfig cmdlet can change several important parameters than can reduce the overall level of message security. Review your organization's security policy before you make any changes.
You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "S/MIME configuration" entry in the Clients and mobile devices permissions topic.

 

Parameter Required Type Description

Confirm

Optional

System.Management.Automation.SwitchParameter

This parameter is reserved for internal Microsoft use.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

This parameter is reserved for internal Microsoft use.

Identity

Optional

Microsoft.Exchange.Configuration.Tasks.OrganizationIdParameter

This parameter is reserved for internal Microsoft use.

Name

Optional

System.String

This parameter is reserved for internal Microsoft use.

OWAAllowUserChoiceOfSigningCertificate

Optional

System.Boolean

The OWAAllowUserChoiceOfSigningCertificate parameter specifies whether to allow users to select the certificate to use when they digitally sign email messages in Outlook Web App.

Valid input for this parameter is $true or $false. The default value is $false.

OWAAlwaysEncrypt

Optional

System.Boolean

The OWAAlwaysEncrypt parameter specifies whether all outgoing messages are automatically encrypted in Outlook Web App.

Valid input for this parameter is $true or $false. The default value is $false.

OWAAlwaysSign

Optional

System.Boolean

The OWAAlwaysSign parameter specifies whether all outgoing messages are automatically signed in Outlook Web App.

Valid input for this parameter is $true or $false. The default value is $false.

OWABCCEncryptedEmailForking

Optional

System.UInt32

The OWABCCEncryptedEmailForking parameter specifies how Bcc messages are encrypted in Outlook Web App. This parameter uses the following values:

  • 0 = One encrypted message per Bcc recipient.

  • 1 = One single encrypted message for all Bcc recipients.

  • 2 = One encrypted message without Bcc forking.

The default value is 0.

NoteNote:
This setting affects the security and privacy of Outlook Web App. Consult your organization's security policy before you change this setting.

OWACheckCRLOnSend

Optional

System.Boolean

The OWACheckCRLOnSend parameter specifies how the certificate revocation list (CRL) check is enforced when an email message is sent in Outlook Web App.

Valid input for this parameter is $true or $false. The default value is $false.

When this parameter is set to $false and the CRL distribution point is inaccessible, Outlook Web App allows signed or encrypted messages to be sent. When this parameter is set to $true, Outlook Web App displays a warning dialog box and prevents signed or encrypted messages from being sent.

OWAClearSign

Optional

System.Boolean

The OWAClearSign parameter specifies how email messages are signed in Outlook Web App.

Valid input for this parameter is $true or $false. The default is $true.

When this parameter is set to $true, digitally signed messages are clear-signed. When this parameter is set to $false, digitally signed messages are opaque-signed. Clear-signed messages are larger than opaque-signed messages, but clear-signed messages can be read in most email clients, including clients that don't support S/MIME.

OWACopyRecipientHeaders

Optional

System.Boolean

This parameter is reserved for internal Microsoft use.

OWACRLConnectionTimeout

Optional

System.UInt32

The OWACRLConnectionTimeout parameter specifies the time in milliseconds that Outlook Web App waits while connecting to retrieve a single CRL as part of a certificate validation operation.

Valid input for this parameter is an integer between 0 and 4294967295 (UInt32). The default value is 60000 (60 seconds).

When multiple CRLs in a certificate chain must be retrieved, the time limit that's specified by this parameter applies to each connection. For example, if a certificate requires the retrieval of three CRLs, and this parameter is set to 60000 (60 seconds), each individual CRL retrieval operation has a time limit of 60 seconds. If any one of the CRLs isn't retrieved before the time limit expires, the entire operation fails. The total time limit for all the retrievals is controlled by the OWACRLRetrievalTimeout parameter.

OWACRLRetrievalTimeout

Optional

System.UInt32

The OWACRLRetrievalTimeout parameter specifies the time in milliseconds that Outlook Web App waits to retrieve all CRLs when validating a certificate.

Valid input for this parameter is an integer between 0 and 4294967295 (UInt32). The default value is 10000 (10 seconds).

If all the required CRLs are not retrieved before the time limit expires, the operation fails. Suppose the retrieval of three CRLs is required, the OWACRLConnectionTimeout value is set to 60000 (60 seconds), and the OWACRLRetrievalTimeout is set to 120000 (2 minutes). In this example, if any individual CRL retrieval takes more than 60 seconds, the operation fails. Also, if all the CRL retrievals together take more than 120 seconds, the operation fails.

OWADisableCRLCheck

Optional

System.Boolean

The OWADisableCRLCheck parameter enables or disables CRL checking in Outlook Web App.

Valid input for this parameter is $true or $false. The default value is $false. When set to $true, this parameter disables CRL checks when validating certificates. Disabling CRL checking can decrease the time that's required to validate the signatures of signed email messages, but it also validates email messages signed with revoked certificates.

OWADLExpansionTimeout

Optional

System.UInt32

The OWADLExpansionTimeout parameter specifies the time in milliseconds that Outlook Web App waits when sending encrypted messages to members of a distribution group that requires expansion.

Valid input for this parameter is an integer between 0 and 4294967295 (UInt32). The default value is 60000 (60 seconds). If the operation doesn't complete in the time specified by this parameter, the operation fails and the message is not sent.

When sending an encrypted message to a distribution group, Exchange expands the distribution group to retrieve the encryption certificate of each recipient. While the distribution group is being expanded, the sender receives no response from Outlook Web App.

The timeout value that's specified by this parameter is applied to the expansion of each distribution group. For example, if an encrypted message is sent to three distribution group, and the value of this parameter is 60000 (60 seconds), the entire operation can take no more than 180 seconds.

OWAEncryptionAlgorithms

Optional

System.String

The OWAEncryptionAlgorithms parameter specifies a list of algorithms that are used by Outlook Web App to encrypt messages.

Valid input for this parameter is a semicolon-separated list of symmetric encryption algorithm identifiers. When you use an algorithm that supports multiple key lengths, you need to specify the key length. Note that RC2 is the only supported algorithm that that offers multiple key lengths.

You can specify the object identifier (OID) of the cryptographic service provider (CSP) when using third-party CSPs. An OID must be specified together with an algorithm ID. Outlook Web App needs an algorithm ID so that it can infer how the algorithm should be used. For example, to provide a custom replacement for the 3DES algorithm, you would specify the algorithm ID of 3DES (6603) and the custom OID of the replacement algorithm by using the value 6603,<OID>.

The encryption algorithms, key length values, and algorithm IDs that you can use with this parameter are described in the following list:

  • RC2 algorithm ID   6602 (supported key lengths are 40, 56, 64, and 128)

  • DES (56-bit) algorithm ID   6601

  • 3DES (168-bit) algorithm ID   6603

  • AES128 algorithm ID   660E

  • AES192 algorithm ID   660F

  • AES256 algorithm ID   6610

This parameter uses the following syntax:

{Algorithm ID} |; [Algorithm ID] | [,Custom replacement algorithm OID] |; [Algorithm ID[:key length]] ....

For example, to set the encryption algorithms to 3DES, RC2-128, RC2-64, DES, and RC2-56, use the following value: 6603;6602:128;6602:64;6601;6602:56.

The algorithm specified by OWAEncryptionAlgorithms is always used. If the parameter is not specified or is not formatted correctly, Outlook Web App uses the default value 6610 (AES256). If the encryption algorithm or minimum key length is not available on a client, Outlook Web App does not allow encryption.

OWAEncryptTemporaryBuffers

Optional

System.Boolean

The OWAEncryptTemporaryBuffers parameter specifies whether the Outlook Web App client-side temporary message storage buffers are encrypted.

Valid input for this parameter is $true or $false. The default value is $true.

By default, all client-side temporary buffers that store message data are encrypted using an ephemeral key and the 3DES algorithm. Setting this parameter to $false disables temporary buffer encryption.

NoteNote:
Disabling encryption of the buffers can increase performance of the Outlook Web App client but also leaves information unencrypted in the client's buffer. Consult your organization's security policy before you disable this feature.

OWAForceSMIMEClientUpgrade

Optional

System.Boolean

The OWAForceSMIMEClientUpgrade parameter specifies whether or not users are forced to upgrade an S/MIME control that's older than their current version in Outlook Web App.

Valid input for this parameter is $true or $false. The default is $true.

If the parameter is set to $true, users need to download and install the new control before they can use S/MIME. If this parameter is set to $false, users receive a warning if the S/MIME control on their computer is not current, but they can still use S/MIME without updating the control.

OWAIncludeCertificateChainAndRootCertificate

Optional

System.Boolean

The OWAIncludeCertificateChainAndRootCertificate parameter specifies whether the certificate chains and root certificates of the signing or encryption certificates are included in the message in Outlook Web App.

Valid input for this parameter is $true or $false. The default value is $false.

OWAIncludeCertificateChainWithoutRootCertificate

Optional

System.Boolean

The OWAIncludeCertificateChainWithoutRootCertificate parameter specifies whether the certificate chains of the signing or encryption certificates are included in messages in Outlook Web App.

Valid input for this parameter is $true or $false. The default is $false.

By default, Outlook Web App includes only the signing and encrypting certificates, not their corresponding certificate chains. When this parameter is set to $true, signed or encrypted messages include the full certificate chain, but not the root certificate.

OWAIncludeSMIMECapabilitiesInMessage

Optional

System.Boolean

The OWAIncludeSMIMECapabilitiesInMessage parameter specifies whether signed and encrypted messages in Outlook Web App include attributes that describe the supported encryption and signing algorithms.

Valid input for this parameter is $true or $false. The default is $false.

Enabling this option increases the size of messages, but may make it easier for some email clients to interact with encrypted messages in Outlook Web App.

OWAOnlyUseSmartCard

Optional

System.Boolean

The OWAOnlyUseSmartCard parameter specifies whether smartcard-based certificates are required for Outlook Web App message signing and decryption.

Valid input for this parameter is $true or $false. The default is $false

When this parameter is set to $true, the use of smartcard-based certificates for signing and decryption is required when you use Outlook Web App and the S/MIME control.

OWASenderCertificateAttributesToDisplay

Optional

System.String

The OWASenderCertificateAttributesToDisplay parameter controls which certificate attributes are displayed when signature verification proceeds despite a mismatch between the sender's email address and the email address in sender’s certificate.

The parameter accepts a comma-separated list of object identifiers (OIDs). This setting is blank ($null) by default.

OWASignedEmailCertificateInclusion

Optional

System.Boolean

The OWASignedEmailCertificateInclusion parameter specifies whether the sender's encryption certificate is excluded from a signed email message in Outlook Web App.

Valid input for this parameter is $true or $false. The default is $true.

By default, Outlook Web App and the S/MIME control include both signing and encrypting certificates with signed email messages. When this parameter is set to $false, the size of encrypted messages is reduced. However, recipients don't have access to the sender's encryption certificate in the message. Recipients need to retrieve the certificate from a directory, or from the sender.

OWASigningAlgorithms

Optional

System.String

The OWASigningAlgorithms parameter specifies the list of signing algorithms that are used by Outlook Web App to sign messages with the S/MIME control.

Valid input for this parameter is a semicolon-separated list of symmetric encryption algorithm identifiers.

You can specify the object identifier (OID) of the cryptographic service provider (CSP) when using third-party CSPs. An OID must be specified together with an algorithm ID. Outlook Web App needs an algorithm ID so that it can infer how the algorithm should be used. For example, to provide a custom replacement for the SHA1 algorithm, you would specify the algorithm ID of SHA1 (8804) and the custom OID of the replacement algorithm by using the value 8804,<OID>.

This parameter supports the following algorithms.

  • CALG_SHA_512   Type: 512 bit secure hashing algorithm (SHA). Algorithm ID: 800E.

  • CALG_SHA_384   Type: 384 bit SHA. Algorithm ID: 800D.

  • CALG_SHA_256   Type: 256 bit SHA. Algorithm ID: 800C.

  • SHA1   Type: SHA. Algorithm ID: 8004.

  • CALG_MD5   Type: MD5 hashing algorithm. Algorithm ID: 8003.

This parameter uses the following syntax:

{Algorithm ID} |; [Algorithm ID] | [,Custom replacement algorithm OID] |; [Algorithm ID[:key length]] ...

For example, to set the signing algorithms to CALG_SHA_512, SHA1, and CALG_MD5, use the value 800E;8004;8003.

The algorithm specified by OWASigningAlgorithms is always used. If this parameter is not specified or is not formatted correctly, Outlook Web App defaults to 8004 (SHA1).

OWATripleWrapSignedEncryptedMail

Optional

System.Boolean

The OWATripleWrapSignedEncryptedMail parameter specifies whether signed and encrypted email messages in Outlook Web App are triple-wrapped.

Valid input for this parameter is $true or $false. The default is $true.

A triple-wrapped message is a signed message that is encrypted, and then the encrypted message is signed (signed-encrypted-signed). When this parameter is set to $false, the signed message is encrypted only (there is no additional signing of the encrypted message). Triple-wrapped messages offer the highest level of security for messages under the S/MIME standard, but are larger in size.

OWAUseKeyIdentifier

Optional

System.Boolean

The OWAUseKeyIdentifier parameter specifies whether a certificate's key identifier is used to encode the asymmetrically encrypted token in Outlook Web App.

Valid input for this parameter is $true or $false. The default is $false.

By default, Outlook Web App encodes the asymmetrically encrypted token (sometimes called a lockbox) that's required to decrypt the rest of the message by indicating the issuer and serial number of each recipient's certificate. The issuer and serial number can then be used to locate the certificate and private key for decrypting the message.

This parameter causes the use of a certificate's key identifier when encoding the asymmetrically encrypted token. Because a key pair can be reused in new certificates, using the key identifier for encrypted email messages means that users need to keep only the most recent certificate and associated private key, rather than all old certificates. Because some email clients do not support finding certificates with a key identifier, Outlook Web App uses the issuer and serial number of each recipient's certificate by default.

OWAUseSecondaryProxiesWhenFindingCertificates

Optional

System.Boolean

The OWAUseSecondaryProxiesWhenFindingCertificates parameter specifies whether alternative proxies are used during the certificate search in Outlook Web App.

Valid input for this parameter is $true or $false. The default is $true.

Outlook Web App attempts to find the correct certificate for a recipient when sending encrypted messages. The certificate subject or subject alternative name values can each contain an email address. Because a recipient can have multiple proxy addresses, the certificate's subject or subject alternative name values may not match the recipient's primary SMTP address. When this parameter is set to $true, and the certificate subject or subject alternative name values do not match the recipient's primary SMTP address, Outlook Web App tries to match the certificate's subject to one of the recipient's proxy addresses.

SMIMECertificateIssuingCA

Optional

System.Byte[]

The SMIMECertificateIssuingCA parameter specifies the serialized certificate store (SST) that contains the Certificate Authority (CA) signing and intermediate certificate information.

You need to read the file to a byte-encoded object using the Get-Content cmdlet. For example: -SMIMECertificateIssuingCA $([byte[]](Get-Content -Encoding byte -Path "C:\Temp\CACertificateSerializedStore.sst" -ReadCount 0)

Each certificate is checked, and if any certificates are expired, the operation will fail.

WhatIf

Optional

System.Management.Automation.SwitchParameter

The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft