S/MIME Configuration

June 25, 2014

S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. With S/MIME, users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.

Procedure Overview

  1. Install Active Directory Certificate Services (AD CS) to issue certificates.

  2. Enable S/MIME in Exchange ActiveSync mailbox policy.

  3. Request the user certificate.

  4. Export the certificate to install on mobile device.

  5. Install the certificate on mobile device.

  6. Enable S/MIME on mobile device.

Prerequisites

  • Install the Client Access and Mailbox servers in your organization.

  • Determine the required permissions for Exchange 2013. For more information, see Feature Permissions.

  • Install Active Directory Certificate Services (AD CS) so that you can issue user certificates for S/MIME.

  • Determine the permissions that you need for managing ECP. For more information, see the "Exchange Administration Center connectivity" entry in the Exchange and Shell Infrastructure Permissions topic.

  • Only the Shell can be used to perform some procedures. For more information about how to open the Shell in your on-premises Exchange organization, see Open the Shell.

Configuring S/MIME

Install Active Directory Certificate Service (AD CS) to issue certificates

This procedure installs Active Directory Certificate Services (AD CS) on Windows Server 2012 R2. AD CS is the server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization. AD CS provides customizable services for issuing and managing digital certificates used in software security systems that employ public key technologies. These digital certificates can be used for authentication of computer, user, or device accounts on a network. For an overview of AD CS, see the TechNet article Active Directory Certificate Services (AD CS).

Install AD CS

  1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.

  2. In Server Manager, click Manage, and then click Add Roles and Features. The Add Roles and Features Wizard opens.

  3. In Before You Begin, click Next.

  4. In Select Installation Type, ensure that Role-Based or feature-based installation is selected, and then click Next.

  5. In Select destination server, ensure that Select a server from the server pool is selected. In Server Pool, ensure that the local computer is selected. Click Next.

  6. In Select Server Roles, in Roles, select Active Directory Certificate Services. When you are prompted to add required features, click Add Features, and then click Next.

  7. In Select features, click Next.

  8. In Active Directory Certificate Services, read the provided information, and then click Next.

  9. In Confirm installation selections, click Install. Do not close the wizard during the installation process. When installation is complete, click Configure Active Directory Certificate Services on the destination server. The AD CS Configuration wizard opens. Read the credentials information and, if needed, provide the credentials for an account that is a member of the Enterprise Admins group. Click Next.

  10. In Role Services, click Certification Authority, and then click Next.

  11. On the Setup Type page, verify that Enterprise CA is selected, and then click Next.

  12. On the Specify the type of the CA page, verify that Root CA is selected, and then click Next.

  13. On the Specify the type of the private key page, verify that Create a new private key is selected, and then click Next.

  14. On the Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and hash algorithm (SHA1), and determine the best key length for your deployment. Longer keys provide stronger security; however, they can impact server performance and might not be compatible with legacy applications. It is recommended that you keep the default setting of 2048. Click Next.

  15. On the CA Name page, keep the suggested common name for the CA or change the name according to your requirements. Ensure that you are certain that the CA name is compatible with your naming conventions and purposes, because you cannot change the CA name after you have installed AD CS. Click Next.

  16. On the Validity Period page, in Specify the validity period, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click Next.

  17. On the CA Database page, in Specify the database locations, specify the folder location for the certificate database and the certificate database log. If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files. Click Next.

  18. In Confirmation, click Configure to apply your selections, and then click Close.
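The same Enterprise Root CA build as the wizard steps above, driven from an elevated PowerShell session on Windows Server 2012 R2. This is an added example, not part of the original article; the CA name and folder paths are placeholders, and the hash algorithm variable keeps the wizard default described above.

```powershell
# Run as a member of Enterprise Admins and the root domain's Domain Admins.
$CAName        = 'CONTOSO-ROOT-CA'                 # placeholder; cannot be changed after install
$DefaultCertLog = "$env:SystemRoot\System32\CertLog"
$DatabasePath  = $DefaultCertLog                   # placeholder: change to move the CA database
$LogPath       = $DefaultCertLog                   # placeholder: change to move the CA log
$HashAlgorithm = 'SHA1'                            # wizard default per the procedure; SHA256 is also accepted

# Step 6: add the Certification Authority role service plus its management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# Step 17: non-default database/log folders must be locked down before the CA
# writes to them. Break inheritance and grant only SYSTEM and Administrators.
foreach ($dir in @($DatabasePath, $LogPath) | Sort-Object -Unique) {
    if ($dir -eq $DefaultCertLog) { continue }     # default location already has a safe ACL
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $acl = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $false)    # stop inheriting permissive ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir -AclObject $acl
}

# Steps 10-18: Enterprise Root CA, new RSA 2048 key in the software KSP,
# five-year validity. -WhatIf first shows what would be configured.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = $CAName
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = $HashAlgorithm
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    DatabaseDirectory   = $DatabasePath
    LogDirectory        = $LogPath
}
Install-AdcsCertificationAuthority @caParams -WhatIf
Install-AdcsCertificationAuthority @caParams -Force

# Confirm the CA came up with the name and type chosen above.
certutil -cainfo name
certutil -cainfo type
```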

Enable S/MIME in Exchange ActiveSync mailbox policy

Exchange ActiveSync mailbox policies let you apply a common set of policy or security settings to a user or group of users.

Enable S/MIME for Exchange ActiveSync following these steps:

  1. Open the Exchange Management Shell.

  2. Run the command Get-Mobile

  3. Verify that the policy settings in the following table are configured:

    Setting: AllowSMIMEEncryptionAlgorithmNegotiation
    Type: Microsoft.Exchange.Data.Directory.SystemConfiguration.SMIMEEncryptionAlgorithmNegotiationType
    Description: The AllowSMIMEEncryptionAlgorithmNegotiation parameter specifies whether the messaging application on the mobile phone can negotiate the encryption algorithm if a recipient's certificate doesn't support the specified encryption algorithm.

    Setting: AllowSMIMESoftCerts
    Type: System.Boolean
    Description: The AllowSMIMESoftCerts parameter specifies whether S/MIME software certificates are allowed. The default value is $true.

    Setting: RequireEncryptedSMIMEMessages
    Type: System.Boolean
    Description: The RequireEncryptedSMIMEMessages parameter specifies whether you must encrypt S/MIME messages. The default value is $false.

    Setting: RequireEncryptionSMIMEAlgorithm
    Type: Microsoft.Exchange.Data.Directory.SystemConfiguration.EncryptionSMIMEAlgorithmType
    Description: The RequireEncryptionSMIMEAlgorithm parameter specifies what required algorithm must be used when encrypting a message.

    Setting: RequireSignedSMIMEAlgorithm
    Type: Microsoft.Exchange.Data.Directory.SystemConfiguration.SignedSMIMEAlgorithmType
    Description: The RequireSignedSMIMEAlgorithm parameter specifies what required algorithm must be used when signing a message.

    Setting: RequireSignedSMIMEMessages
    Type: System.Boolean
    Description: The RequireSignedSMIMEMessages parameter specifies whether the mobile phone must send signed S/MIME messages.
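Auditing and setting the six S/MIME parameters above on a mobile device mailbox policy from the Exchange Management Shell, then re-reading the policy to catch drift. This is an added example, not part of the original article; it uses the Exchange 2013 Get-MobileDeviceMailboxPolicy and Set-MobileDeviceMailboxPolicy cmdlets, and the policy name 'Default' is an assumption.

```powershell
$PolicyName = 'Default'   # assumption: the ActiveSync policy assigned to your S/MIME users

# What the policy says today. These are the same parameters the table describes.
$smimeProps = 'AllowSMIMEEncryptionAlgorithmNegotiation', 'AllowSMIMESoftCerts',
              'RequireEncryptedSMIMEMessages', 'RequireEncryptionSMIMEAlgorithm',
              'RequireSignedSMIMEAlgorithm', 'RequireSignedSMIMEMessages'
Get-MobileDeviceMailboxPolicy -Identity $PolicyName | Format-List $smimeProps

# Require signed and encrypted mail, pin the algorithms, and only let the
# device fall back to another algorithm when that algorithm is still strong.
Set-MobileDeviceMailboxPolicy -Identity $PolicyName `
    -RequireSignedSMIMEMessages $true `
    -RequireEncryptedSMIMEMessages $true `
    -RequireSignedSMIMEAlgorithm SHA1 `
    -RequireEncryptionSMIMEAlgorithm TripleDES `
    -AllowSMIMEEncryptionAlgorithmNegotiation OnlyStrongAlgorithmNegotiation `
    -AllowSMIMESoftCerts $true

# Re-read the policy and fail loudly if anything did not stick, so a typo in
# the policy name or a later change by another admin is caught at deploy time.
$policy   = Get-MobileDeviceMailboxPolicy -Identity $PolicyName
$expected = @{
    RequireSignedSMIMEMessages               = $true
    RequireEncryptedSMIMEMessages            = $true
    RequireSignedSMIMEAlgorithm              = 'SHA1'
    RequireEncryptionSMIMEAlgorithm          = 'TripleDES'
    AllowSMIMEEncryptionAlgorithmNegotiation = 'OnlyStrongAlgorithmNegotiation'
    AllowSMIMESoftCerts                      = $true
}
$drift = foreach ($name in $expected.Keys) {
    # Compare as strings so enum values and booleans line up with the literals above.
    if ("$($policy.$name)" -ne "$($expected[$name])") {
        '{0}: expected {1}, found {2}' -f $name, $expected[$name], $policy.$name
    }
}
if ($drift) {
    Write-Error ("S/MIME policy drift on '{0}':`n{1}" -f $PolicyName, ($drift -join "`n"))
} else {
    Write-Output "S/MIME policy '$PolicyName' matches the required settings."
}
```

The policy only takes effect for mailboxes it is assigned to, so check each user's assigned policy as well as the policy contents.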

Deploy Trust Root CA certificate

Deploy the root certificate authority certificate to devices following these steps:

  1. Open the System Center 2012 R2 Configuration Manager Console.

  2. Select Assets and Compliance.

  3. Expand Overview, Compliance Settings, and Company Resource Access.

  4. Right-click on Certificate Profiles and select Create Certificate Profile.

  5. On the General page, enter a name and description for the certificate, select Trusted CA certificate, and then click Next.

  6. On the Trusted CA Certificate page, click Import and browse to the location of the certificate.

  7. Select Computer certificate store - Root under Destination store and click Next.

  8. On the Summary page, review the details and click Next.

  9. On the Completion page, click Close.

Enable user certificate deployment

Follow the steps below to deploy user certificates to devices in SCCM:

  1. Open the System Center 2012 R2 Configuration Manager Console.

  2. Select Assets and Compliance.

  3. Expand Overview, Compliance Settings, and Company Resource Access.

  4. Right-click on Certificate Profiles and select Create Certificate Profile.

  5. On the General page, enter a name and description for the certificate, select Simple Certificate Enrollment Protocol (SCEP) settings, and then click Next.

  6. On the SCEP Enrollment page, select the appropriate settings for your environment and click Next.

  7. On the Certificate Properties page, click Browse for the Certificate template name.

  8. In the Certificate Template window, select the Issuing certification authority from the drop-down list and the Certificate template name from the drop-down list (this is typically the User template) and click OK.

  9. On the Certificate Properties page, check Include email address in subject name, Email address, User principal name (UPN), and the SHA-1 hash algorithm.

  10. On the Certificate Properties page, click Select for the Root CA certificate.

  11. In the Select Root Certificates window, select the Root certificate created in the previous step (Step 3) and click OK.

  12. On the Certificate Properties page, click Next.

  13. On the Supported Platforms page, select the checkbox for each platform that will request a certificate and click Next.

  14. On the Completion page, click Close.

Deploy the certificate profiles to the device

Deploy certificate profiles to devices following these steps:

  1. Open the System Center 2012 R2 Configuration Manager Console.

  2. Select Assets and Compliance.

  3. Expand Overview, Compliance Settings, and Company Resource Access.

  4. Select Certificate Profiles.

  5. Right-click on the certificate profile and select Deploy.

  6. Click Browse to select the Collection.

  7. Select the Collection to deploy the certificate profile to and click OK.

Enable S/MIME on the device

From the Windows Phone device perform the following steps:

  1. Open the company email account.

  2. Tap the to open the menu window.

  3. Tap settings.

  4. Tap sync settings.

  5. To sign messages with S/MIME, slide the Sign with S/MIME bar to the On position.

  6. To encrypt messages with S/MIME, slide the Encrypt with S/MIME bar to the On position.

  7. Tap the Check mark to save the sync settings.

  8. Tap the Check mark to save the settings.

Request user certificate manually

Follow these steps to acquire a user certificate for S/MIME:

  1. Open the Exchange Management Console.

  2. Go to the File menu and select Add/Remove Snap-in.

  3. Select Certificates and click the Add > button to add the selected snap-in and click OK.

  4. If prompted to select which certificates to manage, select My user account and click Finish.

  5. Expand Certificates – Current User.

  6. Right-click on the Personal container and select All Tasks > Request New Certificate.

  7. On the Before You Begin page, click Next.

  8. On the Select Certificate Enrollment Policy page, select Active Directory Enrollment Policy and click Next.

  9. On the Request Certificates page, select User and click Enroll.

  10. On the Certificate Installation Results page, click Finish.

Export the certificate to install on Windows Phone 8.1 device

Follow the steps below to export the certificate for installation on a Windows Phone 8.1 device:

  1. Open the MMC.

  2. Go to the File menu and select Add/Remove Snap-in.

  3. Select Certificates and click the Add > button to add the selected snap-in and click OK.

  4. If prompted to select which certificates to manage, select My user account and click Finish.

  5. Expand Certificates – Current User, then expand Personal, and select Certificates.

  6. Locate the certificate issued to the user that includes Secure Email under Intended Purposes.

  7. Right-click on the user certificate and select All Tasks > Export.

  8. On the Welcome to the Certificate Export Wizard page, click Next.

  9. On the Export Private Key page, select Yes, export the private key and click Next.

  10. On the Export File Format page, leave the default settings and click Next.

  11. On the Password page, enter a password to protect the private key and click Next.

  12. On the File to Export page, enter the file name and location for the certificate (for example, C:\Temp\usercert.pfx) and click Next.

  13. On the Completing the Certificate Export Wizard page, click Finish.
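The manual certificate request and the PFX export above, done from PowerShell on a domain-joined Windows 8.1 or Windows Server 2012 R2 machine with the PKI module. This is an added example, not part of the original article; it assumes the User template and the C:\Temp\usercert.pfx output path from the steps above, and adds the checks a practitioner would want before the file leaves the machine.

```powershell
$OutFile        = 'C:\Temp\usercert.pfx'
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection, shown as "Secure Email" in MMC

# Request steps 8-9: enroll against the Active Directory enrollment policy using
# the User template, into the current user's Personal store.
$req = Get-Certificate -Template User -CertStoreLocation Cert:\CurrentUser\My
if ($req.Status -ne 'Issued') { throw "Enrollment did not complete: status $($req.Status)" }

# Export step 6: pick the certificate that carries the Secure Email EKU, has a
# private key, and is still within its validity period (newest first).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SecureEmailEku })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No usable Secure Email certificate with a private key was found.' }
"Exporting $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# Export steps 9-12: include the private key, protected by a password the user
# types now; the same password is entered on the phone when the PFX is installed.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pfxPassword | Out-Null

# Check the file round-trips with that password and still carries the key.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$check.Import($OutFile, $pfxPassword, 'DefaultKeySet')
if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
    throw 'Exported PFX does not contain the expected certificate and private key.'
}
"Wrote $OutFile; remove it from this machine once the phone has imported it."
```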

Install certificate on the device

Follow the steps listed for installing a certificate on Windows Phone 8.1 device in the article Installing digital certificates.