Sending and receiving S/MIME encrypted email with third parties who do not use Encryption Management Server
Last Updated June 27, 2018
Encryption Management Server supports the exchange of S/MIME encrypted messages with external users. In order to exchange S/MIME email:
You need the third party's public S/MIME certificate.
You need to trust the third party's certificate, which means you also need to trust the certificates that issued it (the rest of its chain).
The third party needs your public S/MIME certificate.
The third party needs to trust your public Organization Certificate because it issues your personal certificate.
Some of this initial configuration can be automated:
If your Encryption Management Server has the Keyserver service enabled and it is reachable from the Internet then the third party may be able to search your key server for certificates.
If the third party has a Keyserver such as Encryption Management Server that is reachable from the Internet then your Encryption Management Server can search it for certificates.
If your Encryption Management Server has the Web Email Protection service enabled and third parties can log on to the Web Email Protection portal from the Internet, third parties can be permitted to upload their public certificates and download your public Organization Certificate.
However, in many cases it will not be possible to automate the initial exchange of public certificates.
Encryption Management Server 3.3 and above.
To exchange public certificates manually, you need to do the following:
Create or import an Organization Certificate in the Encryption Management Server administration console from the Keys / Organization Keys page. The Organization Certificate will almost certainly be a self-signed certificate because of the difficulty of obtaining a trusted Root Signing Certificate from an external certificate authority.
Within 24 hours, Encryption Management Server (SEMS) will provide all Internal Users with their own S/MIME certificates.
In order for a third party to send an Internal User an S/MIME encrypted message, you will need to provide the third party with (a) the public Organization Certificate and (b) the Internal User's S/MIME certificate.
To export the public Organization Certificate simply click on its name from the Organization Keys page and choose to export the public certificate as a *.pem file.
To export an Internal User's certificate, click on the user's name to access the Internal User Information page, scroll down to Managed Keys and click on the Key ID to enter the Managed Key Information page. Scroll down to Certificates and choose the correct certificate to export. For SKM key mode users there will be two certificates for each user. Export the certificate that contains dataEncipherment as one of its Usage attributes.
The public Organization Certificate and the user certificate will both be exported as *.pem files. For use with Windows and Outlook, rename them to *.cer files and give them meaningful names, e.g., company.cer and username.cer.
Send both certificates to the third party. Outlook may block *.cer attachments, so the easiest way of sending them by email is either to rename them to *.txt files or to open each *.cer file in a text editor and copy and paste the text into the body of a message. The recipient can then copy and paste the certificates into *.cer files. Each certificate begins with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
The third party needs to trust the Organization Certificate. To do this, they need to double-click on the *.cer file and click on Install Certificate to launch the Certificate Import Wizard. Rather than let the wizard choose the certificate store in which to place the certificate, the third party needs to place the certificate in the Trusted Root Certification Authorities store.
The third party should then create or edit the Encryption Management Server user's record in Outlook Contacts and click on the Certificates toolbar icon. From there they can import the user's *.cer file and save the contact record.
The third party can then send the Encryption Management Server user an S/MIME encrypted message by clicking on the Encrypt toolbar icon when composing a message in Outlook.
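The manual exchange above leaves the recipient with two or three certificate blocks pasted into a message body and the job of turning them back into *.cer files and picking the right ones: the self-signed Organization Certificate to trust, and, for an SKM user, the certificate whose usage includes dataEncipherment rather than the signing one. The Python example below is added here for illustration and is not code from the article or from the product. Using only the standard library, it extracts every -----BEGIN CERTIFICATE----- block, decodes it, reads issuer, subject and KeyUsage straight from the DER, and selects the self-signed Organization Certificate together with the user certificate it issued that carries dataEncipherment. The sample message and the certificates in it are constructed inside the block with placeholder keys and signatures and assumed names ("Example Org Certificate", alice@example.com), so they parse but could never be verified; it is a sorting aid, not a substitute for installing company.cer into Trusted Root Certification Authorities as described.

```python
"""Sort certificate blocks pasted into an e-mail into the Organization Certificate and the
user's S/MIME encryption certificate (stdlib only). Added illustration, not Symantec/Broadcom
code; the sample certificates are constructed with placeholder keys and signatures."""
import base64
import re
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME, OID_KEY_USAGE = bytes.fromhex("550403"), bytes.fromhex("551d0f")
OID_RSA = bytes.fromhex("2a864886f70d010101")                            # rsaEncryption
# KeyUsage bits; bit 0 is the MSB of the first BIT STRING byte (RFC 5280 4.2.1.3)
DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, DATA_ENCIPHERMENT, KEY_CERT_SIGN = 0x80, 0x20, 0x10, 0x04

def der_encode(tag, content):
    """Minimal DER TLV encoder (definite length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_decode(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:                                                  # long form: n & 0x7F length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def der_children(content):
    """Yield (tag, content) for each TLV packed inside a constructed element."""
    pos = 0
    while pos < len(content):
        tag, value, pos = der_decode(content, pos)
        yield tag, value

def name_cn(name):                      # Name ::= SEQUENCE OF SET OF SEQUENCE {type OID, value}
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            oid, value = [v for _, v in der_children(atv)]
            if oid == OID_COMMON_NAME:
                return value.decode()
    return ""

def parse_certificate(der):
    """Issuer, subject and KeyUsage of one X.509 certificate; no signature check."""
    tag, body, end = der_decode(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    fields = list(der_children(next(der_children(body))[1]))       # tbsCertificate
    if fields[0][0] == 0xA0:                                       # optional [0] version
        fields.pop(0)
    # serial, signature, issuer, validity, subject, spki, then [1]/[2]/[3] extensions
    issuer, subject, key_usage = fields[2][1], fields[4][1], 0
    exts = dict(fields[6:]).get(0xA3, b"\x30\x00")                 # [3] EXPLICIT Extensions, if any
    for _, ext in der_children(next(der_children(exts))[1]):
        parts = [v for _, v in der_children(ext)]                   # OID, [critical], OCTET STRING
        if parts[0] == OID_KEY_USAGE:
            bits = der_decode(parts[-1])[1]                         # unused-bit count, then bits
            key_usage = bits[1] if len(bits) > 1 else 0
    return {"issuer_name": issuer, "subject_name": subject, "subject": name_cn(subject),
            "issuer": name_cn(issuer), "key_usage": key_usage, "der": der}

def classify_pasted_certificates(text):
    """Recover the PEM blocks pasted into a message body, then pick the self-signed
    Organization Certificate and the user certificate it issued that carries dataEncipherment."""
    certs = []
    for b64 in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(b64.split()), validate=True)   # tolerate re-wrapped lines
        certs.append(parse_certificate(der))
    orgs = [c for c in certs if c["issuer_name"] == c["subject_name"]]
    if len(orgs) != 1:
        raise ValueError("expected exactly one self-signed Organization Certificate")
    users = [c for c in certs if c not in orgs and c["issuer_name"] == orgs[0]["subject_name"]
             and c["key_usage"] & DATA_ENCIPHERMENT]
    if len(users) != 1:
        raise ValueError("expected one dataEncipherment certificate issued by the organization")
    return {"organization": orgs[0], "user": users[0]}

def build_sample_certificate(subject_cn, issuer_cn, key_usage):
    """Constructed v3 certificate skeleton: real structure, placeholder key and signature."""
    def name(cn):
        atv = der_encode(0x30, der_encode(0x06, OID_COMMON_NAME) + der_encode(0x0C, cn.encode()))
        return der_encode(0x30, der_encode(0x31, atv))
    alg = der_encode(0x30, der_encode(0x06, OID_RSA) + b"\x05\x00")
    unused = (key_usage & -key_usage).bit_length() - 1 if key_usage else 0  # trailing zero bits
    ku_ext = der_encode(0x30, der_encode(0x06, OID_KEY_USAGE) + der_encode(0x01, b"\xff")
                        + der_encode(0x04, der_encode(0x03, bytes([unused, key_usage]))))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))    # version v3
                     + der_encode(0x02, b"\x01") + alg + name(issuer_cn)
                     + der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"250101000000Z"))
                     + name(subject_cn) + der_encode(0x30, alg + der_encode(0x03, b"\x00placeholder-key"))
                     + der_encode(0xA3, der_encode(0x30, ku_ext)))
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00placeholder-signature"))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

ORG_CN, USER_CN = "Example Org Certificate", "alice@example.com"        # assumed names
# Constructed message body: company.cer plus both of an SKM user's certificates pasted as text
SAMPLE_MESSAGE = "Hi, our certificates follow as text.\n\n" + "\n".join(
    to_pem(build_sample_certificate(s, i, k)) for s, i, k in [
        (ORG_CN, ORG_CN, KEY_CERT_SIGN), (USER_CN, ORG_CN, DIGITAL_SIGNATURE),
        (USER_CN, ORG_CN, KEY_ENCIPHERMENT | DATA_ENCIPHERMENT)]) + "\nRegards\n"

if __name__ == "__main__":
    for label, cert in classify_pasted_certificates(SAMPLE_MESSAGE).items():
        print(f"{label}: CN={cert['subject']!r} issuer={cert['issuer']!r} keyUsage=0x{cert['key_usage']:02x}")
```

Running the block prints which pasted block is the Organization Certificate and which is the user's encryption certificate; the "der" entry of each result is what you would write out as company.cer and username.cer. The parser deliberately reads only issuer, subject and KeyUsage: it does not check signatures, validity dates or revocation, which Windows and Outlook do once the Organization Certificate sits in the Trusted Root Certification Authorities store.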
In order for Encryption Management Server users to send S/MIME encrypted messages to a third party, the third party's certificate needs to be imported to Encryption Management Server as an External User.
All certificates in the third party's certificate chain should be imported into Encryption Management Server from the Keys / Trusted Keys page in the administration console. The Trust key for verifying mail encryption keys option should be enabled. If this is not done, Encryption Management Server will still be able to encrypt mail for the third party, but it will not be able to check whether the third party's certificate has been revoked.
If Encryption Management Server has Web Email Protection enabled, Web Email Protection users can be permitted to upload their own public S/MIME certificate (or public PGP key) using the Web Email Protection portal. To enable this functionality, modify the policy associated with Web Email Protection users (usually the Default policy) and enable the option Import OpenPGP Key or digital ID/X.509 Certificate for S/MIME. When a third party uploads their certificate, they are prompted to download the public Organization Certificate.
If third parties use Microsoft Outlook they can add Encryption Management Server as an Internet Directory Service (LDAP) address book and search Encryption Management Server for certificates. Please see article TECH249774 for further details. The Encryption Management Server needs to have the Keyserver service running and be accessible from the Internet over LDAP (port 389).
Some organizations publish their Organization Certificate on their public web site so that third parties can download it rather than it having to be sent to them. Alternatively, it can be published to a third party web site that stores public certificates.
Imported Document ID: TECH208554