Automated public S/MIME certificate distribution and configuration to domain joined devices?

  • Question

  • My team recently made the decision to enforce the use of digital email signing, and offering at least for internal purposes the option of email encryption.

    We will be purchasing S/MIME certificates from one of the top 3 globally trusted certificate service providers, whereby the CSR will be generated by my team, and we will therefore end up with roughly 150 PFX files, 1 for every mail address used and defined on our Office 365 environment. This way we can also support certificate and key roll-over, as we, as the IT team, generated the CSR and are not relying on the end-user (device) to create it.

    We make use of a local AD that syncs to AAD.

    My team and I know how to manually install the certificate for a user, and we know how to manually configure Outlook for Windows (most commonly used). We also understand how to automatically get a certificate from ADCS to a domain joined end-point.


    My first question is:

    How do I import these 150 PFX files and their relevant passwords in such a way that these certificates and keys are automatically pushed to every relevant user who makes use of a domain joined (Windows) device?

    My second question is:

    Is there a way, that enables automated configuration of Outlook, so that Outlook by default always digitally signs new and reply emails, and optionally allows for encryption to target recipients, using the installed/pushed S/MIME certificate?

    Monday, March 23, 2020 3:07 PM

Answers

  • @mikeb-2020

    Given Microsoft's Daisy Zhou's answer that what you want is not possible using native DC/AD features, or apparently other Microsoft products, you may want to make use of a third party Certificate and Key Management Solution.

    KeyTalk CKMS can be hosted by you under your control on Azure, Hyper-V or other platforms, and does allow you to securely upload any number of end-user certificates in PEM or PFX and their passwords. The CKMS can also order them for you for your users with your chosen Certificate Service Provider.

    After the PFX files are available in the CKMS, the certificate and key are sent to your Windows end-user devices, where they get installed, and the CKMS agent will auto-configure Microsoft Outlook 2010-2019/O365 as well to make the certificate usable for digital signing and encryption.

    Additionally the CKMS will send the certificate to your AD and/or Azure AD for each individual user. 

    Lastly the CKMS can send the certificate and key also to your MDM such as Office 365 Intune, allowing your mobile devices to also use email signing/encryption.

    • Marked as answer by MikeB-2020 Wednesday, April 1, 2020 9:18 PM
    Wednesday, April 1, 2020 9:50 AM
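For the Outlook half of the question there is also a native route: "always sign" is a managed Outlook policy, and the values below are the ones the Office ADMX templates write for the "Sign all e-mail messages", "Send all signed messages as clear signed messages" and "Encrypt all e-mail messages" policies. This is an added example (editor's own code, not from the thread or from KeyTalk); it assumes Outlook 2016/2019/Microsoft 365 Apps (registry version 16.0) and that the value names match your outlk16.admx, which should be checked before rollout. The share-free ADSI lookup of the user's mail attribute and the `whoami /upn` call are also assumptions about the environment.

```powershell
# Added example (editor's own, not code from the thread or from KeyTalk). Native alternative for
# the Outlook side of the question: enforce "sign every message" through Outlook's managed policy
# values. Assumption: Outlook 2016/2019/Microsoft 365 Apps, all version 16.0; verify the value
# names against your outlk16.admx before rolling out.
# Pilot: run as the target user from an elevated prompt (HKCU\Software\Policies is not writable by
# a standard user). Production: push the same three values with Group Policy Preferences or Intune.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security'

function Set-OutlookSigningPolicy {
    New-Item -Path $PolicyKey -Force | Out-Null
    # Sign all outgoing messages, including replies and forwards
    New-ItemProperty -Path $PolicyKey -Name AlwaysSign    -PropertyType DWord -Value 1 -Force | Out-Null
    # Clear-signed (multipart/signed), so recipients without S/MIME can still read the body
    New-ItemProperty -Path $PolicyKey -Name ClearSign     -PropertyType DWord -Value 1 -Force | Out-Null
    # Encryption stays a per-message choice, as the question asks
    New-ItemProperty -Path $PolicyKey -Name AlwaysEncrypt -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-SmimeSigningCertificate {
    # Certificates Outlook can actually sign with: private key present, currently valid,
    # id-kp-emailProtection EKU, and an rfc822Name matching the mailbox address.
    param([Parameter(Mandatory)][string]$Mail)
    $Now = Get-Date
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $Now -and $_.NotAfter -gt $Now -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.4') -and
        $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false) -eq $Mail
    }
}

# Mailbox address of the logged-on user, read from the on-prem AD that syncs to AAD (assumption)
$Upn  = (& whoami.exe /upn).Trim()
$Mail = [string]([ADSISearcher]"(userPrincipalName=$Upn)").FindOne().Properties['mail'][0]

# Guard: with AlwaysSign=1 and no usable certificate, Outlook refuses to send anything,
# so only enforce the policy once the certificate from question one is in place.
$Signing = @(Get-SmimeSigningCertificate -Mail $Mail | Sort-Object NotAfter -Descending)
if ($Signing.Count -eq 0) {
    Write-Warning "No usable S/MIME signing certificate for $Mail in CurrentUser\My; AlwaysSign not enabled."
}
else {
    Set-OutlookSigningPolicy
    "AlwaysSign enforced for $Mail; candidate certificate $($Signing[0].Thumbprint), expires $($Signing[0].NotAfter)"
}
```

The guard is the part that matters operationally: the policy is all-or-nothing per user, so it should only be switched on for users whose certificate has actually landed in their Personal store, and it should be switched off again (or the certificate renewed) before the certificate's NotAfter. Which certificate Outlook binds into its S/MIME settings is not a plain registry value you can push; Outlook builds that from the certificates in the Personal store, so confirm on a pilot machine that it picks the intended one, especially while an old and a new certificate coexist during roll-over.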

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    For question one:
    A: Based on my knowledge, if we have our internal CA server, there are two email certificate templates (Exchange Signature Only and Exchange User). Exchange Signature Only certificates issued using the Exchange Signature Only certificate template are used for email signature, and Exchange User certificates issued using the Exchange User certificate template are used for email encryption.

    The two types of certificate above are user certificates.




    Are the S/MIME certificates from one of the top 3 globally trusted certificate service providers you purchased user certificates or computer certificates?

    Usually, if it is a user certificate (.pfx file), we log on to the domain-joined client with a domain user, open certmgr.msc, navigate to Certificates - Current User\Personal\Certificates\All Tasks\Import and select the corresponding .pfx file.




    For question two:

    I think the question is related to Outlook; we mainly focus on issues or questions about on-premises Active Directory. So we can post our question in the Outlook forum.

    https://social.technet.microsoft.com/Forums/office/en-US/home?forum=outlook

    Thank you for your understanding and support.



    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 25, 2020 2:13 AM
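The certmgr.msc import described above, done unattended for each user at logon, as an added example (editor's own code, not the reply's). It assumes a staging share `\\fs01\smime$\<UPN>\` holding `user.pfx` and `user.pfx.pwd`, with the per-user folder ACL'd so that only that user and the PKI admins can open it; the share path, file names, the `whoami /upn` lookup and the ADSI query for the user's mail attribute are all assumptions about the environment. The check that the certificate's rfc822Name matches the logged-on user's mail attribute is what keeps a mis-staged file from handing one user another user's signing key.

```powershell
# Added example (editor's own, not from the thread): per-user logon script that performs the
# certmgr.msc import described above without user interaction, after checking that the PFX
# really belongs to the logged-on user.
# Assumed staging layout (not from the thread): \\fs01\smime$\<UPN>\user.pfx and user.pfx.pwd,
# the <UPN> folder ACL'd so only that user (Modify, to drop the marker) and the PKI admins can open it.
$Share   = '\\fs01\smime$'                               # assumption
$Store   = 'Cert:\CurrentUser\My'
$Upn     = (& whoami.exe /upn).Trim()                    # e.g. alice@example.com
$Folder  = Join-Path $Share $Upn
$PfxPath = Join-Path $Folder 'user.pfx'
$PwdPath = Join-Path $Folder 'user.pfx.pwd'

if (-not (Test-Path -LiteralPath $PfxPath)) { return }  # nothing staged for this user

$Password = ConvertTo-SecureString -String (Get-Content -LiteralPath $PwdPath -Raw).Trim() -AsPlainText -Force

# Look inside the PFX before touching the store
$PfxData  = Get-PfxData -FilePath $PfxPath -Password $Password
$Leaf     = $PfxData.EndEntityCertificates | Select-Object -First 1
$CertMail = $Leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)

# The rfc822Name in the certificate must match the mail attribute of this user in AD;
# a mis-staged PFX would otherwise hand one user another user's signing key.
$AdMail = [string]([ADSISearcher]"(userPrincipalName=$Upn)").FindOne().Properties['mail'][0]
if (-not $CertMail -or $CertMail -ne $AdMail) {
    throw "Staged certificate is for '$CertMail' but $Upn has mail '$AdMail'; not importing"
}

if (Get-ChildItem $Store | Where-Object Thumbprint -eq $Leaf.Thumbprint) {
    return  # already installed on this machine
}

# Import into Personal without -Exportable: the private key is protected by the user's DPAPI
# master key and cannot be exported as a PFX again from the client.
$Imported  = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $Store -Password $Password
$Installed = $Imported | Where-Object Thumbprint -eq $Leaf.Thumbprint
if (-not $Installed.HasPrivateKey) { throw "Import of $($Leaf.Thumbprint) ended up without a private key" }

# Intermediates bundled in the PFX belong in the CA store, not in Personal
if ($PfxData.OtherCertificates) {
    $CaStore = Get-Item Cert:\CurrentUser\CA
    $CaStore.Open('ReadWrite')
    $PfxData.OtherCertificates | ForEach-Object { $CaStore.Add($_) }
    $CaStore.Close()
}

# Marker for the admin clean-up job: the staged copy, and above all the password file,
# must not outlive the import.
Set-Content -LiteralPath (Join-Path $Folder 'imported.txt') -Value "$($Installed.Thumbprint) $(Get-Date -Format o)"
```

The password file on the share is the weak point of this design: it only works if the folder ACL really limits read access to the one user, and if the admin side removes the folder as soon as `imported.txt` appears. Leaving the key non-exportable on the client does not protect the copy on the share; deleting it does.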
  • @daisy Zhou

    Many thanks.

    It's indeed user certificates (PFX).

    You wrote: "Usually, if it is a user certificate (.pfx file), we logon the domain-joined client with domain user, and open certmgr.msc, navigate to Certificates - Current User\Pernonal\Certificates\All Tasks\Import and select the corresponding .pfx file."

    I understand how to manually install an individual PFX, however I'm looking for an automated way to mass upload all 150 PFX files into AD (Services) and have them auto-distributed to the users.

    Is this at all possible?

    I was previously directed to the AD Services forum when I posted on the Outlook forum, and my post was removed, as my question relates to automating the configuration of Outlook as a pushed policy. Is it possible to push a policy/GPO that auto-configures Outlook on the end-user Windows device?

    Many thanks 


    • Edited by MikeB-2020 Wednesday, March 25, 2020 8:57 AM elaborate
    Wednesday, March 25, 2020 8:55 AM
  • Hi,
    Q: I understand how to manually install an individual PFX, however I'm looking for an automated way to mass upload all 150 PFX files into AD (Services) and have them auto-distributed to the users.
    Is this at all possible?

    Based on my knowledge and experience, I cannot find such an auto distribution method.


    Q: I was previously directed to the AD Services forum when I posted on the Outlook forum, and my post was removed, as my question relates to automating the configuration of Outlook as a pushed policy. Is it possible to push a policy/GPO that auto-configures Outlook on the end-user Windows device?

    I am sorry, I cannot find such an existing GPO setting.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 31, 2020 6:23 AM
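AD itself cannot carry the private keys to the users, but the "mass upload" half of the question still has a native, scriptable shape: match each of the 150 PFX files to its AD user by the rfc822Name in the certificate, stage it in a per-user ACL'd folder for a logon-time import, and publish the public certificate to the user's `userCertificate` attribute so Outlook and Exchange resolve recipients' certificates from the address book. This is an added example (editor's own code, not from the thread). It assumes PowerShell 5.1 with the ActiveDirectory module, an input folder `C:\smime\in` with the PFX files and a `passwords.csv` (columns `File,Password`) as handed over by the CA vendor, a staging share `\\fs01\smime$`, and an admin group `CONTOSO\PKI-Admins`; all of those are assumptions. That Azure AD Connect syncs `userCertificate` in its default rules is the editor's understanding and should be checked against your sync configuration.

```powershell
# Added example (editor's own, not from the thread). Admin-side job for the 150 PFX files:
# match each one to its AD user via the rfc822Name in the certificate, stage it in a per-user
# ACL'd folder for a logon-time import, and publish the public half to the user's
# userCertificate attribute for address-book lookups.
# Assumed inputs (not from the thread): C:\smime\in\*.pfx and C:\smime\in\passwords.csv with
# columns File,Password as received from the CA vendor; shred both once the report is clean.
Import-Module ActiveDirectory

$InDir    = 'C:\smime\in'          # assumption
$Share    = '\\fs01\smime$'        # assumption; share root: admins only
$AdminGrp = 'CONTOSO\PKI-Admins'   # assumption

$Passwords = @{}
Import-Csv -Path (Join-Path $InDir 'passwords.csv') | ForEach-Object { $Passwords[$_.File] = $_.Password }

$Report = foreach ($Pfx in Get-ChildItem -Path $InDir -Filter *.pfx) {
    $Row = [ordered]@{ File = $Pfx.Name; Mail = $null; User = $null; Expires = $null; Status = $null }
    try {
        $Secure = ConvertTo-SecureString -String $Passwords[$Pfx.Name] -AsPlainText -Force
        $Cert   = (Get-PfxData -FilePath $Pfx.FullName -Password $Secure).EndEntityCertificates[0]
        $Row.Mail    = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
        $Row.Expires = $Cert.NotAfter
        $User = Get-ADUser -Filter "mail -eq '$($Row.Mail)'" -Properties mail
        if (-not $User) { throw "no AD user with mail $($Row.Mail)" }
        if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "certificate expires $($Cert.NotAfter)" }
        $Row.User = $User.UserPrincipalName

        # 1. Stage PFX + password in a folder only this user and the PKI admins can open
        $Folder = Join-Path $Share $User.UserPrincipalName
        New-Item -ItemType Directory -Path $Folder -Force | Out-Null
        $Acl = Get-Acl -Path $Folder
        $Acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs from the share root
        $Acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $AdminGrp, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
        $Acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $User.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))   # Modify: user drops imported.txt
        Set-Acl -Path $Folder -AclObject $Acl
        Copy-Item -Path $Pfx.FullName -Destination (Join-Path $Folder 'user.pfx')
        Set-Content -Path (Join-Path $Folder 'user.pfx.pwd') -Value $Passwords[$Pfx.Name] -NoNewline

        # 2. Publish the public certificate only (no private key) to AD; AAD Connect syncs it on
        $Public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Cert.Export('Cert'))
        Set-ADUser -Identity $User -Certificates @{ Add = $Public }
        $Row.Status = 'staged+published'
    }
    catch { $Row.Status = "skipped: $_" }
    [pscustomobject]$Row
}

$Report | Format-Table -AutoSize
$Report | Where-Object Status -ne 'staged+published' |
    Export-Csv -Path (Join-Path $InDir 'exceptions.csv') -NoTypeInformation
```

Re-running the job is safe for the AD side (`Add` of an already published certificate is a no-op) and the exceptions file is the work list for the vendor handover: a PFX whose rfc822Name matches no mailbox, or one that expires within 30 days, is not staged at all. Old certificates should be removed from `userCertificate` with `@{ Remove = ... }` at roll-over, otherwise recipients may keep encrypting to the retired key.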