How do trust S/MIME certificate in Office 365?


How do trust S/MIME certificate in Office 365?


Unlike OWA running on Exchange, Office 365 does not trust any root certificates by default.  This causes validation problems when opening digitally signed email using S/MIME.  In order to fix this, the Office 365 administrators for your organization must manually import the root certificates your organisation chooses to trust using Microsoft Serialized Certificate Files (*.SST).  This article describes this process.

Obtaining an SST File

There are two ways to obtain an SST file.

You can obtain an SST file by running the following command:

PS C:\> Get-ChildItem -Path cert:\CurrentUser\my | Export-Certificate –FilePath c:\certs\allcerts.sst -Type SST

Alternatively, you can obtain an SST file from your computer using the Certificate Export Wizard.
  1. Open up Internet Explorer.
  2. Click on Settings and go to Internet Options in the drop down.
  3. Click on the Content tab.
  4. Click on the certificates button.
  5. Select the Trusted Root Certification Authorities tab.
  6. Press 'Q' to fast track to QuoVadis certificates.
  7. Highlight all of the QuoVadis Root certificate using the 'Ctrl' key on your keyboard.
  8. With all QuoVadis Root certificates highlighted, click on the Export button.  You may wish to include other Root CAs if desired.  You must ensure that 2 or more certificates are selected.
  9. Click Next on the Welcome screen of the Certificate Export Wizard.
  10. Select the Microsoft Serialized Certificate Store (.SST) radio option at the bottom. Click on Next.
  11. Give the file a name and location.  Click on Next.
  12. Click on the Finish button.
  13. The *.sst file will be saved in the location that you specified.  This file contains all of the Root certificates that you highlighted.

Trusting the SST File in Office 365

First you must connect to Office 365 using PowerShell. Below describes how to do this:

On the local computer, open Windows PowerShell and run the following commands:

Import-Module MSOnline

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type in your Exchange Online user name and password and the click on OK.

Run the following command:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

Next run this command:

Import-PSSession $Session -AllowClobber

Connect-MsolService -Credential $UserCredential

The Exchange Online cmdlets should be imported into your local Windows PowerShell session.  If you don't receive an error, you can verify this has worked by using the following command:


If the Get-Mailbox command works, then you are connected to Office 365 successfully.

Importing the SST File

Once you are connected to Office 365 via PowerShell, you will then need to import the SST using the following command:

Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content <filename>.sst -Encoding Byte)

After the SST is installed, you will need to get Dirsync to synchronize using the DirSyncConfigShell and then start-onlinecoexistencesync.  This process generally happens automatically after 30 mins.

When you are finished, it is important to close out the session.  You can do this by running the following command:

Remove-PSSession $Session

When the Dirsync hsa completed, any certificate issued out of a CA that you have imported should chain up and be trusted.

Add Feedback