posted 18/01/10

Outlook, PowerShell, certmgr.msc and S/MIME certificates

By Fredrik "DXter" Jonsson

Since last year, I have been using a VeriSign S/MIME certificate to digitally sign all my outgoing e-mail messages, so that I can prove my identity to other people and make it possible for others to easily e-mail me sensitive data by encrypting the e-mail messages (and attachments).

If you use an internal ADCS PKI for S/MIME certificates in your Active Directory environment, the certificate (and with it your public key) is automatically published to the userCertificate attribute of your user object, where the global address list picks it up, which is very sweet since everything is done automatically! If you use external S/MIME certificates, they can be published per user as well, either by an administrator on the Published Certificates tab of the user object, or by the user from Outlook's Trust Center (“Publish to GAL”). It works just fine, but it needs more administration. ;) The cool thing is that as soon as Outlook recognizes that a recipient you are mailing with has an S/MIME certificate, that recipient's certificate is automatically copied into a container in your user's certificate store called “Other People” in certmgr.msc. (The container is called AddressBook if you browse the certificate store with PowerShell.)
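To make the GAL-to-“Other People” step concrete, here is an added PowerShell example (not from the original post) that does by hand what Outlook does when it resolves a recipient: it reads the certificates published in the user object's userCertificate attribute over ADSI, keeps the ones that are usable for S/MIME, and caches them in the AddressBook store. It assumes a domain-joined Windows machine; the address mats@example.com and the function names are placeholders of mine.

```powershell
# Added example, not from the original post: fetch a recipient's published
# S/MIME certificate(s) from Active Directory and cache them in the
# "Other People" (AddressBook) store, the way Outlook does from the GAL.
# Assumes a domain-joined machine; mats@example.com is a placeholder address.
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'    # id-kp-emailProtection

function Get-PublishedCertificate {
    # Query AD with ADSI (no RSAT module needed) for the user with this mail address.
    param([Parameter(Mandatory)][string]$Email)
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(mail=$Email))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if (-not $result) { return }
    # userCertificate is multi-valued: one DER-encoded certificate per value.
    foreach ($der in $result.Properties['usercertificate']) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    }
}

function Add-ToOtherPeople {
    # X509Store.Add() is a no-op for a certificate that is already present, so this is idempotent.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'AddressBook', 'CurrentUser'
    $store.Open('ReadWrite')
    try { $store.Add($Certificate) } finally { $store.Close() }
}

$email  = 'mats@example.com'   # placeholder recipient
$usable = Get-PublishedCertificate -Email $email | Where-Object {
    # Keep only certificates bound to that address, trusted and unexpired (Verify()
    # builds the chain and checks revocation), and issued for e-mail protection.
    $_.GetNameInfo('EmailName', $false) -eq $email -and
    $_.Verify() -and
    ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value -contains $SecureEmailEku
}

foreach ($cert in $usable) {
    Add-ToOtherPeople -Certificate $cert
    '{0}: cached certificate expiring {1:d}, thumbprint {2}' -f $email, $cert.NotAfter, $cert.Thumbprint
}
```

A user can publish several certificates (a renewed one next to an expiring one), which is why the filter runs over all values of the attribute instead of taking the first; anything that fails Verify() is left out of the cache rather than copied and found unusable at send time.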

If we take a look at my “Other People” container, I see two other certificates that are used by my dear friend Jonas and my boss Mats. However, I have NOT imported them into that container! Outlook has done that for me automatically! :)

[image: the “Other People” container in certmgr.msc, showing the two certificates]

If we query the same container with PowerShell, using “Get-ChildItem Cert:\CurrentUser\AddressBook”, we get the same two certificates in the PowerShell prompt.
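The plain listing only shows subject and thumbprint. What you usually want to know about each cached certificate is whether Outlook will actually encrypt to it, so here is an added PowerShell example (not from the original post) that walks the AddressBook store and reports, per certificate, the e-mail address it is bound to, whether it carries the Secure Email EKU, its expiry and whether it chains to a trusted root. The function name Get-SmimeRecipient is mine; the rest is the standard .NET X509Certificate2 API that the Cert: drive exposes.

```powershell
# Added example, not from the original post: audit the "Other People"
# (AddressBook) store for the properties that decide whether a cached
# certificate is usable for S/MIME encryption.
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'    # id-kp-emailProtection

function Get-SmimeRecipient {
    [CmdletBinding()]
    param(
        # "AddressBook" is the logical name of the store certmgr.msc shows as "Other People".
        [string]$StorePath = 'Cert:\CurrentUser\AddressBook'
    )

    foreach ($cert in (Get-ChildItem -Path $StorePath)) {
        # rfc822Name from the Subject Alternative Name, falling back to the E= component
        # of the subject; this is the value matched against the recipient's address.
        $email = $cert.GetNameInfo('EmailName', $false)

        # Extended Key Usage: an S/MIME certificate must allow e-mail protection.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus   = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Verify() builds the chain with the default policy: trust anchor, validity
        # period, and revocation where the CRL or OCSP responder is reachable.
        [PSCustomObject]@{
            Email       = $email
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            SecureEmail = ($ekus -contains $SecureEmailEku)
            ChainValid  = $cert.Verify()
            Thumbprint  = $cert.Thumbprint
        }
    }
}

# Outlook refuses to encrypt to an expired, untrusted or revoked certificate, so
# entries with ChainValid = False are stale cache entries waiting to cause a
# "cannot encrypt to recipient" error.
Get-SmimeRecipient | Sort-Object Email |
    Format-Table Email, NotAfter, SecureEmail, ChainValid, Subject -AutoSize
```

Verify() does online revocation checking, so on a store with many entries the report takes a while and needs network access to the issuers' CRL or OCSP endpoints; run it once rather than per message.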

[image: the same two certificates listed by Get-ChildItem Cert:\CurrentUser\AddressBook]

Now what is the point of this? Well, since the recipients' S/MIME certificates are stored in our certificate store, Outlook can always send them encrypted messages: it encrypts each message to the public key in the recipient's S/MIME certificate, and only the recipient can decrypt it, using the associated private key. (Strictly speaking, the message body is encrypted with a fresh symmetric key and it is that key which is encrypted with the recipient's public key, which is how CMS and therefore S/MIME work, but the effect is the same.) The cool thing is that if you choose to change your e-mail client, the cached S/MIME certificates are available to that client as well, as long as it uses the Windows certificate store rather than its own (Mozilla Thunderbird, for example, keeps certificates in its own NSS database and will not see them). All such a client needs to do is query the “Other People” container in your certificate store to get a list of all S/MIME-enabled recipients. ;) Two caveats worth knowing: Outlook only uses a cached certificate that is still valid (not expired, chaining to a trusted root, not revoked, and issued for e-mail protection), and the container is a cache that does not refresh itself, so when a recipient renews their certificate the old one stays there until a newer one is picked up; an encryption failure for a long-standing contact is usually a stale or expired cached certificate.
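To show what “encrypting the message with the public key in their S/MIME certificate” means in practice, here is an added PowerShell example (not from the original post) that builds a CMS EnvelopedData for a recipient and decrypts it again with the matching private key, using the .NET System.Security.Cryptography.Pkcs classes; this is the same enveloped-data structure an S/MIME message carries. The function names, the placeholder address jonas@example.com and the throw-away self-signed certificate are mine; in real use the recipient's certificate would be the one cached in Cert:\CurrentUser\AddressBook and you would hold no private key for it.

```powershell
# Added example, not from the original post: encrypt a message to the public
# key in a recipient's S/MIME certificate, as Outlook does, using CMS
# EnvelopedData (RFC 5652). A fresh symmetric content-encryption key is
# generated per message; only that key is wrapped with the recipient's RSA
# public key, and only the matching private key can unwrap it.
try   { Add-Type -AssemblyName System.Security.Cryptography.Pkcs -ErrorAction Stop }  # PowerShell 7 / .NET
catch { Add-Type -AssemblyName System.Security -ErrorAction Stop }                    # Windows PowerShell 5.1 / .NET Framework

$SecureEmailEku = '1.3.6.1.5.5.7.3.4'
$Aes256Cbc      = '2.16.840.1.101.3.4.1.42'   # content-encryption algorithm to use

function Protect-SmimeMessage {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$RecipientCertificate,
          [Parameter(Mandatory)][string]$Text)
    $content   = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $info      = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$content)
    $algorithm = New-Object System.Security.Cryptography.Pkcs.AlgorithmIdentifier -ArgumentList (New-Object System.Security.Cryptography.Oid $Aes256Cbc)
    $enveloped = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms -ArgumentList $info, $algorithm
    # Only the public key is used here; the recipient's private key never leaves their machine.
    $enveloped.Encrypt((New-Object System.Security.Cryptography.Pkcs.CmsRecipient -ArgumentList $RecipientCertificate))
    return $enveloped.Encode()    # DER-encoded CMS EnvelopedData, what an S/MIME body carries
}

function Unprotect-SmimeMessage {
    param([Parameter(Mandatory)][byte[]]$Cms,
          [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$RecipientCertificate)
    $enveloped = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $enveloped.Decode($Cms)
    # Decrypt() needs a certificate carrying the private key of one of the recipients.
    $enveloped.Decrypt((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection -ArgumentList $RecipientCertificate))
    return [System.Text.Encoding]::UTF8.GetString($enveloped.ContentInfo.Content)
}

# Constructed test data: a throw-away self-signed certificate with an e-mail SAN
# and the Secure Email EKU stands in for a recipient's certificate, so the
# round trip runs offline. A CAPI provider is chosen so EnvelopedCms can use the
# key on both PowerShell editions. (Real recipients: Cert:\CurrentUser\AddressBook.)
$testCert = New-SelfSignedCertificate -Type Custom -Subject 'CN=Jonas (test)' `
    -TextExtension @('2.5.29.17={text}email=jonas@example.com', "2.5.29.37={text}$SecureEmailEku") `
    -KeyUsage KeyEncipherment, DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(1)
try {
    $cms   = Protect-SmimeMessage -RecipientCertificate $testCert -Text 'Salary figures for Q1 attached.'
    $plain = Unprotect-SmimeMessage -Cms $cms -RecipientCertificate $testCert
    'Recipient {0}: {1} bytes of EnvelopedData, decrypted text: {2}' -f $testCert.GetNameInfo('EmailName', $false), $cms.Length, $plain
}
finally {
    # Remove the test certificate and its private key again.
    Remove-Item -Path "Cert:\CurrentUser\My\$($testCert.Thumbprint)" -DeleteKey
}
```

Two things the code makes visible that the prose glosses over: the sender needs nothing but the recipient's certificate, which is exactly why caching it in “Other People” is enough, and decryption fails unless a store reachable by Decrypt() holds the private key, which is why a recipient who loses their key also loses every message ever encrypted to it. A mail client wraps the bytes from Protect-SmimeMessage in a MIME part of type application/pkcs7-mime with smime-type=enveloped-data.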

// Fredrik “DXter” Jonsson

Related posts:

  1. My self signed certificate wizard
  2. How to distribute root certificates as exe files
  3. Creating your own code signing certificate on a smartcard without an internal PKI
  4. The BitLocker certificate EKU and Windows Server 2008 R2
  5. Code signing using PowerShell


Comments
Fredrik Wall WordPress v1.1.3 January 18th, 2010 (10:15 pm)
comment

[Blog] Outlook, PowerShell, certmgr.msc and S/MIME certificates:
Since last year, I have been using a Ve.. http://bit.ly/5VZhUy

MSFT Scripting Guys WordPress v1.1.3 January 18th, 2010 (10:35 pm)
comment

RT @walle75: [Blog] Outlook, PowerShell, certmgr.msc and S/MIME certificates http://bit.ly/5VZhUy

Hire Containers WordPress v1.1.3 January 19th, 2010 (5:12 am)
comment

Outlook, PowerShell, certmgr.msc and S/MIME certificates | Dalle … http://bit.ly/6HLijF

Hire Containers WordPress v1.2.7 January 19th, 2010 (6:12 am)
comment

Outlook, PowerShell, certmgr.msc and S/MIME certificates | Dalle … http://bit.ly/6HLijF
