S/MIME and Office 365

Kelly

@Tim_G Not exactly. We have the trust chain working fine. The pain point is in having access to other internal users' public keys and the distribution thereof.

We generate user certs, install them and our internal root and intermediate certs on the individual's computer (mostly Macs running Outlook 2016). The user will then send out a signed email to all and everyone will reply back with a signed email in return. This gives everyone the digital signature of the new employee and distribute the new employee's digital signature to everyone else. Now users are able to encrypt messages to the new employee and the new employee can encrypt messages to anyone in the organization.

My goal is automate and centralize as many portions of this as I can.

Obsolesce

@Kelly Maybe the problem is your Global Address List (GAL), or you simply aren't waiting long enough.
Let me try a run-through here:

1. User joins the company.
2. O365 email account is set up for new user.
3. New user logs on to new Mac computer, sets up Outlook.
4. IT Admin sends new user his/her certificate via email (or by whatever means). Preferably a .PFX so it contains private key and whole CA chain.
5. New user or IT admin goes into new users Outlook trust center/email security settings to set signing/encryption certificate(s).
6. While still in Outlook Email Security settings, "Publish to GAL" button is clicked, success confirmation pops up.
7. After 24 hours, or via users manually updating their Address Book in Outlook, users are now able to send encrypted emails to new user.

Basically, when you publish to GAL, it's loading all certificate information to O365. Every else's address books will automatically update I think the default is once per day. So if users can't send the new user encrypted emails, they either need to update their address book in Outlook, or simply wait a day or so. As long as they are all part of the same organization in Office 365, they'll share the GAL and get the same one.

Kelly

@Tim_G said in S/MIME and Office 365:

@Kelly Maybe the problem is your Global Address List (GAL), or you simply aren't waiting long enough.
Let me try a run-through here:

1. User joins the company.
2. O365 email account is set up for new user.
3. New user logs on to new Mac computer, sets up Outlook.
4. IT Admin sends new user his/her certificate via email (or by whatever means). Preferably a .PFX so it contains private key and whole CA chain.
5. New user or IT admin goes into new users Outlook trust center/email security settings to set signing/encryption certificate(s).
6. While still in Outlook Email Security settings, "Publish to GAL" button is clicked, success confirmation pops up.
7. After 24 hours, or via users manually updating their Address Book in Outlook, users are now able to send encrypted emails to new user.

Basically, when you publish to GAL, it's loading all certificate information to O365. Every else's address books will automatically update I think the default is once per day. So if users can't send the new user encrypted emails, they either need to update their address book in Outlook, or simply wait a day or so. As long as they are all part of the same organization in Office 365, they'll share the GAL and get the same one.

No, we're not doing anything from 6 on. There is no "Publish to GAL" button in Outlook for Mac. This is why we're distributing the public keys manually.

Obsolesce

@Kelly said in S/MIME and Office 365:

@Tim_G said in S/MIME and Office 365:

@Kelly Maybe the problem is your Global Address List (GAL), or you simply aren't waiting long enough.
Let me try a run-through here:

1. User joins the company.
2. O365 email account is set up for new user.
3. New user logs on to new Mac computer, sets up Outlook.
4. IT Admin sends new user his/her certificate via email (or by whatever means). Preferably a .PFX so it contains private key and whole CA chain.
5. New user or IT admin goes into new users Outlook trust center/email security settings to set signing/encryption certificate(s).
6. While still in Outlook Email Security settings, "Publish to GAL" button is clicked, success confirmation pops up.
7. After 24 hours, or via users manually updating their Address Book in Outlook, users are now able to send encrypted emails to new user.

Basically, when you publish to GAL, it's loading all certificate information to O365. Every else's address books will automatically update I think the default is once per day. So if users can't send the new user encrypted emails, they either need to update their address book in Outlook, or simply wait a day or so. As long as they are all part of the same organization in Office 365, they'll share the GAL and get the same one.

No, we're not doing anything from 6 on. There is no "Publish to GAL" button in Outlook for Mac. This is why we're distributing the public keys manually.

I did not know that. I'm not as familiar with Outlook on Macs. What percentage of users use Outlook on a Mac?
When I get some more time, I'll take a look at some things and get back to you.

Dashrender

Could your mac users do a setup on a windows machine just to push this, then move to their mac?

Kelly

@Dashrender said in S/MIME and Office 365:

Could your mac users do a setup on a windows machine just to push this, then move to their mac?

It is possible, but I'm trying to simplify the process...

Dashrender

I don't know certs in Exchange at all - so don't crusify me for asking.

How are your certs created? a cert server on your local network? If yes, are they used for other domain level things? If no - does MS have any solution inside O365 that can create these certs and keep it all inside O365? I thought they had security stuff inside O365, but really know nothing about it.

Kelly

@Dashrender said in S/MIME and Office 365:

I don't know certs in Exchange at all - so don't crusify me for asking.

How are your certs created? a cert server on your local network? If yes, are they used for other domain level things? If no - does MS have any solution inside O365 that can create these certs and keep it all inside O365? I thought they had security stuff inside O365, but really know nothing about it.

They've been created using OpenSSL on a stand alone system. Due to regulatory requirements we cannot store private keys in O365, so even if those systems existed we couldn't make use of them.

Dashrender

@Kelly said in S/MIME and Office 365:

@Dashrender said in S/MIME and Office 365:

I don't know certs in Exchange at all - so don't crusify me for asking.

How are your certs created? a cert server on your local network? If yes, are they used for other domain level things? If no - does MS have any solution inside O365 that can create these certs and keep it all inside O365? I thought they had security stuff inside O365, but really know nothing about it.

They've been created using OpenSSL on a stand alone system. Due to regulatory requirements we cannot store private keys in O365, so even if those systems existed we couldn't make use of them.

aww.. ok.

JaredBusch

@Tim_G for your reference, here is what I see on my MacBook. I am not using Certificates.

Obsolesce

@JaredBusch Thank you