Import SST to Exchange Online with Set-SmimeConfig -SMIMECertificateIssuingCA

Jana Darsa 0 Reputation points
2026-02-05T06:27:04.5733333+00:00

Hello, I would like to know if it's possible to use PowerShell to import a CA trust chain to the tenant. HERICA seems not to be in the trust cert list.
I would like to digitally sign emails in new Outlook.

Do you have any experience?

Exchange Online

3 answers

  1. Hin-V 12,755 Reputation points Microsoft External Staff Moderator
    2026-02-05T08:10:40.2133333+00:00

    Hi @Jana Darsa

    Thank you for posting your question in Microsoft Q&A. 

    Just to clarify, are you referring to HARICA - the Hellenic Academic & Research Institutions CA? 

    Based on my research, you can add a CA trust chain to your Microsoft 365 (Exchange Online) tenant using PowerShell to ensure that S/MIME certificates issued by that CA are trusted in the new Outlook and Outlook on the web. 

    HARICA (or HERICA) is a public, third‑party Certificate Authority that participates in major global Root CA trust programs, including Microsoft, Apple, Mozilla, Adobe, and Google. This means HARICA’s root certificates are widely recognized and trusted across common operating systems and browsers. 

    Because HARICA is a trusted public CA, its certificates, such as S/MIME, electronic signature, SSL/TLS, and code‑signing certificates, are already included in the trusted root stores of Windows, macOS, iOS, Android, and others. 

    However, in Microsoft 365 and Exchange Online, S/MIME does not automatically trust any CA, even well‑known public CAs like HARICA. This is by design for security reasons. Administrators must manually upload the trusted CA chain (SST file) into the organization’s Exchange Online S/MIME configuration. 

    You can refer to: 

    Configure S/MIME in Exchange Online | Microsoft Learn

    How do trust S/MIME certificate in Office 365? 

    Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link. 

    Therefore, you can refer to the AI suggestion. You can obtain an SST file by running the following command: 

    Get-ChildItem -Path cert:\CurrentUser\my | Export-Certificate -FilePath C:\certs\allcerts.sst -Type SST  
    

    Then use the Set-SmimeConfig cmdlet with the -SMIMECertificateIssuingCA parameter in PowerShell to import the CA. 

    I hope this helps. 

    Please feel free to correct me if I misunderstood your request. If you have any additional concerns, feel free to comment below. I would be more than happy to assist.  


    Note: Please follow the steps in [our documentation] to enable e-mail notifications if you want to receive the related email notification for this thread. 

    1 person found this answer helpful.

  2. Jana Darsa 0 Reputation points
    2026-02-06T08:13:08.5633333+00:00

    Hi @Hin-V

    Thank you for the navigation.
    I did all the steps you described, and when I'm trying to import the certificate to new Outlook I get the error message: Certificate is already imported.
    When I ask Copilot if it's possible to digitally sign a mail in new Outlook I get a result: No.
    Because new Outlook has its own inner CA list and it's impossible to extend.

    And I'm starting to believe it :)

    What do you think?

    [Moderator note: personal info removed]


  3. Q&A Assist
    2026-02-05T06:27:14.34+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Yes, you can use PowerShell to import a CA trust chain into Exchange Online using the Set-SmimeConfig cmdlet with the -SMIMECertificateIssuingCA parameter. This allows you to specify the SST file that contains the root and intermediate certificates necessary for validating S/MIME certificates. Here’s how you can do it:

    1. First, ensure that you have created an SST file containing the required certificates. You can create this file by exporting certificates from a trusted machine using the Export-Certificate cmdlet.
    2. Once you have the SST file, you can import it into Exchange Online by running the following command in Exchange Online PowerShell:
         Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes('C:\My Documents\Exported Certificate Store.sst'))
      
      Make sure to replace the path with the actual path to your SST file.

    This process will help ensure that the necessary certificates are trusted for digital signing of emails in the new Outlook. If HERICA is not in the trust certificate list, you may need to include its certificates in the SST file before importing.


    0 comments No comments
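
An added example, not part of the answers above or of Microsoft's documentation: it builds the SST from the issuing CA's root and intermediate certificate files only, rather than from a whole personal certificate store, checks that each file really is an unexpired CA certificate, and then uploads the result with the cmdlet named in this thread. The folder `C:\certs\ca-chain`, the output file name and the variable names are assumptions; `Connect-ExchangeOnline` comes from the ExchangeOnlineManagement module.

```powershell
# Added example (run on Windows). Assumed input: the CA's root and intermediate
# certificates, downloaded from the CA's own repository as .cer/.crt files.
$chainDir = 'C:\certs\ca-chain'               # assumed folder
$sstPath  = 'C:\certs\smime-issuing-ca.sst'   # assumed output file

$collection = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()

Get-ChildItem -Path $chainDir -File |
    Where-Object { $_.Extension -in '.cer', '.crt' } |
    ForEach-Object {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName)

        # Only CA certificates belong in the tenant trust list: require
        # Basic Constraints with CA=TRUE, which end-entity certificates lack.
        $bc = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        if (-not $bc -or -not $bc.CertificateAuthority) {
            Write-Warning "Skipping $($_.Name): not a CA certificate"
            return
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "Skipping $($_.Name): expired on $($cert.NotAfter)"
            return
        }
        [void]$collection.Add($cert)
    }

if ($collection.Count -eq 0) { throw "No usable CA certificates found in $chainDir" }

# Review exactly what the tenant will trust before uploading anything.
$collection | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize

# Serialize the reviewed collection to SST (serialized certificate store) format.
$sstBytes = $collection.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::SerializedStore)
[System.IO.File]::WriteAllBytes($sstPath, $sstBytes)

# Upload to Exchange Online, then read the S/MIME settings back.
Connect-ExchangeOnline
Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes($sstPath))
Get-SmimeConfig | Format-List SMIME*
```

Keeping the SST limited to the reviewed CA certificates means the tenant-wide trust list contains nothing that happened to be sitting in a user's certificate store.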
