Set up a virtual certificate collection in Exchange Server to validate S/MIME

Applies to: Exchange Server 2013

As an Exchange Server administrator, you need to configure a virtual certificate collection in Exchange that will be used to validate S/MIME certificates. This virtual certificate collection is set up as a certificate store with an SST filename extension. The SST file contains all the root and intermediate certificates that are used when validating an S/MIME certificate.

Create and save an SST

You can create this SST certificate store file by exporting the certificates from a trusted machine using the Export-Certificate cmdlet in Windows PowerShell and specifying the Type value as SST. For instructions, see Export-Certificate.

Once you have the SST certificate store file, use the following syntax in the Exchange Management Shell to save the SST file contents in the Exchange Online virtual certificate store. To open the Exchange Management Shell, see Open the Exchange Management Shell.

Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes('<FileNameAndPath>.sst'))

This example imports the SST file C:\My Documents\Exported Certificate Store.sst.

Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes('C:\My Documents\Exported Certificate Store.sst'))

For detailed syntax and parameter information, see Set-SmimeConfig.

Validating certificates

Exchange 2013 SP1 or later first checks for the SST file and validates the certificate. If the validation fails, it will look at the local machine certificate store to validate the certificate. This behavior is different from previous versions of Exchange.

More Information

S/MIME for message signing and encryption