
How to Specify Key File in Set-Mailbox -UserSMimeCertificate

I am trying to load an S/MIME signing certificate for a specific Outlook 365 user via PowerShell. The command I am supposed to use is:

Set-Mailbox <identity> -UserSMimeCertificate <MultiValuedProperty>

The problem is, I have the S/MIME certificate as a .pfx file. How do I convert the .pfx file to a <MultiValuedProperty>?

A pfx file is a PKCS#12 file. userSMIMECertificate is designed to hold a PKCS#7 signed message which contains the public certificate, but can also hold any intermediate certificates as well as information about the client's cipher capabilities (therefore multi-valued).

Because the content of userSMIMECertificate is a signed message, the private key is required to sign.

Please see this question and its answers for details.

You can use openssl to create such a signed message. To create a signed message, include some additional certificates and read the private key from another file:

openssl smime -sign -in in.txt -text -out mail.msg  -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem

To convert pfx to pem:

openssl pkcs12 -in mykey.pfx -out mykey.pem

The Windows Certificate Manager (certmgr) may be able to perform the conversion as well if you import (check allow re-exporting private key), then export the private and the public key separately.

A PKCS#7 signed message may also be created using an email client. See the above-mentioned question and its answers for details.
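
The two openssl steps from the answer above, chained into one script that also checks the result; this is an added example, not part of the original answer. The function names, file names, the `env:PFX_PASS` pass-phrase source and the `demo-user` subject are assumptions, and loading the resulting bytes with Set-Mailbox is not shown.

```shell
#!/usr/bin/env bash
# Added example: .pfx -> DER-encoded PKCS#7 signed message with openssl.
# Function names, file names and the pass-phrase source are hypothetical.

# Constructed sample input: a throwaway self-signed PFX so this runs offline.
make_demo_pfx() {  # usage: make_demo_pfx OUT.pfx PASS_SOURCE (e.g. env:PFX_PASS)
  local d rc
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-user" \
    -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" -out "$1" -passout "$2"
  rc=$?
  rm -rf "$d"
  return "$rc"
}

pfx_to_signed_p7() {  # usage: pfx_to_signed_p7 IN.pfx PASS_SOURCE OUT.p7s
  local pfx="$1" pass="$2" out="$3" tmp rc=0
  # mktemp -d creates a mode-0700 directory; the unencrypted key never leaves it.
  tmp=$(mktemp -d) || return 1
  {
    # Split the PKCS#12 bundle: user certificate only, then private key only.
    openssl pkcs12 -in "$pfx" -passin "$pass" -clcerts -nokeys -out "$tmp/cert.pem" &&
    openssl pkcs12 -in "$pfx" -passin "$pass" -nocerts -nodes -out "$tmp/key.pem" &&
    printf 'S/MIME certificate\n' > "$tmp/in.txt" &&
    # -nodetach embeds the content; -outform DER writes raw PKCS#7, not a MIME mail.
    openssl smime -sign -in "$tmp/in.txt" -signer "$tmp/cert.pem" \
      -inkey "$tmp/key.pem" -nodetach -outform DER -out "$out"
  } 2>/dev/null || rc=1
  rm -rf "$tmp"   # remove the extracted private key whether or not signing worked
  return "$rc"
}

# Confirm the signature verifies (chain trust is skipped by -noverify) and list
# the subject/issuer of every certificate embedded in the signed message.
check_signed_p7() {  # usage: check_signed_p7 FILE.p7s
  openssl smime -verify -inform DER -in "$1" -noverify -out /dev/null 2>/dev/null &&
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout
}
```

Passing the pass phrase as `env:PFX_PASS` rather than `pass:...` keeps it out of the process listing and shell history.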
