Set up virtual certificate collection in Exchange Online to validate S/MIME

As an admin, you will need to configure a virtual certificate collection in Exchange Online that will be used to validate S/MIME certificates. This virtual certificate collection is set up as a certificate store with an SST filename extension. The SST file contains all the root and intermediate certificates that are used when validating an S/MIME certificate.

Create and save an SST

You can create this SST certificate store file by exporting the certificates from a trusted machine using the Export-Certificate cmdlet in Windows PowerShell and specifying the Type value as SST. For instructions, see Export-Certificate.

Once you have the SST certificate store file, use the following syntax in Exchange Online PowerShell to save the SST file contents in the Exchange Online virtual certificate store. To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content <FileNameAndPath>.sst -Encoding Byte)

This example imports the SST file C:\My Documents\Exported Certificate Store.sst.

Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content "C:\My Documents\Exported Certificate Store.sst" -Encoding Byte)

For detailed syntax and parameter information, see Set-SmimeConfig.

Ensuring a certificate is valid

In Exchange Online, only the SST is used for certificate validation.

More Information

S/MIME for message signing and encryption

Get-SmimeConfig