Set up virtual certificate collection to validate S/MIME

As a tenant administrator you will need to configure a virtual certificate collection that will be used to validate S/MIME certificates. This virtual certificate collection is set up as a certificate store file type with an SST filename extension. The SST file contains all the root and intermediate certificates that are used when validating an S/MIME certificate.

Create and save an SST

You can only use the Shell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Shell. To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.

As an administrator, you can create this SST file by exporting the certificates from a trusted machine using the Export-Certificate cmdlet and specifying the type as SST. For more information the Export-Certificate cmdlet, see the Export-Certificate reference topic.

Once the SST file is generated, use the Set-Smimeconfig cmdlet to save it in the virtual certificate store by using the -SMIMECertificateIssuingCA parameter. For example: Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content filename.sst -Encoding Byte)

Ensuring a certificate is valid

Exchange 2013 SP1 first checks for the SST file and validates the certificate. If the validation fails, it will look at the local machine certificate store to validate the certificate. This behavior is new for Exchange 2013 SP1 and different from prior versions of Exchange. In Exchange Online only the SST will be used for validation.

More Information

S/MIME for message signing and encryption

Get-SmimeConfig