Set up virtual certificate collection to validate S/MIME
As a tenant administrator, you need to configure a virtual certificate collection that is used to validate S/MIME certificates. This virtual certificate collection is set up as a certificate store file with an SST filename extension. The SST file contains all the root and intermediate certificates that are used when validating an S/MIME certificate.
Create and save an SST
You can only use the Shell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Shell. To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
As an administrator, you can create this SST file by exporting the certificates from a trusted machine using the Export-Certificate cmdlet and specifying the type as SST. For more information about the Export-Certificate cmdlet, see the Export-Certificate reference topic.
Once the SST file is generated, use the Set-SmimeConfig cmdlet to save it in the virtual certificate store by using the -SMIMECertificateIssuingCA parameter. For example:
Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content filename.sst -Encoding Byte)
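The full procedure above as an added example (not part of the original topic): it exports only the CAs that issue your S/MIME certificates, reads the SST back for review, and then uploads it. The output path and the thumbprint placeholders are assumptions to replace with your own values.

```powershell
# Added example. The path and thumbprints are placeholders, not values from this topic.
$sstPath = 'C:\Temp\smime-issuing-cas.sst'   # assumed output path

# Thumbprints of the root and intermediate CAs that issue your S/MIME certificates.
$wanted = @(
    '<ROOT-CA-THUMBPRINT-PLACEHOLDER>',
    '<INTERMEDIATE-CA-THUMBPRINT-PLACEHOLDER>'
)

# Select those CAs from the trusted machine's root and intermediate stores,
# skipping anything outside its validity period and de-duplicating across stores.
$now = Get-Date
$certs = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $wanted -contains $_.Thumbprint } |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object Thumbprint -Unique

# Stop if any expected CA is absent, so an incomplete chain is never uploaded.
$missing = $wanted | Where-Object { $certs.Thumbprint -notcontains $_ }
if ($missing) { throw "Not found or outside validity period: $($missing -join ', ')" }

# Export all selected certificates into a single serialized store (SST) file.
$certs | Export-Certificate -FilePath $sstPath -Type SST | Out-Null

# Read the file back and review exactly what will be trusted for S/MIME validation.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$check.Import($sstPath)
$check | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize

# Upload the SST. ReadAllBytes is used here because Get-Content -Encoding Byte
# is not available in PowerShell 6 and later.
$bytes = [System.IO.File]::ReadAllBytes($sstPath)
Set-SmimeConfig -SMIMECertificateIssuingCA $bytes
```

Exporting a named set of CAs instead of the whole root store keeps the S/MIME trust list limited to issuers you have reviewed.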
Ensuring a certificate is valid
Exchange 2013 SP1 first checks for the SST file and validates the certificate. If the validation fails, it looks at the local machine certificate store to validate the certificate. This behavior is new in Exchange 2013 SP1 and differs from prior versions of Exchange. In Exchange Online, only the SST is used for validation.