You see an error that an S/MIME signature is invalid when sending or receiving emails in Outlook. This usually happens because the required digital certificate is missing, expired, or not trusted on your computer. The certificate is essential for verifying your identity and securing messages. This article explains how to locate and import the correct certificate to resolve the signature error.
Key Takeaways: Fixing Invalid S/MIME Signatures
- File > Options > Trust Center > Trust Center Settings > Email Security: The central hub in Outlook for managing digital IDs and S/MIME settings.
- Import/Export in Windows Certificate Manager: Use this tool to add a missing certificate file or remove a corrupted one from your personal store.
- Get a Digital ID from your organization: Contact your IT department or certificate authority to obtain a valid, non-expired S/MIME certificate file.
Why Outlook Reports an Invalid S/MIME Signature
Outlook uses S/MIME to digitally sign and encrypt emails. A digital signature proves the message came from you and was not altered. For this to work, your computer must have the correct private key and public certificate installed.
The “invalid signature” error appears when Outlook cannot find a valid certificate to verify the signature. This occurs for several technical reasons. The certificate file may be missing from your Windows certificate store. The certificate might have expired, since every certificate has a set validity period. Sometimes, the certificate is issued by an authority that your computer does not trust. Another common cause is trying to use a certificate on a different computer where it was not originally installed.
The Role of Public and Private Keys
S/MIME relies on a pair of cryptographic keys. Your private key, which must stay secret on your device, creates the signature. The corresponding public certificate, which you share, allows others to verify it. If these two components are mismatched or incomplete, the signature check fails.
Steps to Import the Correct S/MIME Certificate
You need the certificate file from your IT department or certificate provider. It usually has a .pfx or .p12 file extension and is protected by a password. Follow these steps to import it into Windows, which will make it available to Outlook.
- Obtain your S/MIME certificate file
Contact your company’s IT helpdesk or the certificate authority that issued it. You will receive a file and an installation password. Save the file to a known location like your Downloads folder.
- Open the Windows Certificate Manager
Press the Windows key + R, type “certmgr.msc”, and press Enter. This opens the management console for your user certificates.
- Import the certificate into your Personal store
In the left pane, expand “Personal” and right-click on the “Certificates” folder. Select All Tasks > Import. This starts the Certificate Import Wizard.
- Follow the import wizard steps
Click Next on the welcome screen. Browse to and select your .pfx or .p12 certificate file. Click Next. Enter the password provided with the certificate. On the next screen, ensure the option to automatically place certificates in the store based on type is selected. Click Next and then Finish.
- Configure the certificate in Outlook
Open Outlook and go to File > Options > Trust Center. Click the Trust Center Settings button. Select the Email Security tab on the left. Under Digital IDs, click the Settings button. In the Security Settings dialog, your newly imported certificate should appear in the “Signing Certificate” dropdown. Select it and click OK to close all dialog boxes.
Common Mistakes and Things to Avoid
Importing the Certificate to the Wrong Store
If you import the certificate into the computer’s store instead of your user store, Outlook may not see it. Always use “certmgr.msc” for the current user, not “certlm.msc” for the local machine, unless instructed by IT.
Using an Expired or Revoked Certificate
Check the certificate’s validity period in the Certificate Manager. Double-click the certificate and view the Details tab. If it is expired, you must request a new one from the issuer. A revoked certificate will also fail and needs replacement.
Forgetting the Certificate Password
The import wizard requires the exact password issued with the certificate file. If you have lost it, you cannot import it. You must contact the issuer for a new certificate file with a new password.
Not Setting the Certificate as Default in Outlook
After importing, you must manually select the certificate in Outlook’s Email Security settings. If you skip the final configuration step, Outlook will not use it for signing.
S/MIME Certificate Statuses and Their Meanings
| Item | Valid Certificate | Invalid Certificate |
|---|---|---|
| Signature Status in Outlook | Shows a signed icon or ribbon with no warnings | Triggers an “invalid signature” error or warning message |
| Common Cause | Correctly installed in Personal store, not expired, trusted issuer | Missing private key, expired date, untrusted root authority |
| Required Action | No action needed for signing | Import correct certificate, renew, or adjust trust settings |
| Location in Windows | Present in Current User > Personal > Certificates | Missing, or found in a different store like Other People |
| Outlook Security Settings | Listed and selected in File > Options > Trust Center > Email Security > Settings | Not listed, or grayed out in the signing certificate dropdown |
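The causes in the table above (wrong store, missing private key, expired date, untrusted or revoked chain) can also be checked from PowerShell instead of clicking through each certificate. The script below is an added example, not part of the original article; the function names are hypothetical, it only reads the certificate stores, and it assumes the signing certificate either carries the Secure Email usage or has no usage restriction.

```powershell
# Added example: read-only audit of S/MIME signing certificates against the
# causes listed in the table above. Run as the affected user; no elevation needed.
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email (emailProtection) EKU

function Test-SecureEmailUsage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $true }   # no EKU extension: valid for all purposes
    return (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $SecureEmailOid)
}

function Get-SmimeCertFindings {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$StorePath
    )
    $findings = @()
    $now = Get-Date
    if ($StorePath -notlike 'Cert:\CurrentUser\*') { $findings += 'Not in Current User store' }
    if (-not $Certificate.HasPrivateKey)           { $findings += 'Missing private key' }
    if ($now -gt $Certificate.NotAfter)            { $findings += "Expired on $($Certificate.NotAfter)" }
    if ($now -lt $Certificate.NotBefore)           { $findings += 'Not yet valid' }

    # Build the chain to a trusted root, checking revocation online.
    # On a machine without network access this reports an unknown revocation status.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Certificate)) {
        $findings += $chain.ChainStatus | ForEach-Object { "Chain: $($_.Status)" }
    }

    [pscustomobject]@{
        Store      = $StorePath
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        Findings   = if ($findings) { $findings -join '; ' } else { 'None' }
    }
}

# Personal store of the current user (certmgr.msc) and of the machine (certlm.msc).
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store |
        Where-Object { Test-SecureEmailUsage -Certificate $_ } |
        ForEach-Object { Get-SmimeCertFindings -Certificate $_ -StorePath $store }
}
```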
You can now resolve the invalid S/MIME signature error by importing the correct digital certificate. Ensure the certificate is in your Personal store and selected in Outlook’s security settings. For further email security, explore setting up automatic encryption for specific recipients. A useful advanced tip is to export your certificate with the private key as a backup before a computer refresh, using the Export function in the Certificate Manager.