Outlook S/MIME Email Signing: How to Install a Personal Certificate
WiseChecker

When you send an email in Outlook, recipients cannot always verify that the message came from you and has not been altered. S/MIME (Secure/Multipurpose Internet Mail Extensions) solves this by letting you digitally sign your emails using a personal certificate. Without a properly installed certificate, Outlook cannot apply the signature. This article explains what an S/MIME certificate is, how to install it into the Windows certificate store, and how to configure Outlook to sign every outgoing message.

Key Takeaways: Installing and Using an S/MIME Certificate in Outlook

  • Windows Certificate Store (certmgr.msc for the current user, certlm.msc for the local computer): The certificate must be imported into the Personal store before Outlook can access it for signing.
  • File > Options > Trust Center > Trust Center Settings > Email Security: This is where you assign the installed certificate to your email account and enable the default signature.
  • Outlook Settings (gear icon) > Mail > S/MIME: In Outlook for Microsoft 365, this is the alternative path to select the signing certificate and turn on signing.


What Is an S/MIME Certificate and Why Do You Need It?

An S/MIME certificate is a digital identity file issued by a trusted Certificate Authority (CA). It binds your email address to a public-private key pair. When you sign an email, Outlook uses your private key to create a unique digital signature. The recipient uses your public key, which is embedded in the certificate, to verify that the message was not tampered with and that it truly came from you.

To use S/MIME signing, you need three things: a valid certificate issued to your email address, the certificate installed in the Windows certificate store, and Outlook configured to use that certificate. The certificate file typically comes in .pfx or .p12 format and includes the private key. You receive it from your organization’s IT department or purchase it from a CA such as DigiCert, GlobalSign, or Sectigo. The certificate expires after one to three years, after which you must renew it.

Prerequisites

Before you begin, confirm that you have the following:

  • A certificate file (.pfx or .p12) with the private key. Without the private key, you cannot sign emails.
  • The password for the certificate file if it is password-protected. Most .pfx files require one.
  • Administrator rights on your Windows computer. Some certificate stores require elevation to modify.
  • Outlook 2019, Outlook 2021, or Outlook for Microsoft 365. Earlier versions also support S/MIME but the menu paths may differ slightly.

Steps to Install the Certificate in the Windows Store

Outlook does not read a certificate file directly from your hard drive. You must import it into the Windows certificate store first. Follow these steps to complete the import.

  1. Open the Certificate Manager
    Press Windows Key + R to open the Run dialog. Type certmgr.msc and press Enter. The Certificate Manager window opens, showing the current user’s certificate stores.
  2. Navigate to the Personal Store
    In the left pane, expand Certificates – Current User. Right-click the Personal folder and select All Tasks > Import. The Certificate Import Wizard starts.
  3. Select the Certificate File
    Click Next. Then click Browse and locate your .pfx or .p12 file. Select it and click Open. Click Next.
  4. Enter the Private Key Password
    If the certificate is password-protected, type the password in the Password field. Check Mark this key as exportable if you want to back up the certificate later. Leave the other options at their defaults. Click Next.
  5. Choose the Certificate Store
    Ensure Place all certificates in the following store is selected and the Personal store is shown. Click Next and then Finish. You see a confirmation message that the import succeeded.

After import, double-click the certificate in the Personal store to verify that its status says “This certificate is OK.” If you see a message about the certificate not being trusted, the issuing CA’s root certificate is missing. Contact your IT department to install the CA’s root certificate.
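
The same import can be scripted. The following PowerShell is an added example, not part of the original article; the file path is a placeholder, and the chain check at the end mirrors the trust verification described above.

```powershell
# Added example: scripted equivalent of the import wizard steps above.
# $PfxPath is a placeholder path; replace it with your own .pfx or .p12 file.
$PfxPath = Join-Path $env:USERPROFILE 'Downloads\smime.pfx'

# Prompt for the file password so it is not stored in a script or in history.
$PfxPassword = Read-Host -Prompt 'Certificate file password' -AsSecureString

# Import into the current user's Personal store (Cert:\CurrentUser\My).
# Adding -Exportable corresponds to checking "Mark this key as exportable";
# without it the private key cannot be exported from the store later.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\CurrentUser\My -Password $PfxPassword

foreach ($cert in $imported) {
    # Build the chain up to the root CA. A failed build corresponds to the
    # "not trusted" message. Revocation checking is switched off so the
    # result reflects chain trust only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        ChainTrusted  = $trusted
        # UntrustedRoot or PartialChain means CA certificates are missing.
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```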


How to Configure Outlook to Use the Certificate for Signing

With the certificate installed, you must tell Outlook which certificate belongs to your email account and enable signing by default. The configuration method differs slightly between classic Outlook (ribbon version) and the new Outlook for Windows.

Classic Outlook (Outlook 2019, 2021, and Classic Microsoft 365)

  1. Open Outlook and Go to Trust Center
    Click File > Options. In the Outlook Options dialog, click Trust Center and then click Trust Center Settings.
  2. Open the Email Security Tab
    In the Trust Center, select Email Security. Under the Encrypted email section, click Settings.
  3. Choose the Signing Certificate
    In the Change Security Settings dialog, click Choose next to the Signing Certificate field. A list of certificates from the Personal store appears. Select the certificate that matches your email address. Click OK.
  4. Set the Signing Algorithm and Enable Default Signing
    Leave the Hash algorithm set to SHA-256 unless your organization requires a different algorithm. Check Add this digital signature to all outgoing messages. Click OK twice to close both dialogs.

New Outlook for Windows

  1. Open Outlook Settings
    Click the gear icon in the upper-right corner. In the Settings pane, click Mail and then click S/MIME.
  2. Select the Signing Certificate
    Under Signing certificate, click Select a certificate. Pick the correct certificate from the list. Click Save.
  3. Enable Default Signing
    Toggle Digitally sign all outgoing messages to On. Close the Settings pane.

To test the configuration, compose a new email to yourself or a colleague. Click the Sign button (the icon showing a red ribbon) if it is not already highlighted. Send the message. The recipient sees a digital signature icon in the message header if they have the sender’s certificate or the CA’s root certificate installed.

If Outlook Cannot Find the Certificate or Signing Fails

Even after following the steps above, you may encounter issues. Below are the most common problems and their fixes.

“No certificate could be found to sign this message” Error

This error means Outlook cannot locate a certificate with a private key in the Personal store that matches your sending email address. Verify that the certificate’s Subject or Subject Alternative Name (SAN) field contains your exact email address. Open certmgr.msc, double-click the certificate, and check the Details tab. If the email address is missing or incorrect, request a new certificate from your CA.

“The certificate is not valid for signing” Error

A certificate can have multiple intended purposes, such as client authentication and secure email. The certificate must include the Secure Email Extended Key Usage (EKU). In the certificate’s Details tab, look for Enhanced Key Usage. If “Secure Email” is not listed, the certificate cannot be used for S/MIME signing. Obtain a certificate that includes the Secure Email EKU.

Certificate Not Listed in Outlook’s Choose Certificate Dialog

If the certificate appears in certmgr.msc but not in Outlook, the private key may be missing or not accessible. Right-click the certificate in the Personal store, select All Tasks > Manage Private Keys, and ensure your user account has Read permission. If the key is marked as non-exportable, you cannot use it on another computer, but it should still work on the machine where it was installed.
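
The conditions behind the three errors above can be checked in one pass over the Personal store. This PowerShell is an added example, not part of the original article; `$Mailbox` is a placeholder for your sending address, and the OID shown is the standard identifier of the Secure Email EKU.

```powershell
# Added example: test each certificate in Cert:\CurrentUser\My against the
# conditions behind the three errors above. $Mailbox is a placeholder value.
$Mailbox        = 'user@example.com'
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email (emailProtection) EKU
$SanOid         = '2.5.29.17'           # Subject Alternative Name extension
$now            = Get-Date

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Email address from the Subject or SAN, plus the full SAN text in case
    # the certificate lists more than one address.
    $emailName = $cert.GetNameInfo('EmailName', $false)
    $san       = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText   = if ($san) { $san.Format($false) } else { '' }
    $emailOk   = ($emailName -eq $Mailbox) -or
                 ($sanText -match [regex]::Escape($Mailbox))

    # Enhanced Key Usage: collect the OIDs and look for Secure Email.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        # False: Outlook has no key to sign with ("No certificate could be found").
        HasPrivateKey  = $cert.HasPrivateKey
        # False: address missing from Subject and SAN.
        EmailMatches   = $emailOk
        # False: "The certificate is not valid for signing".
        SecureEmailEku = $ekuOids -contains $SecureEmailOid
        # False: certificate not yet valid or expired.
        InValidity     = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    }
} | Format-Table -AutoSize
```

A certificate is usable for signing from this account only when every column after the thumbprint reads True.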

Signed vs Unsigned Email: Key Differences

| Item | Signed Email | Unsigned Email |
|---|---|---|
| Sender verification | Recipient can verify the sender’s identity via the certificate | No identity verification; sender address can be spoofed |
| Message integrity | Any alteration breaks the signature, alerting the recipient | No tamper detection; content can be modified without notice |
| Certificate requirement | Sender must have an installed S/MIME certificate | No certificate needed |
| Recipient setup | Recipient needs the CA’s root certificate or the sender’s certificate to verify | No setup required |
| Email size | Slightly larger because the signature is attached | Normal size |

After installing your personal certificate and configuring Outlook, every outgoing message you send carries a digital signature that proves your identity and protects the message content from tampering. Recipients who have your certificate or trust your CA can verify the signature without any extra steps. As an advanced tip, you can also enable S/MIME encryption by selecting an encryption certificate in the same Email Security dialog, which ensures that only the intended recipient can read the message body.
