This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.


Encrypting emails in MS Outlook and troubleshooting

Petr Bouška - Samuraj

Almost everyone uses email on a daily basis. The disadvantage of electronic messages is that in most cases they travel across the Internet completely openly (in other words, readably). The security solution is some form of encryption, either of the traffic or of the individual messages. We will take a brief look at encrypting selected messages the way it is commonly done in a corporate environment. We will assume that each user has an encryption certificate stored on a smartcard. The main focus is on the most common problems and their solutions.

Emails are encrypted using asymmetric cryptography, where different keys are used for encryption and decryption. We also choose the algorithm used to encrypt the message content; the most common is AES (256-bit), while 3DES, RC2 and the like are significantly weaker.

To send an encrypted email to someone, we need their encryption certificate, more precisely their public key. The message is encrypted with it and can only be decrypted with the corresponding private key (in our case the one stored on the smartcard). When the message is sent, a copy is also stored in Sent Items, encrypted with our own public key so that we can open it later.

Note: If we have encrypted messages and lose our private key, there is no way to open them. This also means that when our certificate expires and we receive a new one, the old messages can only be opened with the old private key; if that key is no longer available, they are lost.

Setting Up Certificates in MS Outlook 2010

To use the email signing and encryption functionality, we need to create a Digital ID, i.e., set up the appropriate certificates in the mail client.

  • Launch Microsoft Outlook 2010
  • In the menu, choose File - Options
  • Select Trust Center on the left
  • Click the Trust Center Settings button on the right
  • Choose E-mail Security on the left
  • In the Encrypted e-mail section, click Settings...
  • In the Certificates and Algorithms section:
  • Click Choose... for Signing Certificate and select the certificate for signing
  • Click Choose... for Encryption Certificate and select the certificate for encryption (can be the same as the signing certificate)
  • Click OK
Figure: Outlook - certificate settings

Publishing Certificates to the GAL in MS Outlook 2010

In a corporate environment, the Exchange server uses a shared directory, which can also contain users' encryption certificates; this is the easiest way to distribute them. The directory is called the Global Address List (GAL).

  • Launch Microsoft Outlook 2010
  • In the menu, choose File - Options
  • Select Trust Center on the left
  • Click the Trust Center Settings button on the right
  • Choose E-mail Security on the left
  • Click Publish to GAL ...
  • Insert the card, confirm OK, and enter your PIN
  • A message confirming successful publication of the certificate appears; click OK

How to Obtain a Certificate for the Recipient

To send an encrypted email to someone, we need their public key. In a corporate environment, there are two situations - for internal employees (using Active Directory, Exchange server, and a shared directory) and for external people.

Global Address List (GAL)

All employees should publish their certificates to the Active Directory (domain), which will make the certificate available in the Global Address List (GAL). The certificate is then automatically accessible to all other employees.

When we publish our certificate, it is stored in the user account in Active Directory. Subsequently, the Offline Address Book is generated at regular intervals (once an hour) on the Exchange server. This address book is then downloaded at certain intervals by MS Outlook. This means that after publishing the certificate, it is not immediately available to other users!

Personal Contacts

The standard method for obtaining a recipient's certificate is through contacts. The recipient must send us a signed message; the signature carries both the signing and the encryption certificate (a single certificate can serve both purposes; in either case only the public keys are sent). From the received email, we add the recipient to our contacts, and the certificate is stored automatically. We can view the certificate in the contact detail, on the Contact tab, using the Certificates button.

Figure: Outlook 2010 - certificate stored with a contact

How to Send an Encrypted Message

First, we must have our Digital ID set up in Outlook, which means having the encryption and signing certificates configured. Then, when writing a new message, the Encrypt and Sign buttons are available on the Options tab.

Figure: Outlook 2010 - encrypting a message

Problems Sending Encrypted Emails and Their Solutions

In practice, there are many problems that prevent sending encrypted messages. The error message is usually the same. The problem can be on the recipient's side (certificate publication) or the sender's side (non-functional Digital ID).

Figure: Outlook - error, the message cannot be encrypted

Digital ID Not Created

Problem: I want to encrypt, but I don't have the encryption button for the message.

Solution: This means I don't have the certificates set up. I'll set them up according to the previous instructions.

Cannot Publish Certificate

Problem: I've set up the certificates, but I can't change the algorithms used (the items are grayed out) and/or I can't publish the certificate to the GAL (I get an error).

Solution: This is often caused by a problem with the application/framework (middleware) that provides access to the certificate on the smartcard. Try reinstalling it or installing a newer version, and test whether the smartcard certificate works in applications other than the mail client.

Testing My Configuration

To check that the problem is not with my Outlook setup, I can try publishing to the GAL (it doesn't matter if it's done repeatedly). If it doesn't work, I'll go back to the previous step.

Missing or Invalid Certificate

Problem: I want to encrypt, but I get an error when sending.

Solution: The most common problem is that the recipient doesn't have the certificate published in the GAL or an old version is stored there (the user has obtained a subsequent certificate and hasn't published it).

To verify the certificate, we can open the Address Book in Outlook. Right-click the person we want to send a message to and choose Add to Contacts, which opens the contact detail as it would appear in our contacts. On the Contact tab, click Certificates and we see the certificate stored in the GAL. Then we can close the window without saving the contact.

If the certificate is missing or invalid, the recipient must publish it. Then it takes some time before we can use this certificate. If we want to use this certificate immediately, there is a solution where we directly access the server. For this, it's enough to delete the Offline Address Books.

Close Outlook. In Windows 7 open the folder c:\Users\{username}\AppData\Local\Microsoft\Outlook\, in Windows XP c:\Documents and Settings\{your username}\Local Settings\Application Data\Microsoft\Outlook\. This folder contains the file outlook.ost with our mail, and either the *.oab files or the Offline Address Books directory with the offline copy of the corporate directory. Delete only the directory files (the *.oab files and the Offline Address Books directory), leave outlook.ost alone, and start Outlook. Downloading the directory from the server takes some time, and in the meantime Outlook uses the online data.
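The same step as a PowerShell script, added here as an example (it is not code from the original article or from Microsoft): it refuses to run while Outlook is open, because the cache files are locked, resolves both the Windows 7 location (via the LOCALAPPDATA variable) and the Windows XP location described above, and removes only the *.oab files and the Offline Address Books directory, never outlook.ost. It assumes PowerShell 2.0 or later.

```powershell
# Added example, not code from the original article. Clears Outlook's offline
# address book cache so that Outlook uses the online GAL until a fresh copy is
# downloaded. The mailbox file outlook.ost is never touched.
# Assumes PowerShell 2.0 or later on Windows.

function Clear-OutlookOfflineAddressBook {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Outlook keeps the .oab files locked while it runs, so stop early instead of failing half-way.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        throw 'Outlook is running. Close it and run this again.'
    }

    # Windows 7 (and later): %LOCALAPPDATA%\Microsoft\Outlook
    # Windows XP has no LOCALAPPDATA variable; the same folder lives under Local Settings\Application Data.
    $localAppData = $env:LOCALAPPDATA
    if (-not $localAppData) {
        $localAppData = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
    }
    $outlookDir = Join-Path $localAppData 'Microsoft\Outlook'
    if (-not (Test-Path -LiteralPath $outlookDir)) {
        throw "Outlook data folder not found: $outlookDir"
    }

    # Collect only the directory cache: loose *.oab files and the "Offline Address Books" folder.
    $targets = @(Get-ChildItem -LiteralPath $outlookDir -Filter '*.oab' |
                 Where-Object { -not $_.PSIsContainer })
    $oabDir = Join-Path $outlookDir 'Offline Address Books'
    if (Test-Path -LiteralPath $oabDir) {
        $targets += Get-Item -LiteralPath $oabDir
    }

    if ($targets.Count -eq 0) {
        Write-Verbose "No offline address book files in $outlookDir; nothing to do."
        return
    }

    foreach ($item in $targets) {
        # -WhatIf / -Confirm are honoured here, so a dry run is possible.
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Delete offline address book cache')) {
            Remove-Item -LiteralPath $item.FullName -Recurse -Force
        }
    }
    Write-Verbose 'Done. Start Outlook; it queries the server directly until the new OAB is downloaded.'
}

# Dry run first (lists what would be removed), then run without -WhatIf to delete.
Clear-OutlookOfflineAddressBook -WhatIf
```

Run it once with -WhatIf to see exactly which files would go; only the *.oab files and the Offline Address Books folder should be listed.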

Untrusted Certificate

Problem: I want to encrypt, but I get an error when sending.

Solution: To be able to encrypt an email, the certificate used must be trusted on our side. This means that the certificate authority that issued the recipient's encryption certificate must be in the Trusted Root Certification Authorities (or a similar trusted store).
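Instead of clicking through the Address Book, the checks behind the last two problems (a missing or outdated certificate in the GAL, and an issuing CA that is not trusted) can be run directly against Active Directory. The following PowerShell is an added example, not code from the original article or from Microsoft: it reads the recipient's userCertificate attribute, which is where Publish to GAL stores the certificate, and reports for each certificate the validity period, whether the key usage and the Secure Email purpose allow encryption, and whether the issuer chain is trusted on this machine. It assumes a domain-joined Windows machine with PowerShell 3.0 or later and an account that can read the directory; the function name and the mail address in the usage line are constructed placeholders.

```powershell
# Added example, not code from the original article. Queries Active Directory for
# the certificates a colleague has published to the GAL (the userCertificate
# attribute) and reports the same things Outlook checks before it will encrypt:
# validity period, key usage, Secure Email purpose and trust of the issuer chain.
# Assumes a domain-joined machine and PowerShell 3.0 or later.

function Test-GalCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Mail
    )

    # [ADSISearcher] is built into PowerShell, so no RSAT / ActiveDirectory module is required.
    $searcher = [ADSISearcher]"(&(objectCategory=person)(mail=$Mail))"
    [void]$searcher.PropertiesToLoad.AddRange(@('displayName', 'userCertificate'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No Active Directory user has the mail address $Mail." }

    $name = [string]$result.Properties['displayname'][0]
    if (-not $name) { $name = $Mail }

    # Each value of userCertificate is one DER-encoded certificate (byte[]).
    $blobs = $result.Properties['usercertificate']
    if (-not $blobs -or $blobs.Count -eq 0) {
        Write-Warning "$name has not published any certificate to the GAL."
        return
    }

    $emailProtectionOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (Secure Email EKU)
    $encipherFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment,DataEncipherment'
    $now = Get-Date

    foreach ($blob in $blobs) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)

        # Key usage and EKU extensions, if present. Without a Key Usage extension any use is
        # allowed; with one, the key must permit encipherment. Same logic for the EKU list.
        $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $canEncipher = (-not $ku) -or (($ku.KeyUsages -band $encipherFlags) -ne 0)
        $secureEmail = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $emailProtectionOid)

        # Build the chain against this machine's certificate stores; an issuer that is not in
        # Trusted Root Certification Authorities shows up as UntrustedRoot / PartialChain.
        # Revocation checking is disabled here so that "CA not trusted" is not confused
        # with "CRL unreachable"; Outlook itself does check revocation.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            User          = $name
            Subject       = $cert.Subject
            CertEmail     = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
            Issuer        = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
            NotAfter      = $cert.NotAfter
            TimeValid     = $timeValid
            CanEncipher   = $canEncipher
            SecureEmail   = $secureEmail
            ChainTrusted  = $trusted
            ChainErrors   = $chainErrors
            UsableForMail = $timeValid -and $canEncipher -and $secureEmail -and $trusted
        }
    }
}

# Usage with a placeholder address: shows what Outlook will see once the OAB catches up.
Test-GalCertificate -Mail 'colleague@example.com' | Format-List
```

If UsableForMail is false, the individual columns say why: an expired NotAfter means the colleague has to publish the new certificate, a CertEmail that differs from the address in the GAL means Outlook will complain about the recipient, and ChainErrors containing UntrustedRoot points at the missing CA certificate from the Untrusted Certificate section above. Because this reads Active Directory directly, it is not affected by the OAB delay described earlier; a certificate visible here may still take a while to appear in Outlook.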

Wrong Certificate in Contacts

Problem: I want to encrypt, but I get an error when sending.

Solution: A common situation is that we have a contact for a colleague stored in our personal contacts. When creating a message and typing the name, personal contacts are searched first, and only then the GAL. Moreover, after the first use the address is stored in the nickname (autocomplete) cache, and that entry is used from then on. If the personal contact holds an old certificate or none at all, we will not be able to encrypt.

The solution is simple. When creating a message, we select the recipient from the GAL. This means clicking the To button and finding the person in the GAL directory. Then this correct contact will be used.

Comments
  1. [1] Kadeřábková Zd.

    How do I decrypt an e-mail page?

    Friday, 11.04.2014 14:04
  2. [2] Karvaš J.

    How do I archive an encrypted sent Outlook message in msg format as unencrypted (so that it can later be opened without having to decrypt it)?

    Wednesday, 02.02.2022 13:59