S/MIME certificates seem not trusted

09 Mar ‘23

When sending or receiving S/MIME digitally signed and/or encrypted emails, these emails will only be trusted when the CA trust chain of the certificate is itself trusted.

These CA trust chains must be present on the mail client side whether you use Windows, Mac or Linux. With Mail on macOS or Outlook for Windows or Mac, this means that the CA trust chain is present and trusted in the local certificate store or keychain. With Thunderbird, the CA trust chain must be imported into the mail client itself, because Thunderbird uses its own certificate store rather than the operating system's.

Publicly trusted Certificate Service Providers, such as DigiCert, QuoVadis, GlobalSign and Sectigo, will virtually always already be present as trusted on your device.

When S/MIME certificates are issued by a private corporate CA, your admin will have ensured that the trust chain is trusted on company devices. Parties outside your company, however, will rightfully not trust these privately issued S/MIME certificates.

There is one notable exception: when using Outlook for mobile, Outlook on the web (OWA) or Exchange Online (Office 365), both public and private CA trust chains must be present on the mail server side. An on-premises Exchange server will have this trust present, but Office 365 will not.

Outlook for mobile obtains its trust from the Exchange server it connects to, so your admin must ensure the trust chain is present there, especially on Office 365.
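The following is an added example, not part of the original article, that shows the effect described above with the openssl command-line tool: it builds a throwaway private CA (a stand-in for a corporate CA, constructed here), issues an S/MIME signing certificate to a constructed mailbox, signs a constructed message, and then verifies the signature once with that CA in the trust store and once with a store that lacks it. It also prints the issuer of the signer certificate, which is the CA an admin has to add to a client or to Office 365. All names, files and the mailbox address are assumptions made for this example; the script requires only the openssl CLI.

```shell
#!/bin/sh
# Added example (not part of the original article): demonstrates that an S/MIME
# signature is only trusted when the issuing CA is in the verifier's trust store.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
# The v3_ca and v3_smime sections are assumed, hypothetical profiles.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_smime]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.invalid
EOF

# make_ca <name> <prefix>: self-signed root, modelling a private corporate CA
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config req.cnf -extensions v3_ca -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

make_ca "Example Corp Private CA" corp       # the CA that issues the mailbox cert
make_ca "Unrelated Root" unrelated           # models a trust store lacking the corp CA

# Leaf S/MIME certificate for a constructed mailbox, issued by the corp CA
openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
  -subj "/CN=Alice Example/emailAddress=alice@example.invalid" \
  -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA corp.pem -CAkey corp.key -CAcreateserial \
  -days 30 -extfile req.cnf -extensions v3_smime -out alice.pem 2>/dev/null

# Constructed message, signed with the leaf certificate (detached multipart/signed)
printf 'Subject: test\r\n\r\nhello\r\n' > msg.txt
openssl smime -sign -in msg.txt -signer alice.pem -inkey alice.key -out signed.eml

# verify_with_store <ca-bundle>: exit 0 when the signature chains to a root in the bundle
verify_with_store() {
  openssl smime -verify -in signed.eml -CAfile "$1" -out /dev/null 2>/dev/null
}

# signer_issuer: prints the issuer of the signer cert embedded in the message,
# i.e. the CA that a mail client or Office 365 must trust for this sender
signer_issuer() {
  openssl smime -pk7out -in signed.eml | openssl pkcs7 -print_certs -noout \
    | sed -n 's/^issuer=//p' | head -n 1
}

if verify_with_store corp.pem; then echo "trusted:   corp CA present in store"; fi
if ! verify_with_store unrelated.pem; then echo "untrusted: corp CA missing from store"; fi
echo "CA that must be trusted: $(signer_issuer)"
```

The second verification is what a client that lacks the private CA (or Office 365 without the admin's trust configuration) sees: the signer certificate itself is valid and included in the message, but the chain cannot be completed to a trusted root, so the message is reported as untrusted. The `signer_issuer` output is the name to look for when deciding which CA certificate to import.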

To ensure Office 365 contains the proper CA trusts, follow this guide.