Outlook 2016: Multiple accounts, certificates only for one

certificatemicrosoft-outlookmicrosoft-outlook-2016office365smime

This question has ben asked before but yet never answered.
I have set up my Outlook 2016 with three different Mail accounts:

name@domain1.com (commertial, office365)
name@hotmail.com (personal, outlook.com account)
name@domain2.com (another company, office365)

The commertial account name@domain1.com now requires that the outgoing mails are signed with a S/MIME certificate.
So I set up a certificate from COMODO, imported that into the trust center in outlook and everything seems to work fine.

The problem now is that the other two accounts name@hotmail.com and name@domain2.com dont need to be signed. Since I ticked the option "add digital signature to outgoing mails" in the trust center, outlook thinks I want to add a digital signature to every mail of every account. So it pops up a prompt everytime I want to send a mail from one of those two unsigned accounts. Setting it up to send it unsigned will send the mail, altough it wil promt it again the next time.

One option would be to untick "add digital signature to outgoing mails" in the trusting center but then the signing-option is turned off for the signed account. Ticking it for every mail manually is very unhandy…

So is there a way to set up outlook to ignore the signature for the two unsigned accounts or to tick the signing for outgoing mail from one single account by default?

Best Answer

The short answer I believe is no. This is setting is a profile setting, so all mail accounts on the same profile will inherit it. You could setup different profiles for each account, but that will require you close and restart outlook to access those accounts.

Two other methods that may work:

VBA/Macros - Use these to create messages withs specific settings applied
Outlook custom message templates. I did look at the available fields but didn't notice any for SMIME. I don't really use custom template so may have overlooked it or it may need to be implemented or access in some other way.

Related Solutions

Windows – Creating a signing certificate for Outlook 2010 under Windows 7

I was using the Microsoft tool makecert for this.

First you need to create a CA (Certificate Authority) key:

makecert -pe -n "CN=My Root CA" -ss root -a sha512 -sky signature -len 2048 -h 1 -cy authority -r my_ca.cer
# -pe: Mark private key as exportable - useful for backup.
# -n "CN=My Root CA": The name of the certificate. Please use an individual name and replace the "My" with your full name.
# -ss root: The store where makecert shall place the certificate (Root certificates store).
# -a sha512: The signature algorithm to use. Right now SHA512 is the maximum available.
# -sky signature: The key type (signature, not exchange).
# -len 2048: Key length in bits. You might consider generating a longer key.
# -h 1: Maximum height of the tree below this certificate. I don't use sub-CAs, so I hope that 1 is the correct value.
# -cy authority: Certificate type is CA, not end-entity.
# -r: Create a self signed certificate.
#  my_ca.cer: Name of the file to which the generated public key will be written.

Now you need to create the certificate(s) for mail signing. In your case you will start with only one certificate for you:

makecert -pe -n "E=my.mail@addre.ss,CN=My eMail Signing" -a sha512 -sky exchange -cy end -ss my -eku 1.3.6.1.5.5.7.3.4 -in "My Root CA" -is root -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048 my_email.cer 
# -pe:Mark private key as exportable - useful for backup.
# -n "E=my.mail@addre.ss,CN=My eMail Signing": Name of the certificate. This must contain your mail address in the E entry and your name in the CN entry. You should give a useful CN, so please replace My with your full name.
# -a sha512: The signature algorithm to use. Right now SHA512 is the maximum available.
# -sky exchange: The key type (exchange, not signature).
# -cy end: Certificate type is end-entity, not CA.
# -ss my: The store where makecert shall place the certificate (My certificates store).
# -eku 1.3.6.1.5.5.7.3.4: Enhanced key usage "E-mail protection"
# -in "My Root CA": Name of the CA used to sign the generated key. Must be the same as given in "-n" in the above call to makecert.
# -is root: Store where the CA key can be found.
# -sp "Microsoft RSA SChannel Cryptographic Provider": Name of the CryptoAPI provider to use.
# -sy 12: Type of the CryptoAPI provider.
# -len 2048: Key length in bits. You might consider generating a longer key.
# my_email.cer: Name of the file to which the generated public key will be written.

The private and public keys will be written to the user's certificate stores (in the registry) and can be used immediately. The public keys will be written to the given files.

On your computer you can immediately select the mail signing certificate in your mail program. To give your public keys to others you can give them a copy of your public keys. For full trust they might need to import your CA key into their certificate store.

Outlook 2013, multiple email accounts and encrypted email: Only last S/MIME settings used

I just found the answer for this:

File > Options > Trust Center > Trust Center Settings > E-mail Security > Settings

Create a new "Security Settings Name" for each of your certificates. When you send a signed or encrypted mail, just make sure the certificate selection is set on "automatic" in:

Properties > Security Settings

Best Answer

Related Solutions

Windows – Creating a signing certificate for Outlook 2010 under Windows 7

Outlook 2013, multiple email accounts and encrypted email: Only last S/MIME settings used

Related Question