Exchange Server 2007: Publish S/MIME certificates for external contacts to AD

If you ever wished to use S/MIME for e-mail encryption with an external recipient, you would add the recipient to your Contacts folder. This was typically done by having the recipient send you a digitally signed item and then right click on the recipient in the From field and click "Save to Contacts".

This solution was difficult for Helpdesk and Administration personnel to manage, as only the mailbox user (or someone logged on as the user) could modify the Contacts. Rather than a warning that the certificate in the contact had expired, the user would see somewhat cryptic error messages when attempting to send a signed/encrypted message. Having seen a growing interest from customers regarding how to decrease administrative overhead associated with handling these issues (Helpdesk tickets, etc.), customers have requested information regarding how to save a remote recipient's public key to an AD Contact, so that it can be updated once, and addressed in Outlook via the Global Address List (GAL).

A quick look at an AD contact vs. an AD user in Active Directory Users and Computers (ADUC) shows a vastly different experience with respect to certificates - there is essentially nothing exposed in the UI for the contact (on the left), while the user object has a rich certificate interface (on the right):[…]
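Since ADUC exposes no certificate UI for a contact, the attribute has to be written directly. The script below is an added example for this post, not the article's own procedure: it loads a recipient's public certificate from a .cer file, refuses to publish it unless it is currently valid and carries the Secure Email EKU (the expiry case is the one that otherwise surfaces as the cryptic send error described above), and then writes the DER bytes into the contact's userCertificate attribute, which is where Outlook looks when it resolves a GAL entry for S/MIME. The file path and the contact's distinguished name are placeholders.

```powershell
# Added example (not from the original article): publish an external recipient's
# S/MIME public certificate to an existing AD contact via the userCertificate attribute.
# Assumptions: the .cer path and the contact DN below are placeholders for your environment.
param(
    [string]$CertPath  = 'C:\certs\partner-recipient.cer',                                 # assumed path
    [string]$ContactDn = 'CN=Partner Recipient,OU=External Contacts,DC=example,DC=com'   # assumed DN
)

# A .cer file holds only the certificate and public key, never a private key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Refuse to publish a certificate that is expired or not yet valid; a stale key in the
# GAL is what produces the unhelpful error when a user tries to encrypt to the recipient.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $($cert.Thumbprint) is not valid at $now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}

# Require the Secure Email EKU (OID 1.3.6.1.5.5.7.3.4) so that an unrelated certificate,
# such as a web server certificate, is not published as an S/MIME key by mistake.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasSecureEmail = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' })
if (-not $hasSecureEmail) {
    throw "Certificate $($cert.Thumbprint) does not carry the Secure Email EKU; not publishing it."
}

# Bind to the contact with ADSI and store the DER-encoded certificate. Put replaces any
# previously published value, which is the behaviour wanted when a renewed certificate arrives.
$contact = [ADSI]"LDAP://$ContactDn"
$der = $cert.GetRawCertData()   # byte[] of the DER-encoded certificate
$contact.Put('userCertificate', $der)
$contact.SetInfo()

Write-Host "Published certificate $($cert.Thumbprint) (expires $($cert.NotAfter)) to $ContactDn"
```

Run it from a session that has write access to the contact object; after the directory change replicates and the Offline Address Book is regenerated, Outlook resolves the GAL entry with the new key, and renewing the recipient's certificate later is a matter of re-running the script with the new .cer file rather than touching every user's Contacts folder.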
