https://www.soumu.go.jp/main_content/000715550.pdf
https://www.soumu.go.jp/main_content/000733512.pdf
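# Write the OpenSSL request configuration. The delimiter is quoted so the
# shell does not expand $ or backticks that may appear in real field values.
# "prompt = no" makes openssl take the subject from the [ dn ] section.
cat << 'EOF' > csr.conf
[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
string_mask = utf8only

[ dn ]
C = JP
ST = Tokyo
O = Company Name
organizationIdentifier = NTRJP-1234-56-789012
CN = Your Name
emailAddress = email@example.com
EOF

# Interactive variant (no config file), kept for reference:
#openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr

# Generate the key pair and the CSR from csr.conf.
# -nodes leaves private.key unencrypted on disk, so the subshell sets
# umask 077 to create the file readable by its owner only.
(
  umask 077
  openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr -config csr.conf
)

## Prompts shown by the interactive variant:
## Country Name (2 letter code) [AU]:
## State or Province Name (full name) [Some-State]:
## Locality Name (eg, city) []:
## Organization Name (eg, company) [Internet Widgits Pty Ltd]:
## Organizational Unit Name (eg, section) []:
## Common Name (e.g. server FQDN or YOUR name) []:
## Email Address []:

# Review the request before submitting it: full dump, then the subject with
# numeric OIDs so organizationIdentifier (2.5.4.97) can be checked.
openssl req -in request.csr -noout -text
openssl req -in request.csr -noout -subject -nameopt oid
## subject=2.5.4.6=JP, 2.5.4.8=Tokyo, 2.5.4.10=Company Name, 2.5.4.97=NTRJP-1234-56-789012, 2.5.4.3=Your Name, 1.2.840.113549.1.9.1=email@example.com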
Send the generated CSR (request.csr) to your Certificate Authority (CA) to receive the certificate (e.g., .crt or .p7b). Only the CSR is submitted; private.key stays on the machine where it was generated.
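# Check that the CA's PKCS#7 bundle parses, without writing any output.
openssl pkcs7 -print_certs -in certificate.p7b -noout

# Extract every certificate in the bundle to a single PEM file.
openssl pkcs7 -print_certs -in certificate.p7b -out certificates.pem

# Inspect the result. openssl x509 reads only the first certificate in the
# file; check its subject, e-mail address, issuer and validity dates before
# building the PKCS#12 file from it.
openssl x509 -in certificates.pem -text -noout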
PEM PKCS#7 requires line breaks; a single-line file causes parse errors as shown below:
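## unable to load PKCS7 object
## 4000EE99999F0000:error:0440004C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:792:Expecting: PKCS7

# Re-wrap a PKCS#7 PEM file that was flattened onto one line: take the text
# between the BEGIN/END markers, strip all whitespace from it, and print it
# back as 64-character lines between the markers.
awk '
BEGIN { b = "-----BEGIN PKCS7-----"; e = "-----END PKCS7-----" }
{
  i = index($0, b)
  j = index($0, e)
  # Skip lines that do not hold a complete BEGIN...END pair; without this
  # guard a blank or stray line would emit an empty PKCS7 block.
  if (i == 0 || j <= i) next
  s = substr($0, i + length(b), j - i - length(b))
  gsub(/[[:space:]]/, "", s)
  print b
  for (k = 1; k <= length(s); k += 64) print substr(s, k, 64)
  print e
}' broken.p7b > fixed.p7b

# Confirm the repaired file parses:
#openssl pkcs7 -print_certs -in fixed.p7b -noout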
# Bundle the private key and the issued certificate(s) into a PKCS#12 file
# for import into the mail client. The export password protects the private
# key inside smime.p12, so choose a strong one. private.key itself is still
# unencrypted on disk after this step; store or remove it accordingly.
openssl pkcs12 -export -inkey private.key -in certificates.pem -out smime.p12
## Enter Export Password:
## Verifying - Enter Export Password:
Outlook Client:
https://support.microsoft.com/en-us/office/set-up-outlook-to-use-s-mime-encryption-2e57e4bd-4cc2-4531-9a39-426e7c873e26
Exchange Online:
https://learn.microsoft.com/powershell/exchange/exchange-online-powershell
https://learn.microsoft.com/powershell/module/exchangepowershell/
https://learn.microsoft.com/exchange/security-and-compliance/smime-exo/configure-smime-exo
https://techcommunity.microsoft.com/blog/exchange/how-to-configure-smime-in-office-365/584516
https://qiita.com/takanori_izumi/items/8922ae98d59dd045873e
## Check the issuer of the certificate associated with the email address
## (the issuer shown here identifies which CA certificates to export below)
(Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Subject -like "*email@example.com*"}).Issuer
## Alternative: export the CA and root certificates to two separate SST files
#Get-ChildItem Cert:\CurrentUser\CA | Where-Object {$_.Subject -like "*Sectigo Public Email Protection CA R36*"} | Export-Certificate -FilePath "smime-ca.sst" -Type SST
#Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Subject -like "*Sectigo Public Email Protection Root R46*"} | Export-Certificate -FilePath "smime-root.sst" -Type SST
## Export the required CA and root certificates to a single SST
## The Subject filters name one example CA chain; use the issuer reported by the check above.
## A -like wildcard can match more than one certificate. Review $certs (Subject, Thumbprint,
## NotAfter) before exporting: smime.sst is what gets uploaded as the organization's
## S/MIME issuing-CA list further down.
$certs = @()
$certs += Get-ChildItem Cert:\CurrentUser\CA | Where-Object {$_.Subject -like "*Sectigo Public Email Protection CA R36*"}
$certs += Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Subject -like "*Sectigo Public Email Protection Root R46*"}
$certs | Export-Certificate -FilePath "smime.sst" -Type SST
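## Install the Exchange Online PowerShell module
## (the -Scope CurrentUser variant installs for the current user only)
Install-Module -Name ExchangeOnlineManagement
#Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser

## Temporarily allow local PowerShell scripts to run in the current session
## (-Scope Process: the setting ends with this PowerShell process)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process

## Connect to Exchange Online
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

## Check current settings
## Get-Command confirms that Set-SmimeConfig is available in the connected session
Get-Command Set-SmimeConfig
Get-SmimeConfig
## SMIMECertificateIssuingCA :
## SMIMECertificatesExpiryDate :
## SMIMEExpiredCertificateThumbprint :
## OWASigningAlgorithms : 8004
## OWAAllowUserChoiceOfSigningCertificate : False
## OWAIncludeCertificateChainWithoutRootCertificate : False
## Note: OWASigningAlgorithms 8004 is the algorithm ID for SHA-1.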
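## Upload the S/MIME certificate chain configuration
## .NET file APIs resolve a relative path against the process working directory,
## which can differ from the current PowerShell location. Resolve the path first
## so the smime.sst that is read is the one exported above.
$sstPath = (Resolve-Path -LiteralPath 'smime.sst').ProviderPath
## NOTE(review): the parameter takes the whole SST as one value, so it presumably
## replaces any previously uploaded CA list - confirm before running against a
## tenant that already has one.
Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes($sstPath))
## Confirm the uploaded certificate
Get-SmimeConfig
## SMIMECertificateIssuingCA : {0, 0, 0, 0...}
## SMIMECertificatesExpiryDate : 2099/12/31 23:59:59
## SMIMEExpiredCertificateThumbprint : AABBCCDDEEFF11223344556677889900AABBCCDD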
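## Configure the signing algorithm to SHA256
## (800C is the algorithm ID for SHA-256)
Set-SmimeConfig -OWASigningAlgorithms 800C

## Allow users to select their preferred signing certificate (as needed)
Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $true
#Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $false

## Include the certificate chain without the root certificate (as needed)
#Set-SmimeConfig -OWAIncludeCertificateChainWithoutRootCertificate $true
#Set-SmimeConfig -OWAIncludeCertificateChainWithoutRootCertificate $false

## Include S/MIME capabilities in outgoing messages (as needed)
#Set-SmimeConfig -OWAIncludeSMIMECapabilitiesInMessage $true
#Set-SmimeConfig -OWAIncludeSMIMECapabilitiesInMessage $false

## Disconnect the current Exchange Online
Disconnect-ExchangeOnline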
## An error occured while sending this S/MIME message. The certificate used to sign this message isn't trusted by your organization.
Upload the SST file with Set-SmimeConfig as described in the steps above, then wait a while for the configuration to take effect
## Mail was unable to verify the authenticity of the S/MIME certificate
Gmail does not support verification of S/MIME signatures from Outlook on the Web (OWA)