OpenSSL

https://www.soumu.go.jp/main_content/000715550.pdf
https://www.soumu.go.jp/main_content/000733512.pdf

  • organizationIdentifier Format:
    • eIDAS(Sectigo) = NTRJP-1234-56-789012
    • Japanese Guidelines = NTRJP-1234567890123

cat << EOF > csr.conf
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
string_mask        = utf8only

[ dn ]
C  = JP
ST = Tokyo
O  = Company Name
organizationIdentifier = NTRJP-1234-56-789012
CN = Your Name
emailAddress = email@example.com
EOF
## Without -config, openssl req prompts for the subject fields of the default openssl.cnf, which has no organizationIdentifier field:
#openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr
## Country Name (2 letter code) [AU]:
## State or Province Name (full name) [Some-State]:
## Locality Name (eg, city) []:
## Organization Name (eg, company) [Internet Widgits Pty Ltd]:
## Organizational Unit Name (eg, section) []:
## Common Name (e.g. server FQDN or YOUR name) []:
## Email Address []:
## With -config csr.conf (prompt = no), the whole subject including organizationIdentifier is taken from the file:
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr -config csr.conf
openssl req -in request.csr -noout -text
openssl req -in request.csr -noout -subject -nameopt oid
## subject=2.5.4.6=JP, 2.5.4.8=Tokyo, 2.5.4.10=Company Name, 2.5.4.97=NTRJP-1234-56-789012, 2.5.4.3=Your Name, 1.2.840.113549.1.9.1=email@example.com
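As an added check that is not part of the original page, this Python script (stdlib only, function names are assumptions) parses the `-nameopt oid` subject line shown above and validates the organizationIdentifier against the two formats listed at the top of the page; the patterns are derived from the page's sample values, not from a standard.

```python
import re

# OID -> short name for the attributes used in csr.conf above
OID_NAMES = {
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.97": "organizationIdentifier", "2.5.4.3": "CN",
    "1.2.840.113549.1.9.1": "emailAddress",
}

# Patterns derived from the two sample values on this page: the Sectigo/eIDAS
# layout hyphenates the registration number (4-2-6 digits), the Japanese
# guideline uses the bare 13-digit corporate number.
ORG_ID_FORMATS = {
    "eIDAS (Sectigo)": re.compile(r"^NTRJP-\d{4}-\d{2}-\d{6}$"),
    "Japanese Guidelines": re.compile(r"^NTRJP-\d{13}$"),
}

def parse_oid_subject(line: str) -> dict:
    """Parse 'subject=2.5.4.6=JP, 2.5.4.8=Tokyo, ...' into {name: value}."""
    body = line.strip()
    if body.startswith("subject="):
        body = body[len("subject="):]
    attrs = {}
    # Split only on ', ' followed by another 'oid=' so 'Company, Inc.' survives
    for part in re.split(r", (?=\d+(?:\.\d+)+=)", body):
        oid, _, value = part.partition("=")
        attrs[OID_NAMES.get(oid, oid)] = value
    return attrs

def check_org_identifier(value: str):
    """Return the name of the format the value matches, or None."""
    for name, pattern in ORG_ID_FORMATS.items():
        if pattern.match(value):
            return name
    return None

def verify_csr_subject(line: str, expected_org_id: str) -> list:
    """Return the problems found in a subject line (empty list if clean)."""
    attrs = parse_oid_subject(line)
    problems = []
    for required in ("C", "O", "organizationIdentifier", "CN", "emailAddress"):
        if required not in attrs:
            problems.append(f"missing {required}")
    org_id = attrs.get("organizationIdentifier", "")
    if org_id != expected_org_id:
        problems.append(f"organizationIdentifier {org_id!r} != {expected_org_id!r}")
    elif check_org_identifier(org_id) is None:
        problems.append(f"organizationIdentifier {org_id!r} matches neither format")
    return problems
```

Run it on the output of `openssl req -in request.csr -noout -subject -nameopt oid` before sending the CSR to the CA, so a mistyped identifier is caught locally rather than by the CA's validation.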

Send the generated CSR to your Certificate Authority (CA) to receive the certificate (e.g., .crt or .p7b)

openssl pkcs7 -print_certs -in certificate.p7b -noout
openssl pkcs7 -print_certs -in certificate.p7b -out certificates.pem
openssl x509 -in certificates.pem -text -noout

Troubleshooting - Single-Line PKCS#7 PEM Formatting

OpenSSL's PEM reader expects the BEGIN/END markers on their own lines with the base64 body wrapped in between; a file with everything on one line fails with "no start line" as shown below:

## unable to load PKCS7 object
## 4000EE99999F0000:error:0440004C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:792:Expecting: PKCS7
awk 'BEGIN{b="-----BEGIN PKCS7-----";e="-----END PKCS7-----"}
{i=index($0,b);j=index($0,e);s=substr($0,i+length(b),j-i-length(b));gsub(/[[:space:]]/,"",s)
print b;for(k=1;k<=length(s);k+=64)print substr(s,k,64);print e}' broken.p7b > fixed.p7b
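The awk one-liner above handles exactly one blob on one line. As an added example (not the page's own tooling; function names and the sample are constructed), this Python version generalizes it to CRLF endings, stray whitespace and several blocks in one file, and rejects a body that does not decode to DER SignedData before rewrapping it at 64 columns.

```python
import base64
import re

PKCS7_BEGIN = "-----BEGIN PKCS7-----"
PKCS7_END = "-----END PKCS7-----"
# DER encoding of id-signedData (1.2.840.113549.1.7.2), the content type a
# PKCS#7 certificate bundle (.p7b) announces in its outer ContentInfo
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

def extract_pkcs7_der(text: str) -> list:
    """Return the DER bytes of every PKCS7 block in text, however it is wrapped."""
    bodies = re.findall(re.escape(PKCS7_BEGIN) + r"(.*?)" + re.escape(PKCS7_END),
                        text, re.S)
    if not bodies:
        raise ValueError("no PKCS7 block found")
    blobs = []
    for body in bodies:
        b64 = re.sub(r"\s+", "", body)              # single-line, CRLF, stray spaces
        der = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
        # shape check only: outer SEQUENCE carrying the signedData OID
        if der[:1] != b"\x30" or SIGNED_DATA_OID not in der:
            raise ValueError("block is not a DER SignedData ContentInfo")
        blobs.append(der)
    return blobs

def normalize_pkcs7_pem(text: str) -> str:
    """Rewrite text as PEM with the base64 body wrapped at 64 columns."""
    out = []
    for der in extract_pkcs7_der(text):
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("\n".join([PKCS7_BEGIN, *lines, PKCS7_END]))
    return "\n".join(out) + "\n"

# Constructed sample so the file is self-contained: a minimal SEQUENCE holding
# the signedData OID plus 80 bytes of padding, so that its base64 form spans
# more than one 64-column line. A real .p7b body is several kilobytes.
SAMPLE_DER = b"\x30\x5d" + SIGNED_DATA_OID + b"\x04\x50" + bytes(80)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
BROKEN_P7B = PKCS7_BEGIN + SAMPLE_B64 + PKCS7_END   # everything on one line

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_P7B
    sys.stdout.write(normalize_pkcs7_pem(src))
```

`python fix_p7b.py broken.p7b > fixed.p7b` then gives a file that `openssl pkcs7 -print_certs` accepts; the sample DER is only structurally valid, so it will not pass OpenSSL's full parser.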
openssl pkcs12 -export -inkey private.key -in certificates.pem -out smime.p12
## Enter Export Password:
## Verifying - Enter Export Password:

Outlook Client:
https://support.microsoft.com/en-us/office/set-up-outlook-to-use-s-mime-encryption-2e57e4bd-4cc2-4531-9a39-426e7c873e26

Exchange Online:
https://learn.microsoft.com/powershell/exchange/exchange-online-powershell
https://learn.microsoft.com/powershell/module/exchangepowershell/
https://learn.microsoft.com/exchange/security-and-compliance/smime-exo/configure-smime-exo
https://techcommunity.microsoft.com/blog/exchange/how-to-configure-smime-in-office-365/584516
https://qiita.com/takanori_izumi/items/8922ae98d59dd045873e

## Check the issuer of the certificate associated with the email address
(Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Subject -like "*email@example.com*"}).Issuer
## Alternative: export the CA and root certificates to separate SST files
#Get-ChildItem Cert:\CurrentUser\CA | Where-Object {$_.Subject -like "*Sectigo Public Email Protection CA R36*"} | Export-Certificate -FilePath "smime-ca.sst" -Type SST
#Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Subject -like "*Sectigo Public Email Protection Root R46*"} | Export-Certificate -FilePath "smime-root.sst" -Type SST
## Export the required CA and root certificates to SST
$certs = @()
$certs += Get-ChildItem Cert:\CurrentUser\CA | Where-Object {$_.Subject -like "*Sectigo Public Email Protection CA R36*"}
$certs += Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Subject -like "*Sectigo Public Email Protection Root R46*"}
$certs | Export-Certificate -FilePath "smime.sst" -Type SST
## Install the Exchange Online PowerShell module
Install-Module -Name ExchangeOnlineManagement
#Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
## Temporarily allow local PowerShell scripts to run in the current session
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
## Connect to Exchange Online
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
## Check current settings
Get-Command Set-SmimeConfig
Get-SmimeConfig
## SMIMECertificateIssuingCA                        :
## SMIMECertificatesExpiryDate                      :
## SMIMEExpiredCertificateThumbprint                :
## OWASigningAlgorithms                             : 8004
## OWAAllowUserChoiceOfSigningCertificate           : False
## OWAIncludeCertificateChainWithoutRootCertificate : False
## Upload the S/MIME certificate chain configuration
## [System.IO.File] resolves a relative path against the process working directory, which can differ from the PowerShell location; use an absolute path if the file is not found
Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes('smime.sst'))
## Confirm the uploaded certificate
Get-SmimeConfig
## SMIMECertificateIssuingCA                        : {0, 0, 0, 0...}
## SMIMECertificatesExpiryDate                      : 2099/12/31 23:59:59
## SMIMEExpiredCertificateThumbprint                : AABBCCDDEEFF11223344556677889900AABBCCDD
## Configure the signing algorithm to SHA256
Set-SmimeConfig -OWASigningAlgorithms 800C
  • OWASigningAlgorithms
    • 8004: SHA1 or 160-bit SHA-1
    • 800C: CALG_SHA_256 or 256-bit SHA
## Allow users to select their preferred signing certificate (as needed)
Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $true
#Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $false
## Include the certificate chain without the root certificate (as needed)
#Set-SmimeConfig -OWAIncludeCertificateChainWithoutRootCertificate $true
#Set-SmimeConfig -OWAIncludeCertificateChainWithoutRootCertificate $false
## Include S/MIME capabilities in outgoing messages (as needed)
#Set-SmimeConfig -OWAIncludeSMIMECapabilitiesInMessage $true
#Set-SmimeConfig -OWAIncludeSMIMECapabilitiesInMessage $false
## Disconnect the current Exchange Online
Disconnect-ExchangeOnline

Troubleshooting - Certificate is Not Trusted

## An error occured while sending this S/MIME message. The certificate used to sign this message isn't trusted by your organization.

Import the SST certificate using the steps above and wait for a while until the configuration is applied

Troubleshooting - Gmail S/MIME Verification Failure

## Mail was unable to verify the authenticity of the S/MIME certificate

Gmail does not support verification of S/MIME signatures from Outlook on the Web (OWA)


  • Last modified: 2026/05/07 02:09
  • by Daiphys