Email Encryption for Outlook for Mac

The IST Security Operations Center has a self-serve webpage where you can request an S/MIME Personal Sign certificate to allow for digital signing and email encryption.

Important: The certificate must be issued to the same email address you send from. If you have a friendly email address, enter it (e.g. firstname.lastname@uwaterloo.ca) in the Full Email address field; otherwise enter username@uwaterloo.ca. (Your username is your 8-character UWaterloo username, e.g. j25rober.)

To request a GlobalSign S/MIME certificate, please refer to the article https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/269156772. It may take several business days for the certificate to be issued.

  1. PersonalSign Installation - Step 1: Download Your Certificate

    1. You will receive an email from “no_reply@globalsign.com” with a link to download your certificate.

    2. You will need to enter the password you set during the application request to download the digital certificate. If you have lost or forgotten the password, a new S/MIME certificate request must be submitted.

    3. Save the certificate to a secure location (e.g. OneDrive or N-drive) that you can access again if needed. You normally only install the certificate once per device, but you will need it again if you purchase a new computer or if a repair of your machine requires a fresh install of the OS and software.

  2. Mac OSX: removing a certificate. Complete these steps ONLY if you need to replace or repair an existing certificate, that is:
    - to remove an old certificate before installing a replacement certificate, or
    - to remove a certificate if an incorrect password was entered when trying to install it.

    1. Close Outlook for Mac.

    2. Open the Keychain Access system utility on your Mac.

    3. Click login at upper-left of the navigation menu, then click the My Certificates filter along the top of the window.

    4. [Control]+click (or right-click) the certificate with [Your Name] on it, then click Delete “[Your Name]” from the pop-up menu.

    5. Click the Delete button in the “Are you sure…?” prompt window.

    6. When prompted for admin authorization type in your Mac account admin password or press the TouchID button on your Mac.

    7. Quit the Keychain Access system utility application.

  3. Mac OSX: install the new certificate

    1. Switch to Finder and locate your certificate file “MPSYYYYMMDD######.pfx”

    2. Double-click on the certificate file.

    3. Type or copy & paste in the certificate password when prompted, then click OK or press [return] on your keyboard.

    4. The Keychain Access system utility application will open.

    5. [Control]+click (or right-click) your GlobalSign certificate in the right side of the Keychain Access window, then click Get Info from the pop-up menu.

    6. In the certificate Info window click the arrow at the left of Trust to show the list of Trust options.

    7. Change the When using this certificate setting from “Use System Defaults” to Always Trust.

    8. Close the Certificate Info window by clicking the red “X” dot at upper-left of the window.

    9. Quit the Keychain Access system utility application.

  4. Log out (or restart your computer) and then login to your Mac account once again. (Keychain Access login changes require a log out then login to become effective.)

  5. Enable digital signing and encryption in Outlook for Mac.

    1. Open Outlook for Mac.

    2. Click Tools then click Accounts (either via the Outlook menu bar or on the Outlook toolbar ribbon.)

    3. Select your Exchange/Office 365 account if you have multiple accounts set up.

    4. Confirm that the email address field matches the address listed in the certificate (e.g. username@uwaterloo.ca versus firstname.lastname@uwaterloo.ca). Edit the field to make it match if necessary.

    5. Click the “Advanced…” button at lower-right.

    6. Click the “Security” tab at the upper-right of the Advanced window.

    7. Digital signing:

      1. Certificate: select [Your Name]

      2. Signing algorithm: SHA-256

      3. Sign outgoing messages: when checked all email you send defaults to include a digital signature. You can uncheck this option if you prefer to manually enable your digital signature only when needed via the Options tab of an email message composition window.

    8. Encryption:

      1. Certificate: select [Your Name]

      2. Encryption algorithm: AES-256

    9. Certificate authentication:

      1. Client authentication: [Your Name]

    10. Click the OK button at lower-right to close the Advanced window.

    11. Close the Accounts window by clicking the red “X” dot at upper-left. This will also save any changes.

Note: To synch the certificate to the Global Address List on the Microsoft-hosted server, the S/MIME email certificate must also be installed on a Windows PC using Outlook for O365 for Windows.

6. Email Encryption for Outlook for Windows

  • Required to publish the public part of your digital certificate so that other people can send encrypted email messages back to you.

  • Required to use S/MIME email encryption with your digital certificate via the Outlook Web interface.

  • There are multiple Microsoft email servers that host uwaterloo mailboxes in Canadian data centres for improving email performance. It typically takes about 24 hours for your public certificate to synch across all the servers.

7. Send a test message

  a. Click the New Email button to compose a new email message.

  b. A pop-up window should prompt: Microsoft Outlook wants to sign using key “privateKey” in your keychain. To allow this, enter the “login” keychain password.

    i. Type in your Mac account login password.

    ii. Click the “Always Allow” button at lower-left to complete the keychain prompt window.

  c. Click the Options tab of the email window to view the Encryption and Digital Signing options.

    i. Sign (digitally sign your message) is enabled by default.

    ii. Click the Encrypt button to view the encryption options:

      *** Read the note above: these encryption options won’t function properly until you have published your public digital certificate to the email server. ***

      • Encrypt with S/MIME (default option)
      • Encrypt-Only
      • Do Not Forward
      • Confidential \ All employees
      • Highly Confidential \ All employees

  d. Click the Message tab to return to the standard email toolbar.

  e. Compose a test message and send it to yourself and/or a co-worker to confirm that encryption and digital signing are working properly.
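A quick Terminal check, before the Keychain import, that the downloaded .pfx was issued to the address Outlook will send from (the requirement in the Important note and in step 5.4), carries the S/MIME key usage, and is not about to expire. This is an added example, not part of the IST article or GlobalSign's tooling; it uses only the openssl CLI, and the self-signed .pfx, password and j25rober address it builds are constructed stand-ins for the real MPSYYYYMMDD######.pfx download.

```shell
#!/bin/sh
# Added example (not from the IST article): sanity-check an S/MIME .pfx before
# importing it into Keychain Access, using only the openssl CLI.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_pfx EMAIL PASSWORD OUT: constructed self-signed stand-in for the
# real MPSYYYYMMDD######.pfx so the checks below can run offline.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test User" \
    -addext "subjectAltName = email:$1" \
    -addext "extendedKeyUsage = emailProtection" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -passout "pass:$2" -out "$3" 2>/dev/null
}

# pfx_cert_text PFX PASSWORD: decode the user certificate (no private key) to text
pfx_cert_text() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -text 2>/dev/null
}

# pfx_email PFX PASSWORD: the rfc822 address in subjectAltName the cert was issued to
pfx_email() {
  pfx_cert_text "$1" "$2" | sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p' | head -n 1
}

# check_pfx PFX PASSWORD ACCOUNT_EMAIL: 0 only if the cert opens with PASSWORD, was
# issued to ACCOUNT_EMAIL, has the E-mail Protection EKU, and has >30 days left
check_pfx() {
  text=$(pfx_cert_text "$1" "$2" || true)
  [ -n "$text" ] || { echo "cannot open $1 (wrong password?)"; return 1; }
  issued=$(pfx_email "$1" "$2")
  [ "$issued" = "$3" ] || { echo "issued to '$issued' but account is '$3'"; return 1; }
  printf '%s\n' "$text" | grep -q 'E-mail Protection' \
    || { echo "certificate lacks the S/MIME (emailProtection) key usage"; return 1; }
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -checkend 2592000 >/dev/null \
    || { echo "certificate expires within 30 days"; return 1; }
  echo "OK: $1 is usable for $issued"
}

# Demo with constructed values; a real run points at the downloaded .pfx instead.
make_test_pfx "j25rober@uwaterloo.ca" "constructed-pw" "$WORK/test.pfx"
check_pfx "$WORK/test.pfx" "constructed-pw" "j25rober@uwaterloo.ca"
check_pfx "$WORK/test.pfx" "constructed-pw" "firstname.lastname@uwaterloo.ca"
```

The second check fails on purpose: it shows the mismatch you get when the account in Outlook uses the friendly address but the certificate was requested for the username form (or vice versa).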

Need help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.