Email Encryption for Outlook for Windows

The IST Security Operations Center has a self-serve webpage where you can request an S/MIME Personal Sign certificate to allow for digital signing and email encryption.

• New certificate requests and annual certificate renewals can be done by completing the form :The University of Waterloo branded GlobalSign hosted Client Certificate request page.

To request a GlobalSign S/MIME certificate, please refer to the article How to request and download a GlobalSign S/MIME certificate. It may take several business days for the certificate to be issued.

1. PersonalSign Installation - Step 1: Download Your Certificate

   1. You will receive an email from “no_reply@globalsign.com” with a link to download your certificate.

   2. You will need to enter the password you set during the application request to download the digital certificate. If you have lost or forgotten the password a request for a new S/MIME certificate needs to be submitted.

   3. Save the certificate to a secure location (i.e. OneDrive or N-drive) that you can access again if needed. You normally only install the certificate once per device, but you will need to use it again if you purchase a new computer or if a repair of your machine requires a fresh install of the OS and software.

2. Install the certificate onto your Windows computer

   1. PersonalSign Installation - Step 2: Locate & Install Your Certificate. Note: The Microsoft prompt windows may have a slightly different style (look & feel) depending on the Windows 10 display preferences set on your PC but each step and the text content will be the same.

3. Open Outlook for Windows and set up the new certificate

   1. Click the File tab at top-left of the Outlook window, then click Options towards the bottom of the left navigation menu list.

   2. Click Trust Center at the bottom of the left navigation list, then click the Trust Center Settings… button towards the upper-right of the MS-Outlook Trust Center settings page.

   3. Click Email Security mid-way down the left navigation list of Trust Center Settings, then click the Encrypted Email Settings… button at mid/upper-right.
      
      

      Open

      

       

   4. Set the Signing Certificate

      1. In the Change Security Settings window to the right of Signing Certificate click the Choose… button.

      2. The Windows Security – Select a Certificate window should list a GlobalSign personal certificate valid from the new request date for one year, e.g. Valid from: 2020-12-14 to 2021-12-15.

      3. If the valid date is older then click More choices at lower-left and select the more recent certificate.

      4. Click OK to close the Windows Security - Select a Certificate window.

      5. Under Signing Certificate set the Hash Algorithm to be SHA256 from the drop-down list.

   5. Set the Encryption Certificate

      1. To the right of Encryption Certificate click the Choose… button.

      2. If the valid date is for an old certificate then click More choices at lower-left and select the more recent certificate.

      3. Click OK to close the Windows Security - Select a Certificate window.

      4. Under Encryption Certificate set the Encryption Algorithm to be AES256 from the drop-down list.

      5. Click OK at lower-right to close the Change Security Settings window.
         
         

         Open

         

          

   6. On the Trust Center Email Security page now visible again click the Publish to GAL… button.

      1. It can take up to 24 hours for the certificate to fully sync as there are multiple email servers that manage UWaterloo email.

          

   7. Click the OK button at lower-right to save the settings and close the Trust Center window.

   8. Click the OK button at lower-right to save the settings and close the Outlook Options window.

   9. Open a new message and try sending an email that is signed. You may need to wait 24 hours to send an encrypted email message.

Related articles