A. Once a user's signing and encryption certificates (with their private keys) are installed in the user's personal certificate store, enabling S/MIME in Outlook is straightforward. To do so, perform these steps:

  1. Open Outlook and Select Options from the Tools menu.
  2. Select the Security tab and click Settings.
  3. If you're prompted to "Get a Digital ID," Outlook found no usable certificate in your personal store. Otherwise, the dialog box shows "My S/MIME Settings ()" as the Security Settings Name and S/MIME as the Cryptography Format, as Figure 14 shows.
  4. Click OK.

When an Outlook user sends email, the client displays two buttons that enable digital signing and encryption of messages, as Figure 15 shows.

When a user receives a digitally signed message, a ribbon icon appears in the message header (a padlock appears as well if the message is also encrypted). You can view the signature validation results by clicking the ribbon icon, as Figure 16 shows.

To send an encrypted message, the sender needs the recipient's public encryption certificate (and the recipient needs the sender's to reply encrypted). A digitally signed message carries the signer's certificate, so the usual bootstrap is for the sender to send a signed message, the recipient to reply with a signed message, and each party to add the other to Outlook Contacts, which stores the received certificate on the contact. If certificates are published in Active Directory (AD), where Exchange exposes them through the Global Address List, you can send an encrypted message to a recipient with no prior communication. If Outlook can't find a valid certificate for a recipient, it stops with an error message listing which recipients had missing or invalid certificates.

You might also see the error message if you're using Outlook 2003 in cached mode and you're trying to mail someone who only recently enrolled for a certificate (within the past 24 hours). Outlook 2003 in cached mode resolves recipients, and their published certificates, from the Offline Address Book (OAB), which it downloads only once every 24 hours. If you know the recipient does have a certificate, force a download of the latest copy of the OAB (Tools, Send/Receive, Download Address Book). You might also need to force a rebuild of the OAB on the Exchange server (which by default is regenerated each day at 4 A.M.). To force a rebuild, open Exchange System Manager (ESM), select Recipients, Offline Address Lists, right-click Default Offline Address List, and select Rebuild. Perform this rebuild before downloading the OAB from the Outlook client, otherwise the client simply fetches the old copy again.
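When Outlook reports a missing or invalid certificate, the quickest way to tell a publishing problem from a stale-OAB problem is to read the recipient's certificate straight out of AD and check it the way Outlook would. The following PowerShell script is an added example, not part of the original article or of any Microsoft tool. It assumes it runs on a domain-joined machine with read access to AD; the recipient address is a placeholder. It looks up the recipient's userCertificate and userSMIMECertificate attributes, and for each certificate checks the validity period, the Secure Email extended key usage, the keyEncipherment key usage that encryption requires, and whether the local machine can build a trusted chain.

```powershell
# Added example (not from the original article): inspect the certificate(s)
# Outlook would use to encrypt to a recipient, read live from AD rather than
# from the Offline Address Book, which may be up to a day old.
# Assumptions: domain-joined machine with read access to AD; the recipient
# address below is a placeholder.
param(
    [string]$Recipient = 'recipient@example.com'   # placeholder address
)

Add-Type -AssemblyName System.DirectoryServices

# id-kp-emailProtection (Secure Email) extended key usage OID.
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'

function Get-RecipientCertificate {
    param([string]$Mail)
    $root = New-Object System.DirectoryServices.DirectoryEntry       # current domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Match the primary SMTP address or any secondary proxy address.
    $searcher.Filter = "(&(objectCategory=person)(|(mail=$Mail)(proxyAddresses=smtp:$Mail)))"
    [void]$searcher.PropertiesToLoad.AddRange(@('userCertificate', 'userSMIMECertificate'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No AD object found for $Mail" }

    # userCertificate holds raw DER certificates; userSMIMECertificate holds a
    # PKCS#7 blob. X509Certificate2Collection.Import understands both.
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    foreach ($attr in 'userCertificate', 'userSMIMECertificate') {
        if (-not $result.Properties.Contains($attr)) { continue }
        foreach ($blob in $result.Properties[$attr]) {
            try { $certs.Import([byte[]]$blob) } catch { Write-Warning "Undecodable blob in $attr" }
        }
    }
    return $certs
}

function Test-SmimeEncryptionCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    $reasons = @()
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $reasons += 'outside validity period' }

    # Extended key usage: if present, it must include Secure Email.
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SecureEmailOid })) {
        $reasons += 'no Secure Email EKU'
    }

    # Key usage: encrypting the content-encryption key to this certificate needs keyEncipherment.
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -and -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)) {
        $reasons += 'key usage lacks keyEncipherment'
    }

    # Chain building uses this machine's trusted roots and revocation settings, as Outlook does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $reasons += (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    return $reasons
}

$found = Get-RecipientCertificate -Mail $Recipient
if ($found.Count -eq 0) {
    Write-Host "No certificate published in AD for $Recipient; Outlook will report a missing certificate."
    return
}
foreach ($c in $found) {
    $problems = Test-SmimeEncryptionCertificate -Cert $c
    $state = if ($problems.Count -eq 0) { 'usable for encryption' } else { "unusable: $($problems -join ', ')" }
    Write-Host ("{0}  expires {1:yyyy-MM-dd}  {2}" -f $c.Subject, $c.NotAfter, $state)
}
```

If the script reports a usable certificate but Outlook still complains, the client is resolving the recipient from an OAB that predates the certificate, and the rebuild-then-download sequence above is the fix. If the script finds no certificate, or only an unusable one, no amount of OAB refreshing will help: the recipient's certificate must be (re)published to AD first.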

As with digital signatures, if a message is encrypted, a padlock icon appears on the message header. Click the icon to display more information, as Figure 17 shows.