How to Generate a Certificate Signing Request (CSR) and Obtain a Certificate in PFX Format for S/MIME in Windows
Overview
By the end of this article, a Windows user will have an S/MIME email certificate installed in the local certificate store and configured in Microsoft Outlook for signing and encryption. The procedure covers seven steps: generate a Certificate Signing Request (CSR) using Windows Certificate Manager; submit the CSR to the Sectigo Certificate Authority (CA) through the Sectigo portal; complete email verification; collect the issued certificate in Public Key Cryptography Standard #7 (PKCS#7) format; import the certificate into Windows Certificate Manager; export the keypair as a Personal Information Exchange (PFX) file; and configure Microsoft Outlook to use the certificate for Secure/Multipurpose Internet Mail Extensions (S/MIME) signing and encryption.
What is an S/MIME certificate?
Secure/Multipurpose Internet Mail Extensions (S/MIME) is the email industry standard for digitally signing and encrypting messages between mail clients. An S/MIME certificate binds the sender’s email address to a public/private key pair issued by a trusted Certificate Authority (CA) such as Sectigo. The certificate proves the sender’s identity to recipients, protects message integrity through a digital signature, and — when the recipient also holds an S/MIME certificate — encrypts the message body so that only the intended recipient can read it. On Windows, the certificate is stored as a Personal Information Exchange (PFX) file that bundles the certificate and the private key into a single password-protected container.
Prerequisites
Gather the following before starting the procedure:
- A Windows workstation with administrator access to run Windows Certificate Manager (certmgr.msc).
- Microsoft Outlook 2016 or later installed and configured with the email account the certificate will protect.
- An active internet connection and access to the Sectigo portal (store.sectigo.com).
- An active Sectigo S/MIME (email) certificate order with the order number on hand.
- Access to the inbox of the email address that will appear in the certificate, so the verification email can be opened.
- Notepad or another plain-text editor to copy the CSR contents.
Steps
Step 1 — Generate the Certificate Signing Request (CSR)
Open Windows Certificate Manager and create a new CSR for the email address that the certificate will protect. The short procedure below summarizes the workflow; the linked Sectigo Knowledge Base article contains the full screen-by-screen walkthrough.
- Press Windows + R, type certmgr.msc, and press Enter to open Windows Certificate Manager.
- In Certificate Manager, right-click Personal, choose All Tasks, then Advanced Operations, then Create Custom Request.
- Select Proceed without enrollment policy and click Next.
- Choose (No template) Legacy key as the template, set the request format to PKCS #10, and click Next.
- Expand Details, click Properties, and on the Subject tab add a Common Name (your email address) and an E-mail attribute.
- On the Private Key tab, set the key size to 2048 bits and mark the key as exportable.
- Click OK, then Next, save the CSR as a Base 64 file (.csr or .txt), and finish the wizard.
For the full walkthrough, see: CSR Generation for E-Mail (S/MIME) Certificates Using Windows Certificate Manager
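The same request can be generated from PowerShell with certreq.exe, which makes the key parameters reviewable before anything is submitted. This is an added example, not Sectigo's documented procedure; the email address, working folder, key usage value and provider name are assumptions chosen to match the wizard settings listed above.

```powershell
# Added example: Step 1 scripted with certreq.exe and certutil.exe (both ship with Windows).
$email   = 'user@example.com'                      # placeholder address
$workDir = Join-Path $env:USERPROFILE 'smime-csr'  # hypothetical working folder
$infPath = Join-Path $workDir 'smime.inf'
$csrPath = Join-Path $workDir 'smime.csr'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
if (Test-Path $csrPath) { throw "$csrPath already exists; refusing to overwrite it" }

# Request policy mirroring the wizard: PKCS #10, 2048-bit exportable key,
# current-user context, legacy (CSP) key. Lines starting with ';' are INF comments.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$email,E=$email"
RequestType = PKCS10
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
; AT_KEYEXCHANGE, so the key can both sign and decrypt
KeySpec = 1
; Assumption (not stated on the page): digital signature + key encipherment
KeyUsage = 0xA0
; Assumption: one legacy CSP that supports 2048-bit RSA
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the user's profile and writes the Base64 CSR.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review what will be sent to the CA: subject and key length only, no private key.
certutil.exe -dump $csrPath |
    Select-String -Pattern 'Subject:', 'CN=', 'E=', 'Public Key Length'

# The file pasted into the portal must be PEM text with its BEGIN/END lines intact.
if (-not (Select-String -Path $csrPath -Pattern 'BEGIN (NEW )?CERTIFICATE REQUEST' -Quiet)) {
    throw "$csrPath is not a Base64 (PEM) certificate request"
}
```

The private key never leaves the workstation at this stage; only the `.csr` file is submitted in Step 2.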
Step 2 — Submit the CSR to the Sectigo portal
Submit the CSR to Sectigo to request the email certificate:
- Open the saved CSR file in Notepad and copy the entire contents, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines.
- Sign in to the Sectigo portal with your account credentials.
- Click My Products and Services in the top navigation.
Image 1 — My Products and Services dashboard inside the Sectigo portal.
- Under Sectigo products, select Signing certificates to locate your S/MIME email certificate order, then click Set up on that order to begin CSR submission.
- On the next page, enter the Contact Email Address — use the same email address that the certificate will protect.
Image 2 — CSR submission form on the Sectigo portal.
- Paste the full CSR contents into the designated text box.
- Review the details on the confirmation screen, then click Submit to complete the setup.
Image 3 — Review and Complete screen on the Sectigo portal.
Step 3 — Verify the email address
After the CSR is submitted, Sectigo sends a verification email to the contact email address you entered. Complete the email verification to authorize issuance:
- Open the verification email from Sectigo in the inbox of the contact email address.
- Click the verification link in the email body. The link opens a Sectigo verification page.
- Enter the verification code shown in the email into the page and submit it to complete the verification.
Image 4 — Sectigo email verification message with the verification link and code.
Image 5 — Verification page where the verification code is entered.
Step 4 — Collect the issued certificate
Once verification is complete, Sectigo sends a certificate collection email. Download the issued certificate in Public Key Cryptography Standard #7 (PKCS#7) format — a container that includes the issued certificate together with the Sectigo intermediate chain:
- Open the collection email from Sectigo.
- Click the collection link to open the Sectigo download page.
- Choose the PKCS#7 (.p7b) download option and save the file to your Downloads folder.
Image 6 — Certificate collection email from Sectigo.
Image 7 — Sectigo download page with the PKCS#7 collection option.
Step 5 — Import the certificate into Windows Certificate Manager
Import the downloaded PKCS#7 file into Windows Certificate Manager so that the certificate pairs with the private key created in Step 1. A short summary of the workflow follows; the linked article contains the full screen-by-screen walkthrough.
- Open Windows Certificate Manager (certmgr.msc).
- Right-click the Personal store, choose All Tasks, then Import.
- In the Certificate Import Wizard, browse to the downloaded PKCS#7 (.p7b) file and click Next.
- Select Place all certificates in the Personal store and click Next, then Finish.
- Confirm that the certificate appears under Personal > Certificates with a key icon, which indicates the private key is bound.
For the full walkthrough, see: Import a Certificate to Windows Certificate Manager
Step 6 — Export the certificate as a PFX file
Export the certificate and its private key from Windows Certificate Manager into a single Personal Information Exchange (PFX) file. The PFX file is the portable backup that can be reimported on another machine or attached to other email clients. A short summary follows; the linked article contains the full walkthrough.
- In Certificate Manager, open Personal > Certificates and right-click the imported S/MIME certificate.
- Choose All Tasks > Export to launch the Certificate Export Wizard.
- Select Yes, export the private key.
- Keep the default Personal Information Exchange (.PFX) format with Include all certificates in the certification path if possible selected.
- Set a strong password to protect the PFX file, choose a save location, and finish the wizard.
For the full walkthrough, see: Exporting the Certificate as a PFX File from Windows
Step 7 — Configure Outlook to use the certificate for S/MIME
Configure Microsoft Outlook to use the imported certificate to sign and (when supported) encrypt outgoing email. A short summary follows; the linked article contains the full walkthrough for Outlook 2016 and later.
- Open Outlook, then choose File > Options > Trust Center > Trust Center Settings.
- Select Email Security in the left pane.
- Under Encrypted email, click Settings to open the Change Security Settings dialog.
- Enter a Security Settings Name (for example, “My S/MIME profile”).
- Click Choose next to Signing Certificate and select the imported Sectigo certificate. Repeat for Encryption Certificate.
- Click OK on each dialog to save the profile.
- To sign individual messages, open a new message, choose Options on the ribbon, and click Sign.
For the full walkthrough, see: How to Configure an Email (S/MIME) Certificate on Outlook 2016
How to verify success
Confirm the procedure completed correctly with the following checks:
- In Windows Certificate Manager (certmgr.msc), open Personal > Certificates and confirm the Sectigo S/MIME certificate is listed with a small key icon next to it — the key icon confirms the private key is bound and the certificate is usable for signing and decryption.
- Double-click the certificate. On the General tab, confirm the Issued to field shows the protected email address and that the certificate is marked as having a corresponding private key.
- Confirm the saved PFX file is accessible and can be reimported on a second machine using the password you set.
- In Outlook, compose a new test message to yourself, click Sign on the Options ribbon, and send it. The received message displays a red ribbon icon, indicating it is signed and the signature validates against your Sectigo certificate.
- Exchange a signed message with a colleague who also has an S/MIME certificate, then send an encrypted reply. Outlook displays a blue padlock icon on encrypted messages.
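The certificate-store and PFX checks above can also be run from PowerShell, which is convenient when confirming several workstations. This is an added example, not part of the Sectigo article; the email address and PFX path are placeholders.

```powershell
# Added example: scripted version of the certificate-store and PFX checks.
$email    = 'user@example.com'                       # placeholder address
$pfxPath  = Join-Path $env:USERPROFILE 'smime.pfx'   # hypothetical export location
$smimeEku = '1.3.6.1.5.5.7.3.4'                      # Secure Email EKU OID
$x509     = 'System.Security.Cryptography.X509Certificates'
$emailName  = [Enum]::Parse([type]"$x509.X509NameType", 'EmailName')
$simpleName = [Enum]::Parse([type]"$x509.X509NameType", 'SimpleName')

# Certificates in the current user's Personal store issued to this address.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.GetNameInfo($emailName, $false) -eq $email }
if (-not $certs) { throw "No certificate for $email in Cert:\CurrentUser\My" }

$now = Get-Date
$report = foreach ($c in $certs) {
    # Collect EKU OIDs from the certificate's Enhanced Key Usage extension, if present.
    $ekus = @(foreach ($ext in $c.Extensions) {
        if ($ext -is [type]"$x509.X509EnhancedKeyUsageExtension") {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    })
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Issuer        = $c.GetNameInfo($simpleName, $true)
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey            # same meaning as the key icon
        SecureEmail   = $ekus -contains $smimeEku
        InValidity    = ($c.NotBefore -le $now) -and ($c.NotAfter -gt $now)
    }
}
$report | Format-Table -AutoSize

# A usable S/MIME certificate has a bound key, the Secure Email EKU, and is in date.
$usable = @($report | Where-Object { $_.HasPrivateKey -and $_.SecureEmail -and $_.InValidity })
if (-not $usable) { throw "No usable S/MIME certificate for $email" }

# Open the PFX with its password (nothing is imported) and match it to the store.
if (Test-Path $pfxPath) {
    $password = Read-Host -AsSecureString -Prompt 'PFX password'
    $pfx      = Get-PfxData -FilePath $pfxPath -Password $password
    $inPfx    = @($pfx.EndEntityCertificates | ForEach-Object { $_.Thumbprint })
    if (-not ($usable | Where-Object { $inPfx -contains $_.Thumbprint })) {
        throw "PFX opened, but it does not contain the installed S/MIME certificate"
    }
    'PFX opens with the supplied password and matches the installed certificate.'
}
```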