Generating a CSR and Obtaining a PFX File for S/MIME on Windows
Andrew Johnson
Windows offers several routes to an E-Mail Certificate, and the cleanest one runs through OpenSSL, which produces a Certificate Signing Request (CSR) naming your e-mail address and later packages everything into the Personal Information Exchange (PFX) file that Outlook and every other client consumes. The whole sequence is two OpenSSL commands, one Windows import, and one Outlook setting.
Generating the Key and Request
With OpenSSL installed, generate the Private Key and the request together, placing your name as the common name and your sending address in the subject. The -nodes option leaves the key file unencrypted, which is what the PFX export below expects; if you omit it, OpenSSL will ask for a passphrase now and again at export time.
openssl req -new -newkey rsa:2048 -nodes -keyout smime.key -out smime.csr -subj "/CN=Your Name/emailAddress=you@yourdomain.com"
The address must match exactly the mailbox the E-Mail Certificate will protect: clients compare the address in the certificate with the sending account character for character, so a typo, an alias or a different capitalisation here produces a certificate Outlook will not offer for signing. Submit the contents of smime.csr when placing your order, then complete the mailbox validation. Learn About S/MIME Mailbox Validated E-Mail Certificates 🔗
Guard the key file carefully in the meantime: it exists only on this machine, and -nodes left it unencrypted on disk, so keep it out of shared folders and delete it once the PFX file is built and backed up. Trustico® never holds Private Keys at any stage. Learn About Private Key Information 🔗
Building the PFX File
Once validation completes, download the issued E-Mail Certificate and the ca-bundle of Intermediate Certificates from the tracking system, saving them next to the key as smime.crt and smime.ca-bundle so the file names line up with the command below. View Our Tracking & SSL Management 🔗
Package the key, the E-Mail Certificate, and the chain into one PFX container, choosing a strong export password when prompted; that password is the only thing protecting the Private Key inside the file. Recent OpenSSL releases (3.x) encrypt the container with AES and PBKDF2 by default, which current Windows versions import without trouble; if an older client refuses the file, re-export it with the -legacy option added.
openssl pkcs12 -export -inkey smime.key -in smime.crt -certfile smime.ca-bundle -out smime.pfx
This file is the portable form of your identity, ready for Windows, a phone, or any other client, and worth backing up safely, with its password kept somewhere other than alongside the file.
Importing on Windows
Double click the PFX file and walk through the import wizard, keeping Current User as the store location, which is the correct choice for an E-Mail Certificate since it belongs to you rather than to the machine. Enter the password, allow the wizard to place the entry automatically (it lands in the Personal store of your user profile), and finish.
Note : This is the one place the double click import is right. Server SSL Certificates belong in the machine store, because IIS and other services run under accounts that cannot see a user's Personal store, so a double click import leaves them invisible to the server. Personal E-Mail Certificates belong in exactly the user store the double click reaches.
With the identity in the user store, the client work is nearly done.
Configuring Outlook
In Outlook, open File, then Options, then Trust Center, then Trust Center Settings, and choose Email Security. Under Encrypted email click Settings, add a new security setting, choose the imported entry for both the signing certificate and the encryption certificate, and save.
The compose ribbon then carries Sign and Encrypt buttons under its Options tab. Signing works immediately, and each signed message carries your public E-Mail Certificate to the recipient. Encrypting to someone requires their certificate, so it becomes possible once a signed message from them has arrived, which is the standard working as designed. Learn About S/MIME E-Mail Certificates 🔗
Troubleshooting
The PFX export failing with OpenSSL's "No certificate matches private key" message means the issued E-Mail Certificate does not pair with the key file, usually because the request was regenerated after submission and the original key was overwritten. A reissue against the current request resolves it. Learn About Reissuing Your Certificate 🔗
Outlook refusing the entry for signing points at an address mismatch between the E-Mail Certificate and the sending account, which only a replacement issued for the correct address fixes. Office 365 environments carry a few settings of their own, covered separately. Learn About S/MIME in Office 365 🔗
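Both troubleshooting cases above, and the PFX build itself, can be checked before anything is imported into Windows. The script below is an added example and not part of the original article or Trustico's tooling: it verifies that the key file and the issued certificate carry the same public key, that the certificate names exactly the sending address, that it validates for S/MIME signing against the downloaded bundle, and only then packages the three files into a PFX and confirms what landed inside it. The file names follow the article (smime.key, smime.crt, smime.ca-bundle, smime.pfx); the demo address you@example.com, the throw-away CA built by make_demo_material and the assumption that the bundle can serve as a trust anchor are all constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: pre-flight checks for the
# OpenSSL material before it goes into a PFX, plus the export itself.
# make_demo_material builds a throw-away CA and leaf in a temporary directory
# so the checks can be exercised offline. Everything it creates is constructed
# demo data, not material issued by any real CA.
set -eu

# 0 when the public key inside the certificate is the one derived from the key
# file. Both sides are reduced to DER SubjectPublicKeyInfo and hashed, so it
# works for RSA and EC keys alike. A mismatch is the "regenerated request" case.
smime_key_matches_cert() {
  local key="$1" cert="$2" k c
  k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when the certificate carries exactly this mailbox address, either as an
# rfc822Name in the Subject Alternative Name (where clients look) or as the
# subject emailAddress field. Exact match only, as Outlook compares the two
# character for character.
smime_cert_has_address() {
  local cert="$1" addr="$2"
  { openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | tr ',' '\n' \
      | sed -n 's/.*email:\([^[:space:]]*\).*/\1/p'
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//' \
      | tr ',' '\n' | sed -n 's/^emailAddress=//p'
  } | grep -Fxq "$addr"
}

# 0 when the certificate validates for S/MIME signing: the smimesign purpose
# checks key usage and extended key usage as well as the chain. Assumption: the
# bundle is usable as the trust anchor (if it holds only intermediates, append
# the root before running this).
smime_cert_usable() {
  local cert="$1" chain="$2"
  openssl verify -CAfile "$chain" -purpose smimesign "$cert" >/dev/null 2>&1
}

# Package key, certificate and chain into a PFX. The password is passed through
# the environment rather than the command line so it never shows in the process list.
smime_build_pfx() {
  local key="$1" cert="$2" chain="$3" out="$4" pass="$5"
  PFX_PASS="$pass" openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
    -out "$out" -passout env:PFX_PASS
}

# Number of certificates stored inside the PFX (leaf plus chain), read without
# extracting the key; a count of 1 means the chain was left out.
smime_pfx_cert_count() {
  local pfx="$1" pass="$2"
  PFX_PASS="$pass" openssl pkcs12 -in "$pfx" -nokeys -passin env:PFX_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo data: a self-signed CA standing in for the downloaded bundle,
# a leaf issued for you@example.com with the S/MIME extensions a CA would set,
# and a second key that was never submitted. Prints the working directory.
make_demo_material() {
  local d; d=$(mktemp -d)
  cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Issuing CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$d/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:you@example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/smime.ca-bundle" \
    -days 30 -config "$d/ca.cnf" 2>/dev/null
  # Same request command as the article, with the demo address.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/smime.key" -out "$d/smime.csr" \
    -subj "/CN=Demo User/emailAddress=you@example.com" 2>/dev/null
  openssl x509 -req -in "$d/smime.csr" -CA "$d/smime.ca-bundle" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/smime.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
  echo "$d"
}

# Stand-alone run: "bash smime-check.sh demo" walks the whole sequence on demo data.
if [ "${1:-}" = "demo" ]; then
  D=$(make_demo_material)
  smime_key_matches_cert "$D/smime.key" "$D/smime.crt" && echo "key/cert: match"
  smime_key_matches_cert "$D/other.key" "$D/smime.crt" || echo "other.key/cert: mismatch (expected)"
  smime_cert_has_address "$D/smime.crt" you@example.com && echo "address: ok"
  smime_cert_usable "$D/smime.crt" "$D/smime.ca-bundle" && echo "chain/purpose: ok"
  smime_build_pfx "$D/smime.key" "$D/smime.crt" "$D/smime.ca-bundle" "$D/smime.pfx" demo-pass
  echo "certificates in PFX: $(smime_pfx_cert_count "$D/smime.pfx" demo-pass)"
fi
```

Run the checks against the real files in the order shown before building the PFX: a key mismatch is the reissue case, a missing address is the replacement case, and a failed purpose check usually means the wrong file was saved as the bundle. The demo runner is the only part that creates material; against real files call the functions directly.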