Configuring Outlook for S/MIME with Single-Subject Certificates in PreVeil Email Gateway

Overview

PreVeil now supports single-subject S/MIME certificates for use with the PreVeil Email Gateway.
Previously, customers were required to obtain S/MIME certificates containing two identities:

  • Subject: internal domain (e.g., user@acme-e2ee.com)

  • Subject Alternative Name (SAN): external domain (e.g., user@secure.acme.com)

While functional, this dual-identity requirement made certificate issuance difficult, especially from external certificate authorities.

New Capability

Customers may now use a single-subject S/MIME certificate, where the subject must match the external email domain used by the PreVeil Gateway—for example:

user@secure.<domain>.com

This greatly improves certificate authority compatibility and simplifies deployment.


1. Obtaining the Correct S/MIME Certificate

When requesting an S/MIME certificate from a Certificate Authority (CA):

  • The subject email address must equal the external (gateway) domain address, e.g.:

    • yourname@secure.acme.com

  • Both the Subject and the Subject Alternative Name (SAN) fields must be filled with the external domain address.

After issuance, the CA will typically provide the certificate in one of these formats:

  • PKCS#12 (.p12 or .pfx) – includes private key (preferred)

  • PEM (.crt / .key) – may require conversion


2. Converting Certificate to .p12 Format (If Needed)

If your certificate and private key are in PEM format, convert them to .p12 using OpenSSL:

openssl pkcs12 -export \
  -inkey user.key \
  -in user.crt \
  -certfile ca-chain.crt \
  -out user_smime.p12

You will be prompted to create an export password—this will be required during import into Outlook/Windows.
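
Before converting or importing, the identity requirement from section 1 can be checked directly on the PEM files. The script below is an added example, not PreVeil tooling: the function names are illustrative, and the self-signed certificate it generates is constructed test data standing in for a CA-issued one.

```shell
#!/bin/sh
# Added example: checks the single-subject requirement before import.
# File names follow the openssl command above; function names are illustrative.

# Print every email identity in a PEM certificate, lower-cased, one per line.
# `openssl x509 -email` merges the subject emailAddress and SAN rfc822Name
# entries, so this shows which identities exist, not which field holds them.
cert_emails() {
    openssl x509 -in "$1" -noout -email | tr 'A-Z' 'a-z' | sort -u
}

# check_smime_identity CERT KEY EXTERNAL_ADDRESS
# Returns 0 only if EXTERNAL_ADDRESS is the certificate's sole email identity
# and KEY (unencrypted PEM) is the private key for that certificate.
check_smime_identity() {
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    emails=$(cert_emails "$1")
    if [ "$emails" != "$want" ]; then
        echo "FAIL: identities in certificate: [$(echo $emails)]; expected only $want"
        return 1
    fi
    # Same public key on both sides means the key pair belongs together.
    if [ "$(openssl x509 -in "$1" -noout -pubkey)" != "$(openssl pkey -in "$2" -pubout)" ]; then
        echo "FAIL: private key does not match the certificate"
        return 1
    fi
    echo "OK: $want is the only identity and the key matches"
}

# make_sample_cert DIR SUBJECT_EMAIL SAN_EMAIL
# Constructed test data: a throwaway self-signed certificate standing in for
# the CA-issued one (needs OpenSSL 1.1.1 or later for -addext).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/user.key" -out "$1/user.crt" \
        -subj "/CN=Sample User/emailAddress=$2" \
        -addext "subjectAltName=email:$3" 2>/dev/null
}

demo=$(mktemp -d)
make_sample_cert "$demo" desi@secure.acme-e2ee.com desi@secure.acme-e2ee.com
check_smime_identity "$demo/user.crt" "$demo/user.key" desi@secure.acme-e2ee.com
rm -rf "$demo"
```

For a real certificate, call check_smime_identity with user.crt, user.key and the external address; a certificate that still carries the internal address as a second identity is reported as a failure of the single-subject check.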


3. Importing the Certificate Into Windows Certificate Store

Outlook uses the Windows Certificate Store, so import the .p12 file into Windows:

  1. Double-click the .p12 file, or open:

    • Control Panel → Internet Options → Content → Certificates

  2. Click Import

  3. Select the .p12 file

  4. When prompted, enter the export password

  5. Choose:

    • Place in: Personal Certificate Store

  6. Complete the wizard

You should now see your certificate listed under Personal → Certificates.


4. Configure S/MIME in Outlook

Step A: Open Outlook Account Settings

  1. In Outlook, go to:

    • File → Account Settings → Account Settings

  2. Select your PreVeil Gateway profile and click Change.

Step B: Update the User Information to Use the External Domain

The email address must match the S/MIME certificate subject, i.e., the external domain address.

image-20251209-192032.png

Using the example image above, the Email Address field is set to:

desi@secure.acme-e2ee.com

Critical:
The email address entered here must match the S/MIME certificate’s subject address, or Outlook will not use the certificate for signing/encryption.


5. Configure the Reply-To Address (Must Match the External Domain)

With the new single-subject certificate support, both the Outlook account email address and the reply-to address must match the external domain address, because this is the identity tied to the S/MIME certificate.

This ensures:

  • Outlook uses the correct certificate for signing/encryption

  • The PreVeil Email Gateway correctly processes outgoing messages

  • Replies flow back through the secure external domain routing

Example

If your S/MIME certificate is issued for:

desi@secure.acme-e2ee.com

Then configure:

  • Email Address: desi@secure.acme-e2ee.com

  • Reply-to Address: desi@secure.acme-e2ee.com

Important:
Do not enter the internal PreVeil address (desi@acme-e2ee.com) in the reply-to field with the new certificate model.
The external domain address must be used to maintain consistency with the S/MIME certificate subject.


6. Selecting the S/MIME Certificate Inside Outlook

  1. Go to:

    • File → Options → Trust Center → Trust Center Settings → Email Security

  2. Under Encrypted Email, click Settings

  3. Choose:

    • Signing Certificate: select the imported S/MIME certificate

    • Encryption Certificate: select the same certificate (unless separate certs are used)

  4. Set:

    • Signing Algorithm: RSA/SHA-256 (recommended)

    • Encryption Algorithm: AES-256 (recommended)

Click OK to confirm.


7. Testing S/MIME Functionality

Test digital signing:

  • Compose a new email → enable “Sign”

  • Send to a colleague or test mailbox

  • Verify signature appears correctly

Test encryption:

  • Ensure you have the recipient’s public key (certificate)

  • Compose a new email → enable “Encrypt”

If encryption/signing options are missing, verify:

  • The external domain in Outlook matches the certificate subject

  • The certificate is present in Personal → Certificates


Summary

Step                               | Purpose
-----------------------------------+-------------------------------------------------
Obtain single-subject S/MIME cert  | Must match external domain (secure.<domain>.com)
Convert/import to Windows          | Required for Outlook usage
Update Outlook email address       | Must match certificate subject
Set Reply-To                       | Routes replies to internal domain
Select certificate in Outlook      | Enables signing/encryption