[MS365] "Fehler beim Senden dieser S/MIME-Nachricht. Das zum Signieren dieser Nachricht verwendete Zertifikat wird von Ihrer Organisation nicht als vertrauenswürdig eingestuft."

[amenk]

I followed the steps and obtained a certificate from actalis.com

I am getting these messages:

Do you have some advice where to allow the certificate ? probably in exchange admin?

I don't understand the log messages and I am not sure how much of them can be posted publicly :-)
But I don't see an obvious error there.

After all it looks pretty promising. Thank you for sharing this :-)

PS: maybe it make sense to enable GitHub discussions in this repo ?

[amenk]

I am not sure if I have the full chain in chain.pem because of the following warning:

$ openssl pkcs12 -in *.pfx -out chain.pem -nodes -cacerts -nokeys -chain -legacy
Warning: -chain option ignored without -export

~/.config/owa-smime4linux$ cat chain.pem 
Bag Attributes
    friendlyName: Actalis Client Authentication CA G3
subject=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3
issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-----BEGIN CERTIFICATE-----
<redacted for GitHub>
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: Actalis Authentication Root CA
subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-----BEGIN CERTIFICATE-----
<redacted for GitHub>
-----END CERTIFICATE-----

[schorschii]

Your chain seems valid. I just noted that this OpenSSL warning about the -chain option appears on my console too. I read the manpage and it's not necessary for this purpose. I removed it from the README.

I tested this on a Exchange 2019 on-prem server and I never saw those messages you posted as screenshot. What is your environment? Microsoft 365?

And I enabled the discussions :)

[amenk]

Yes, Microsoft 365 in a business environment

[schorschii]

I found this article describing how to setup S/MIME in Office 365. According to this, two points seems to be necessary:

• Publish your personal certificate in your companies GAL (Global Address List) ie. Active Directory (only the public part, without private key of course). I have a tool for that too for Linux users who can't use Outlook. It's called CertUploader, but it focuses on on-prem AD, I don't know how to publish the certificate in Microsoft 365 without Outlook.
• Set the SMIMECertificateIssuingCA option in your Office 365 Exchange by uploading an .SST file with the allowed CA certificates. If I understood it correctly, this is basically the chain.pem as described in this repo's README.md but in a proprietary SST format. Only an administrator in your organization can probably do this.

I'll convert this issue into a Github discussion.

[schorschii]

Did you have success setting the SMIMECertificateIssuingCA option in your Office 365 Exchange?

[amenk]

Not yet, I was a bit overwhelmed by articles and their subarticles, hopefully I find time to try it soon. Will definitely give feedback then.