http://blogs.technet.com/b/pki/archive/2008/12/17/outlook-s-mime-certificate-selection.aspxConsider that you are sending an encrypted eMail to a recipient who has multiple certificates stored in Active Directory. The key question is: Which certificates are selected by Outlook 2003/2007? When sending an encrypted eMail, Outlook actually requiresen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/pki/archive/2008/12/17/outlook-s-mime-certificate-selection.aspx#3459105Thu, 13 Oct 2011 15:04:40 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3459105Markus<p>Is any more insight available, how the &quot;first&quot; is calculated: &nbsp;&quot;If the default certificate is not found, the *first* valid certificate in the store is selected.&quot; How is the list ordered exactly?</p> <p>I need to know this, because we need a alerting, if a user has a functioning S/MME certificate. We need a tool that matches the my store of the users with his AD store and shows possible inconsistencies, introduced by migration of old AD with their own PKI in the central company AD one.</p> <p>I know how to eliminate invalid certificates (out of life time, no purpose &quot;Secure email&quot;) and I have learned that a certificate from a AD integrated PKI is always higher prioritized than that of a non-AD integrated PKI. I had assumed that &quot;first&quot; means either &quot;the first entry in the multivalued ldap attribute&quot; or &quot;the one with the oldest starting time&quot;. But exact tests are difficult and my results are not consistente yet. If I would knew the *exact* algorithm to choose the certificate for the S/MIME mail, that would help.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3459105" width="1" height="1">http://blogs.technet.com/b/pki/archive/2008/12/17/outlook-s-mime-certificate-selection.aspx#3450109Tue, 30 Aug 2011 20:04:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3450109Stephen<p>Interesting and informative... However I&#39;m trying to figure out why Outlook 2010 is choosing an expired certificate as the default, over a new valid certificate, from the offline address book. &nbsp;Both certificates are in usercertificate attribute in AD. &nbsp;I can&#39;t figure out if Outlook is blindly selecting the expired certificate without checking its validity period, or if something in the oab is explicitly telling Outlook to use the older certificate as the default. &nbsp;Either way, the behavior is somewhat problematic during the cleanup plus propagation delay for getting expired certificates out of users&#39; oabs.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3450109" width="1" height="1">http://blogs.technet.com/b/pki/archive/2008/12/17/outlook-s-mime-certificate-selection.aspx#3357178Wed, 22 Sep 2010 19:42:53 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3357178Jack<p>I have some questions.</p> <p>S/MIME will use the User Certificate, right?</p> <p>Can we push all users certificates on Exchange server GAL (global address list)? If yes, how to push them? </p> <p>Then Outlook will look for user certificate in GAL first; If not find, then outlook will search user certificate in Active Directory user object attributes, correct?</p> <p>Thanks</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3357178" width="1" height="1">http://blogs.technet.com/b/pki/archive/2008/12/17/outlook-s-mime-certificate-selection.aspx#3357167Wed, 22 Sep 2010 19:12:31 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3357167Jack W<p>It makes the understanding of S/MIME much easier. Save much time.</p> <p>Thank you</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3357167" width="1" height="1">