S/MIME email encryption setup

You can set up S/MIME encryption to secure emails through digital signing and encryption.

To access S/MIME settings, go to My Products > General Settings > S/MIME.

Configure S/MIME settings

Use this section to configure global S/MIME settings and turn on automatic certificate handling.

On the Secure MIME Settings page, you can turn on the following options:

  • S/MIME: Allows your users to send and receive S/MIME-signed and -encrypted emails.
  • Enable automatic S/MIME certificate extraction: Automatically extracts and saves certificates from inbound signed emails.

    This option lets your users reply with encrypted messages without uploading certificates manually. Inbound emails with certificates signed by a CA that Sophos Email already trusts globally, or that you've uploaded to your S/MIME CA list, are verified and delivered automatically.

To learn more about how S/MIME works in Sophos Email before you turn it on, see S/MIME settings.

Note

You must create a local CA when you set up S/MIME, even if you already use certificates from other local or external CAs. You don't have to use this CA after it's created.

Certificate extraction behavior

S/MIME certificates are extracted only from inbound messages that pass signature verification.

When Verify inbound message is turned off in your Secure Message policy, Sophos Email doesn't extract certificates, even if Enable automatic S/MIME certificate extraction is turned on.

Only messages that pass verification can contribute to the certificate trust store.

This behavior prevents potentially spoofed or unverified certificates from being stored and used for future encryption.

If your organization only needs encryption and doesn't require signature verification, you must manually upload certificates for the senders. Manually uploaded certificates are implicitly trusted.

Local CA

Use this section to create and manage your organization's local CA.

Create a local CA to sign outbound messages with your self-signed certificates, or make these certificates available for others to trust.

You can see details such as the organization name and fingerprint, and download your self-signed root certificate in PEM format. You can also share this certificate with external organizations so they can verify and trust messages sent by your users.

If you're already using certificates from other local or external CAs, you still need to create a new CA in Sophos Email, but you're not required to use it.

User Certificates

Use this section to add users and manage their individual S/MIME certificates.

User certificates allow Sophos Email to sign outbound messages and decrypt inbound encrypted messages on behalf of each user.

After you've created your local CA, you can generate or upload S/MIME certificates for individual users. Each user who wants to send and receive encrypted email must have their own certificate. We recommend you set up certificates for your users before you configure your S/MIME policies.

In User Certificates, you can do the following actions:

  • Add user: Manually add a user entry before you upload their certificate.
  • Import users: Bulk import user entries using a CSV or TXT file.
  • Upload certificate: Upload an S/MIME certificate for a selected user.

You must add or import a user before you upload their certificate.

Add a user manually

To add a user manually, do as follows:

  1. In Sophos Central, go to My Products > General Settings > S/MIME.
  2. Select the User Certificates tab.
  3. Click Add user.
  4. In Email address, enter the email address of an existing Sophos Central user.

    When recognized, the Full name field fills in automatically.

  5. Click Add.

The user is added to the list, and their S/MIME certificate is automatically created.

You can download this certificate and send it to external recipients, especially if their system can't extract certificates from signed messages or doesn't trust your CA.

Import users in bulk

To import users in bulk, do as follows:

  1. In Sophos Central, go to My Products > General Settings > S/MIME.
  2. Select the User Certificates tab.
  3. Click Import users.
  4. Prepare a file in CSV or TXT format. Each line must contain a valid email address of an existing Sophos Central user.
  5. Click Browse, then select your file.
  6. Click Import.

The users are added to the list, and their S/MIME certificates are automatically created.

You can download the certificate and send it to external recipients if needed, especially if their system can't extract certificates from signed messages or doesn't trust your CA.

Upload a certificate

You might already have S/MIME certificates for some of your users that you want to upload. These certificates allow Sophos Email to sign outbound messages and decrypt inbound encrypted messages on behalf of those users.

If the certificate is issued by a global CA, check if Sophos already recognizes that CA. See Recognized certificate authorities.

The certificate must be in a PKCS #12 container file with a .p12 extension and protected with a password. If your certificate is in PFX format, you can convert it to PKCS #12 using an industry-standard tool before you upload it.
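As an added example that is not part of the Sophos documentation, the following shell script uses the openssl CLI to build the password-protected PKCS #12 (.p12) file the upload expects and to check it before uploading. The address alice@example.com and the self-signed certificate are constructed for the demo, and the cert_fingerprint helper compares a downloaded PEM root certificate against the fingerprint shown in the Local CA section.

```shell
#!/bin/sh
# Added example (not from the Sophos documentation): package a user's key and
# certificate into the password-protected PKCS #12 (.p12) file the upload
# expects, check it before uploading, and print a root CA fingerprint.
# Assumes the openssl CLI (1.1.1 or later) is on PATH.
set -eu

# Scratch directory for the demo files; override with WORK=/path if needed.
WORK="${WORK:-$(mktemp -d)}"

# Create a throwaway self-signed certificate for a constructed demo address.
# In practice you would use the user's existing key and CA-issued certificate.
make_demo_cert() {
  email="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/user.key" -out "$WORK/user.crt" \
    -subj "/CN=$email" \
    -addext "subjectAltName=email:$email" \
    -addext "extendedKeyUsage=emailProtection" >/dev/null 2>&1
}

# Bundle the private key and certificate into user.p12, protected by a password.
make_p12() {
  passwd="$1"
  openssl pkcs12 -export \
    -inkey "$WORK/user.key" -in "$WORK/user.crt" \
    -out "$WORK/user.p12" -passout "pass:$passwd"
}

# Return 0 only if user.p12 opens with the password and its certificate carries
# the expected email in the subjectAltName; confirm this before entering the
# password in the upload dialog.
check_p12() {
  passwd="$1"; email="$2"
  openssl pkcs12 -in "$WORK/user.p12" -passin "pass:$passwd" \
      -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | grep -q "email:$email"
}

# Print the SHA-256 fingerprint of a PEM certificate, such as the root CA
# downloaded from the Local CA page, to compare with the fingerprint shown there.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```

With a real certificate, skip make_demo_cert and point make_p12 at the user's own key and certificate files; the .p12 it writes is what you select in the upload dialog.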

To upload a certificate, do as follows:

  1. In Sophos Central, go to My Products > General Settings > S/MIME.
  2. Select the User Certificates tab.
  3. Click Upload certificate.
  4. In Email address, enter the email address of an existing Sophos Central user.

    When recognized, the Full name field fills in automatically. The email address must match an existing user in Sophos Central. If it's invalid, the full name won't fill in, and the upload will fail.

  5. Enter the password for the PKCS #12 certificate file.
  6. Click Browse, then select the PKCS #12 file.
  7. Click Upload.

The certificate is uploaded. You can now download it and send it to external recipients, especially if their system can't extract certificates from signed messages or doesn't trust your CA.

Note

Uploading a certificate replaces the existing certificate for the user.

S/MIME CAs

Use this section to manage trusted CAs for verifying inbound signed messages.

You can upload CA certificates to trust inbound signed messages automatically.

If Enable automatic S/MIME certificate extraction is turned on, inbound emails with certificates signed by a CA in this list are automatically trusted and delivered. The list includes CAs you upload here and global S/MIME CAs already trusted by Sophos.

To upload a certificate from an external CA, do as follows:

  1. In Sophos Central, go to My Products > General Settings > S/MIME.
  2. Click S/MIME CAs > Upload.
  3. Click Browse.
  4. Locate the certificate file on your device, then click Upload.

The certificate appears in your list.

External S/MIME Certificates

Use this section to upload and manage certificates for external recipients.

External S/MIME certificates are needed for both inbound and outbound email security:

  • They're needed to verify and decrypt inbound emails signed with a third party's self-signed certificate.
  • They allow your users to send encrypted emails to trusted third parties using S/MIME.

You can upload these certificates manually or allow automatic extraction from signed inbound emails.

To upload an external S/MIME certificate manually, do as follows:

  1. In Sophos Central, go to My Products > General Settings > S/MIME.
  2. Click External S/MIME Certificates > Upload.
  3. Click Browse.
  4. Locate the file on your device, then click Upload.

The certificate appears in your list.

Note

You can turn on Enable automatic S/MIME certificate extraction to extract and trust certificates from signed inbound emails without manual upload.

Manage S/MIME protection

Use this section to apply S/MIME encryption and signing policies to your users.

After you've uploaded the certificates, go to Email Protection > Policies to manage how S/MIME protection is applied to your users. See Secure Message policy.