Microsoft Outlook e-mail security – Sign + encrypt e-mail using certificates

19. April 2023
Autoenrollment mit öffentlich vertrauten CA in der Windows-PKI

Outlook 2016

This guide is optimized for installing and using certificates with Microsoft Outlook 2016 to sign and encrypt emails. You can find this guide at

In order for signers to be able to create valid signatures when sending emails, the necessary private keys and certificates must be installed in the Microsoft certificate management. The installation process is required once for the Signator.
If the mail recipient has a current Microsoft operating system (including the updates recommended by Microsoft), no activities are required on his part. Signed emails are recognized automatically. Troubleshooting certificate usage in Outlook.
The documentation also contains instructions on how to use the GLOBALTRUST LDAP server and help on setting up an Outlook account for the first time.
The documentation also includes previous guidance for Outlook 2013 and Outlook 2007/2010.


Quick installation for experienced users

Install certificate

  • Download the PKCS#12 file from GLOBALTRUST and install it in the Windows certificate manager with a double-click
  • In the Outlook options select the settings for the trust center
  • Under E-mail security select “Settings…” for Encrypted e-mail messages
  • Select signature and encryption certificate, switch hash algorithm to “SHA256”.



Compose a new message
Show options ribbon
Press the Sign or Encrypt button → Send
To encrypt a message, a certificate from the recipient is required (see documentation)
GLOBALTRUST creates private key and certificate

If GLOBALTRUST creates the private key and issues the certificate, the signer receives a single file in PKCS#12 format (.P12 extension) that contains the private key, their own certificate and all information on the certification path.
After successful installation (see below) you will receive a certification path that looks like this:

“GLOBALTRUST” → “GLOBALTRUST CLIENT 1” → “your end user certificate” or
“GLOBALTRUST 2015 ” → “GLOBALTRUST 2015 CLIENT 1” → “your end user certificate” or
“GLOBALTRUST 2020 ” → “GLOBALTRUST 2020 CLIENT 1” → “your end user certificate”

Note: due to specific requirements, other certificate chains are also possible, but they all start with GLOBALTRUST.

Certificate usage in Outlook with multiple email addresses

Outlook only accepts certificates for signing e-mails that contain exactly the same e-mail address as the active user account. If someone wants to sign at different email addresses, then he needs several certificates. You can find out how to display the certificates here.

You might be interested in that

What are the costs of not going paperless?

What are the costs of not going paperless?

While digitization reached almost every aspect of daily work, the necessity for handwritten signatures in B2B environments preserves printing paper its crucial role – and incurs costs. However, by implementing e-signatures, businesses can reduce expenses, streamline processes, and contribute to a more sustainable...

read more
Sign and encrypt emails using an Apple iPhone

Sign and encrypt emails using an Apple iPhone

User guide for signing and encrypting emails with the GLOBALTRUST CLIENT certificate on your Apple iPhoneAs of May 10, 2023 1 Basic 1.1 Goals of this document A step-by-step guide on how to add the certificate to your iPhone to then sign and/or encrypt emails. This guide was created for an Apple iPhone (iOS version:...

read more