How To Assign an S/MIME Certificate to a MAPI Profile for Use with Outlook (312900)



The information in this article applies to:

  • Microsoft Outlook 2000
  • Microsoft Outlook 2002
  • Microsoft Extended Messaging Application Programming Interface (MAPI)

This article was previously published under Q312900

SUMMARY

This article demonstrates how to programmatically assign a digital certificate to a MAPI profile so that Microsoft Outlook can use it to digitally sign and encrypt e-mail. The article covers only the MAPI part of this task and assumes a working knowledge of Secure/Multipurpose Internet Mail Extensions (S/MIME).

MORE INFORMATION

To assign a certificate to a MAPI profile, follow these steps:
  1. Get the hashes for both your signing certificate and your encryption certificate. These hashes are in binary format and can be retrieved by using the CertGetCertificateContextProperty function of the Cryptography application programming interface (API). The third parameter is the buffer that receives the hash, and the fourth is an in/out byte count (buffer size on input, bytes written on output); calling the function first with a NULL buffer returns the required size in cbHash:
    // pCert is the PCCERT_CONTEXT of the certificate; lpbHash is a caller-supplied buffer.
    CertGetCertificateContextProperty(pCert, CERT_HASH_PROP_ID, lpbHash, &cbHash);

  2. Generate an ASN.1-encoded S/MIME capabilities binary large object (BLOB) for your certificates. For more information, see the Request for Comments (RFC) for S/MIME.
  3. Create a BLOB to hold your security settings. Each setting or property is made up of a TAG/LENGTH/DATA combination as follows:

    Field   Size             Contents
    TAG     2 bytes          Indicates the property (see the list below).
    LENGTH  2 bytes          Total length of the property, including the tag and length bytes.
    DATA    Variable length  Contains the data.

    Here is an example:
    0100 0800 01000000
    Translated (multi-byte values are little-endian):
    TAG = 1
    LENGTH = 8 bytes (2 tag bytes + 2 length bytes + 4 data bytes)
    DATA = 1

    Here are the properties that you must include in your BLOB:

    Property                  Numeric Value  Length    Description
    PR_CERT_PROP_VERSION      0x0001         8         Reserved, always 1.
    PR_CERT_MESSAGE_ENCODING  0x0006         8         Type of encoding (S/MIME = 1).
    PR_CERT_DEFAULTS          0x0020         8         Bitmask:
                                                         0x1 = Default certificate for S/MIME.
                                                         0x2 = Default certificate for all formats.
                                                         0x4 = Send certificate with message.
    PR_CERT_DISPLAY_NAME_A    0x000B         Variable  Display name of the setting in the Outlook user interface (for example, "My S/MIME Settings").
    PR_CERT_KEYEX_SHA1_HASH   0x0022         Variable  Binary hash of the encryption certificate. This property can be omitted if you want to allow signing only.
    PR_CERT_SIGN_SHA1_HASH    0x0009         Variable  Binary hash of the signing certificate.
    PR_CERT_ASYMETRIC_CAPS    0x0002         Variable  ASN.1-encoded S/MIME capabilities BLOB.

    Note that the properties are all stored in one continuous byte stream, one TAG/LENGTH/DATA entry after another, with no separators between them.
  4. Use the IProfAdmin interface to open the MAPI profile.
  5. Open the GUID_Dilkie profile section, where the security settings are stored. Define GUID_Dilkie as follows:
    const GUID CDECL GUID_Dilkie = { 0x53bc2ec0, 0xd953, 0x11cd, { 0x97, 0x52, 0x00, 0xaa, 0x00, 0x4a, 0xe4, 0x0e } };

  6. Step 5 gives you an IProfSect interface. On this interface, set the following property:
    #define PR_SECURITY_PROFILES PROP_TAG(PT_MV_BINARY, 0x355)

    This property is a multivalued binary property. You must set its first binary value to the BLOB that you created in step 3:
    HRESULT             hRes = S_OK;
    LPPROFSECT          lpProfSect = NULL;
    SPropValue          SecProp;
    LPSPropValue        lpSecProp = &SecProp;
    SBinary             sbCert;
    LPBYTE              lpbCertBlob = NULL;
    ULONG               cbCertBlob = 0;

    // Do the work to generate lpbCertBlob (step 3) and open the GUID_Dilkie
    // profile section (steps 4 and 5) so that lpProfSect is valid at this point.

    // Set up the property value for PR_SECURITY_PROFILES: a multivalued binary
    // property whose single entry is the security-settings BLOB.
    SecProp.ulPropTag = PR_SECURITY_PROFILES;
    SecProp.Value.MVbin.cValues = 1;
    SecProp.Value.MVbin.lpbin = &sbCert;
    SecProp.Value.MVbin.lpbin[0].cb = cbCertBlob;
    SecProp.Value.MVbin.lpbin[0].lpb = lpbCertBlob;

    // Set the property on the profile section.
    if (FAILED(hRes = lpProfSect->SetProps(1, lpSecProp, NULL)))
    {
        printf("Error setting property on profile.\n");
        goto error;   // The error: cleanup label is not shown in this excerpt.
    }
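    The following is an added, stand-alone example (not code from the original article) that builds the step 3 security-settings BLOB in the TAG/LENGTH/DATA format described above and then validates and walks it, so that the bytes handed to PR_SECURITY_PROFILES in step 6 can be checked before they are written to the profile. It uses no MAPI or CryptoAPI headers; the certificate hashes and the S/MIME capabilities bytes are constructed placeholder values, the storage of the display name as a NUL-terminated ANSI string is an assumption, and the property tags come from the article's table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Property tags as listed in the article's table. */
#define PR_CERT_PROP_VERSION      0x0001
#define PR_CERT_ASYMETRIC_CAPS    0x0002
#define PR_CERT_MESSAGE_ENCODING  0x0006
#define PR_CERT_SIGN_SHA1_HASH    0x0009
#define PR_CERT_DISPLAY_NAME_A    0x000B
#define PR_CERT_DEFAULTS          0x0020
#define PR_CERT_KEYEX_SHA1_HASH   0x0022

/* Bits of PR_CERT_DEFAULTS from the article's table. */
#define CERT_DEFAULT_SMIME        0x1
#define CERT_DEFAULT_ALL_FORMATS  0x2
#define CERT_SEND_WITH_MESSAGE    0x4

/* Append one TAG/LENGTH/DATA entry at buf[off]. TAG and LENGTH are 2-byte
   little-endian values (as in the article's "0100 0800 ..." example) and
   LENGTH counts the 4 header bytes plus the data. Returns the entry size,
   or 0 if the entry does not fit in the buffer. */
static size_t blob_append(uint8_t *buf, size_t cap, size_t off,
                          uint16_t tag, const void *data, size_t cb)
{
    size_t total = 4 + cb;
    if (total > 0xFFFF || off > cap || total > cap - off) return 0;
    buf[off + 0] = (uint8_t)(tag & 0xFF);
    buf[off + 1] = (uint8_t)(tag >> 8);
    buf[off + 2] = (uint8_t)(total & 0xFF);
    buf[off + 3] = (uint8_t)(total >> 8);
    if (cb) memcpy(buf + off + 4, data, cb);
    return total;
}

/* Append a 4-byte little-endian integer property (LENGTH is therefore 8). */
static size_t blob_append_u32(uint8_t *buf, size_t cap, size_t off,
                              uint16_t tag, uint32_t v)
{
    uint8_t d[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
    return blob_append(buf, cap, off, tag, d, sizeof d);
}

/* Build the complete security-settings BLOB. keyexHash may be NULL for a
   signing-only setting. Returns the BLOB size, or 0 on overflow. */
size_t build_security_blob(uint8_t *buf, size_t cap, const char *name,
                           const uint8_t *signHash, size_t cbSign,
                           const uint8_t *keyexHash, size_t cbKeyex,
                           const uint8_t *caps, size_t cbCaps, uint32_t defaults)
{
    size_t off = 0, n;
#define APPEND(expr) do { n = (expr); if (n == 0) return 0; off += n; } while (0)
    APPEND(blob_append_u32(buf, cap, off, PR_CERT_PROP_VERSION, 1));     /* reserved, always 1 */
    APPEND(blob_append_u32(buf, cap, off, PR_CERT_MESSAGE_ENCODING, 1)); /* S/MIME = 1 */
    APPEND(blob_append_u32(buf, cap, off, PR_CERT_DEFAULTS, defaults));
    /* Assumption: display name stored as NUL-terminated ANSI string. */
    APPEND(blob_append(buf, cap, off, PR_CERT_DISPLAY_NAME_A, name, strlen(name) + 1));
    if (keyexHash != NULL)
        APPEND(blob_append(buf, cap, off, PR_CERT_KEYEX_SHA1_HASH, keyexHash, cbKeyex));
    APPEND(blob_append(buf, cap, off, PR_CERT_SIGN_SHA1_HASH, signHash, cbSign));
    APPEND(blob_append(buf, cap, off, PR_CERT_ASYMETRIC_CAPS, caps, cbCaps));
#undef APPEND
    return off;
}

/* Walk the BLOB and check every LENGTH is sane (at least 4, never past the
   end). Returns the entry count, or -1 if the stream is malformed/truncated. */
int blob_count_entries(const uint8_t *buf, size_t cb)
{
    size_t off = 0;
    int count = 0;
    while (off < cb) {
        if (cb - off < 4) return -1;
        size_t len = buf[off + 2] | ((size_t)buf[off + 3] << 8);
        if (len < 4 || len > cb - off) return -1;
        off += len;
        count++;
    }
    return count;
}

/* Locate the DATA of the first entry with the given TAG; NULL if absent or
   if the BLOB fails validation. */
const uint8_t *blob_find(const uint8_t *buf, size_t cb, uint16_t tag, size_t *cbData)
{
    size_t off = 0;
    if (blob_count_entries(buf, cb) < 0) return NULL;
    while (off < cb) {
        uint16_t t = (uint16_t)(buf[off] | (buf[off + 1] << 8));
        size_t len = buf[off + 2] | ((size_t)buf[off + 3] << 8);
        if (t == tag) { *cbData = len - 4; return buf + off + 4; }
        off += len;
    }
    return NULL;
}

int main(void)
{
    uint8_t buf[256], sh[20], kh[20];
    const uint8_t caps[2] = { 0x30, 0x00 };  /* constructed placeholder: empty DER SEQUENCE */
    memset(sh, 0x11, sizeof sh);             /* constructed placeholder signing-cert hash */
    memset(kh, 0x22, sizeof kh);             /* constructed placeholder encryption-cert hash */
    size_t cb = build_security_blob(buf, sizeof buf, "My S/MIME Settings", sh, sizeof sh,
                                    kh, sizeof kh, caps, sizeof caps,
                                    CERT_DEFAULT_SMIME | CERT_SEND_WITH_MESSAGE);
    printf("%zu bytes, %d entries:", cb, blob_count_entries(buf, cb));
    for (size_t i = 0; i < cb; i++) printf("%s%02x", (i % 4) ? "" : " ", buf[i]);
    printf("\n");
    return 0;
}
```

    The first eight bytes printed are 0100 0800 0100 0000, matching the article's worked example for PR_CERT_PROP_VERSION; blob_count_entries is the check worth running on any BLOB before it is written, since a LENGTH that runs past the end of the stream is exactly the kind of defect that is otherwise only discovered when Outlook fails to load the setting.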
    					

Modification Type: Minor    Last Reviewed: 8/25/2005
Keywords: kbhowto kbMsg KB312900