Signing and encrypting email messages with X.509 certificates

HCL Traveler for Microsoft Outlook (HTMO) supports Domino signing and encryption/decryption of emails exchanged with other Domino email users. Beginning in HTMO 3.0.1, end-to-end encryption and signing via native Microsoft Outlook X.509 certificate handling is also supported.

A user can sign messages using their X.509 public key, encrypt messages using the recipient's X.509 public key, and decrypt received messages using his X.509 private key. The native Outlook processing encodes secured emails using S/MIME.A message can be secured using either Domino signing/encryption or S/MIME signing/encryption, but not both.

To encrypt or sign an email using S/MIME, when composing an email in Outlook, hit the Options tab to see the Encrypt and Sign icons. Those icons will appear once the X.509 certificates are properly installed.

The Traveler server configuration value NTS_SMIME_SUPPORT=true must be set to enable this function. For more information, see Notes.ini settings.


  • Traveler 11.0.1 or higher
  • X.509 public/private keys generated for each user

The following steps describe how to configure your HTMO Outlook Profile to send X.509 signed messages.

Installing the private key in Outlook for signing mail

In order to send and receive S/MIME messages from HTMO, the user's private key must be installed in Outlook, either manually or via a Common Access Card. To install the private key manually, complete the following steps:
  1. Make sure you have the following:
    • Your private key in either .p12 or .pfx format
    • The certificate password
  2. In Outlook, select File > Options > Trust Center > Microsoft Outlook Trust Center > Trust Center Settings > Email Security > Digital IDs (Certificates) > Import/Export.
  3. Select Import existing Digital ID from a file, browse for the .p12 file, enter the certificate password, and hit OK.
  4. For Importing a new private exchange key, leave the default (Medium) and hit OK.
  5. On the "Security Warning" popup asking Do you want to install this certificate?, hit Yes.
  6. Select Email Security > Encrypted email. Uncheck all options.
  7. Select Settings. Change Security Settings should be filled in with the correct defaults (all checkboxes checked), but if not, select appropriate settings. Hit OK twice to exit back to Outlook's mail screen.

You should now be able to see Outlook’s option to Sign a message.

Importing Public Certificates to local Outlook contacts for sending encrypted mail

To send S/MIME encrypted mail to others, their public keys must be present in mail file local contacts. Users can export public certificates from signed messages via Outlook as .p7b files, and then import these files into local Outlook contacts.

  1. From a signed message, click on the signature icon, then click on Details….
  2. Click View Details.
  3. Click View Certificate.
  4. Click Copy to File.
  5. Export to .p7b file format, and navigate through the remaining screens to save the file.
  6. Navigate to local contacts in Outlook (People), locate the contact (if already exists or create new), and navigate to Certificates view.
  7. Import the previously exported certificate file and save the contact.

You should now be able to see Outlook's option to send an encrypted message to the recipient.