In short
Installing an S/MIME certificate in Outlook is two jobs: import your certificate file (.pfx or .p12) into the right place — the Windows certificate store for classic Outlook and Outlook on the web, Outlook's own Settings > Mail > S/MIME page in new Outlook, or the macOS Keychain on a Mac — then select it as your signing and encryption certificate in that Outlook's security settings. Signing works immediately after that; encrypting to someone also requires their certificate, which you get by receiving one signed email from them.
The certificate arrived, you have a .pfx file and a password, and now Outlook is pretending none of it exists. This is the point where most S/MIME setups stall — not because the process is hard, but because "Outlook" is currently four different programs, and each one keeps its certificate settings somewhere else. This guide walks through all four: classic Outlook for Windows, the new Outlook for Windows, Outlook on the web, and Outlook for Mac. Pick your section, follow the steps, and finish with the signed-mail exchange that makes encryption work in both directions.
What do you need before you start?
Three things: your S/MIME certificate as a .pfx or .p12 file, the password that protects that file, and an Outlook account whose email address exactly matches the address inside the certificate. The file formats are interchangeable — both are PKCS#12 bundles holding your certificate and its private key — and the password was set when the certificate was issued or exported.
The address match matters more than people expect. A certificate issued to jan@company.com won't appear as a choice for an Outlook profile signed in as jan.kowalski@company.com, even though both reach the same mailbox. Outlook filters certificates by exact address, so check what's inside the certificate before blaming the import.
If you don't have a certificate yet, you'll need one issued to your email address by a publicly trusted CA — otherwise recipients see trust warnings instead of a verified signature. The Certum S/MIME certificates My-SSL carries start at $8.99 per year for an individual address, and everything in this guide applies to them directly. One habit worth forming on day one: keep a copy of the .pfx file and its password somewhere safe. Mail encrypted to you can only ever be opened with that key.
Which Outlook are you actually using?
Check the toggle. If the top-right corner of the app shows a "New Outlook" switch and there's a File menu in the ribbon, you're in classic Outlook. If the switch is on — or there's no File menu at all — you're in new Outlook, which is a different program with different S/MIME behavior. Outlook on the web is anything running at outlook.office.com in a browser, and Outlook for Mac is its own case again.
The distinction isn't cosmetic. Classic Outlook reads certificates from the Windows certificate store and works with any account type. New Outlook keeps its own imported copies and offers S/MIME only on work or school accounts — a personal outlook.com address gets no S/MIME there at all. Phones are a separate story: the Outlook mobile apps support S/MIME only for Microsoft 365 work accounts, normally rolled out by an IT team, while on iPhones the built-in Apple Mail app handles S/MIME for any account.
How do you install an S/MIME certificate in classic Outlook for Windows?
Two stages: import the .pfx into the Windows certificate store, then point Outlook at it in the Trust Center. Import by double-clicking the file; configure under File > Options > Trust Center > Trust Center Settings > Email Security. Once the certificate is selected for signing and encryption, the Sign and Encrypt buttons appear on the Options tab of every new message.
1. Import the certificate into Windows
Double-click the .pfx file. The Certificate Import Wizard opens — choose Current User as the store location (not Local Machine; Outlook won't find it there), enter the file password, and let the wizard place it in the Personal store automatically. If you want to be able to move the certificate to another machine later without the original file, tick "Mark this key as exportable" — but only on a computer you control.
2. Open Outlook's Trust Center
In Outlook, go to File > Options > Trust Center > Trust Center Settings > Email Security. Under "Encrypted email," click Settings. Give the security settings profile any name, then use the Choose buttons to select your certificate for both the signing certificate and the encryption certificate. Set the hash algorithm to SHA256 if it isn't already.
3. Decide your defaults, then send
Back on the Email Security page, "Add digital signature to outgoing messages" makes every email you send carry your verified identity — a sensible default, since signed mail is also how contacts collect your certificate for encryption. Leave "Encrypt contents" unticked as a global default; encryption fails for any recipient whose certificate you don't have yet. Per message, both switches live on the Options tab of the compose window.
How do you set up S/MIME in the new Outlook for Windows?
New Outlook imports the certificate itself: go to Settings (the gear icon) > Mail > S/MIME, click Import, select your .p12 or .pfx file, and enter its password. This only works for work or school accounts — Microsoft doesn't offer S/MIME for personal outlook.com addresses in new Outlook — and it currently applies to the primary account in the profile.
Note what this means during a migration: certificates you installed for classic Outlook are not picked up automatically, because new Outlook doesn't read the Windows certificate store for your own certificate. Import the .pfx file again inside new Outlook's settings, even on the same machine. Keeping that original file (and password) around is what makes moments like this painless.
Once imported, the same Settings > Mail > S/MIME page holds the defaults for signing and encrypting outgoing mail, and individual messages can be signed or encrypted from the compose window's Options. The feature set has been catching up to classic Outlook through 2026: as of May 2026, new Outlook stores recipients' S/MIME certificates in Contacts (carried over from classic Outlook automatically) and supports LDAP directories for certificate lookup — both of which previously forced organizations to stay on the classic client.
How do you use S/MIME in Outlook on the web?
Outlook on the web can sign and encrypt, but only after two extra pieces are in place: your Exchange administrator must enable S/MIME for the organization, and you must install the Microsoft S/MIME browser extension. It works in Edge and Chrome on Windows — there's no OWA S/MIME on a Mac, on Linux, or on mobile — and your certificate must already be in the Windows certificate store on the PC you're using.
The admin part happens once per organization: publishing the CA chain and switching S/MIME on in Exchange Online or Exchange Server. If you're the admin, Microsoft's Configure S/MIME in Exchange Online guide covers the PowerShell involved. If you're not, and the S/MIME option is missing from OWA's settings, this is why — no browser extension can add it for you.
With the tenant enabled, install the extension when OWA prompts you (or from the Edge Add-ons store), import your .pfx into Windows by double-clicking it — the same Current User import as for classic Outlook — and then find the signing and encryption defaults under OWA's Settings > Mail > S/MIME. In Chrome, some organizations push the extension by policy; if it refuses to appear, that's a conversation with IT rather than a setting you can flip.
How do you set up S/MIME in Outlook for Mac?
On a Mac the certificate lives in the Keychain, not in Outlook. Import the .p12 into Keychain Access first, then assign it in Outlook under Tools > Accounts > Security. Outlook for Mac only lists certificates that sit in your login keychain, are valid, and match the account's email address — the same three conditions that trip people up on Windows, wearing macOS clothes.
1. Import into Keychain Access
Double-click the .p12/.pfx file (or open Keychain Access and use File > Import Items), choose the login keychain, and enter the file password. Afterwards you should see your certificate under My Certificates with a disclosure triangle revealing its private key — if the triangle is missing, you imported a public-only .cer file by mistake.
2. Assign it in Outlook
In Outlook, open Tools > Accounts, select the matching account, and open the Security settings. Choose your certificate under Digital signing and again under Encryption, with SHA-256 as the signing algorithm. The dropdowns only show certificates the Keychain considers valid for that address, so an empty list means a keychain or address problem, not an Outlook one.
3. Pick defaults and test
The same pane offers "Sign outgoing messages" — worth enabling for the certificate-exchange reasons above — and per-message controls appear in the compose window under Options. Send yourself a signed test message; macOS may ask once for permission to let Outlook use the key, which you can grant with "Always Allow."
How do you send your first signed and encrypted email?
Start with signing, because it only depends on you. Compose a message, enable Sign from the Options controls, and send it to yourself. If it arrives with a valid-signature indicator (a ribbon or seal icon, depending on the client), your certificate, store, and settings all work. Encryption comes second, because it depends on the recipient too.
Encrypting a message uses the recipient's public key, not yours. That key reaches you inside their certificate, and the standard way to get it is disarmingly low-tech: they send you a signed email, you save the sender as a contact, and Outlook files the certificate away for future use. Inside one Exchange organization the directory can serve published certificates automatically; with external partners, the signed-mail exchange is the way it's done.
So the working ritual for two people setting up encrypted mail: both install certificates, both send one signed message, both save the other as a contact — then either side can flip on Encrypt and it just works. If you try to encrypt before that exchange, Outlook stops you with an error naming the recipients it has no certificate for, which is the system behaving correctly rather than breaking.
Common problems and how to fix them
Almost every S/MIME failure in Outlook comes down to one of five causes: the certificate is in a store Outlook doesn't read, the email address doesn't match, the private key is missing, the recipient's certificate isn't on file, or the account type doesn't support S/MIME in that client. Here's how each one presents and what fixes it.
The Choose button shows no certificates
On Windows, re-run the import and make sure you picked Current User — certificates imported into Local Machine don't show up for Outlook. Then open certmgr.msc and confirm the certificate sits under Personal > Certificates with a key icon on it. No key icon means you installed the .cer instead of the .pfx; import the .pfx and the problem disappears.
"Your digital ID name cannot be found by the underlying security system"
Outlook found certificates, just none that match this account's address. Open the certificate in certmgr.msc and check the email address in its Subject or Subject Alternative Name — aliases, shared mailboxes, and send-as addresses all trigger this. The fix is a certificate issued to the exact address you send from.
Encryption fails for one specific recipient
You don't have their certificate yet. Ask them to send you a digitally signed email, then save the sender to your contacts and try again. If you're both in the same Exchange organization and it still fails, their certificate may not be published to the directory — that's an admin-side fix.
S/MIME options are missing entirely
Check the client-and-account combination against the table above. In new Outlook and Outlook on the web, a personal outlook.com account simply has no S/MIME — no setting reveals it. In OWA, a missing S/MIME section usually means the organization hasn't enabled it. Classic Outlook and Outlook for Mac are the clients that work with any account.
Lost the .pfx password
There's no recovery — the password is the only thing standing between the file and your private key, so it can't be reset. If the certificate is already installed somewhere with an exportable key, export a fresh .pfx from there and set a new password. Otherwise, reissue the certificate through your CA and treat the old file as scrap.
Keep expired certificates installed
When you renew, resist the urge to tidy up. Every message that was encrypted to your old certificate needs the old private key to open, forever. Install the new certificate for outgoing mail and leave the old one where it is — removing it turns your encrypted archive into noise.
The bottom line
Import the .pfx into the store your Outlook actually reads, select it in that Outlook's security settings, and trade one signed email with anyone you want to encrypt with — that's the whole setup. If you're still at the "need a certificate" stage, the Certum S/MIME certificates at My-SSL run $8.99 per year for an individual address and $29.99 for a business identity, and both arrive as exactly the kind of .pfx/.p12 file this guide walks you through installing.