This article describes how to remove, export and import digital
certificates in Internet Explorer and Outlook Express.

Digital certificates, referred to as digital IDs in Outlook Express, are
digitally signed statements that bind an encrypted key pair to a user's
identity. This key can be used to sign and encrypt digital information.
You can use digital certificates to verify that another person has the
right to use a given identity.

A digital certificate is signed by the Certification Authority that issued
the certificate. A Certification Authority is a company responsible for
issuing digital IDs and continuously verifying that digital IDs are still
valid. The digital certificate is composed of a public key, a private key,
and other identity information. The digital certificate may also include
your e-mail address so that Outlook Express can use it to send digitally
signed e-mail. While a private key associated with a certificate can be
marked as "not exportable," most certificates and their associated private
keys can be moved from one computer to another if you follow the
instructions described in the "Exporting Digital Certificates" and
"Importing Digital Certificates" sections later in this article.

You can attach multiple digital certificates to a message or transaction,
forming a certification chain where each certificate proves the
authenticity of the previous certificate. The top-level Certification
Authority must be independently known and trusted by the recipient.

When you install a digital certificate in a Web browser, it functions as
electronic credentials that can be used by secure Web sites. This enables
digital certificates to be used in place of password dialog boxes,
services that require membership, or services that restrict access to

Outlook Express supports Secure/Multipurpose Internet Mail Extensions
(S/MIME) technology. Secure e-mail in Outlook Express protects your
Internet communications using the following methods:
- Digital signatures
- Encryption

Digitally signing your e-mail message with a unique ID assures the person
who receives the message that you are the true sender of the message, and
that the message was not altered in transit. Encrypting mail that you send
ensures that no one except the intended recipient can read the contents of
the message while it is in transit. When you send your digital ID to
others, you are actually giving them your public key. In order for another
person to send you encrypted mail, they must have your public key. When
another person sends you e-mail that is encrypted with your public key,
only you can read the message because your private key is required to
decrypt it.

Internet Explorer stores digital certificates in the registry. Outlook
Express uses these digital certificates to digitally sign and encrypt

Because Outlook Express can manage multiple e-mail accounts, you can have
a digital certificate associated with each of your e-mail accounts. The
registry keys that contain the entries for your digital certificates do
not contain any information about the Web address with which each
certificate is associated. For this reason, if you have multiple e-mail
accounts for which you have obtained a digital certificate, you should
export the digital certificate before you remove it.

Exporting Digital Certificates

NOTE: Once a Personal Certificate has been acquired, you should
export the certificate to a safe place. If your PWL file becomes
damaged or missing, the certificate will not be available for use
and an error will occur when you try to send e-mail. For more
information about this issue, see the following article in the
Microsoft Knowledge Base:
Unable to Use Personal Certificates in Outlook Express

To export digital certificates, follow these steps:
- Click Start, point to Settings, click Control Panel, and then double-
- On the Content tab, click Personal, click a certificate you want to
export, and then click Export.
- If necessary, type the file name and password to encrypt, confirm the
password, and then click OK. The file name should have a .pfx
extension. By default, the file is saved to the My Documents folder
if it exists. If the My Documents folder does not exist, the file is
saved to the Windows folder.
NOTE: You may be prompted multiple times for the password.

Removing Digital Certificates

When a digital certificate is removed, any e-mail that is encrypted with
the associated digital ID is no longer readable. This includes e-mail that
you received before you removed the digital certificate, as well as e-mail
you receive after you remove the digital certificate. The e-mail is
encrypted using your public key, and because the digital certificate has
been removed, you no longer have the private key needed to decrypt it. To
read this e-mail again, you must import the digital certificate back into
Internet Explorer, and then enable it in Outlook Express. There is no
method of exporting encrypted e-mail to an unencrypted format. If you
receive any encrypted mail that you must be able to access, make sure you
have successfully exported the digital certificate before you remove it.

You may also be unable to view any Web sites that require client
authentication based on that digital certificate until you either import
it again, or generate another digital certificate to use for that Web

For these reasons, Microsoft does not recommend removing digital
certificates. You should keep the current digital certificate and obtain a
new one for a new e-mail account or Web site that requires one. However,
if this is not possible, and a digital certificate must be removed due to
incorrect operation or for troubleshooting purposes, follow these steps:

WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry
Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys
And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and
Delete Information in the Registry" and "Edit Registry Data" Help topics
in Regedt32.exe. Note that you should back up the registry before you edit

Delete all the folders under the following registry key, and then restart

When you remove the digital certificate from Internet Explorer, the
associated digital ID is removed from Outlook Express.

Importing Digital Certificates

To import digital certificates that you previously exported, follow these
- Click Start, point to Settings, click Control Panel, and then double-
- On the Content tab, click Personal, and then click Import.
- In the Password box, type your password.
NOTE: You may be prompted multiple times for your password.
- In the Certificate File To Import box, type the filename of the
certificate you want to import, and then click OK.
- Click Close, and then click OK.
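
The export, verify, remove and import sequence from the sections above, scripted as an added example that is not part of the original article: it uses the PKI module cmdlets in current versions of Windows instead of the Control Panel dialogs described here, and it confirms that the .pfx file opens with its password and contains the private key before the certificate is removed. The function name Test-PfxBackup, the subject CN=pfx-backup-demo, the password and the file path are constructed for the demonstration.

```powershell
# Added example: requires the PKI module built into current Windows versions.
$ErrorActionPreference = 'Stop'

function Test-PfxBackup {
    # True only if the .pfx opens with the password, holds the expected
    # certificate, and carries that certificate's private key.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    try {
        $loaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    } catch {
        return $false   # wrong password, damaged file, or not a PKCS #12 file
    }
    $ok = ($loaded.Thumbprint -eq $ExpectedThumbprint) -and $loaded.HasPrivateKey
    $loaded.Dispose()
    return $ok
}

# Constructed demo values: a throwaway self-signed certificate and password.
$password = ConvertTo-SecureString 'constructed-demo-password' -AsPlainText -Force
$pfxPath  = Join-Path $env:TEMP 'pfx-backup-demo.pfx'
$store    = 'Cert:\CurrentUser\My'   # the "Personal" store
$cert     = New-SelfSignedCertificate -Subject 'CN=pfx-backup-demo' `
                -CertStoreLocation $store -KeyExportPolicy Exportable `
                -NotAfter (Get-Date).AddDays(1)
$thumb    = $cert.Thumbprint

# Export: this step fails if the private key is marked not exportable.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Remove only after the backup has been proven usable.
if (Test-PfxBackup -Path $pfxPath -Password $password -ExpectedThumbprint $thumb) {
    Remove-Item -Path "$store\$thumb" -DeleteKey
    # Import: restore the certificate and its private key from the backup.
    $restored = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $store `
                    -Password $password -Exportable
    Write-Output "Restored $($restored.Thumbprint); private key: $($restored.HasPrivateKey)"
} else {
    Write-Warning 'Backup did not verify; the certificate was left in place.'
}

# Clean up the demo certificate and file.
Remove-Item -Path "$store\$thumb" -DeleteKey -ErrorAction SilentlyContinue
Remove-Item -Path $pfxPath -ErrorAction SilentlyContinue
```

A .pfx file holds the private key, so in real use the password should be prompted for (for example with Read-Host -AsSecureString) and the file kept on protected storage.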

For information about how to use a digital ID in Outlook Express, please
see the following article in the Microsoft Knowledge Base:
How to Digitally Sign and Encrypt Messages in Outlook Express

For additional information about digital certificates and digital IDs, in
Internet Explorer, click Contents And Index on the Help menu, click the
Index tab, type "personal certificates" (without quotation marks), and
then click Display. In Outlook Express, click Contents And Index on the
Help menu, click "creating and sending email messages," and then click
"what are secure messages."

For information about security, visit the following Microsoft Web site: