Microsoft small business knowledge base

Article ID: 312900 - Last Review: February 24, 2015 - Revision: 5.0


This article demonstrates how to programmatically assign a digital certificate to a MAPI profile so that Microsoft Outlook can use it to digitally sign and encrypt e-mail. It covers only the MAPI part of the task and assumes a working knowledge of Secure/Multipurpose Internet Mail Extensions (S/MIME).

More information

To assign a certificate to a MAPI profile, follow these steps:
  1. Get the hashes for both your signing certificate and your encryption certificate. These hashes are in binary format, and can be retrieved by using the CertGetCertificateContextProperty function of the Cryptography application programming interface (API):
    // lpbHash receives the hash; cbHash holds the buffer size on input and the hash size on output.
    CertGetCertificateContextProperty(pCert, CERT_HASH_PROP_ID, lpbHash, &cbHash);
  2. Generate an ASN1-encoded S/MIME capabilities binary large object (BLOB) for your certificates. For more information, see the Request for Comments (RFC) for S/MIME.
  3. Create a BLOB to hold your security settings. Each setting or property is made up of a TAG/LENGTH/DATA combination as follows:

    Field    Size             Description
    TAG      2 bytes          Indicates the property (see list below).
    LENGTH   2 bytes          Indicates total length of property, including tag and length bytes.
    DATA     Variable length  Contains the data.

    Here is an example:
    0100 0800 01000000
    TAG = 1
    LENGTH = 8 bytes
    DATA = 1
    Here are the properties that you must include in your BLOB:

    Property                  Numeric Value  Length    Description
    PR_CERT_PROP_VERSION      0x0001         8         Reserved, always 1.
    PR_CERT_MESSAGE_ENCODING  0x0006         8         Type of encoding (S/MIME = 1).
                                                       0x1 = Default certificate for S/MIME.
                                                       0x2 = Default certificate for all formats.
                                                       0x4 = Send certificate with message.
    PR_CERT_DISPLAY_NAME_A    0x000B         Variable  Display name of setting in Outlook user interface (for example, "My S/MIME Settings").
    PR_CERT_KEYEX_SHA1_HASH   0x0022         Variable  Binary hash for encryption certificate. This property can be omitted if you want to allow signing only.
    PR_CERT_SIGN_SHA1_HASH    0x0009         Variable  Binary hash for signing certificate.
    PR_CERT_ASYMETRIC_CAPS    0x0002         Variable  ASN1-encoded S/MIME capabilities BLOB.

    Note that the properties are all stored in one continuous byte stream.
  4. Use the IProfAdmin interface to open the MAPI profile.
  5. Open the GUID_Dilkie profile section, where the security settings are stored. Define GUID_Dilkie as follows:
    const GUID CDECL GUID_Dilkie = {  0x53bc2ec0, 0xd953, 0x11cd, {0x97, 0x52, 0x00, 0xaa, 0x00, 0x4a, 0xe4, 0x0e}  };
  6. Step 5 gives you an IProfSect interface. On this interface, set the PR_SECURITY_PROFILES property.
    This property is a multivalued binary property. You must set the first binary value on the property to the BLOB that you created in step 3.
    HRESULT             hRes = S_OK;
    LPPROFSECT          lpProfSect = NULL;
    SPropValue          SecProp;
    LPSPropValue        lpSecProp = &SecProp;
    SBinary             sbCert;
    LPBYTE              lpbCertBlob = NULL;
    ULONG               cbCertBlob = 0;
    // Do the work to generate lpbCertBlob (step 3) and open GUID_Dilkie profile section.
    // Set up property tag structure for PR_SECURITY_PROFILES.
    SecProp.ulPropTag = PR_SECURITY_PROFILES;
    SecProp.Value.MVbin.cValues = 1;
    // The single multivalue entry lives in sbCert and points at the BLOB.
    SecProp.Value.MVbin.lpbin = &sbCert;
    SecProp.Value.MVbin.lpbin[0].cb = cbCertBlob;
    SecProp.Value.MVbin.lpbin[0].lpb = lpbCertBlob;
    // Set properties on the profile section.
    if (FAILED(hRes = lpProfSect->SetProps(1, lpSecProp, NULL)))
    {
        // Braces keep the jump to the error path conditional on failure.
        printf("Error setting property on profile.\n");
        goto error;
    }
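
The BLOB layout from step 3 can be serialized as follows. This is an added example, not code from the original article: the function names put_prop and build_security_blob are hypothetical, the little-endian byte order is inferred from the sample bytes 0100 0800 01000000, and storing the display name with its terminating NUL is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Property tags from the table in step 3. */
enum { PR_CERT_PROP_VERSION = 0x0001, PR_CERT_ASYMETRIC_CAPS = 0x0002,
       PR_CERT_MESSAGE_ENCODING = 0x0006, PR_CERT_SIGN_SHA1_HASH = 0x0009,
       PR_CERT_DISPLAY_NAME_A = 0x000B, PR_CERT_KEYEX_SHA1_HASH = 0x0022 };

/* Append one TAG/LENGTH/DATA record at *off. LENGTH includes the 4 header
   bytes and must fit in 16 bits. Little-endian byte order is inferred from
   the page's sample (0100 0800 01000000). Returns 0 on success, -1 if the
   record would overflow the buffer or the LENGTH field. */
static int put_prop(uint8_t *buf, size_t cap, size_t *off,
                    uint16_t tag, const void *data, size_t len)
{
    size_t total = len + 4;
    if (len > 0xFFFFu - 4 || *off > cap || total > cap - *off)
        return -1;
    uint8_t *p = buf + *off;
    p[0] = (uint8_t)(tag & 0xFF);   p[1] = (uint8_t)(tag >> 8);
    p[2] = (uint8_t)(total & 0xFF); p[3] = (uint8_t)(total >> 8);
    memcpy(p + 4, data, len);
    *off += total;
    return 0;
}

/* Build the settings BLOB as one continuous byte stream. keyex_hash may be
   NULL for a signing-only profile. Returns the BLOB size, or 0 on error. */
size_t build_security_blob(uint8_t *buf, size_t cap, const char *name,
                           const uint8_t *sign_hash, size_t sign_len,
                           const uint8_t *keyex_hash, size_t keyex_len,
                           const uint8_t *caps, size_t caps_len)
{
    static const uint8_t one[4] = { 1, 0, 0, 0 };   /* value 1 in 4 bytes */
    size_t off = 0;
    if (!buf || !name || !sign_hash || !caps) return 0;
    if (put_prop(buf, cap, &off, PR_CERT_PROP_VERSION, one, 4) ||
        put_prop(buf, cap, &off, PR_CERT_MESSAGE_ENCODING, one, 4) ||
        /* Assumption: the ANSI display name is stored with its NUL. */
        put_prop(buf, cap, &off, PR_CERT_DISPLAY_NAME_A, name, strlen(name) + 1) ||
        (keyex_hash && put_prop(buf, cap, &off, PR_CERT_KEYEX_SHA1_HASH,
                                keyex_hash, keyex_len)) ||
        put_prop(buf, cap, &off, PR_CERT_SIGN_SHA1_HASH, sign_hash, sign_len) ||
        put_prop(buf, cap, &off, PR_CERT_ASYMETRIC_CAPS, caps, caps_len))
        return 0;
    return off;
}
```

The returned size and buffer are what step 6 passes as cbCertBlob and lpbCertBlob. A return value of 0 means the buffer was too small or a property exceeded the 2-byte LENGTH field.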

Applies to
  • Microsoft Outlook 2013
  • Microsoft Outlook 2010
  • Microsoft Office Outlook 2007
  • Microsoft Office Outlook 2003
  • Microsoft Outlook 2000 Standard Edition
  • Microsoft Outlook 2002 Standard Edition
  • Microsoft Messaging Application Programming Interface