Email Encryption - Information and Setup

Summary

KU IT & Microsoft both provide email encryption to university users. Users need to be aware of the limitations around Microsoft Encryption and when it should not be used.

Microsoft Encryption - Basic Encryption
- Available to all active students, faculty and staff
- No additional setup required
- IMPORTANT: Should not be used to transmit any PII, Confidential, or other Sensitive Data
InCommon Encryption - Enhanced Encryption
- Available to all active students, faculty and staff
- Requires additional setup
- Should be used when transmitting PII, Confidential or other Sensitive Data
- Only works between KU <-> KU email addresses

These are the individual processes that must be completed to ensure your InCommon email encryption is working. In some situations additional steps may need to be taken when a user is unable to send encrypted email to specific people. This information can be found in the "troubleshooting section."

Things to Know

New certificate request take 24 hours to fully process and be ready for use after successfully configuring Outlook Client.
InCommon Encryption is not available on Mobile Devices.
Your certificate is unrecoverable.
- Back up your email encryption certificate to https://onedrive.ku.edu
These instructions have been written for users who have requested certificates in the past but the steps also applies to those who need to request them for the first time.
- Some images will differ for first time users.
Use multiple different computers?
- Your certificate will need to be installed on each computer you use to read encrypted emails.

You will need your saved certificate in the following situations:

Your computer is:
- Repaired
- Replaced
You change departments and get a different computer.

Step 1: Requesting an email encryption certificate

Visit https://myidentity.ku.edu.
Click on Email Services.
Click on Request a Personal Certificate.
- There is a message here that you'reonly able to have one encryption certificate. If your certificate has expired, or a copy of the certificate was not saved. Please ignore this message. If you have your current certificate backed up and you need to reinstall that certificate please skip to Step 2.
On this screen you are given some additional information. Click Continue.
- Access code is not displayed here for security reasons. Please make note of it before proceeding.
Click on InCommon Federated Login.
This field is slow to respond. You MUST type in University of Kansas as shown and click Submit.
Enter the access code that was displayed on your screen from Step 4. Click Next.
Click on Enroll Certificate in the upper right corner.
- User may see prior or expired certificates here. This is for informational purposes only. Be sure to back up your certificate for later use.
You will be required to fill in the following information if it's not already done so for you.
- Certificate Term - Currently 2 Years is the maximum
- First Name, Last Name
  - When you check the box below to accept the end user license agreement. A pop up will display in the middle of the screen. A sample of this image is shown to the right of the check box in the image below. When you click Accept. Your submit button will turn green.
  - When submit button turns green. Please click it.
Change the Key Protection Algorithm from SECURE AES256-SHA256 to Compatible TripleDES-SHA1.
- Certificates generated with AES256-SHA256 are not usable and you will be required to request a new certificate.
- You must create a password that is at least 20 characters in length.
  - This is not tied to your KU Online ID. If your password is forgotten or mistyped. You will have to request a new certificate.
- Click Download once the requirements from above have been satisfied.
Your certificate will automatically download depending on your browser settings. Open this file directly from your browser or from your Downloads folder.

When the file is open you are ready to proceed to next set of instructions found below in Step 2.

Step 2: Installing Email Encryption Certificate

Please choose your operating system. Instructions provided for Outlook Client Only. Installing the Certificate is a straightforward process. You will need the password from Step 1 to successfully install your certificate. If you do not know what your password is. You will need to request a new certificate.

Mac OS

Installing the certificate in Mac is pretty straight forward. These instructions were written on Mac OS 14.4.1: Sonoma with Microsoft Office Outlook 16.89.2. Instructions may differ slightly if you're on a different Mac OS or Outlook Version.

Open Downloads Folder.
- Click on Finder application.
- Click on Downloads on the left.
Open the downloaded file smime_(randomstring of charcters).
Enter your certificate password.
Click OK.

You are ready to proceed to next set of instructions found below in Step 3.

Windows

After opening the file that was downloaded either from your browser or your download folder. Please follow these instructions to finish the installation of your certificate.

Click Next.
Click Next.
Here you will take the following actions:
- Enter the password you used to create the certificate.
  - If you mistyped, forgotten or the password simply does not work. You will need to request a new certificate.
- Ensure both boxes are checked as shown below.
- Click Next.
Click Next.
Click Finish.

You are ready to proceed to next set of instructions found below in Step 3.

Step 3: Configuring Outlook Client

InCommon Email encryption is only support for the Outlook Client on a Desktop or Laptop. Mobile Devices do not support this encryption certificate.

Outlook - MacOS

These instructions were written on Mac OS 14.4.: Sonoma (with Microsoft Office Outlook 16.89.2. Instructions may differ slightly if you're on an different Mac OS or Outlook Version.

Open Outlook, click on Outlook in the top left corner.
Click on Settings.
Click on Accounts.
Click On Security.

First Time Users: Will only see one certificate to select. The images below depict situations where a user has multiple certificates.
Select University of Kansas which should be your new certificate.
- Click on the Drop Down for both Digital Signing and S/MIME Encryption and select University of Kansas.
- Click on OK when changes have been made.

If you have multiple University of Kansas certificates. Please go to the Troubleshooting Encryption Issues for guidance's on this topic.

Before:

After:

Click on the Red X on the Accounts dialogue box after completing the steps above. Configuring Outlook is now complete. You are ready to proceed to Step 4 down below.

Outlook - Windows

Open Outlook.
When Outlook is open. Click on File.
Click on Options.
Click on Trust Center.
Click on Trust Center Settings.
Click on Email Security followed by Settings.
Click on Choose.
See explanation below to determine which certificate you need to select.

First Time Setup: You will see the certificate with a date range that points to sometime in the future. Please simply click "Ok" on this image. No further steps are needed here.
The dates shown below will not match what you see.

Users that previously setup email encryption will most likely see a certificate that is either:

About to expire
Has expired
Replacing a lost certificate with a new one

First look at the date at the top. If it matches one of the scenario's above.

Click on More Choices.

Locate the certificate with the newest date and then:

Click on Correct Certificate.
Click OK.

At this stage. Please simply click OK until you've returned to outlook closing all sub menus. This process is now complete. You are ready for Step 4.

Step 4: Sending Encrypted Email

It is best practice to wait 24 hours before sending or reading encrypted email right after getting a new certificate. Exchange needs time to update your certificate which automatically gets posted to the Global Address Book. If there is an urgent matter that needs attended to. Please see the troubleshooting encryption issues below for additional Information.

Mac OS

To send an encrypted email via Outlook follow these steps:

Start a new email message
Click Draft (Top Menu Bar).
Click S/MIME.
Click Encrypt.
Click Add Digital Signature.
- As needed to digitally sign your email.

Now your ready to prepare and send your encrypted email.

Windows

To send an encrypted email via Outlook follow these steps:

Start a new email message.
Click Options.
Click Encrypt.
Click drop down arrow on Encrypt.
Click Encrypt with S/MIME.
Click Sign.
- As needed to digitally sign your email.

You will now be able to send encrypted email.

Troubleshooting Encryption Issues

Issues with email encryption may require the sender, recipient, or both to take action to achieve resolution. Under certain situations a user may need to request a new encryption certificate. Requesting a new encryption certificate should be only used as a last resort. To request a new certificate please start at Step 1 again.

Step 1: Checking a User's Certificate Status

Not everyone has encryption setup at KU. Users who get this message should check the status of both their own and the recipients user's email encryption.

The KU Directory https://directory.ku.edu is beneficial for checking yours or the recipient certificate status. You must sign in to check certificate status or to complete any search that's geared towards student information.

Unsupported browsers for using the KU DIrectory include:

Brave
DuckDuckGO
TOR Browser

Here are the steps to check your's or another users certificate status.

Go to https://directory.ku.edu
Click login (upper right).
Search by users First Name, Last Name
Click on User's Name.
Click Blue Box that says: Check for "Email Encryption Certificate.

One of two things will be displayed:

A user's valid certificate.

Users certificate is expired or not published.

A user who has an expired certificate will need to go through the steps above to request a new certificate.

Now that we know the status of everyone certificates. These are the steps end users need to take to resolve issue relating to sending encrypted emails.

Unable to send encrypted emails

Cached Outlook Contact exists in both OWA and Outlook. This cache contains information about a users encryption certificate. Both the sender and recipient may need to do this step. To delete a cached contact. Please follow these steps.

Open a new email message.
Type the users email address into the To: box.
Click the X next to their name when it comes up. This should say delete when you hover over it.

Once the cached contact has been deleted,

Type the users email address in the To: line.
Click Check Name as shown below. This will create a new cached contact card.

If you're able to receive an encrypted email but you cannot read the encrypted email. Please look to see which scenario you may fall into.

Reading Encrypted Emails - Valid Certificate

Check to see if your encryption certificate has already expired as outlined in Step 1 of the troubleshooting panel. If your encryption certificate is not expired. You need to ensure your Outlook Client is configured with the correct certificate. Please revisit Step 3 from above. This may happen if your computer is repaired, replaced, or you change departments and get a different computer.

Reading Encrypted Email - Expired Certificate

An expired certificate is only able to open encrypted emails that were sent to you during the time the certificate was valid for. If your certificate has expired but someone sent you an encrypted email that you cannot open, you need to follow these steps.

Request a new certificate.
Install new certificate.
Confirm certificate has been published to the directory.
Ask the sender to resend the encrypted email after the first 3 steps have been completed.

Article Changelog

1/24/2026

Article updated to basic visual standard.

0 reviews

Print Article

Updating...

Email Encryption - Information and Setup

Summary

Things to Know

Step 1: Requesting an email encryption certificate

Step 2: Installing Email Encryption Certificate

Mac OS

Windows

Step 3: Configuring Outlook Client

Outlook - MacOS

Outlook - Windows

Step 4: Sending Encrypted Email

Mac OS

Windows

Troubleshooting Encryption Issues

Step 1: Checking a User's Certificate Status

Unable to send encrypted emails

Reading Encrypted Emails - Valid Certificate

Reading Encrypted Email - Expired Certificate

Article Changelog

Related Articles (1)

Deleting...