How to prevent Outlook 2010 from publishing certificates to userSMIMEcertificate

Microsoft Outlook 2010


Microsoft Outlook supports S/MIME to send and receive signed and encrypted email messages. Additionally, Outlook can publish certificate data into the Active Directory user object. This user object data is then available in the Global Address List (GAL). The Outlook 2010 hotfix package dated April 9, 2013 introduces a registry value that gives you more control over how Outlook publishes certificate data when the Publish to GAL option is used.

More Information

When Outlook publishes certificate information to Active Directory, the information is written to two separate attributes: 
  • userCertificate
  • userSMIMECertificate

The userCertificate attribute is the standard Active Directory property for certificates. The userSMIMECertificate attribute is used specifically by Outlook and Microsoft Outlook Web App (OWA) for S/MIME message submission. The UserSMIMECertificate attribute includes additional data, such as the preferred encryption algorithm. This makes sure the Outlook experience is as good as possible. Either attribute can be used to encrypt the data.

To encrypt a message, Outlook first checks the userSMIMECertificate attribute. If the attribute contains a certificate, Outlook uses that certificate to encrypt the message. If a certificate is not present in the userSMIMECertificate attribute, Outlook then checks the userCertificate attribute.

The userSMIMECertificate attribute is usually populated by Outlook. Very few other tools or methods create the special data format for that attribute. However, various industry standard tools might populate the more common userCertificate attribute.

If you have security infrastructure that uses a method other than Outlook to populate these certificate attributes, you may not want Outlook to publish the certificate data to userSMIMECertificate. You may be able to prevent unexpected S/MIME behavior in Outlook by limiting the storage of certificates to the userCertificate attribute.

The Outlook 2010 hotfix package dated April 9, 2013 (KB 2791026) includes a change that lets you to prevent Outlook from publishing certificate information to the userSMIMECertificate attribute. To enable this change, create the following registry value:

Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
DWORD: DoNotPublishToSMimeCert
Value: 1

When you set DoNotPublishToSMimeCert to 1, Outlook only publishes certificates to the more common userCertificate attribute. Delete the value or set it to 0 to revert to the default behavior.


There is no similar option to limit publishing certificates to userSMIMECertificate. You can only decide to publish to both attributes or only to the userCertificate attribute.

This does not change the way that outlook searches for certificate data. Regardless of the registry value, Outlook continues to first look for certificate data in the userSMIMECertificate attribute. Only when there is no valid certificate data in userSMIMECertificate does Outlook then search userCertificate.

The description in the cumulative update KB 2791026 is limited to a specific issue where certificates exist in the userCertificate and userSMIMECertificate attributes, but are mismatched. Because a mismatch is rare, this new registry setting should not be used as a generic solution for encryption problems. It is designed only to control the publishing of the certificate data.

For more information about the DoNotPublishToSMimeCert registry value, click the following article number to view the article in the Microsoft Knowledge Base:
2791026 Description of the Outlook 2010 hotfix package (Outlook-x-none.msp): April 9, 2013