At least one private and public key pair, including a certificate in standard X.509 v3 format, must be issued to each Communications Express Mail user who will use S/MIME. The certificate, used in a verification process, assures other mail users that the keys really belong to the person who uses them. A user can have more than one key pair and associated certificate.
Keys and their certificates are issued from within your organization or purchased from a third-party vendor. Regardless of how the keys and certificates are issued, the issuing organization is referred to as a certificate authority (CA).
Key pairs and their certificates are stored in two ways:
On common access cards (CACs), referred to as smart cards
These cards are similar to commercial credit cards, and mail users should use and safeguard them as they would their own credit cards. Smart cards require special card readers attached to the mail user’s computer (client machine) to read the private key information. See Keys Stored on Smart Cards for more information.
In a local key store on the mail user’s computer (client machine)
A mail user’s browser provides the key store. The browser also provides commands to download a key pair and certificate to the key store. See Keys Stored on the Client Machine for more information.