S/MIME Encryption: Encrypting a MailMessage for multiple recipients

In older versions (e.g. 23.11.) MailMessage had an encrypt method that took an array of X509Certificate2 as parameter so we were able to encrypt a MailMessage for multiple recipients.

It seems the API has changed in newer versions so now there is a method encrypt(SmimeKey). Is it still possible to encrypt the message for multiple recipients with this new method?

@arne411

Summary
Yes – the newer MailMessage.encrypt(SmimeKey) API still allows you to encrypt a message for multiple recipients. The SmimeKey object is used to hold the recipient certificates, so you can add more than one certificate before calling encrypt.

Why it happens
In earlier releases the MailMessage.encrypt method accepted an array of X509Certificate2 objects directly. In later releases that overload was removed and replaced with a single‑parameter overload that takes an SmimeKey. This change was made to centralise S/MIME related data (certificates, keys, algorithms) in one class. The SmimeKey class provides ways to add multiple recipient certificates, so the multi‑recipient scenario is still supported – only the way you supply the certificates has changed.

What to do next

1. Load the recipient certificates – use the appropriate constructor or loader for X509Certificate2 (or the equivalent class in your language) to obtain each recipient’s public certificate.
2. Create an SmimeKey and add the certificates – instantiate an SmimeKey and add each certificate to it. The exact method name may be something like addRecipientCertificate, addCertificate, or a constructor that accepts a collection; consult the current SDK documentation for the exact API.
3. Encrypt the message – call msg.encrypt(smimeKey) on your MailMessage instance. All certificates stored in the SmimeKey will be used, resulting in an encrypted message that each recipient can decrypt with their private key.
4. Send the message – use your normal SMTP client or other transport to send the encrypted MailMessage.

Additional notes

• Verify the exact class and method names in the version of the Aspose.Email (or other) library you are using, as they may differ between .NET and Java bindings.
• If you encounter compilation or runtime issues, refer to the library’s release notes or API reference for the version you have installed.
• Testing with a small set of certificates first can help confirm that the multi‑recipient encryption works as expected.

Because the evidence does not contain the exact method signatures, the above steps are intentionally generic. Please check the current SDK documentation for the precise API calls.

I could not fully verify this explanation against the retrieved sources. Please double-check the behaviour in your environment and confirm the exact SDK/version.

@arne411
We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): EMAILJAVA-35421

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

Hello @arne411,

We have added support for encrypting a MailMessage for multiple recipients in the updated API.

In older versions (e.g., 23.11) the encrypt method accepted an array of X509Certificate2, but the new API introduced the encrypt(SmimeKey) method. To restore multi-recipient encryption, we have implemented a new overload:

public MailMessage encrypt(SmimeKey... keys)

You can now pass multiple S/MIME certificates (public keys) to encrypt a message for several recipients.

We are sending you a test build aspose-email-25.11.0.1, which includes this new method.

Below is the test code we used on our side. The certificates were generated via PowerShell using self-signed certificates. Encryption, signing, decryption, and signature validation all work as expected:

$cert = New-SelfSignedCertificate `
    -DnsName "test.local" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10)

$password = ConvertTo-SecureString -String "1" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "certs\test.pfx" -Password $password
Export-Certificate -Cert $cert -FilePath "certs\test.cer"

Java test sample::

String keyPath = "";
SmimeKey keyPrivate = SmimeKey.loadPFX(keyPath + "test.pfx", new char[] { '1' });
SmimeKey keyPublic1 = SmimeKey.loadCertificate(keyPath + "test1.cer");
SmimeKey keyPublic2 = SmimeKey.loadCertificate(keyPath + "test2.cer");
SmimeKey keyPrivate2 = SmimeKey.loadPFX(keyPath + "test2.pfx", new char[] { '1' });

MailMessage msg = new MailMessage("from@host.com", "to@host.com",
        "Encrypted and Signed message",
        "Test Body of encrypted and signed message");

// attach signature keyPrivate
MailMessage signed = msg.attachSignature(keyPrivate);
List<X509Certificate> sigCerts = signed.checkSignatureCert();
System.out.println(sigCerts.get(0).getSubjectDN().getName());

// encrypt to keyPublic1 keyPublic2
MailMessage encryptedAndSigned = signed.encrypt(keyPublic1, keyPublic2);
Assert.assertFalse(encryptedAndSigned.isSigned());
Assert.assertTrue(encryptedAndSigned.isEncrypted());

// decrypt using keyPrivate2
MailMessage decrypted = encryptedAndSigned.decrypt(keyPrivate2);
sigCerts = decrypted.checkSignatureCert();
System.out.println(sigCerts.get(0).getSubjectDN().getName());

Assert.assertTrue(decrypted.isSigned());
Assert.assertFalse(decrypted.isEncrypted());

// remove signature
MailMessage unsigned = decrypted.removeSignature();
Assert.assertFalse(unsigned.isSigned());
Assert.assertFalse(unsigned.isEncrypted());
Assert.assertEquals(msg.getBody(), unsigned.getBody());

All operations passed successfully.

Please test this updated build on your side and let us know if everything works as expected.
aspose-email-25.11.0.1.zip (Dropbox)