Hi Everyone,  I need your help.

I need to implement encryption for both outbound and inbound emails within my company. We are using the SN (ServiceNow) email client to send and receive messages. To ensure secure communication, I plan to configure S/MIME encryption.

Here is my current understanding of how S/MIME works:

S/MIME – Outbound Email

• Signing outbound emails from SN:
  ServiceNow uses the private key of the sender (SN instance email account) to digitally sign the email. The recipient (my company user) uses the sender’s public key to verify the signature.

• Encrypting outbound emails:
  ServiceNow uses the recipients’ public keys (e.g., my company users) to encrypt the email. Each recipient then uses their own private key to decrypt the message.

S/MIME – Inbound Email

• Signature verification for inbound emails into SN:
  The sender (my company user) signs the email using their private key. ServiceNow verifies the signature using the sender’s public key.

• Decrypting inbound emails:
  The sender (my company user) encrypts the message using ServiceNow’s public key. ServiceNow then uses its private key to decrypt the email.

Where I’m confused is: where do we obtain the public/private keys?
Is this something that only my company needs to provide, or does it involve both ServiceNow and my company? I'm unsure of the exact requirements and the initial steps needed to get this set up.  For context, my company has around 90,000 employees, so I want to ensure we have a scalable and correct approach from the beginning.