To encrypt a message, you need the recipient's public key. To decrypt a message, you must have the matching private key. Keys are issued by a certification authority (CA); in an Active Directory environment, they are issued by an Enterprise Root CA.
To allow encryption and digital signatures, ensure that a suitable certificate template is configured. Windows XP supports autoenrollment. Configure key recovery so that users who lose their certificates can still read their encrypted mail.
To digitally sign a message, the certificate holding your private key must be installed on the computer you send from. If your private key is unavailable, you can still encrypt a message via OWA, because encryption needs only the recipient's public key.