Email Security Part 2: Digitally Signing Your Email
This is the second in a series of articles on how to secure your email. Securing Your Email Part 1: Verifying the Sender covers the reasons for setting up your email clients to send and receive digitally signed and encrypted email. The procedures in this article will be easier to follow if you have already read Part 1.
In this article, we'll go through the process of setting up a private key that you install only on your computer, and a public certificate (public key) that is attached to your email and which others will use to encrypt mail sent to you. Your private key and certificates should be stored in a password-protected file, and generally shouldn't be kept on your computer except where they are installed in the operating system or your email client, where they are protected by encryption.
If you want to find out more about how all of this works, Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age by Steven Levy is a good non-technical book on how public key encryption works.
This article covers how to obtain an S/MIME certificate and how to install and use it on several major email clients:
- Obtaining an S/MIME Certificate for Your Email Address
- Installing and using the S/MIME Certificate on Thunderbird
- Installing and using the S/MIME Certificate on Microsoft Outlook
- Installing and using the S/MIME Certificate on Mac OS X Email Client
- Installing and using the S/MIME Certificate on an iPhone
Note that some illustrations show “StartCom” certificates. This article was originally written when StartCom was a reliable certificate vendor. In 2016, it was purchased by another vendor and issued some fraudulent certificates; it was subsequently removed as a Certificate Authority from most browsers and email clients. At some point I will go back and update all of these screen captures.
Obtaining an S/MIME Certificate for Your Email Address
There are a number of S/MIME certificate vendors that can provide you with a certificate to use for S/MIME email signing and encryption (kind of a mouthful of a sentence, isn't it). Here are a few that offer free email certificates, although it may be hard to find the free offerings on some sites:
There are numerous other certificate vendors. As a rule, stick to one that offers an "Extended Validation" certificate, even though you won't be using one of these. This generally guarantees that the vendor's Certificate Authority root certificate will be installed as part of the Microsoft, Apple, and Android maintenance streams and that neither you nor the people with whom you correspond will need to accept a root certificate (there is risk in accepting root certificates). There are a couple of "Community Certificate Authority" services, but they generally don't have their root certificates accepted into the operating system maintenance streams.
For the free low-verification (Class 1) certificates, the vendor will send you an email with a link that you need to click on to verify that you are the email owner. If you want to pay for an Individual or Organization Class 2 certificate or an Extended Validation certificate, you will need to supply a driver's licence (or passport) and other information that the vendor will use to verify your identity and authorization to obtain and control the certificates. You pay for the investigation--not the certificate, so make sure that you have all of the documentation together before applying so that the investigation is successful.
The tutorial that follows is for Comodo, the vendor that I have used.
If you are using an Apple computer, do all of this in Safari rather than Firefox or Chrome, even if those are your normal browsers. If you do this in Safari, it will automatically place the certificates in the Keychain, where they are directly usable by the OS X email client. If you do this in Firefox or Chrome, the certificates may stay within the browser's keystore, in which case you will need to export them and import them into the Keychain.
Similarly, if you are on Windows, do this under Internet Explorer, as it may place them directly in the Certificate Manager (the Windows equivalent of Apple's Keychain) without any intervention on your part. In either case, you will still need to make an off-computer backup that is stored in an encrypted file.
- From the home screen, select "Sign Up Now" in the lower left corner
- Wait for the selection list for “Private Key Options” to appear before you start to enter your identification information. Unfortunately, the screen will paint without any indication that the key quality option is still to appear; while it is doing this, Firefox is generating a random number that it will use to generate a private key and then a “Certificate Request”. It will take Firefox a couple of minutes to generate the private key. If you proceed with entering your personal information, Comodo will come back with an error message that Firefox did not send a Certificate Request. Protect the private key and certificate as you would a password, and make sure to store a backup copy.
- Go to your email and click on the “Click and install Comodo Email Certificate” link.
- Firefox will automatically import the certificate into the Firefox Certificate Manager. If you use Internet Explorer, it will import it into the Windows Certificate Manager.
- It will install the certificate in your browser's keystore. For Safari on OS X, this is shared with the OS X email client--if you restart your email program, you can skip to Installing and using the S/MIME Certificate on Mac OS X Email Client.
- When you get back to the Control Panel, go to the Validations Wizard and validate all of your other email addresses.
- In Firefox, back up the certificates to a USB drive that you can store safely. It will prompt you for a password. Use a strong one. You will use this file to import certificates into Thunderbird, Outlook on your laptop, your iPhone or other devices that you use.
- Note that all subsequent illustrations show “StartCom” certificates. This article was originally written when StartCom was a reliable certificate vendor. In 2016, it was purchased by another vendor and issued some fraudulent certificates; it was subsequently removed as a Certificate Authority from most browsers and email clients. At some point I will go back and update all of these screen captures.
- If you use an OS X machine, you should back up your certificates to a USB drive that you can store safely. Use the Keychain Access program. You will need to select the private keys and certificates for each email address. In most areas, OS X is the easiest platform for S/MIME, but in this step it is the hardest and most error prone. Select File->Export Items. It will prompt you for a filename and file type--take the default .p12 file type. When prompted, use a strong password.
- If you use Windows, you should back up your certificates to a USB drive that you can store safely. Use Internet Explorer or run certmgr.msc. The instructions that follow are for Internet Explorer.
- In Internet Explorer, select Options->Content->Certificates
- Next, select Export
- When it prompts, select "yes" to export the private key. It will require a password--use a strong one.
When you have finished generating and backing up your certificates and private keys, you are ready to install them on other computers or devices. The next sections show you how to install your certificates and private keys on other devices so that you can digitally sign and encrypt emails on all of them.
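The .p12 backup file that every step above ends with is a PKCS#12 bundle: the private key and certificate together, protected by the password you chose. The script below is an added example, not code from the article or from any certificate vendor, that builds such a backup with the openssl command line and then checks the two properties that matter for the backup to be useful and safe: that the private key is actually inside it, and that it refuses to open with a wrong password. The identity it packs is a constructed self-signed test pair for the made-up address alice@example.invalid (a real setup would use the CA-issued certificate from the procedure above), and it assumes the openssl CLI (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example (not code from the article): build a password-protected
# PKCS#12 (.p12) backup of an S/MIME private key and certificate with the
# openssl CLI, then check that the backup really holds the private key and
# only opens with the right password. The key pair is a CONSTRUCTED
# self-signed test identity, not a CA-issued certificate, so it runs offline.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Sample backup password (constructed); a real one should be long and unique.
export BACKUP_PASS="${BACKUP_PASS:-correct-horse-battery-staple}"

# Throwaway key + self-signed certificate for a made-up address.
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=alice@example.invalid/emailAddress=alice@example.invalid" \
        -addext "subjectAltName=email:alice@example.invalid" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null
}

# Bundle key + certificate into one .p12, the format the clients above import.
# The password comes from the environment so it never shows up in `ps` output.
export_backup() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -name "alice@example.invalid S/MIME" \
        -out "$WORK/backup.p12" -passout env:BACKUP_PASS
}

# A backup without the private key cannot sign anything: confirm it is inside.
backup_has_private_key() {
    openssl pkcs12 -in "$WORK/backup.p12" -nocerts -nodes \
        -passin env:BACKUP_PASS 2>/dev/null | grep -q "PRIVATE KEY"
}

# The file must refuse to open with a wrong password (its MAC check fails).
backup_rejects_wrong_password() {
    if WRONG="not-the-password" openssl pkcs12 -in "$WORK/backup.p12" \
        -nokeys -passin env:WRONG >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# The bundled certificate should be marked for email protection (S/MIME use).
backup_cert_is_for_email() {
    openssl pkcs12 -in "$WORK/backup.p12" -nokeys -clcerts \
        -passin env:BACKUP_PASS 2>/dev/null \
        | openssl x509 -noout -text | grep -q "E-mail Protection"
}

run_all() {
    make_test_identity
    export_backup
    backup_has_private_key
    backup_rejects_wrong_password
    backup_cert_is_for_email
    echo "backup OK: $WORK/backup.p12"
}

run_all
```

The same `openssl pkcs12 -in backup.p12 -nokeys` listing is a quick way to check, before you copy the file to a USB drive, that the backup exported from Firefox, Keychain Access or Internet Explorer contains the certificate you expect; add `-nocerts` to confirm the private key went along with it.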
Installing and using the S/MIME Certificate on Thunderbird
Installing and signing email on Thunderbird requires installing your private key and certificates, assigning the certificate to use for each email account, and setting the default value for whether or not to digitally sign and/or encrypt each email.
Installing your Private Key and Certificates on Thunderbird
The first step in setting up Thunderbird is to install the certificates that you obtained in the previous step. To do this, go to Edit->Preferences->Advanced->Certificates. You will see a display something like the figure below. Select Import and go through the dialog to find the backup file with your certificate and private key from your USB drive. It will prompt you for the password to open the backup file and then it will import them to the list under "your certificates."
Setting the Certificate to use for Each Email Account
The next step is to go to each email account and select the certificate for that email account and set the defaults that you want to use as in the figure below. The whole point of this exercise is to authenticate your email, so go ahead and check the "Digitally sign messages" box.
If you check the encryption box, understand that it will only work for email recipients for whom you have a certificate--probably not very many people at this point in time. If you CC a bunch of people, you would need certificates for each of the people that you have cc'd. The email is stored unencrypted on your disk drive; the recipient may choose to store it encrypted or unencrypted.
Sending a Signed and/or Encrypted Email
Finally, we are ready to send a signed or encrypted email. Note that if you choose encryption, the sender, recipients and subject line are never encrypted...just the body. The figure below shows the "send" dialog on Thunderbird--notice the S/MIME pulldown on the toolbar. To change whether or not the email is signed or encrypted, just click on one of the items in the pulldown. If you select "View Security Info" it will give you a dialog box with information on the certificates of the recipients.
Installing and using the S/MIME Certificate on Microsoft Outlook
To sign and encrypt email on Outlook, you must first install your private key and public certificate. In Outlook:
- Go to File->Options->Trust Center->Trust Center Settings->Email Security. Put a check mark in the setting to digitally sign emails by default.
- Within Trust Center, go to E-Mail Security and select Import/Export and use the Browse button to locate the .p12 file; enter the password for the certificate backup file and a name. The name doesn't appear to need to match up to anything.
- Accept the default of "medium" for the access level for this private key and certificate. This will prompt you once for each certificate in the file, but it won't give you an indication of the certificate that it is importing.
- If you want to review the certificates that you imported, enter certmgr.msc in the Run dialog.
Sending Signed Email
Sending signed email the first time will generate a couple of one-time-only prompts. To start off, let's make sure that we have set the defaults:
- Start a new email and then go to File->Properties
- Select Security. The check box for digitally signed should be checked.
- When you hit "send" you will get a very cryptic prompt asking for access to the private key that is needed to digitally sign (or encrypt) the email. Select "Allow."
Installing and using the S/MIME Certificate on Mac OS X Email Client
Installing your Private Key and S/MIME Certificate on Mac OS X
The first step in sending digitally signed email is to install your private key and certificate on Mac OS X. To do this, take the key backup file (.p12 file type) and select it from Finder. It will prompt you for the password to the backup file. When you enter the password, it will automatically import your private key and certificate into your keychain (keystore) and bring up the Keychain Access application. You do not need to do anything more, though it may be interesting to see all of the keys and certificates in the keychain. If you look around, you will see both the certificate and the private key that you just installed for your email account. If you have received signed email previously, you will see the certificates from those senders.
Sending Signed Email
Since we installed our private key and certificate in the previous step, the "send mail" window has changed--it will now have a lock icon and a check-mark icon immediately to the right of the signature selection control, as shown in the figure below. The digital signature property is now selected by default, but the lock icon will show as unlocked until we enter a recipient from whom we have a certificate.
If you change the signature property, it will stay unchecked for subsequent emails until you change it back to checked. When you send an email the first time after you install your key and certificates, the email client will ask for access to your "keystore." You will need to allow access, otherwise the email client will not be able to sign and/or encrypt the email.
Sending Encrypted Email
To send an encrypted email, enter the email recipient in the "To:" area, and select the lock icon. If it won't lock, that means that you don't have a certificate for this person, and you can't send them encrypted email. If you do have a certificate, it will now lock (encrypt) for all email sent to that email address unless you unlock the icon.
It is important to remember that you must have a certificate from someone before you can send them encrypted email. When you receive a digitally signed email from someone, the Mac OS X client will automatically install their certificate in the keystore for you.
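The sign and lock buttons in Thunderbird and the Mac OS X client both come down to the same two S/MIME operations, and two points made above are easy to verify from the command line: encryption hides only the body (the sender, recipients and subject stay readable), and you can only encrypt to someone whose certificate you hold, while only their private key opens the result. The script below is an added example, not code from the article or from any mail client, that signs, verifies, encrypts and decrypts a message with the openssl CLI. It constructs two self-signed test identities for the made-up addresses alice@example.invalid (sender) and bob@example.invalid (recipient); because alice's certificate is self-signed it doubles as the trust anchor for verification, where a real client would chain to the CA root instead. It assumes openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example (not code from the article): exercise S/MIME signing,
# verification, encryption and decryption with the openssl CLI, the same
# operations the mail clients above perform behind their sign/lock buttons.
# "alice" (sender) and "bob" (recipient) are CONSTRUCTED self-signed test
# identities, not CA-issued certificates, so the script runs offline.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Throwaway key + self-signed certificate for one address ($1 = name, $2 = email).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2/emailAddress=$2" \
        -addext "subjectAltName=email:$2" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null
}

setup() {
    make_identity alice alice@example.invalid
    make_identity bob bob@example.invalid
    printf 'The figures are attached.\n' > "$WORK/body.txt"   # constructed body
}

# Sign with alice's private key; her certificate travels inside the message,
# which is how a recipient's client collects certificates from signed mail.
sign_message() {
    openssl smime -sign -in "$WORK/body.txt" -signer "$WORK/alice.crt" \
        -inkey "$WORK/alice.key" -from alice@example.invalid \
        -to bob@example.invalid -subject "Quarterly numbers" \
        -out "$WORK/signed.eml"
}

# Bob verifies against alice's certificate (self-signed here, so it is also
# the trust anchor; a real client chains to the vendor's CA root instead).
verify_signature() {
    openssl smime -verify -in "$WORK/signed.eml" -CAfile "$WORK/alice.crt" \
        -out "$WORK/verified.txt" 2>/dev/null \
        && grep -q "figures are attached" "$WORK/verified.txt"
}

# Any change to the signed content must make verification fail.
tampered_message_fails() {
    sed 's/figures/numbers/' "$WORK/signed.eml" > "$WORK/tampered.eml"
    if openssl smime -verify -in "$WORK/tampered.eml" -CAfile "$WORK/alice.crt" \
        -out /dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Encrypt to bob: only his CERTIFICATE is needed, which is why the clients
# above refuse to lock until they hold one for the recipient.
encrypt_to_bob() {
    openssl smime -encrypt -aes256 -in "$WORK/body.txt" \
        -from alice@example.invalid -to bob@example.invalid \
        -subject "Quarterly numbers" -out "$WORK/encrypted.eml" "$WORK/bob.crt"
}

# From, To and Subject stay in clear on the envelope; only the body is hidden.
headers_stay_clear() {
    grep -q '^Subject: Quarterly numbers' "$WORK/encrypted.eml" \
        && ! grep -q 'figures are attached' "$WORK/encrypted.eml"
}

# Bob's private key opens the message; alice's own key does not.
bob_can_decrypt() {
    openssl smime -decrypt -in "$WORK/encrypted.eml" -recip "$WORK/bob.crt" \
        -inkey "$WORK/bob.key" -out "$WORK/decrypted.txt" 2>/dev/null \
        && grep -q 'figures are attached' "$WORK/decrypted.txt"
}
alice_cannot_decrypt() {
    if openssl smime -decrypt -in "$WORK/encrypted.eml" -recip "$WORK/alice.crt" \
        -inkey "$WORK/alice.key" -out /dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

run_all() {
    setup; sign_message; verify_signature; tampered_message_fails
    encrypt_to_bob; headers_stay_clear; bob_can_decrypt; alice_cannot_decrypt
    echo "S/MIME round trip OK (files in $WORK)"
}

run_all
```

Opening `encrypted.eml` in a text editor makes the point about metadata concrete: the header block is ordinary readable mail, and only the base64 blob below it is ciphertext. The failed `alice_cannot_decrypt` step is the command-line form of the unlocked padlock: without the matching private key there is nothing a client can do with the message.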
Installing and using the S/MIME Certificate on an iPhone
If you haven't already done so, you should make sure to set a lock password on your iPhone so that if you lose your device, your email isn't compromised. Similarly, make sure to set the remote wipe capability.
The hardest part in setting up an iPhone to send digitally signed and encrypted email is getting the certificate backup file onto the iPhone. Here are the steps to do this:
- Export each certificate as an individual backup file.
- Copy the files to the iPhone using one of two methods:
  - Copy each certificate file to iCloud Drive
  - Email it (easy, but probably less secure)
- Select the file and follow the prompts to enter your iPhone lock code followed by the certificate backup password.
Once you have the certificates installed on your phone, you will need to go into settings to set up your email account to use it to send mail.
- Open settings and choose “Accounts and Passwords”.
- Select the account where you want to use the S/MIME certificate.
- Select the email account again (the row with the right arrow).
- On the account settings screen, open the “Advanced” settings.
- On the Advanced Settings screen, enable S/MIME and select “Sign”.
- On the digital signature screen, select the certificate that you want to use for this email account.