
Email Security Part 2: Digitally Signing Your Email

This is the second in a series of articles on how to secure your email. Securing Your Email Part 1: Verifying the Sender covers the reasons for setting up your email clients to send and receive digitally signed and encrypted email. If you haven't read it yet, the procedures in this article will be easier to follow once you have.

In this article, we'll go through the process of setting up a private key that you install only on your computer, and a public certificate (public key) that is attached to your email and which others will use to encrypt mail sent to you. Your private key and the certificates should be stored in a password-protected file, and generally shouldn't be kept on your computer except where they are installed in the operating system or your email client, where they are protected by encryption.

If you want to find out more about how all of this works, Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age by Steven Levy is a good non-technical book on how public key encryption works.

This article covers how to obtain an S/MIME certificate and how to install and use it on several major email clients: Thunderbird, Microsoft Outlook, the Mac OS X email client, and the iPhone.

Note that some illustrations show “StartCom” certificates. This article was originally written when StartCom was a reliable certificate vendor. In 2016, it was purchased by another vendor and issued some fraudulent certificates; it was subsequently removed as a Certificate Authority from most browsers and email clients. At some point I will go back and update all of these screen captures.

Obtaining an S/MIME Certificate for Your Email Address

There are a number of S/MIME certificate vendors that can provide you with a certificate to use for S/MIME email signing and encryption (kind of a mouthful of a sentence, isn't it?). Here are a few that offer free email certificates, although it may be hard to find the free offerings on some sites:

There are numerous other certificate vendors. As a rule, stick to one that offers an "Extended Validation" certificate, even though you won't be using one of these. This generally guarantees that the vendor's Certificate Authority root certificate will be installed as part of the Microsoft, Apple, and Android maintenance streams and that neither you nor the people with whom you correspond will need to accept a root certificate (there is risk in accepting root certificates). There are a couple of "Community Certificate Authority" services, but they generally don't have their root certificates accepted into the operating system maintenance streams.

For the free low-verification (Class 1) certificates, the vendor will send you an email with a link that you need to click on to verify that you are the email owner. If you want to pay for an Individual or Organization Class 2 certificate or an Extended Validation certificate, you will need to supply a driver's licence (or passport) and other information that the vendor will use to verify your identity and your authorization to obtain and control the certificates. You pay for the investigation--not the certificate--so make sure that you have all of the documentation together before applying so that the investigation is successful.

The tutorial that follows is for Comodo, the vendor that I have used.

If you are using an Apple computer, do all of this in Safari rather than Firefox or Chrome, even if those are your normal browsers. If you do this in Safari, it will automatically place the certificates in the Keychain, where they are directly usable by the OS X email client. If you do this in Firefox or Chrome, the certificates may stay within the browser's keystore, in which case you will need to export them and import them into the Keychain.

Similarly, if you are on Windows, do this under Internet Explorer, as it may place them directly in the Certificate Manager (same thing as Apple's keychain) without any intervention on your part. In either case, you will still need to make an off-computer back-up that is stored in an encrypted file.

  1. From the home screen, select "Sign Up Now" in the lower left corner.
     Figure 1. Make sure to start at this screen to apply for a Comodo email certificate.
  2. Wait for the selection list for “Private Key Options” to appear before you start to enter your identification information. Unfortunately, the screen will paint without any indication that the key quality option will appear; while it is doing this, Firefox is generating a random number that it will use to generate a private key and then a “Certificate Request”. It will take Firefox a couple of minutes to generate the private key. If you proceed with entering your personal information, Comodo will come back with an error message that Firefox did not send a Certificate Request. Protect the private key and certificate as you would a password, and make sure to store a backup copy.
     Figure 2. Make sure to wait for the “Private Key Options” to appear. If you do not wait, Firefox will not generate the private key needed to submit a certificate request.
  3. Go to your email and click on the “Click and install Comodo Email Certificate” link.
     Figure 3. Click on the “Click and install Comodo Email Certificate” link in the email that Comodo sends.
  4. Firefox will automatically import the certificate into the Firefox Certificate Manager. If you use Internet Explorer, it will import it into the Windows Certificate Manager.
     Figure 4. When you click on the Get Certificate link in the email that Comodo sends, it will open up a browser window to import the certificate into Firefox.
  5. It will install the certificate in your browser's keystore. For Safari on OS X, this is shared with the OS X email client--if you restart your email program, you can skip to Installing and using the S/MIME Certificate on Mac OS X Email Client.
     Figure 5. Firefox will import the certificate into the Firefox Certificate Manager. Internet Explorer will import the certificate into the Windows Certificate Manager. Safari will import the certificate into the OS X Keychain.
  6. When you get back to the Control Panel, go to the Validations Wizard and validate all of your other email addresses.
  7. In Firefox, back up the certificates to a USB drive that you can store safely. It will prompt you for a password. Use a strong one. You will use this file to import certificates into Thunderbird, Outlook on your laptop, your iPhone, or other devices that you use.
     Figure 6. Screen capture of Certificate Manager dialog and certificate backup option in Firefox.
  8. If you use an OS X machine, you should back up your certificates to a USB drive that you can store safely. Use the Keychain Access program. You will need to select the private keys and certificates for each email address. In most areas, OS X is the easiest platform for S/MIME, but in this step it is the hardest and most error-prone. Select File->Export Items. It will prompt you for a filename and file type--take the default .p12 file type. When prompted, use a strong password.
     Figure 7. Screen capture of Keychain Access program and certificate backup option on OS X operating system.
  9. If you use Windows, you should back up your certificates to a USB drive that you can store safely. Use Internet Explorer or run certmgr.msc. The instructions that follow are for Internet Explorer.
     1. In Internet Explorer, select Options->Content->Certificates.
        Figure 8. Screen capture of Microsoft Internet Explorer Options panel and certificate backup.
     2. Next, select Export.
        Figure 9. Screen capture of Microsoft Internet Explorer export certificates dialog.
     3. When it prompts, select "yes" to export the private key. It will require a password--use a strong one.
        Figure 9. Screen capture of Microsoft Internet Explorer export private keys dialog.
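As an added example that is not part of the original article (and not code from Comodo, Firefox or any of the clients discussed), here is what the browser and the backup dialogs in the steps above do, expressed with the openssl command-line tool: the private key and certificate request of Figure 2, a self-signed certificate standing in for the one the CA emails back, and a password-protected .p12 backup that is then checked without ever writing the private key out unprotected. The address, the password and the working directory are constructed for the example; the self-signed step is a stand-in for the CA, not what a real vendor does.

```shell
#!/bin/sh
# Added example, not code from the article or from any certificate vendor.
# Assumes the openssl command-line tool. The address, password and the
# self-signed certificate are constructed stand-ins for what the browser
# and the CA produce in Figures 2 to 9.
set -e
WORK=$(mktemp -d)
EMAIL="alice@example.com"                    # constructed address
BACKUP_PW="correct horse battery staple"     # constructed; pick your own strong one

# Step 1: the private key and certificate request (CSR) the browser builds
# while you wait for "Private Key Options". The key never leaves $WORK.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/smime.key" -out "$WORK/smime.csr" \
  -subj "/CN=Alice Example/emailAddress=$EMAIL" 2>/dev/null

# Step 2: the CA signs the request and returns a certificate. Here a
# self-signed certificate stands in for the one the vendor emails you.
openssl x509 -req -in "$WORK/smime.csr" -signkey "$WORK/smime.key" \
  -days 365 -out "$WORK/smime.crt" 2>/dev/null

# Step 3: the off-computer backup: key and certificate bundled into one
# password-protected PKCS#12 (.p12) file, the format every client imports.
openssl pkcs12 -export -in "$WORK/smime.crt" -inkey "$WORK/smime.key" \
  -name "$EMAIL" -out "$WORK/backup.p12" -passout "pass:$BACKUP_PW"

# Subject of the request, to confirm the address went into it.
csr_subject() { openssl req -in "$WORK/smime.csr" -noout -subject; }

# Subject of the certificate inside the backup, read with -nokeys so the
# private key is never written anywhere while you check the file.
backup_subject() {
  openssl pkcs12 -in "$WORK/backup.p12" -passin "pass:$BACKUP_PW" \
    -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# "yes" if the backup really contains the private key and not just the
# certificate (a certificate-only export is useless for signing).
backup_has_key() {
  if openssl pkcs12 -in "$WORK/backup.p12" -passin "pass:$BACKUP_PW" \
       -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"
  then echo yes; else echo no; fi
}

# "rejected" if a wrong password fails the file's integrity check, which is
# what protects the backup on the USB drive.
wrong_password() {
  if openssl pkcs12 -in "$WORK/backup.p12" -passin "pass:not the password" \
       -noout 2>/dev/null
  then echo accepted; else echo rejected; fi
}

csr_subject
backup_subject
backup_has_key
wrong_password
```

The same `openssl pkcs12` commands work on a .p12 exported by Firefox, Keychain Access or Internet Explorer, so they are a quick way to confirm that a backup contains the private key for the right address before you rely on it.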

When you have finished generating and backing up your certificates and private keys, you are ready to install them on other computers or devices. The next sections show you how to install your certificates and private keys on other devices so that you can digitally sign and encrypt emails on all of them.

Installing and using the S/MIME Certificate on Thunderbird

Installing and signing email on Thunderbird requires installing your private key and certificates, assigning the certificate to use for each email account, and setting the default value for whether or not to digitally sign and/or encrypt each email.

Installing your Private Key and Certificates on Thunderbird

The first step in setting up Thunderbird is to install the certificates that you obtained in the previous step. To do this, go to Edit->Preferences->Advanced->Certificates. You will see a display something like the figure below. Select Import and go through the dialog to find the backup file with your certificate and private key from your USB drive. It will prompt you for the password to open the backup file and then it will import them to the list under "your certificates."

Screen capture of Thunderbird certificate manager dialog where you import S/MIME certificates.
Figure 10. Screen capture of Thunderbird certificate manager dialog where you import S/MIME certificates.

Setting the Certificate to use for Each Email Account

The next step is to go to each email account and select the certificate for that email account and set the defaults that you want to use as in the figure below. The whole point of this exercise is to authenticate your email, so go ahead and check the "Digitally sign messages" box.

If you check the encryption box, understand that it will only work for email recipients for whom you have a certificate--probably not very many people at this point in time. If you CC a bunch of people, you would need certificates for each of the people that you have cc'd. The email is stored unencrypted on your disk drive; the recipient may choose to store it encrypted or unencrypted.

Screen capture of Thunderbird account preferences where you set the certificate to use for S/MIME.
Figure 11. Screen capture of Thunderbird account preferences where you set the certificate to use for S/MIME.

Sending a Signed and/or Encrypted Email

Finally, we are ready to send a signed or encrypted email. Note that if you choose encryption, the sender, recipients and subject line are never encrypted; only the contents are. The figure below shows the "send" dialog on Thunderbird--notice the S/MIME pulldown on the toolbar. To change whether or not the email is signed or encrypted, just click on one of the items in the pulldown. If you select "View Security Info" it will give you a dialog box with information on the certificates of the recipients.

Screen capture of the send email screen on Thunderbird.
Figure 12. Screen capture of the send email screen on Thunderbird.

Installing and using the S/MIME Certificate on Microsoft Outlook

To sign and encrypt email on Outlook, you must first install your private key and public certificate. In Outlook:

  1. Go to File->Options->Trust Center->Trust Center Settings->Email Security. Put a check mark in the setting to digitally sign emails by default.
  2. Within Trust Center, go to E-Mail Security, select Import/Export, and use the Browse button to locate the .p12 file; enter the password for the certificate backup file and a name. The name doesn't appear to need to match anything.
     Figure 13. Screen capture of the certificate import dialog in Microsoft Outlook.
  3. Accept the default of "medium" for the access level for this private key and certificate. Outlook will prompt you once for each certificate in the file, but it won't indicate which certificate it is importing.
     Figure 14. Screen capture of the certificate key access security setting in Microsoft Outlook.
  4. If you want to review the certificates that you imported, enter certmgr.msc in the Run dialog.
     Figure 15. Screen capture of the Microsoft Windows certmgr.msc.

Sending Signed Email

Sending signed email the first time will generate a couple of one-time-only prompts. To start off, let's make sure that we have set the defaults:

  1. Start a new email and then go to File->Properties.
     Figure 16. Screen capture of the Microsoft Outlook email properties dialog.
  2. Select Security. The check box for digitally signed should be checked.
     Figure 17. Screen capture of the Microsoft Outlook email properties security dialog.
  3. When you hit "send" you will get a very cryptic prompt asking for access to the private key that is needed to digitally sign (or encrypt) the email. Select "Allow."
     Figure 18. Screen capture of the Microsoft Outlook grant permission to access private key dialog.

Installing and using the S/MIME Certificate on Mac OS X Email Client

Installing your Private Key and S/MIME Certificate on Mac OS X

The first step in sending digitally signed email is to install your private key and certificate on Mac OS X. To do this, take the key backup file (.p12 file type) and open it from Finder. It will prompt you for the password to the backup file. When you enter the password, it will automatically import your private key and certificate into your keychain (keystore) and bring up the Keychain Access application. You do not need to do anything more, though it may be interesting to see all of the keys and certificates in the keychain. If you look around, you will see both the certificate and the private key that you just installed for your email account. If you have received signed email previously, you will also see the certificates from those senders.

Sending Signed Email

Since we installed our private key and certificate in the previous step, the "send mail" window changed--it will now have a lock icon and a check-mark icon immediately to the right of the signature selection control as shown in the figure below. The digital signature property is now selected by default but the lock icon will show as unlocked until we enter a recipient from whom we have a certificate.

If you change the signature property, it will stay unchecked for subsequent emails until you change it back to checked. When you send an email for the first time after you install your key and certificates, the email client will ask for access to your "keystore." You will need to allow access; otherwise the email client will not be able to sign and/or encrypt the email.

Screen capture of OS X email client with S/MIME digital signing enabled.
Figure 19. Screen capture of OS X email client with S/MIME digital signing enabled.

Sending Encrypted Email

To send an encrypted email, enter the email recipient in the "To:" area, and select the lock icon. If it won't lock, that means that you don't have a certificate for this person, and you can't send them encrypted email. If you do have a certificate, it will now lock (encrypt) all email sent to that email address unless you unlock the icon.

It is important to remember that you must have a certificate from someone before you can send them encrypted email. When you receive a digitally signed email from someone, the Mac OS X client will automatically install their certificate in the keystore for you.

Screen capture of OS X email client with S/MIME encryption and digital signing enabled.
Figure 20. Screen capture of OS X email client with S/MIME encryption and digital signing enabled.
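The behaviour described in the Thunderbird "Sending a Signed and/or Encrypted Email" section and in the two Mac OS X sections above (the signature protects the body, the recipient's client keeps a sender's certificate from a signed message, encryption needs a certificate for every recipient including anyone you CC, and the headers stay in the clear) can be reproduced end to end with the openssl command-line tool. The following is an added example, not code from the article, Thunderbird, Apple Mail or Outlook; Alice and Bob are constructed identities with self-signed certificates standing in for CA-issued ones, and the message text is made up.

```shell
#!/bin/sh
# Added example, not code from the article or from any mail client.
# Assumes the openssl command-line tool. Alice and Bob, their keys and
# certificates, and the message text are all constructed for the example.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# One key pair and self-signed S/MIME certificate per person (stand-in for
# the certificate a CA issues; the extensions match what S/MIME clients expect).
make_identity() {   # $1 = name, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$1/emailAddress=$2" \
    -addext "subjectAltName=email:$2" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=emailProtection" 2>/dev/null
}
make_identity alice alice@example.com
make_identity bob   bob@example.com

# Constructed message body.
printf 'Can you make 12:30 on Friday?\n' > body.txt

# 1. Alice signs. The default is clear-signing: the text stays readable and
#    the signature plus Alice's certificate travel alongside it.
openssl smime -sign -in body.txt -text -signer alice.crt -inkey alice.key \
  -from alice@example.com -to bob@example.com -subject "Lunch" -out signed.eml

# A tampered copy: the body changed after signing, signature left untouched.
sed 's/12:30/13:30/' signed.eml > tampered.eml

# 2. Bob's client verifies the signature against a trusted certificate and,
#    as Apple Mail does on receipt, keeps the signer's certificate (-signer
#    writes it out) so Bob can encrypt replies to Alice later.
verify_message() {   # $1 = message file; echoes valid or invalid
  if openssl smime -verify -in "$1" -CAfile alice.crt \
       -signer "$1.signer.crt" -out /dev/null 2>/dev/null
  then echo valid; else echo invalid; fi
}
verify_message signed.eml
verify_message tampered.eml

# Subject of the certificate harvested from the signed message.
harvested_signer() { openssl x509 -in signed.eml.signer.crt -noout -subject; }

# 3. Bob replies encrypted to Alice and CCs himself: one certificate is
#    needed per recipient, which is why encrypting to a CC list so often fails.
printf 'Sure, 12:30 works.\n' > reply.txt
openssl smime -encrypt -in reply.txt -text -aes-256-cbc \
  -from bob@example.com -to alice@example.com -subject "Re: Lunch" \
  -out encrypted.eml signed.eml.signer.crt bob.crt

# The envelope headers are outside the encrypted part; the body is not.
encrypted_header_in_clear() {
  if grep -q '^Subject: Re: Lunch' encrypted.eml; then echo yes; else echo no; fi
}
encrypted_body_in_clear() {
  if grep -q '12:30 works' encrypted.eml; then echo yes; else echo no; fi
}

# 4. Each recipient decrypts with their own private key; -text strips the
#    inner MIME header and tr drops the CRLF line endings S/MIME uses.
decrypt_as() {   # $1 = name; echoes the recovered text
  openssl smime -decrypt -in encrypted.eml -recip "$1.crt" -inkey "$1.key" \
    -text 2>/dev/null | tr -d '\r'
}
decrypt_as alice
decrypt_as bob
```

Two things worth noticing when you run it: the tampered message fails verification even though it still carries a perfectly good signature and certificate, which is the whole value of signing; and `grep` finds the Subject line in `encrypted.eml` in plain text, which is the point the Thunderbird section makes about what encryption does and does not hide.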

Installing and using the S/MIME Certificate on an iPhone

If you haven't already done so, you should make sure to set a lock password on your iPhone so that if you lose your device, your email isn't compromised. Similarly, make sure to set the remote wipe capability.

The hardest part in setting up an iPhone to send digitally signed and encrypted email is getting the certificate backup file onto the iPhone. Here are the steps to do this:

  1. Export each certificate as an individual backup file.
  2. Copy the files to the iPhone using one of two methods:
    • Copy each certificate file to iCloud drive
    • Email it (easy, but probably less secure)
  3. Select the file and follow the prompts to enter your iPhone lock code followed by the certificate backup password.

Once you have the certificates installed on your phone, you will need to go into settings to set up your email account to use it to send mail.

  1. Open Settings and choose “Accounts and Passwords”.
     Figure 21. Open the iPhone settings for “Accounts and Passwords”.
  2. Select the account where you want to use the S/MIME certificate.
     Figure 22. Select the account where you want to use the S/MIME certificate.
  3. Select the email account again at the right arrow.
     Figure 23. Select the email account again at the right arrow.
  4. On the account settings screen, open the “Advanced” settings.
     Figure 24. On the account settings screen, open the “Advanced” setting.
  5. On the Advanced Settings screen, enable S/MIME and select “Sign”.
     Figure 25. On the Advanced Settings screen, enable S/MIME and select “Sign”.
  6. On the digital signature screen, select the certificate that you want to use for this email account.
     Figure 26. On the digital signature screen, select the certificate that you want to use for this email account.