Email Certificates
FAQ
For more details and a client cert FAQ see the ClientCerts page.
Getting a personal email client cert
To make your certificate exportable, it is recommended to use a Netscape/Mozilla/Firefox web browser when creating the certificate.
Make sure you get 50 or more assurer points, so that you can generate a certificate with your name in it. Log in to the CAcert.org website with your e-mail address and password and click on the client certificate menu.
Click on New to generate a new client certificate. Check the box for the e-mail address(es) that you want to use the certificate with, and choose the Display Name that suits you best. Then click Next. In the next page you can choose between two different certificate strengths. Click on Generate Certificate and wait until you see the page Installing your certificate.
Select Edit/Preferences in your browser (depending on whether you use Netscape/Mozilla/Firefox on Windows or Unix platforms, the menu may also be called Tools/Options or ......). Go to Advanced/Security/Certificates/Manage certificates. You'll now have a certificate under the tab Your certificates. Back up this certificate to disk, which means saving it in PKCS12 format (.p12 file extension).
Mozilla Thunderbird
Installing the certificate
Tools/Options/Privacy/Security (Thunderbird 1.5) or Tools/Options/Advanced/Certificates (Thunderbird 1.x). In Thunderbird 2.0, use Edit/Preferences to bring up the "Thunderbird Preferences" window followed by Advanced/Certificates.
View Certificates (Thunderbird 1.5 or 2.0) or Manage Certificates (Thunderbird 1.x)
Import
- Select the CAcert PKCS12 certificate (with .p12 extension)
- Choose a passphrase for the Thunderbird local certificate store (choose with care and don't forget!)
- Type the passphrase with which you protected the .p12 certificate
Manage Certificates
Select Authorities (in the Certificate Manager window of Thunderbird 2.0)
Find and Edit the Root CA / CA Cert Signing Authority
Select at least the setting This certificate can identify mail users
Go to Tools/Account Settings (Thunderbird 1.5) or Edit/Account Settings (Thunderbird 2.0) and choose the account for which you want to use your certificate
Choose Security and click Select in the Digital Signing part of the configuration screen
- You can now choose your CAcert certificate
The certificate will also automatically be chosen as the certificate to Encrypt and decrypt messages sent to you
Note: If you are adding another person's public certificate and it doesn't import in the Other People's tab, go to the Websites tab and import it there. It should still work correctly.
For a more detailed HOWTO, see ../ThunderBird
Using the certificate to sign/decrypt e-mail messages
Write a new message
Before sending the message, click on the Security drop-down menu and select Digitally sign this message
- Send the message. You'll be asked to type the passphrase that you used to protect your Thunderbird local certificate store.
Mutt
Read the instructions from S/MIME for Mutt
Or have a look at mutt smime-notes.txt
Download the CAcert root certificate and issue the command smime_keys add_root root.crt
Mutt should have been shipped with an smime.rc file ( /usr/share/doc/mutt/examples/smime.rc under Debian). Copy the contents into your muttrc and replace the value from set smime_default_key with your own key id
MS Outlook
With MS Outlook, you can use your certificate to sign e-mail messages you send out and to decrypt e-mail messages sent to you. Follow the instructions in the chapter Getting a personal email client cert above. Double-click the .p12 file that you have saved to disk to install your certificate in the MS Windows certificate store. Your certificate is now available in all MS products that support S/MIME.
You can also use Outlook to encrypt a message that you send to someone with a CAcert certificate. First you will need to install the other person's certificate in your client. The easy way to do this is to have that person send you a signed e-mail message and verify that the certificate is correct (e.g. by checking the fingerprint via telephone or other direct contact with the other person). Once you have received that signed message and verified the certificate, it will be automatically stored in the MS Windows certificate store.
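The paragraph above says to verify a correspondent's certificate by reading its fingerprint over the telephone before trusting it for encryption. The following Python script is an added example, not part of this wiki page or of any mail client, showing what that comparison actually is: the fingerprint is a hash of the certificate's DER encoding, and the value read over the phone should be compared after normalising separators and case. The certificate embedded here is a constructed placeholder (random bytes in PEM framing, not a real CAcert-issued certificate); the function names are this example's own. It uses only the standard library, so it runs on any Python 3.

```python
"""Compute and compare S/MIME certificate fingerprints (added example)."""
import base64
import hashlib
import hmac
import re
import ssl


def pem_from_der(der_bytes):
    """Wrap raw DER bytes in the PEM framing a mail client exports."""
    body = base64.encodebytes(der_bytes).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample: 64 placeholder bytes stand in for a real DER-encoded
# X.509 certificate. Only the fingerprint arithmetic is demonstrated here.
SAMPLE_PEM = pem_from_der(bytes(range(64)))


def fingerprint(pem_cert, algorithm="sha256"):
    """Return the fingerprint as colon-separated uppercase hex, the way
    certificate viewers display it (e.g. 'AB:CD:...')."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)  # strips PEM markers, base64-decodes
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(spoken):
    """Reduce a fingerprint as dictated over the phone ('ab cd', 'AB:CD',
    'abcd') to plain uppercase hex so that formatting differences never
    cause a false mismatch."""
    return re.sub(r"[^0-9A-Fa-f]", "", spoken).upper()


def matches(pem_cert, spoken_fingerprint, algorithm="sha256"):
    """True only if the certificate's fingerprint equals the one the other
    party read out. A value of the wrong length (wrong algorithm, digits
    missed while dictating) is rejected rather than partially matched."""
    expected = normalize(spoken_fingerprint)
    if len(expected) != hashlib.new(algorithm).digest_size * 2:
        return False
    actual = normalize(fingerprint(pem_cert, algorithm))
    # Constant-time comparison; not security-critical for a fingerprint
    # check, but the habit costs nothing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        print(f"{alg.upper()} fingerprint: {fingerprint(SAMPLE_PEM, alg)}")
    print("match:", matches(SAMPLE_PEM, fingerprint(SAMPLE_PEM).lower().replace(":", " ")))
```

The clients described on this page show SHA-1 (and some also MD5) fingerprints in their certificate viewers; compute whichever algorithm the other party can read off their screen, and prefer SHA-256 when both sides can display it. Note that the fingerprint identifies one specific certificate: when a correspondent gets a new certificate, the fingerprint changes and must be verified again.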
--- Outlook specific instructions on how to sign/decrypt/encrypt ---
When you receive the signed email right click on the senders address (not the email itself). Select add to contacts. This will install the public certificate for you to use when sending emails. You can see that certificate by selecting the certificates tab on the top of your contact information.
If this person is already in your contact list then do the following:
Right-click the sender's address (not the email itself). Select Add to Contacts. Select the Certificates tab, highlight the certificate and select Export. Change the name to something you will recognize, select a location you will remember, enter a password and save. Close the new contact and do not save the changes (this removes the duplicate contact). Right-click the sender's address (by now you should recognize the pattern) and select Look up Contact. Select the Certificates tab and import the certificate using the path, name and password you just entered. You should be able to send encrypted messages to that address now.
Once your client certificate is loaded, Outlook creates profiles for your sending account. When composing an email you will see two buttons on the send menu (sign = envelope with ribbon, encrypt = envelope with lock). To sign an email press the sign button. This will send the email in plain text but will attach your public certificate. To encrypt an email press the encrypt button. This will encrypt the email using the recipient's public certificate stored in your contacts file under the Certificates tab. Only the person with the matching private key can read the email.
--- Outlook specific instructions on how to change your certificate ---
If you have an older CAcert certificate that cannot be renewed, you will need to create a new certificate. Once you add this certificate to your Microsoft certificate store you will have to tell Outlook which of the two certificates to use for signing and sending emails. Remember that you should not remove old certificates, or you will not be able to read old emails.
To change the certificate Outlook uses for signing and encrypting to your new certificate, do the following. (You really should use two certificates, one only for signing and one only for encryption, but that is another topic.)
Open Outlook. On the menu select Tools > Options ... to open the options window. Select the Security tab. In the section titled Encrypted e-mail you will see a choice field labelled Default Setting. Next to the choice field there is a button that says Settings... Press that button to open the Change Security Settings window. In the section named Certificates and Algorithms you will see the certificates used for signing and for encrypting. You can use the Choose ... buttons to set them to the proper certificates. If you have more than one certificate, remember to select the right certificate by its expiration date, and if you have more than one email account to set, select the proper account in the Security Settings Name choice field at the top.
Mac OS X Safari or OmniWeb
These browsers will correctly download your key and certificate and put them in the Mac OS X Keychain, where every well-written Mac OS X program will subsequently be able to access them. Most unfortunately, this does not include Firefox and Thunderbird.
To get your private key out of the Mac OS X Keychain, open the Keychain Access application in /Applications/Utilities.
Under Categories, click on My Certificates, then click on your certificate (check that it is the right one, the one issued by the CA Cert Signing Authority). Finally click on File -> Export, which presents you with a dialog box to choose the location of the .p12 file that will contain your certificate and your private key. After you click on Save, Keychain Access asks you for a passphrase with which to encrypt the .p12 file. Possibly, Keychain Access will also ask you for your keychain password to access your key (normally this is your login password).
Then continue as described elsewhere on this page.
Additionally, you may back up your keychain, found in $home/Library/Keychains.
Certs on the Mac
mac_keychain_cacert.tiff (Outdated Screenshot of the Keychain Access application)
Mac OS X Mail.app (native eMail application) for Signing / Encrypting
Mail.app is capable of handling X.509 certificates.
Your private and public personal (aka "client-") certificate is stored in your Mac OS X Keychain, which is managed with the Keychain Access Application found in /Applications/Utilities.
You get this certificate installed by the way described above. If you use Safari, everything is done automatically.
If you use Firefox: Go through the key generation process, export the certificate from Firefox, and import it to the Mac OS X Keychain by double-clicking the filename.
That's the flow. There's a very good and detailed documentation here: http://www.macdevcenter.com/pub/a/mac/2003/01/20/mail.html?page=1. I really encourage you to read it.
But this is not enough. Mail.app uses root certificates which are generally stored, managed and provided (for all users) by your OS. Applications like Safari and Mail.app ask the OS for them.
Unfortunately, your own keychain is not asked (bug?).
Therefore remember, when you add the root certificates to the Mac OS X Keychain, add them to the X509Anchors keychain! (Briefly: get http://www.cacert.org/certs/root.crt and http://www.cacert.org/certs/class3.crt, double-click on them, then choose the X509Anchors keychain.)
Now, if you like, close Mail.app, Safari, etc. (maybe also Keychain Access, just to be sure), and afterwards start Mail.app again.
These steps were needed because Apple does not ship the CAcert Root CA certificate. Cross your fingers that CAcert will manage this in the near future ;))
Now, since we have our private, public and CAcert's root certificate imported, everything should work fine, and we can have a look at what Apple says about using X.509 certificates for signing and encrypting: http://docs.info.apple.com/article.html?artnum=25555
That's it. Hope you had luck.
If you have problems, drop me a note: https://secure.cacert.org/wot.php?id=9&userid=17280.
KMail
http://steffenpingel.de/news/archive/2006/feb/27/using-cacert-certificates-with-kmail-on-debian/ (English with screenshots)
- these packages could be useful:
- pinentry- [ qt | gtk | gtk2 ]
- kleopatra
- gpgsm
- gpg-agent
Small howto on these is Kmail
- It seems there are several bugs left in KMail 1.9.5 or the plugins of that time. But X.509 works fine in KMail after installing and configuring Evolution too; maybe it fixes some configs.
Evolution
Evolution runs with X.509 out of the box. It needs no extra configuration or packages. You only have to load the cert into the mail client.
Gnus
The page at http://www.emacswiki.org/cgi-bin/wiki/GnusSMIME describes the procedure. CAcert's root certificates have to be linked into the smime-CA-directory (like described there).
Misc
TODO:
- Explain the next steps: What do I need to do to send someone an encrypted email, so I need a public key or what ?
- Insert step-by-step Powerpoint/Web Presentation for each client.