Ĩesky | english

Email Certificates


For more details and a client cert FAQ see the ClientCerts page.

A bit of background knowledge

If Alice wants to send Bob an encrypted mail she needs the public key of Bob.

The S/MIME-protocol, which is used by most email clients as the standard protocol, uses signed mails to distribute public keys. Every S/MIME signature contains the complete certificate, including the public key of the signer.

So to do encrypted communication Alice first has to get an email certificate for herself and send Bob a signed message. Bob's mailer usually automatically extracts the certificate from the signature and stores it in its certificate database. Now Bob has the option to send Alice an encrypted mail, even if he has no certificate for his mailer!

But usually Bob should also get his own certificate, otherwise encryption can only be used for one direction of message transfer.

Getting a personal email client cert

Simple way: Use a browser

Using this method, your private and public keys will automatically be generated by your browser and the public key will be sent to CAcert for signing. Your private key is never transmitted over the network (it stays in your browser's secure storage but can be exported from there afterwards).

Mozilla et al.

.certificate to disk, which means, saving it in PKCS12 format (.p12 file extension).

Internet Explorer

If you want to create a PKCS12 file to use it in Thunderbird this is the procedure:

N.B.: You may also use the Certificates console to import a PKCS12 file created otherwise for use in IE or Outlook. Give it a try, it's easy! :-)

The manual way: Create key locally (using OpenSSL) and get certificate with CSR

These are the needed steps in order:

  1. Generate the key (may be a part of the next step)
  2. Create the CSR - Certificate Signing Request

  3. Paste the CSR in the Generate Certificate form on CAcert.org
    Choose options (not sure whether "Enable certificate login with this certificate" is respected by the server, or something else must be done to prevent creation of a certificate which allows login) Click on Generate Certificate

  4. Save the certificate to a file, or install it in your browser (but more must be done to actually use the key resp. certificate, because the server response doesn't contain the private key part!)
  5. Assemble the certificate in PKCS12 format (.p12 file extension) which includes the private key part and can be imported in web browsers like Firefox and email application.

One possible way to accomplish this is the following:

openssl req -nodes -newkey rsa:4096 -keyout my.key -out my.csr

Fill out the two fields Common Name and Email Address (although that might be unnecessary?) and leave all other blank. After that the private key is in file private.key (note: not protected by a passphrase - this can only be done using OpenSSL's rsa command), and the key signing request including the public part in server.csr .

openssl pkcs12 -export -in my.crt -inkey my.key -in root.pem -out my.p12

openssl pkcs12 -export -in my.crt -inkey my.key -out my.p12


Now the PKCS12 certificate you can work with (which you can keep in a safe place as your backup copy) can be created in the file my.p12 (or choose another name) with this command:

Import the resulting file to Mozilla, Thunderbird, Outlook etc. At the same time this is your backup copy (which you should move to a safe place).

Mozilla Thunderbird

Installing the certificate

For a more detailed HOWTO, see ../ThunderBird

Using the certificate to sign/decrypt e-mail messages


Installing certificates of your counterparts

openssl smime -verify -in SMIME-SIGNED-E-MAIL -noverify -pk7out > SMIME-SIGNED-E-MAIL.pk7
openssl pkcs7 -print_certs -in SMIME-SIGNED-E-MAIL.pk7 > SMIME-SIGNED-E-MAIL.pem
openssl x509 -in SMIME-SIGNED-E-MAIL.pem -noout -hash
cp SMIME-SIGNED-E-MAIL.pem ~/.smime/certificates/$(openssl x509 -in SMIME-SIGNED-E-MAIL.pem -noout -hash)".0"
echo $(openssl x509 -in SMIME-SIGNED-E-MAIL.pem -noout -email) $(openssl x509 -in SMIME-SIGNED-E-MAIL.pem -noout -hash)".0" ALIAS >> ~/.smime/certificates/.index

Using the certificate to sign/encrypt e-mail messages

MS Outlook

Click on Tools > Trust Centre

With MS Outlook, you can use your certificate to sign e-mail messages you send out and to decrypt e-mail messages sent to you. Follow the instructions in the above chapter Getting a personal e-mail certificate. Double-click the .p12 file that you have saved to disk, to install your certificate in de MS Windows certificate store. Your certificate is now available in all MS products that support S/MIME.

You can also use Outlook to encrypt a message that you send to someone with a CAcert certificate. First you will need to install the other person's certificate in your client. The easy way to do this is to have that person send you a signed e-mail message and verify that the certificate is correct (e.g. by checking the fingerprint via telephone or other direct contact with the other person). Once you have received that signed message and verified the certificate, it will be automatically stored in the MS Windows certificate store.

Outlook 2007 Installation

The Outlook Trust Centre

Outlook specific instructions on how to sign/decrypt/encrypt

Upload the certificate

When you receive the signed email right click on the senders address (not the email itself). Select add to contacts. This will install the public certificate for you to use when sending emails. You can see that certificate by selecting the certificates tab on the top of your contact information.

If this person is already in your contact list then do the following:

Right click the senders address (not the email itself). Select add to contacts. Select the certificates tab. highlight the certificate and select export. change the name to something you will recognize and select a location you will remember, enter a password and save. Close the new contact and do not save the changes (this removes the duplicate contact). Right click the senders address (by now you should recognize the pattern) select lookup contact. select the certificates tab and import the certificate using the path, name and password you just entered. You should be able to send encrypted messages to that address now.

Once your client certificate is loaded, outlook creates profiles for your sending account. When composing an email you will see two buttons on the send menu. (sign = envelope with ribbon, encrypt = envelope with lock). To sign an email press the sign button. This will send the email in plain text but will attach the digital public certificate. To encrypt an email press the encrypt button. This will encrypt the email using the send to email public certificate stored in your contacts file under the certificates tab. Only the person with the private key can read the email.

Outlook specific instructions on how to change your certificate

If you have an older CACert Certificate that can not be renewed you will need to create a new certificate. Once you add this certificate to your Microsoft certificate store you will have to tell outlook which of the two certificates to use for signing and sending emails. Remember that you should not remove old certificates or you will not be able to read old emails.

To change which certifiate to use for signing and encrypting, (you really should use two certificates one that is only for signing only and one that is for encryption but that is another topic) to your new certificate in outlook do the following.

Open outlook. On the menu select Tools > Options ... to open the options window. Select the Security tab. In the section titled Encrypted e-mail you will see a choice field labled default setting. Next to the choice field there is a button that says settings... Press that button to open the Change Security Settings window. In the section named Certificates and Algorithms you will see the certificates used for signing and for encrypting. You can use the Choose ... buttons to set them to the proper certificates. If you have more then one certificate then remember to select the right certificate by the expiration date, and if you have more then one email to set you can select the proper email account by selecting the proper email account in the securities setting name choice field at the top.

Mac OS X Safari or OmniWeb

These browsers will correctly download your key and certificate and put them in the Mac OS X Keychain. Every well written Mac OS X program will subsequently be able to access them from there. Most unfortunately this does not include Firefox and Thunderbird, which use their own certificate storage as on other platforms. See the paragraph about Mozilla software above.

To get your private key out of the Mac OS X Keychain open the Keychain Access application in /Applications/Utilities.

Under Categories, click on My Certificates, then click on your Certificate (Check that it is the right one, the one issued by the CA Cert Signing Authority). Finally click on File -> Export which presents you with a Dialog box to choose the location of the .p12 file which will contain your certificate and your private key. After you click on save, Keychain Access asks you a passphrase with which you should encrypt the .p12 file. Possibly, Keychain Access will ask you for your keychain password to access your key (normally this is your login password)

Then continue as described otherwhere.

Additionally, you may back up your keychain, found in $home/Library/Keychains.

Certs on the Mac

mac_keychain_cacert.tiff (Outdated Screenshot of the Keychain Access application)

Mac OS X Mail.app (native eMail application) for Signing / Encrypting

Mail.app is capable to deal with x.509 certificates.

Your private and public personal (aka "client-") certificate is stored in your Mac OS X Keychain, which is managed with the Keychain Access Application found in /Applications/Utilities.

You get this certificate installed by the way described above. If you use Safari, everything is done automatically.

If Your Safari version does not import the private key, use the Firefox procedure (see below).

If you use Firefox: Go through the key generation process, install the certificate in Firefox, then back it up (Preferences -> Advanced -> View Certificates -> Backup) in a .p12 file and import that file into the Mac OS X Keychain by double-clicking the filename.

That's the flow. There's a very good and detailed documentation here: http://www.macdevcenter.com/pub/a/mac/2003/01/20/mail.html?page=1. I really encourage you to read it.

But this is not enough. Mail.app uses root-certificates which are generally stored / managed / provided (for all users) by your OS. Applications like Safari and Mail.app ask the OS for it.

Unfortunately, your own keychain is not asked (bug?).

Therefore remember, when you add the root certificates to the Mac OS X Keychain, add it to the X509Anchors keychain! Get http://www.cacert.org/certs/root_X0F.crt and http://www.cacert.org/certs/class3_x14E228.crt, doubleclick on them, then choose the X509Anchors keychain.

Snow Leopard's Keychain Access (and probably also Leopard) does not have an X509Anchors keychain, nor it will ask where to import the certificates.

If the keychain is missing just create a new keychain named X509Anchors, then drop all the CACert certificates in it.

Now if you'd like, you can close Mail.app, Safari, etc.. - maybe also Keychain Access (just to be sure), and afterwards start Mail.app again.

These steps were needed because Apple does not ship with the cacert Root CA Certificate.

Now, since we have our private, public and cacert's root-certificate imported, everything should work fine, and we could have a look to what Apple says about using x.509 Certificates for signing and encrypting: http://docs.info.apple.com/article.html?artnum=25555

That's it. Hope you had luck.

If you have problems, drop me a note: https://secure.cacert.org/wot.php?id=9&userid=17280.


Small howto on these is KMail


Evolution runs with x.509 out of the box. It needs no extra configuration of packages. You only have to load the cert into the mailclient.


The page at http://www.emacswiki.org/cgi-bin/wiki/GnusSMIME describes the procedure. CAcert's root certificates have to be linked into the smime-CA-directory (like described there).


<!> TODO:

EmailCertificates (last edited 2021-07-14 11:26:16 by AlesKastner)