How to set your email client to digitally sign and/or encrypt your outgoing messages
Article: KB0010830 Published: 2013-01-31 Last modified: 2017-06-26

Introduction

Overview

Digitally signed email allows an email recipient to verify your identity. Encrypting an email message prevents other people from reading it while it is in transit. In order to sign and/or encrypt messages, your email client must support S/MIME. S/MIME (short for "Secure/MIME") is an extension of the MIME standard that supports signing and encryption of email messages and their contents by way of public-key cryptography using X.509 compatible certificates.

S/MIME is, and is likely to continue to be, widely implemented across a variety of operating systems and e-mail clients. For this reason, it is possible for users of different email clients on a variety of operating systems to exchange secure, digitally signed email messages without installing any additional software.

Email Clients

Some popular email clients that support S/MIME and for which we provide instructions on this page are:

  • Thunderbird v10 (any OS)
  • Microsoft Outlook 2010/2013/2016 (Windows)
  • Mail (Macintosh OS X)
  • Microsoft Outlook 2011 (Macintosh OS X)
  • Alpine (Linux command line client)

For all of the above except Thunderbird and Alpine, the email client shares a certificate store with its "corresponding" browser. This means that once your certificate is in the corresponding browser you don't need to import it into the email client again; the email client can find it. On the Macintosh the shared store is the keychain.

Pine does not support X.509 certificates for signing and encrypting email messages. It does have support for PGP and GnuPG. We recommend that you transition to a different email client and use certificates.

 

Getting Started

Not only does your email client need to know where to find your personal certificate, it needs access to your copy of the CA's certificate (this is optional for browsers, but not for email clients). Further, if you plan to exchange encrypted email messages, your client will need to store your correspondents' certificates.

In order to send an encrypted email message, you first need to receive a signed email message from each intended recipient, so that your email client stores their personal certificates for later use when encrypting messages to them. See the detailed instructions below.

 

The first step is to obtain a personal OSG PKI certificate; it supports S/MIME. Then make sure the certificate is imported into your email client (this is automatic for a shared store). Set your email client configuration to use your certificate (this varies by client; instructions are on this page).

Next, make sure that in the certificate's list of trusted CAs (called "Authorities" in some clients) you see CILogon OSG CA (the root CA) certificate. To check, and then to install it if necessary, follow the instructions for importing CA certificates into your email client.

Once you have your certificate and the trust chain is established, you can send signed messages to anyone. But you can only send encrypted messages to a recipient if:

  • you, the sender, have an S/MIME-enabled certificate installed in your email client.
  • the recipient has an S/MIME-enabled certificate installed in the email client where he or she will read your message.
  • your email client has a copy of the recipient's certificate, so that it can use the recipient's public key to encrypt the message such that he or she can decrypt it after receipt (using the corresponding private key).

The easiest way to give your email client a correspondent's certificate is to:

  • set your email client to automatically store the certificates it receives via incoming email in its certificate store (client-specific, many have this set by default; instructions included in the configuration section for each client).
  • ask each correspondent to initially send you a digitally signed message (not encrypted, just signed); this includes his/her certificate.

 

Thunderbird v10 (Any OS)

To verify the certificates, begin from the Thunderbird mail window:

  1. From the Edit menu, click Preferences (If you are using a Mac, you can find it under the Thunderbird menu).
  2. Click the Advanced category.
  3. Under Certificates, click View Certificates
  4. In the Certificate Manager window, under the Authorities tab, look for OSG CA. Under it you should find CILogon OSG CA-1. If it is not there, download it if necessary and import it (click the Import button).
  5. Check that the trust settings of the CA certificates are correct. Do this by selecting a CA certificate and then clicking the Edit Trust button at the bottom of the window. The pop-up window displays the trust settings; it is recommended that all the check-boxes be checked ("This certificate can identify mail users" must be checked so your personal certificate can be used to sign email). Note that these trust settings are present only for the (two) CA certificates and not for your personal certificate, but they do affect the usability of your personal certificate.
  6. Under Your Certificates, make sure that your valid personal OSG PKI certificate is there. You should also delete any expired certificates.

To configure your default signing and encryption settings, start from the Thunderbird mail window.

  1. Under Tools, click Account Settings.
  2. Click Security under the name of the selected mail account to configure that account's security settings.
  3. Select the certificate to use (it's easiest to use the same certificate for both signing and encryption; in fact you probably only have one!)
  4. Select the defaults you prefer: "Digitally sign all messages (by default)" and/or "Never" or "Required" for encryption. You can override either of these defaults on the message window for individual messages.

Override the default for signing and/or encrypting when sending a message:

  1. Start a new message.
  2. Find the padlock icon on the message toolbar with the description S/MIME under it.
  3. If you click on the down arrow, you can check or uncheck Encrypt This Message or Digitally Sign This Message. Alternatively, you can select the Options menu and check or uncheck the Encrypt This Message and Digitally Sign This Message items under that menu.
  4. If you click on the padlock icon (or select View Security Info after clicking on the down arrow), you can view the current settings and your certificate details.

Microsoft Outlook 2010/2013/2016 (Windows)

To check the personal and CA certificates Outlook will find (recall that for FERMI domain machines, CA certificates are updated automatically for you):

  1. From your Start menu, select the Control Panel. From the Control Panel window, select  Internet Options.
  2. Choose the Content tab, and under the Certificates heading, click the Certificates button.
  3. Under Personal, verify that you have your valid OSG PKI  certificate. If it is not there, import it.
  4. Also verify that no expired personal certificates appear. If there are expired personal certificates, remove them.
  5. Under Intermediate Certification Authorities, look for OSG CA-1. If it is not there, download it if necessary, and import it into IE.
  6. Click the Advanced button. Make sure that Secure Email is checked in the list of Certificate purposes. Click OK.
  7. Under Trusted Root Certification Authorities, look for OSG Root CA. If it is not there, download it if necessary, and import it into IE.
  8. Click the Advanced button. Make sure that Secure Email is checked in the list of Certificate purposes. Click OK.

 

Set Outlook to sign and/or encrypt outgoing messages by default and to use the correct certificate:

  1. In the main Outlook window, in the File menu, click the Options menu item.
  2. Select the Trust Center section and click on the Trust Center Settings button.
  3. Click the E-mail Security section and select the following options.
    • Add Digital Signature to Outgoing Messages to include your signing certificate on all outgoing messages.
    • Send clear text signed messages when sending signed messages to ensure that recipients can read your signed messages. This is especially important for recipients using Web-based or mobile email clients. (NOTE: If you do not send messages as "clear text signed", users without an S/MIME-supporting email client will be unable to read them – they will look like encrypted email messages.)
    • It is recommended that you not select the option to Encrypt contents and attachments for outgoing messages, and instead choose encryption manually for individual messages rather than setting it as the default.
  4. Click the Settings button.  Outlook displays the certificates available for signing and public encryption of E-mail under Certificates and Algorithms. Outlook should include your public signing certificate when it sends signed E-mail so that other users can validate your E-mail and can send you encrypted messages.
  5. Click the Choose button to the right of the Signing Certificate to choose the certificate to be used for signing E-mail (it's easiest if you choose the same one for both, and you probably only have one). Click OK.
  6. Select Hash Algorithm SHA1. Selecting anything other than SHA1 is likely to cause problems (possibly unreadable messages) with other email clients and older Outlook versions.
  7. Click the Choose button to the right of the Encryption Certificate to choose the certificate to be used for encrypting E-mail (it's easiest if you choose the same one as for the Signing Certificate, and you probably only have one). Click OK.
  8. Select Encryption Algorithm 3DES (recommended) or AES 256-BIT. The use of 3DES is recommended so recipients of your emails using older Outlook versions or other email clients can decrypt and read your messages.
  9. Click OK again.
  10. Send an email to yourself as a test.  Check the delivered message for display of the signing icon, encryption icon or both (depending on the options you selected).

 

Override the default for signing and/or encrypting when sending a message:

This involves adding buttons for Sign and Encrypt to your message toolbar, and requires that you turn off Microsoft Word as the message editor.

  1. Go to Tools > Options > Mail Format (tab).
  2. Uncheck “Use Word to edit email messages”.
  3. Click OK.
  4. Create a new email message.
  5. Right-click on the toolbar and click Customize.
  6. Select the Commands tab, and select the Standard category of commands.
  7. In the Commands window, you will see two buttons near the bottom.
  8. One is an envelope with a red seal (for signing), the other is an envelope with a blue lock (for encrypting).
  9. Drag each of these into your toolbar (to a place you like – e.g., just before the Options button).
  10. Click Close.
  11. You should now have these two buttons on your toolbar. Click one or the other (or both) to enable signing and/or encryption prior to sending off each email message.

 

Mail (Macintosh OSX)

If you used Safari to obtain your certificate, the Keychain Access application is automatically launched to transfer the certificate, and you don't need to manually import it into Mail. It's ready to go! This also applies if you used Firefox to obtain your certificates and then imported them into the keychain.

You can check that your certificates are present and set up by starting the Keychain Access application. Usually you will see the OSG CA certificates and your personal certificate (identified by your name) in the login (default) keychain. In particular, check that the OSG Root CA certificate icon has a small blue plus sign superimposed; this indicates that the trust options are properly set for the OSG certificates. Select your personal OSG certificate and then choose Get Info from the File menu. This displays a window with detailed information about the certificate; at the top of this window (below the Expires: line) there should be a checkmark and the text "This certificate is valid", which indicates that the OSG certificate trust chain is intact. You can also right-click (or control-click) your personal OSG certificate and select the "Evaluate ..." item from the context menu. In the resulting Viewing and Evaluating Certificates window, click the S/MIME button, enter your E-mail address and click Continue to check the certificate's validity for signing E-mail.

To send a signed email, simply select the sign button in the new message window. Similarly, to send an encrypted message, select the encrypt button. The encrypt button is visible only when the recipient has a certificate and you have a copy of the recipient's certificate stored in your Keychain.

For further reading, see the Ars Technica article How to secure your e-mail under Mac OS X and iOS 5 with S/MIME.

 

Microsoft Outlook 2011 (Macintosh OS X)

Outlook for Macintosh uses the keychain for certificate storage.  Instructions on checking the certificates in your keychain can be found in the Mac OS X Mail section above.

 

Set Outlook to sign and/or encrypt outgoing messages by default and to use the correct certificate:

  1. In the main Outlook window, in the Tools menu, click the Accounts menu item.
  2. Select your mail account and click the Advanced button.
  3. Click the Security tab.
  4. In the Digital Signing area, click on the pop-up menu option. The Certificate pop-up menu only displays certificates that are valid for email signing or encryption that are already in the keychain for your Mac OS X account.
  5. Select your (identified typically by your first and last names) Digital Signing certificate from the list.
  6. Click Choose.
  7. Select Signing (Hash) Algorithm SHA1. Selecting anything other than SHA1 is likely to cause problems (possibly unreadable messages) with other email clients and older Outlook versions.
  8. After selecting your certificate, set the following options:
    • Select Sign outgoing messages to digitally sign messages by default.
    • Select Send digitally signed messages as clear text to ensure that recipients can read your signed messages. This is especially important for recipients using Web-based or mobile email clients. (NOTE: If you do not send messages as "clear text signed", users without an S/MIME-supporting email client will be unable to read them – they will look like encrypted email messages.)
    • Select Include my certificates in signed messages to include your signing certificate with your public key on all outgoing messages, so recipients can use it to send you encrypted messages.
  9. In the Encryption area, click the pop-up menu option. Again, select your certificate from the list as above.
  10. Select Encryption Algorithm 3DES.  The use of 3DES is recommended so recipients of your emails using older Outlook versions or other email clients can decrypt and read your messages.
  11. Also in the Encryption area, it is recommended that you not select the option to Encrypt outgoing messages and attachments by default, and instead choose encryption manually for individual messages rather than setting it as the default.
  12. Click OK to close the Edit Accounts dialog and then close the Accounts window.
  13. Send an email to yourself as a test.  Check the delivered message for display of the signing icon, encryption icon or both (depending on the options you selected).

 

Override the default for signing and/or encrypting when sending a message:

Depending on the default options you selected, when you compose a new message, Outlook will display a lock icon and one of three options.

  • This message will be Digitally Signed
  • This message will be Encrypted
  • This message will be Digitally Signed and Encrypted

To change the options on a message-by-message basis when you are composing a new message:

  1. Click the Options tab.
  2. Click Security.
  3. Then click Encrypt Message, Digitally Sign Message, or select both.

 

Alpine (Linux command line client)

 

Alpine is a command line mail client for Linux that supports the S/MIME standard.  By default, Alpine stores the certificates used for S/MIME in the .alpine-smime directory located in your account's home directory. Within .alpine-smime will be 3 subdirectories containing files with PEM-encoded contents as used by OpenSSL.

  1. The .alpine-smime/public directory contains public certificates. These files should be named after the email addresses with a suffix of .crt appended. An example filename would be auser@fnal.gov.crt.
  2. The .alpine-smime/private directory contains private keys (probably just one, your own). Again these are named after email addresses but with a suffix of .key added. The private key file corresponding to our example certificate file would be auser@fnal.gov.key.
  3. .alpine-smime/ca directory contains the CA certificates you want to trust but which are not contained in the set of system CAs.  The filenames are arbitrary but must have .crt suffixes.

If you have a certificate, you can sign outgoing messages.  After typing the Ctrl-X command to send a message you will see the Send message? prompt.  Available subcommands include G to sign and E to encrypt the message. Typing the G command will change the prompt to Send message (Signed)?, typing E will change the prompt to Send message (Encrypted)? and typing both G and E will get Send message (Encrypted, Signed)?.

When reading signed messages, no special actions are required on your part. There should be an addition at the start of the message which says either "This message was cryptographically signed." or "This message was cryptographically signed but the signature could not be verified." If an encrypted message is received, the encrypted text will not be shown. You have to use the Ctrl-D command (from the screen where you are viewing the message) to decrypt the text. Supply your passphrase (for your encrypted private key) when asked. You can also use the Ctrl-F Security command on a signed or encrypted message to display information about the certificate used to sign or encrypt it.
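As an added example (not part of this article, and not Alpine's or OpenSSL's own code), the script below builds a throwaway .alpine-smime store with a constructed CA and user certificate, then runs the openssl checks that correspond to the troubleshooting hints further down: expiry, S/MIME purpose, chain trust against ca/, agreement between the file name and the address inside the certificate, and whether private/<addr>.key really belongs to public/<addr>.crt. The CA name, the address auser@example.org and the mis-filed bob@example.org.crt are all constructed; the script assumes only a POSIX shell and the openssl command-line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from the original article): audit an Alpine-style
# .alpine-smime store with the openssl CLI. It recreates the public/, private/
# and ca/ layout in a temp dir with a CONSTRUCTED throwaway CA and user cert,
# then runs the checks behind the troubleshooting hints: expiry, S/MIME
# purpose, chain trust, filename/address agreement, key/certificate match.
STORE=$(mktemp -d)/.alpine-smime
EMAIL="auser@example.org"   # constructed; the article's example is auser@fnal.gov
mkdir -p "$STORE/public" "$STORE/private" "$STORE/ca"
# --- constructed test data: a self-signed CA and one CA-issued user cert ---
printf '%s\n' '[req]' 'prompt=no' 'distinguished_name=dn' 'x509_extensions=ca_ext' \
  '[dn]' 'CN=Example Test CA' '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$STORE/ca.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$STORE/ca.cnf" \
  -keyout "$STORE/ca.key" -out "$STORE/ca/example-test-ca.crt" 2>/dev/null
# Same config reused only so no system openssl.cnf is needed; -subj sets the DN.
openssl req -newkey rsa:2048 -nodes -config "$STORE/ca.cnf" -subj "/CN=A User/emailAddress=$EMAIL" \
  -keyout "$STORE/private/$EMAIL.key" -out "$STORE/user.csr" 2>/dev/null
# emailProtection is the EKU Outlook shows as "Secure Email" and Thunderbird as
# "can identify mail users"; the key usages cover signing and encryption.
printf '%s\n' "subjectAltName=email:$EMAIL" 'extendedKeyUsage=emailProtection' \
  'keyUsage=digitalSignature,keyEncipherment' > "$STORE/user.ext"
openssl x509 -req -in "$STORE/user.csr" -CA "$STORE/ca/example-test-ca.crt" \
  -CAkey "$STORE/ca.key" -CAcreateserial -days 30 -extfile "$STORE/user.ext" \
  -out "$STORE/public/$EMAIL.crt" 2>/dev/null
# A mis-filed copy: Alpine would look up bob@... and find A User's certificate.
cp "$STORE/public/$EMAIL.crt" "$STORE/public/bob@example.org.crt"

# Troubleshooting hint 1: an expired certificate lingering in the store.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }
# Can the certificate be used for both S/MIME signing and S/MIME encryption?
cert_has_smime_purpose() {
  purposes=$(openssl x509 -in "$1" -noout -purpose)
  echo "$purposes" | grep -q '^S/MIME signing : Yes' &&
    echo "$purposes" | grep -q '^S/MIME encryption : Yes'
}
# Alpine keys a correspondent's certificate by filename, so the name must be
# an address the certificate actually carries.
cert_email_matches_filename() {
  openssl x509 -in "$1" -noout -email | grep -qxF "$(basename "$1" .crt)"
}
# Troubleshooting hint 4: the chain must validate against ca/ for S/MIME use.
cert_chain_trusted() {
  bundle=$(mktemp); cat "$2"/ca/*.crt > "$bundle"
  openssl verify -purpose smimesign -CAfile "$bundle" "$1" >/dev/null 2>&1; rc=$?
  rm -f "$bundle"; return $rc
}
# private/<addr>.key must be the key pair belonging to public/<addr>.crt.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
# Run every check over public/*.crt; the return value is the failure count.
audit_store() {
  fails=0
  for cert in "$1"/public/*.crt; do
    for check in cert_not_expired cert_has_smime_purpose cert_email_matches_filename; do
      "$check" "$cert" || { echo "FAIL $check: $cert"; fails=$((fails + 1)); }
    done
    cert_chain_trusted "$cert" "$1" || { echo "FAIL cert_chain_trusted: $cert"; fails=$((fails + 1)); }
  done
  return $fails
}

if audit_store "$STORE"; then echo "store OK"; else echo "store has problems"; fi
```

Run against a real store by pointing STORE at ~/.alpine-smime and dropping the constructed-data section; the mis-filed copy is the one entry the audit reports.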

 

 

Troubleshooting

If you encountered an error message when sending a signed or encrypted message, here are some hints as to what to look for. The resolutions vary from application to application. The following is a list of possible error messages:

1. "Sending of message failed, unable to sign message; ...validate that certificates... valid and trusted...":

If the error message says something about an invalid certificate, check to see if you have an expired certificate, along with your valid certificate, under "Your certificate". If so, remove it. Your email client may be picking up the expired one instead of the right one. Also verify that you have the necessary CA certificates installed and that their trust settings are enabled for signing email.

2. "..Problems encrypting because missing or invalid certificates or conflicting or unsupported encryption capabilities" followed by "Continue will encrypt and send but recipient may not be able to read it":

If you're sending an encrypted message, the likely problem is that the recipient's certificate is not listed under "Other people". Have the recipient send you a digitally signed message, then try again.

3. If you're testing encryption by sending to yourself, make sure your certificate appears under the heading for "Other people" in addition to the "Your certificate" heading. Encryption requires the recipient's certificate to appear there, even if it's you.

4. Problems with trust chain

If the error message says something about "trust", it's probably the CA certificate chain that's not right. Make sure you've got the DigiCert Grid Root CA and DigiCert Grid CA-1 showing under "Authorities". Also verify the trust settings of the CA certificates and make sure they are enabled for signing email.

5. Encrypting is impossible

Again, check that all the necessary certificates are present under Your Certificates, Other People's, and Authorities (or their equivalents).

 

 

Acknowledgements

Thanks to the University of Texas at Austin for their online Outlook documentation, from which these instructions for Outlook 2011 (Windows) and Outlook 2011 (Mac OS X) were borrowed. They also have extensive online documentation on other aspects of digital certificates and information on other (and older versions of) Email clients using digital certificates.

Information on Alpine was taken from the University of Washington Alpine documentation site.

