Fermilab Computing Division

How to Set Your Email Client to
Digitally Sign and/or Encrypt your Outgoing Messages


Introduction

Overview

Digitally signed email allows an email recipient to verify your identity. Encrypting an email message prevents other people from reading it when it is in transit. In order to sign and/or encrypt messages, your email client must support S/MIME. S/MIME (short for "Secure/MIME", Secure/Multipurpose Internet Mail Extensions) is an extension of the MIME message format that adds digital signatures and encryption of email messages and their contents, using RSA public-key cryptography.

S/MIME is, and is likely to continue to be, widely implemented across a variety of operating systems and e-mail clients. For this reason, it is possible for users of different email clients on a variety of operating systems to exchange secure, digitally signed email messages without installing any additional software.

Email Clients

Some popular email clients that support S/MIME and for which we provide instructions on this page are:

  • Thunderbird
  • Netscape Mail
  • Outlook
  • Outlook Express
  • Mail (Mac OS X)

For all of the above except Thunderbird, the email client shares a certificate store with its "corresponding" browser. This means that once your certificate is in the corresponding browser you don't need to import it into the email client separately; the email client can find it. (On the Macintosh the shared store is the Keychain.)

Pine does not support PKI X.509 certificate usage for signing and encrypting email messages. It does have support for PGP and GnuPG. We recommend that you transition to a different email client and use certificates.

Getting Started

Not only does your email client need to know where to find your personal certificate, it needs access to your CA's certificate (this is optional for browsers, but not for email clients). Further, if you plan to exchange encrypted email messages, your client will need to store your correspondents' certificates.

The first step is to obtain a personal DOEGrids certificate. It supports S/MIME. Do not use a KCA certificate for this purpose; it is too short-lived. Then make sure the certificate is imported into your email client (this is automatic for a shared store). Set your email client configuration to use your certificate (varies by client, instructions are on this page).

Next, make sure that in its list of trusted CAs (called "Authorities" in some clients) you see both DOEGrids (as an intermediate CA) and ESnet (the root CA). To check, and then to install them if necessary, follow the instructions for importing CA certificates into your email client.

Once you have your certificate and the trust chain established, you can send signed messages to anyone. But you can only send encrypted messages to a recipient if:

  • you, the sender, have an S/MIME-enabled certificate installed in your email client.
  • the recipient has an S/MIME-enabled certificate installed in the email client where he or she will read your message.
  • your email client has a copy of the recipient's certificate, so that it can use the recipient's public key to encrypt the message; only the recipient's matching private key can decrypt it after receipt.

The easiest way to give your email client a correspondent's certificate is to:

  • set your email client to automatically store the certificates it receives via incoming email in its certificate store (client-specific, and many have this set by default; instructions included in the configuration section for each client).
  • ask each correspondent to initially send you a digitally signed message (not encrypted, just signed); this includes his/her certificate.


Thunderbird v1.0.7

To verify the certificates, begin from the Thunderbird mail window:

  1. From the Tools menu, click Options.
  2. Click the Advanced category.
  3. Under Certificates, click Manage Certificates.
  4. Under the Authorities tab, look for ESnet; under it you should find DOEGrids and ESnet Root; if not there, download them if necessary, and import them (click the Import button).
  5. Under Your Certificates, make sure that only your valid DOEGrids certificate is there; delete any expired certificates.

To configure your default signing and encryption settings, start from the Thunderbird mail window.

  1. Under Tools click Account Settings.
  2. Click Security.
  3. Select the certificate(s) to use (it's easiest to use the same one for both signing and encryption; in fact you probably only have one!).
  4. Select the defaults you prefer: "Digitally sign all messages (by default)" and/or "Never" or "Required" for encryption. You can override either of these defaults on the message window for individual messages.

Override the default for signing and/or encrypting when sending a message:

  1. Start a new message.
  2. Find the padlock icon on the message toolbar with the word "Security" under it.
  3. If you click on the down arrow to the right of this icon, you can choose "Encrypt" or "Do not encrypt", and you can check or uncheck "Digitally sign".
  4. If you click on the lock, you can view the current settings and your certificate details.


Netscape Mail v7.2

To verify the certificates, begin from the Mail window:

  1. From the Edit menu, choose Preferences.
  2. Open the Privacy & Security menu on the left.
  3. Choose Certificates.
  4. Click Manage Certificates.
  5. Under the Authorities tab, look for ESnet; under it you should find DOEGrids and ESnet Root; if not there, download them if necessary, and import them (click the Import button).
  6. Under Your Certificates, make sure that only your valid DOEGrids certificate is there; delete any expired certificates.

To specify which signing and encryption certificates to use, begin from the Mail window:

  1. Open the Edit menu and choose Mail & Newsgroups Account Settings.
  2. Click Security under the name of the mail account whose security settings you want to configure.
  3. Under Digital Signing, click the Select button. (You may be asked to provide your Master Password before you can proceed further.)
  4. A dialog box appears that allows you to select from among your available signing certificates.
  5. Choose the certificate you want to use, then click OK.
  6. Follow the same steps under Encryption: click the Select... button, select the encryption certificate you want to use, and click OK.
  7. Typically you'll want to specify the same certificate under Encryption that you specified under Digital Signing (in fact, you'll probably only have one).

To configure your default signing and encryption settings, start from the Mail window.

  1. Open the Edit menu and choose Mail & Newsgroups Account Settings.
  2. Click Security under the name of the mail account whose security settings you want to configure.
  3. Select the defaults you prefer: "Digitally sign all messages (by default)" and/or "Never" or "Required" for encryption. You can override either of these defaults on the message window for individual messages.

Override the default for signing and/or encrypting when sending a message:

  1. Start a new message.
  2. Find the padlock icon on the message toolbar.
  3. If you click on the down arrow, you can choose "Encrypt" or "Do not encrypt", and you can check or uncheck "Digitally sign".
  4. If you click on the lock, you can view the current settings and your certificate details.


Outlook (Microsoft Office 2003)

To check the personal and CA certificates Outlook will find (recall that for FERMI domain machines, CA certificates are updated automatically for you):

  1. From your Start menu, navigate to Settings > Control Panel > Internet Options.
  2. Choose the Content tab, and under the Certificates heading, click the Certificates button.
  3. Under Personal, verify that you have your valid DOEGrids certificate; if not there, import it.
  4. Also verify that no expired personal certificates appear; if so, remove them.
  5. Under Intermediate Certification Authorities, look for DOEGrids; if not there, download it if necessary, and import it into IE.
  6. Under Trusted Root Certification Authorities, look for ESnet Root; if not there, download it if necessary, and import it into IE.
  7. Click Advanced Options. Make sure that Secure Email is checked. Click OK.
  8. Click Close.

Set Outlook to use the correct certificate:

  1. In the main Outlook window, on the Tools menu, click Options.
  2. Click the Security tab.
  3. Under Encrypted e-mail, click the Settings button.
  4. The defaults should be fine; make sure it's going to use the certificate that you want. If not, under Certificates and Algorithms click the Choose buttons. Choose the right one for both signing and encryption (it's easiest if you choose the same one for both, and you probably only have one).
  5. Click OK.
  6. Back on the Options dialog box, under Encrypted e-mail, check “Send clear text signed message when sending signed messages”.

Set Outlook to sign and/or encrypt outgoing messages by default:

  1. Go to Tools > Options > Security (tab)
  2. Under Encrypted e-mail, check "Encrypt contents and attachments for outgoing messages" and/or “Add digital signature to outgoing messages”. You can override either of these defaults on the message window for individual messages.
  3. Check “Send clear text signed message when sending signed messages”
    (NOTE: If you do not send messages as "clear text signed", recipients whose email client does not support S/MIME will be unable to read them; the messages will look like encrypted email messages.)
  4. Click OK.

Override the default for signing and/or encrypting when sending a message:

This involves adding buttons for Sign and Encrypt to your message toolbar, and requires that you turn off Microsoft Word as the message editor.

  1. Go to Tools > Options > Mail Format (tab).
  2. Uncheck “Use Word to edit email messages”.
  3. Click OK.
  4. Create a new email message…
  5. Right-click on the toolbar and click Customize.
  6. Select the Commands tab, and select the Standard category of commands.
  7. In the Commands window, you will see two buttons near the bottom.
  8. One is an envelope with a red seal (for signing), the other is an envelope with a blue lock (for encrypting).
  9. Drag each of these into your toolbar (to a place you like, e.g., just before the Options button).
  10. Click Close.
  11. You should now have these two buttons on your toolbar. Click one or the other (or both) to enable signing and/or encryption prior to sending off each email message.


Outlook Express (Microsoft Office 2003)

We recommend that you choose a different email client than OE because it's been superseded by Outlook and is no longer maintained, but it will work.

Set OE to use the correct certificate:

  1. In the main window, on the Tools menu, click Options.
  2. Click the Security tab, and then under Secure Mail, click the Digital IDs button.
  3. Under Personal, verify that you have your valid DOEGrids certificate; if not there, import it.
  4. Also verify that no expired personal certificates appear; if so, remove them.
  5. Under Intermediate Certification Authorities, look for DOEGrids; if not there, download it if necessary, and import it into IE.
  6. Under Trusted Root Certification Authorities, look for ESnet Root; if not there, download it if necessary, and import it into IE.
  7. Click Advanced Options. Make sure that Secure Email is checked. Click OK.
  8. Close the Certificates window.
  9. Back on the Options window, click the Advanced button.
  10. Click the "Include my digital ID when sending signed messages" check box. (This allows the recipients of your messages to easily verify your message using your public key.)

To digitally-sign and/or encrypt messages by default:

  1. In the main window, on the Tools menu, click Options.
  2. Click the Security tab, and then select one or both check boxes at the bottom of the Secure mail area. (Encrypt contents and attachments for all outgoing messages and/or Digitally sign all outgoing messages.) You can override either of these defaults on the message window for individual messages.

Override the default for signing and/or encrypting when sending a message:

  1. Create a new message.
  2. Check whether the Sign and Encrypt icons are on the new message toolbar.
  3. If so, all you need to do is click the one(s) you want prior to sending a message.
  4. If not, right click in the new message toolbar, choose Customize, and add the icons (separately) to the toolbar. The icons and thus the functionality will be available to you in all subsequent outgoing messages.


Mail (Mac OSX Tiger)

If you used Safari to obtain your certificate, it launches the Keychain Access application to transfer the certificate, and you don't need to manually import it into Mail. It's ready to go!

To send a signed email, simply select the Sign button in the new message window. Similarly, to send an encrypted message, select the Encrypt button. The Encrypt button will be visible only when the recipient has a certificate and you have a copy of the recipient's certificate stored in your Keychain.

For further reading, see the Apple site's Mac OS X 10.3: Mail - How to Use a Secure Email Signing Certificate (Digital ID).

Eudora v6.2.3 on Mac

(Not done)


Troubleshooting

If you're like me, you set everything up, then tried to send a signed or encrypted message, and it failed with an error. Here are some hints as to what to look for. The resolutions vary from application to application. I'm assuming that once you've gotten this far with your email client, you can probably find the path to what you need!

"Sending of message failed, unable to sign message; ...validate that certificates... valid and trusted...":

  • If the error message says something about an invalid certificate, check to see if you have an expired certificate, along with your valid certificate, under "Your certificate". If so, remove it. Your email client may be picking up the expired one instead of the right one.

"...Problems encrypting cause missing or invalid certificates or conflicting or unsupported encryption capabilities" followed by "Continue will encrypt and send but recipient may not be able to read it":

  • If you're sending an encrypted message, the likely problem is that the recipient's certificate is not listed under "Other people". Have recipient send you a digitally signed message, then try again.
  • If you're testing encryption by sending to yourself, make sure your certificate appears under the heading for "Other people" in addition to the "Your certificate" heading. Encryption requires the recipient's certificate to appear there, even if it's you.

Problems with trust chain:

  • If the error message says something about "trust", it's probably the CA certificate chain that's not right. Make sure you've got the ESnet root CA and DOEGrids CA showing under "Authorities".

"Encrypting is impossible"

  • Again, check that all the necessary certificates are under Your Certificate, Other Peoples, and Authorities (or equivalents).
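The prerequisites from Getting Started (both CAs under "Authorities", a correspondent's signed message to populate "Other people", encryption with the recipient's certificate), the clear-text-signed NOTE in the Outlook section, and the trust-chain failure above, reproduced with the openssl command line as an added example that is not part of this page or of any of the clients it describes. Every CA, user and address is a constructed stand-in: "root" plays ESnet Root and "inter" plays DOEGrids; the script works in a scratch directory and touches no real certificate store.

```shell
#!/bin/sh
# Added example, not from the Fermilab page: the page's S/MIME prerequisites and the trust-chain
# failure from Troubleshooting, reproduced with the openssl CLI. Every CA, user and address is a
# constructed stand-in ("root" plays ESnet Root, "inter" plays DOEGrids); no real CA is touched.
set -e
# mkcert NAME SUBJECT EXTFILE [ISSUER]: writes NAME.key and NAME.pem (self-signed when no ISSUER).
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial -days 30 \
      -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}
# verify_signed_mail MESSAGE CA_BUNDLE OUT_CERT: CA_BUNDLE plays the client's "Authorities" list;
# on success the signer's certificate is written to OUT_CERT, the client's "Other people" store.
verify_signed_mail() {
  openssl smime -verify -in "$1" -CAfile "$2" -signer "$3" -out /dev/null 2>/dev/null
}
smime_demo() {
  W=$(mktemp -d); cd "$W"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > user.ext
  printf 'extendedKeyUsage=emailProtection\n' >> user.ext
  mkcert root  "/CN=Example Root CA" ca.ext                # stand-in for ESnet Root
  mkcert inter "/CN=Example Intermediate CA" ca.ext root   # stand-in for DOEGrids
  mkcert alice "/CN=Alice/emailAddress=alice@example.test" user.ext inter
  # Alice sends Bob a signed, unencrypted message; the signature carries her certificate.
  printf 'From: alice@example.test\nTo: bob@example.test\nSubject: hi\n\nStore my cert.\n' > msg.txt
  openssl smime -sign -in msg.txt -signer alice.pem -inkey alice.key -out signed.eml
  # The default is "clear text signed": the body stays readable without S/MIME. -nodetach
  # (opaque signing) wraps it in base64, which is why the Outlook NOTE recommends clear text.
  grep -q 'Store my cert.' signed.eml && CLEAR_SIGNED=ok || CLEAR_SIGNED=fail
  openssl smime -sign -nodetach -in msg.txt -signer alice.pem -inkey alice.key -out opaque.eml
  grep -q 'Store my cert.' opaque.eml && OPAQUE_READABLE=yes || OPAQUE_READABLE=no
  # Bob with only the root installed: no chain to the signer (the "trust" error in Troubleshooting).
  if verify_signed_mail signed.eml root.pem alice_from_mail.pem; then ROOT_ONLY=ok; else ROOT_ONLY=fail; fi
  # Bob with root and intermediate installed: verifies, and Alice's certificate lands in his store.
  cat root.pem inter.pem > authorities.pem
  if verify_signed_mail signed.eml authorities.pem alice_from_mail.pem; then FULL_CHAIN=ok; else FULL_CHAIN=fail; fi
  # Now Bob can encrypt to Alice with her public key; only her private key decrypts the reply.
  printf 'secret reply\n' > reply.txt
  openssl smime -encrypt -binary -aes256 -in reply.txt -out reply.eml alice_from_mail.pem
  DECRYPTED=$(openssl smime -decrypt -in reply.eml -inkey alice.key -recip alice.pem | tr -d '\r')
  cd "$OLDPWD" && rm -rf "$W"
}
smime_demo
echo "clear-signed readable: $CLEAR_SIGNED  opaque readable: $OPAQUE_READABLE  root only: $ROOT_ONLY  root+intermediate: $FULL_CHAIN  decrypted: $DECRYPTED"
```

Removing inter.pem from authorities.pem reproduces exactly the "trust" failure described above, while keeping it and deleting alice_from_mail.pem reproduces the "Other people" encryption failure.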


For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)