This is a step-by-step guide to collecting and applying your InCommon-issued S/MIME certificate to enable secure email.
Assumptions made: you collect the certificate using Mozilla’s Firefox browser; there are known issues with other browsers such as Chrome and Internet Explorer, and the most reliable way around them is to use Firefox. For this guide, we apply the collected S/MIME certificate using Microsoft’s Outlook as the email client. The overall principles are the same for other email clients, e.g. Mozilla’s Thunderbird or Apple’s Mail, but the steps will obviously differ slightly from those given here.
Receive the email invite
Figure 1: The email invitation from support@cert-manager.com
Per Figure 1, you will receive an invitation email for your S/MIME certificate. This message will come from <support@cert-manager.com>. Using the Firefox web browser, either click the provided link, checking that it points to “https://cert-manager.com/customer/InCommon/smime?action=invite&requestCode=…”, or, alternatively, visit https://cert-manager.com/customer/InCommon/smime?action=invite in Firefox.
User Registration Form
Figure 2: InCommon Certificate Manager User Registration Form
Having brought up the User Registration form, as in Figure 2, it will either have the code automatically filled in, along with your email address, or you will need to paste the code from the original email message into this form field. Fill out the other fields: the email address is self-explanatory. The “PIN” field is not obvious and warrants further explanation: even though this field is called “PIN” (Personal Identification Number), it really should be a full passphrase; however, it should NOT match your current Mines’ passphrase. It protects the file you are about to generate and download, and you will need it later to import your new S/MIME bundle into your certificate store. The lifetime of this certificate is usually set at three years, so it is important that this passphrase be one you will still remember.
The “Pass-phrase” field further down in the form again requires a full passphrase, and it should be different from both the “PIN” passphrase you have just chosen and your Mines’ passphrase. In the grand scheme of things this second passphrase is somewhat less important than the “PIN” one, because it is used for certificate revocation, which is a centralized service that ITS can provide for you. It is effectively a “certificate reset” password: if you ever feel or know that your S/MIME identity has been compromised, the certificate can be revoked with this passphrase. The lower section, physical address related, is non-editable, so hit “Submit”.
Digital Certificate Download
Figure 3: Digital Certificate Download page
Figure 4: Digital Certificate Download Message
Click Download and save the file, ideally, to a network drive; this way, if your local machine breaks, you won’t lose this important file. Remember, per the previous section, this file is protected by the “PIN” passphrase you selected, so even if it were to end up in a publicly accessible directory it would still have protection in place. However, the best place for this file is your personal, somewhat private, network space, such as Z: in the ADIT environment. Having downloaded your S/MIME bundle, the next step is to apply it in your email client environment so you can start digitally signing every message you send and encrypting those that require true confidentiality.
Import S/MIME Bundle into Certificate Store
Two examples are going to be used for importing the S/MIME bundle into your certificate store: one shows this being done on OS X using the Keychain Access application; the other shows the same for Windows.
Apple’s OS X: Importing through Keychain Access Application
Figure 5: Apple's OS X Keychain Access Import
Bring up the Keychain Access application and go to File → Import Items…, selecting the previously downloaded .p12 file. As in Figure 5, it will prompt you for the passphrase to unlock this file; recall that this is the “PIN” passphrase you created earlier.
This imports everything into the right place. You can view this by expanding login Keychain → My Certificates. You should see something along the lines of Figure 6 below, showing the certificate and private-key pieces. Notice how the expiry date is three years from the original date of issuance.
Figure 6: OS X Keychain S/MIME bundle details
FYI: it is the private key that is most important here, and this is what the password protection is really guarding. If anyone else gets access to your private key they can, potentially, start pretending to be you and spoofing signed emails. Upon finding out or suspecting this type of behavior, you must revoke this particular S/MIME bundle; essentially this step tags it as untrusted. As already mentioned, S/MIME revocation is something that ITS can directly help you with.
Microsoft Windows: Importing the S/MIME bundle
To import your S/MIME bundle using Windows merely double-click on the .p12 file. This should bring up the “Certificate Import Wizard”.
Figure 7: Windows Import Certificate Wizard
Click through Next on the Intro screen.
Figure 8: Windows Specify the file to be imported
Next, ensure the file is the right one to be imported. This should have auto-populated – having come as the result of double-clicking the original file – so all should be well.
Per Figure 9, now input the “PIN” passphrase you created earlier. This unlocks the file contents to be imported into Windows’ certificate store. Also, please ensure that both of the following check-boxes are selected: “Mark the key as Exportable” and “Include All Extended Properties”.
Click through Next, then accept the defaults on the next screen (Figure 10) and click Finish on the screen shown in Figure 11. This should result in the success message, “The Import was Successful”, as displayed in Figure 12.
Figure 9: Windows Private Key Protection
Figure 10: Windows Certificate Store Location
Figure 11: Windows Completing the Certificate Import Wizard
Figure 12: Windows Import Successful Message
Configuring Outlook
This final section is for the configuration of the Outlook email client.
Click through File → Options → Trust Center → Trust Center Settings… → Email Security, and you should be looking at Figure 13.
Figure 13: Outlook Trust Center - Email Security
Click on the Settings… button, to double-check all is as shown below in Figure 14.
Figure 14: Outlook Trust Center - Email Security - Settings
If the “Signing Certificate” and/or “Encryption Certificate” fields are not already populated, click the “Choose…” button for each and ensure the correct S/MIME certificate is selected. Also, as a best practice, ensure that the “Hash Algorithm” is SHA256, not the default SHA1 (SHA-1 is deprecated for signatures), and that the “Encryption Algorithm” is set to AES (256-bit). Everything else should be as shown in Figure 14.
Referring back to Figure 13, ensure that “Add digital signature to outgoing messages” and “Send clear text signed message when sending signed messages” are both selected in the top section of this window. The first option, “Encrypt contents and attachments for outgoing messages”, should not be set as a default, because encryption should only be applied where needed, i.e. when a message contains sensitive information and needs its confidentiality protected; most messages sent and received by most people do not need to be encrypted. If you need extra help regarding encryption and which best practices are recommended, please feel free to reach out to ITS’s information security office via security@mines.edu.
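The two technical pieces of this guide, the PIN-protected .p12 bundle that the Download and Import sections rely on, and the signing/encryption behaviour that the Outlook settings select, can both be checked from a command line. The script below is an added example written for this page; it is not part of the ITS guide or of InCommon’s tooling. It assumes the openssl command-line tool (OpenSSL 1.1.1 or later) is on the PATH, and it builds its own self-signed key, certificate and bundle as constructed stand-ins for the InCommon-issued ones so that everything runs offline; the names used (user@example.edu, smime.p12, the work directory) are assumptions.

```sh
#!/bin/sh
# Added example (not part of the ITS guide): uses the openssl CLI to
#  (a) inspect a downloaded S/MIME .p12 bundle before importing it, and
#  (b) show what Outlook's "sign everything, encrypt only when needed,
#      SHA256 + AES-256" settings produce on the wire.
# The key, certificate and bundle made by make_sample_bundle are CONSTRUCTED
# self-signed stand-ins for the InCommon-issued ones; names are assumptions.

# Throwaway key + self-signed certificate (three-year lifetime, like the real
# bundle), packed into a PIN-protected PKCS#12 file.  $1 = work dir, $2 = PIN
make_sample_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=Example User/emailAddress=user@example.edu" \
        -addext "extendedKeyUsage=emailProtection" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/smime.p12" -passout "pass:$2" 2>/dev/null
}

# ---- (a) checks on the .p12 bundle (arguments: file, PIN) ------------------

# Exit 0 only if the PIN unlocks the bundle (its integrity MAC verifies).
p12_unlocks_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout -nokeys >/dev/null 2>&1
}

# The private key is what the PIN really protects; exit 0 if one is present.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY-----'
}

# End-entity certificate as PEM, for inspection with "openssl x509".
p12_cert_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null
}

# Email address the certificate is bound to (should be your own address).
p12_cert_email() {
    p12_cert_pem "$1" "$2" | openssl x509 -noout -email
}

# Exit 0 if the certificate is still valid for at least $3 more seconds.
p12_cert_valid_for() {
    p12_cert_pem "$1" "$2" | openssl x509 -noout -checkend "$3" >/dev/null
}

# ---- (b) what the Outlook settings produce (arguments: work dir, in, out) --

# Clear-text signed message: body stays readable, SHA-256 signature alongside.
smime_sign() {
    openssl cms -sign -md sha256 -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -in "$2" -out "$3" 2>/dev/null
}

# Check the signature and print the body.  -noverify skips chain validation
# because the sample signer is self-signed; a mail client does check the chain.
smime_verify() {
    openssl cms -verify -noverify -in "$1" 2>/dev/null
}

# Exit 0 if a signed message names SHA-256 as its digest algorithm.
signed_uses_sha256() {
    openssl cms -cmsout -print -in "$1" 2>/dev/null | grep -qi 'algorithm: *sha256 ('
}

# Encrypted message: AES-256 content key, readable only with the recipient's
# private key.  Only the recipient's certificate is needed to encrypt.
smime_encrypt() {
    openssl cms -encrypt -aes256 -in "$2" -out "$3" "$1/cert.pem" 2>/dev/null
}

smime_decrypt() {
    openssl cms -decrypt -inkey "$1/key.pem" -recip "$1/cert.pem" -in "$2" 2>/dev/null
}

# Exit 0 if an encrypted message names AES-256-CBC as its content cipher.
encrypted_uses_aes256() {
    openssl cms -cmsout -print -in "$1" 2>/dev/null | grep -qi 'algorithm: *aes-256-cbc ('
}
```

Run the (a) functions against your real download with the PIN you chose, e.g. `p12_has_private_key "Z:/smime.p12" 'your PIN'`; the unlock check failing for a wrong PIN is exactly the protection the Download section describes. If a real InCommon bundle fails to open under OpenSSL 3 with an “unsupported” error, it was packed with the older RC2/3DES encryption and the pkcs12 commands need an extra `-legacy` flag. The (b) functions mirror the Outlook choices: the clear-signed message keeps the body readable and a one-character change makes verification fail, whereas the AES-256 envelope hides the body from anyone without the private key, which is why the guide reserves encryption for genuinely sensitive mail.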