Collecting and Applying Your InCommon Issued S/MIME Certificate

S/MIME Bundle Collection and Installation Steps 

 

You will receive an invitation email from “Sectigo Certificate Manager <support@cert-manager.com>”; this is the starting point for the enrollment steps. Because an unexpected “verify your email address” message is also a classic phishing lure, confirm that you requested (or were told to expect) a certificate before acting on it. 

 

Uploaded Image (Thumbnail)

Either click the “Verify Email Address” button or copy and paste the unique link shown below it; both lead to the same enrollment web page. Before following the link, hover over it (or look at the pasted address) and confirm it points at the Sectigo Certificate Manager site named in the message and not somewhere else. 

 

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)

The form lets you choose the certificate’s options. The recommended settings are: 

  • Certificate term: 2 years. 

  • Key Type: RSA – 4096. 

  • Verify that your listed first and last names are correct. 

  • Tick “I have read and agree to the terms of the Sectigo Client Certificate EULA” and hit “Submit”. 

 

Uploaded Image (Thumbnail)

On the next page, ensure “Compatible TripleDES-SHA1” is selected. This choice governs only how the downloaded bundle file itself is encrypted with your password; it does not change the key or the certificate. The other option (“Secure AES256-SHA256”) uses modern, stronger bundle encryption, BUT the importers on a number of operating systems have had trouble with it, so the compatibility option is the path of least resistance. The trade-off is that the file is protected by 3DES with SHA-1-based key derivation, which makes the password you set next, and safekeeping of the file, all the more important. 

Enter a password for the bundle. It must be unique and NOT your regular Mines password; it is the only thing protecting the private key inside the downloaded file, and you will need it again during the installation steps. Hit Download. 

(Note: if anything has failed up to this point, go back to the invitation email, copy the link it provides, and paste it into a different browser.) 

 

Uploaded Image (Thumbnail)

Save the file, which is of type “.p12” (PFX), to a directory you will remember. It is password-protected with the password you set on the previous page. It contains your private key as well as your certificate, so treat it as a credential: keep it off shared drives and out of email, and once it is imported either delete it or keep it only as a backup in a location you control. 

To install the bundle you just downloaded into your system’s certificate store and then into Outlook, follow the steps below; there are separate sections for Windows and macOS. If you run a different setup, contact IT for support.

 

Windows Certificate Install 

 

The easiest and quickest way to install a client-certificate bundle is through Microsoft’s default browser, Edge. (If another browser, e.g. Google Chrome, Firefox, Brave or Vivaldi, is your default, still use Edge for just this step.) 

In Edge, open Settings, search for “cert”, and click the “Manage certificates” option that appears. This opens the Windows “Certificates” dialog, i.e. the certificate store that Outlook also reads from, not something private to Edge. Hit “Import…” to start the “Certificate Import Wizard”.

 

Uploaded Image (Thumbnail)

Work through the import wizard; the screen captures below illustrate the steps. 

  • Hit Next. 

  • Hit “Browse” and navigate to the folder where you saved the downloaded p12/PFX file. 

  • With the p12/PFX file selected, hit “Next”. 

  • On the “Private key protection” screen, input the password you used. 

  • Ensure the following are selected: 

  • “Mark this key as exportable. This will allow you to backup or transport your keys at a later time.” (An exportable key can later be pulled back out of the Windows store by anything running under your account, so this is a convenience for backups and migration rather than a security feature. If you intend to keep the downloaded .p12 as your backup, you can leave it unticked.) 

  • “Include all extended properties.” ← this should already be selected by default. 

  • Hit “Next”.

 

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)

  • By default, the “Certificate Store” page should already be set up correctly: it states that this personal bundle will be imported into the “Personal” store. 

  • Hit “Next”. 

  • The final summary page shows: 

  • “Certificate Store Selected by User: Personal”. 

  • “Content: PFX”. 

  • “File Name: <downloaded file location>”. 

  • Hit “Finish”. 

  • Finally, a success message-box will be displayed, “The import was successful.”

 

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)

 

Installing into Outlook on Windows 

 

Through Outlook, select “File” → “Options” → “Trust Center” → “Email Security” (from the left-hand sub-menu) → “Settings…” 

 

Uploaded Image (Thumbnail)

If this is your only personal certificate, the “Certificates and Algorithms” → “Signing Certificate” and “Encryption Certificate” selection boxes should already be populated. If not: 

  • For both “Signing Certificate” and “Encryption Certificate” hit, “Choose…”. 

  • This displays the “Select a Certificate” window: select the appropriate certificate to use. 

  • As a sanity check, the displayed validity period should run from today to about two years out (if the recommended 2-year term was used), the certificate should carry your name, and the issuer should read “Issuer: InCommon …”. If more than one certificate is listed, choose the one with the latest expiry rather than an older or expired one.

 

Uploaded Image (Thumbnail)

Back at the “Change Security Settings” window, recommendations are to select the following options: 

  • “Hash Algorithm: SHA256” or stronger (SHA256, SHA384 and SHA512 are all good choices; SHA1 must NOT be used, as practical collisions against it have been demonstrated). 

  • “Encryption Algorithm: AES (256-bit)” 

  • Click, “OK”. 

  • Back at the “Email Security” → “Encrypted Email” section, ensure the following are selected, nothing else should be selected: 

  • “Add digital signature to outgoing messages”. 

  • “Send clear text signed message when sending signed messages” (this produces a multipart/signed message whose body remains readable by recipients whose client cannot process S/MIME; without it, signed messages are opaque to them). 

  • “Default Setting:” (should automatically be referencing what has just been setup) → “My S/MIME Settings (<username>@mines.edu)”. 

  • Finally, publish your S/MIME certificate to our domain’s Global Address List (GAL), so that colleagues’ Outlook can look up your public key when they want to encrypt a message to you: 

  • In “Digital IDs (Certificates)” section, hit “Publish to GAL…” 

  • Hit “OK” in the displayed prompt. 

  • After a short wait, usually 30 seconds or less, a popup displays “Your certificates were published successfully.” Hit “OK”.

 

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)

  • Hit, “OK” twice more to arrive back at the main Outlook page, away from the configuration windows you’ve just been tinkering with. 

  • Now, when composing a new message, the “Options” tab should show “Encrypt” → “Sign” already selected. Notice that “Encrypt” → “Encrypt” is NOT auto-selected; this is deliberate. Encryption requires the recipient’s certificate (which is why publishing to the GAL matters) and makes the message unreadable to anyone without the matching private key, so it should be applied per message, where needed, not everywhere.

 

Uploaded Image (Thumbnail)

Messages you send now show recipients a valid digital signature, which gives cryptographic assurance of integrity (the message has not been modified since you sent it) and of origin (it was signed with the private key belonging to the certificate for your address). 

 

Uploaded Image (Thumbnail)

Notice how the “signed memo bar” states, “This message was digitally signed by <username>@mines.edu.” 

Recipients can also view the certificate’s full details. The most important items are the statement near the top, “This certificate is valid”, with a green check mark, and, under the details tab, the “Not Valid After” field, which is the certificate’s expiration date. If that date is in the past, i.e. the certificate has expired, the green-check-marked “This certificate is valid” message will NOT be displayed.
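An added example, not part of this guide or of Outlook, reproducing on the command line what the settings above do to a message, using openssl cms (assumed to be version 1.1.1 or newer on PATH). The function names are this example’s own; the signer’s certificate and private key are assumed to be PEM files (for a real identity these come out of the .p12 bundle), and the usage described afterwards fabricates a self-signed test identity rather than using a real InCommon certificate. It clear-signs a message with SHA-256, verifies it, shows that altering a single word breaks verification (the integrity claim above), and encrypts to a recipient certificate with AES-256:

```shell
#!/bin/sh
# Added example (not from this guide): what Outlook's "Sign" and "Encrypt"
# options do to a message, reproduced with openssl cms. Assumes openssl 1.1.1+
# on PATH and the signer's certificate and private key as PEM files (for a real
# identity these come out of the .p12 bundle; the usage in the text builds a
# throwaway self-signed test identity instead).

# Clear-text signed message (multipart/signed, SHA-256 digest), matching
# "Hash Algorithm: SHA256" plus "Send clear text signed message". The body
# stays readable by any client; the signature travels in a second MIME part.
smime_sign() {     # $1 = plaintext file, $2 = signer cert, $3 = signer key, $4 = output
    openssl cms -sign -in "$1" -signer "$2" -inkey "$3" -md sha256 -out "$4"
}

# Verify a signed message against a trust anchor ($2: the InCommon chain for a
# real message, the self-signed cert itself for a test identity). Exits 0 only
# if the signature matches the content and the signer chains to the anchor.
smime_verify() {   # $1 = signed message, $2 = CA file, $3 = recovered content
    openssl cms -verify -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}

# Encrypt to a recipient's certificate with AES-256-CBC ("Encryption Algorithm:
# AES (256-bit)"). This is why the recipient's certificate must be obtainable
# (e.g. published to the GAL): without it there is nothing to encrypt to.
smime_encrypt() {  # $1 = plaintext file, $2 = recipient cert, $3 = output
    openssl cms -encrypt -in "$1" -aes256 -out "$3" "$2"
}

# Decrypt with the recipient's private key; anyone else holds only ciphertext.
smime_decrypt() {  # $1 = encrypted message, $2 = recipient cert, $3 = key, $4 = output
    openssl cms -decrypt -in "$1" -recip "$2" -inkey "$3" -out "$4" 2>/dev/null
}
```

To try it without a real certificate, create a throwaway identity with `openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -subj "/CN=Test User/emailAddress=user@example.edu" -days 30 -addext "extendedKeyUsage=emailProtection"` (a constructed test identity, not an InCommon one), sign a small text file with it, and pass cert.pem as the CA file when verifying. Editing one word of the signed file and verifying again fails, which is the property recipients rely on; the encrypted output contains no readable body at all, which is why encryption is reserved for the messages that need it.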

 

MacOS Certificate Install 

 

Uploaded Image (Thumbnail)

Open the file you just saved.  Provide the password you had set in the earlier step.

 

Uploaded Image (Thumbnail)

The Keychain Access app should open automatically after you provide the password. If not, find it by searching for “keychain”, or under Applications → Utilities in Finder.   

In Keychain Access, in the left-hand menu, go to the keychain and category shown below:

Uploaded Image (Thumbnail)

There, you should see the imported certificate. Click the disclosure triangle next to it to confirm that a private key is attached (a certificate without its key cannot sign or decrypt), and double-click the certificate to see more information about it; as on Windows, check that the issuer is InCommon and that the expiry date is about two years out.

 

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)

Installing into Outlook on Mac

Through Outlook, select “Outlook” → “Settings” → “Accounts” → “Security”.  These are the settings we recommend:

 

Uploaded Image (Thumbnail)

You will likely need to select “Choose Certificate” in the drop-down menu and select the certificate you’ve just installed. 

 

Uploaded Image (Thumbnail)

Once you’ve made the required changes, hit OK and Close the settings window. 

To be able to change the S/MIME settings on an individual message, open a new message and click the toolbar button shown below

Uploaded Image (Thumbnail)

and then choose “Customize Toolbar…”.  

Add the item shown below

Uploaded Image (Thumbnail)

by dragging it onto the toolbar where you want it, then click “Done”. 

Now when composing a message you should get the following options to “Encrypt with S/MIME” and “Add digital signature”. 

 

Uploaded Image (Thumbnail)

As the screenshot shows, messages you send now appear to recipients with a valid digital signature, giving cryptographic assurance that the message has not been modified since you sent it and that it was signed with the key for your address. Encryption should be applied per message, where needed, not everywhere.