Setting up SSL Certificates for Email

See http://www.drh-consultancy.demon.co.uk/pkcs12faq.html and http://www.openssl.org/docs/apps/pkcs12.html for more information.

This, http://www.ripe.net/ripencc/pub-services/db/mail_client_tests.html, may also be of interest.

If you already have a certificate issued by a certificate authority, and it is in PKCS12 (.p12 or .pfx) form, you can skip the first two steps.

Note: The author of this page, and owner of this web site, is not to be held liable for any damage or trouble arising from following these directions. You are responsible for your own security, use, and creation of certificates.

Quick steps:

  1. Set up and create the root certificate.
  2. Create the PKCS12 certificate.
  3. Import into Mozilla or Thunderbird.
  4. Using in Mozilla or Thunderbird.
  5. Import for use in MS Outlook or Outlook Express.
  6. Using in MS Outlook or Outlook Express.
  7. Notes for all.

1) Set up and create the root certificate

See Setting up OpenSSL to Create Certificates

Note: If all you will be creating are certificates to sign drawings, and possibly emails, and you have an old box around, I highly recommend loading it up with Apache, PHP and OpenSSL, installing PHPki, and using it to create and manage your certificates. Make sure this computer is not accessible over the internet: it holds the CA's private key, and anyone who gets that key can issue certificates your correspondents will trust.


2) Create the PKCS12 certificate

See Creating PKCS12 certificates.


3) Import into Mozilla or Thunderbird

Note the following may differ slightly in Mozilla. I only have Thunderbird installed.

If Tools->Options->Advanced->Manage Certificates or Tools->Account Settings-> (select account)->Security->Manage Certificates doesn't exist you might need to run:
"[path]\thunderbird.exe" -chrome chrome://pippki/content/certManager.xul

On the "Authorities" tab, install your public root certificate if you have not yet done so. Then on the "Your Certificates" tab, click the Import button. Browse to the file, select it, and click the "Open" button. You will be prompted for two passwords: the first is the master password of Thunderbird's certificate store (the "Software Security Device"), the second is the export password you gave when creating the PKCS12 file. Set the other options as desired. The import itself only needs doing once per profile; the account setup in the next step is repeated for every account that uses the same email address.

Now go to Tools->Account Settings and select the account that has the email address that matches the one on the certificate. Select "Security" under that account and then use the "Select" button for "Digital Signing" and "Encryption" to pick the certificate.


4) Using in Mozilla or Thunderbird

In Tools->Account Settings->[account name]->Security you can choose to always sign email and/or that encryption is required. To use on an as need basis, use the Options menu when composing or the Security button drop-down.


5) Import for use in MS Outlook or Outlook Express

to come


6) Using in MS Outlook or Outlook Express

to come


7) Notes for all

In order for your signature to show as trusted, the receiver must have the certificate authority's root certificate installed (or must manually tell their client that your certificate is to be trusted). If you went the route of being your own CA, you need to make cacert.pem (change the extension to .crt) available to the people you email, for example by putting it on a web site for download or emailing it to them. Since anyone can create a root certificate with the same name, also give them its fingerprint by some other channel (phone, in person) so they can check the file before trusting it.

For people who use only MS products, importing the public root certificate only needs to be done once, because Internet Explorer, Outlook and Outlook Express share the Windows certificate store; Mozilla, Firefox, and Thunderbird each use their own certificate store. For people using MS Outlook or Outlook Express, you may want to point them here:
http://www.marknoble.com/tutorial/smime/smime.aspx
Making the root certificate available on a web page means they can install it via their browser and it will then be available to their email client. For people who use Thunderbird or other email programs, the certificate will need to be imported manually into that program. For Thunderbird, see above.

To encrypt email to someone you must have their public key (their certificate), as well as your own certificate and private key (your own certificate is needed so that the copy saved in your Sent folder is encrypted to you as well). To receive encrypted email it is the reverse: they must have your public key and you must have your private key. In other words, if both of you do not have personal certificates then encryption cannot happen.