Digital signature (Unixmail)
The user certificates of the DFN PKI allow you to digitally sign your e-mails.
The digital signature of an e-mail has the following advantages:
- The recipient of the e-mail can verify that the message really comes from the stated sender. (Authenticity)
- The recipient of the e-mail can verify that the message has not been altered in transit. (Integrity)
Without a digital signature, any e-mail can easily be manipulated, and the sender address in the message is not verified at all.
The standardized method for digital signature of e-mails is S/MIME (Secure/Multipurpose Internet Mail Extensions).
To sign your e-mails digitally, you must add your user certificate (together with its private key) to the certificate store of the e-mail client or to the certificate store of the operating system (Microsoft Windows, Mac OS X).
The configuration of the individual e-mail clients for digitally signing e-mails is described below.
MOZILLA Thunderbird
You must import your user certificate into Thunderbird. In Thunderbird, open the following menu: Edit -> Settings -> Privacy -> Security -> Certificates. Select the "Your Certificates" tab and click Import. Select the file (PKCS12 format) that contains your user certificate and private key.
Your user certificate and all other sensitive certificate information are protected by a master password. If you have not yet assigned a master password, please do so now. You will need the master password if you want to send digitally signed e-mails. Thunderbird will prompt you to enter it now.
After assigning the master password, you will be prompted to enter the password with which you have protected your user certificate in the selected file. The user certificate has now been successfully imported into Thunderbird and is displayed under the "Your Certificates" tab. Now you can close the Thunderbird settings pop-up window.
To use your user certificate in your e-mails, it must be linked to your e-mail account. To do so, right-click on your e-mail account and open Properties. Under your e-mail account, select S/MIME Security in the left-hand list. Then select your user certificate for digital signing in the right-hand pane: click "Select...", choose your user certificate, and confirm with OK. The imported certificate now appears in the Digital Signing field.
Thunderbird does not digitally sign e-mail by default. You have to select the option yourself. If you want Thunderbird to automatically sign all e-mails from you, you will need to tick the Digital Signature (default) option.
If you do not want Thunderbird to sign every e-mail automatically, select S/MIME and the signing option when composing the e-mail.
If you have received a digitally signed e-mail, Thunderbird uses an icon to show whether the e-mail was received unchanged and from the correct sender. Clicking the icon shows the details of the sender's digital signature and certificate.
Microsoft Outlook 2007
To digitally sign your e-mail, first select your e-mail account in Outlook. Then go to Tools -> Trust Center -> E-mail Security in the top menu. Tick the "Send signed messages as plain text" check box in the right-hand pane. If you want Outlook to sign all e-mails automatically, also tick "Add digital signature to outgoing messages".
Now add your user certificate to Outlook. To do so, click the Settings button on the right in the same window. A window with the security settings opens. By default, the cryptography format should be set to S/MIME; leave all other settings unchanged. If your user certificate has not been entered automatically under "Signing certificate", click the "Choose" button next to it, select your user certificate, and confirm with OK. All settings should now match your user certificate as shown in the example window.
Confirm the settings with "OK". You will see the following settings screen in the Trust Center window.
Confirm your settings again with OK. From now on, you can digitally sign your e-mails in Outlook.
If you are writing a new e-mail and have not configured Outlook to sign all e-mails automatically, you have to enable the digital signature manually. To do so, click the button next to the red exclamation mark in the menu bar of the new e-mail window. If the "letter with signature" icon is highlighted, your e-mail will be digitally signed.
If you receive an e-mail that has been digitally signed, Outlook automatically checks the signature. You will be informed which sender signed the e-mail and whether the message was received unchanged. For further information on the digital signature, please click on the red icon on the right side of the header.
Mac OS X 10.5 Mail
First, you must import your certificate together with your private key into the Mac OS X keychain. To do so, double-click the file (PKCS12 format) that contains the key and the certificate. Select the "login" keychain and click OK.
Now open the Keychain Access application via Finder -> Applications -> Utilities. You will find your certificate in the category "My Certificates" of the login keychain.
You will find your private key in the category "Keys". Please select this key with your mouse.
To use the key with the certificate, you must allow Apple Mail to access it. To do so, press Command (apple) + I. Go to the Access Control tab, click the "+" icon, and add Mail. Then click "Save Changes" and quit Keychain Access.
To grant access to the necessary data from the keychain, you must restart Apple Mail. When you create a new e-mail, a new icon will be displayed to the right of the subject field, indicating that the new e-mail will be digitally signed. Apple Mail signs all e-mails by default. If you do not want this for a specific e-mail, click on the digital signature icon.
Windows MAIL
To activate the digital signature of your e-mails, first select your e-mail account. Right-click your e-mail account and select "Properties". The Properties window opens. Then click the Security tab at the top.
You must add your user certificate. To do so, click the "Select..." button next to "Signing certificate" and select your user certificate. The user certificate then appears in the certificate field.
After you click "OK" in the Properties window, your user certificate is stored in Windows Mail and you can digitally sign your e-mails. When you create an e-mail, click the corresponding signing icon (sealed letter) in the menu bar. Windows Mail then shows a seal symbol in the header, and your e-mail is signed when you send it via Windows Mail.
If you receive a signed e-mail, Windows Mail automatically checks the signature and shows in the security header whether the e-mail was received unchanged and from the correct sender. The indicator is shown as a seal; clicking the seal shows further information on the digital signature of the e-mail.
Evolution-MAIL
Import your user certificate into Evolution. In Evolution, open the settings via Edit -> Preferences -> Certificates. Switch to the Your Certificates tab and click the "Import" button. The first time you import a user certificate, you must assign a password for the certificate database. This password protects all user certificates and is requested when signing e-mails. Please choose a sufficiently strong password.
Now enter the password with which you protected your user certificate in the file (PKCS12). If the user certificate has been imported successfully, it is listed in the Your Certificates tab.
Now assign your user certificate to your e-mail account. To do so, select your e-mail account in the list of mail accounts on the left and click the Edit button. The account editor opens. Go to the Security tab. In the Secure MIME (S/MIME) section, click the "Select" button and select your user certificate. After activating it, your user certificate (Imported Certificates) is shown next to "Signing certificate". If you want Evolution to sign all e-mails by default, tick "Sign outgoing messages (by default)". Click "OK" to activate the new settings.
You can now digitally sign your e-mails. If you create a new e-mail and do not automatically sign all e-mails by default, you have to sign the e-mail manually. Select Security -> sign with S/MIME from the menu of the e-mail.
Whenever you receive a signed e-mail, Evolution will automatically check the digital signature and show you whether the signature is valid in the e-mail window. Click the "seal"-icon and you will receive all the information about the signature and the certificate.
MUTT
Import your user certificate. The user certificate must be in PKCS12 format and must contain the certificates of the certificate chain. Run the following command:
smime_keys add_p12 name_of_your_certificate.p12
You are prompted for the password you chose to protect the user certificate file. Then enter a new password, which will be used to protect the signing key of your user certificate in Mutt. Whenever you send a signed e-mail, Mutt will ask you for this password.
For Mutt to use the user certificate correctly, you must specify the key ID of the signing key in the .smime.rc file. You can obtain the key ID with the following command:
smime_keys list | grep your_mail_address
Enter the key ID in the file .smime.rc in the following line:
set smime_default_key="keyID"
Now start Mutt. By default Mutt will automatically sign all your e-mails. Before you send an e-mail, your password for the signature key is requested.
When you receive signed e-mails, Mutt will automatically check the digital signature.
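The following script is an added example and not part of the original page or of any of the clients described: it shows with the openssl command line what the clients do behind their seal icons, for the guarantees listed at the top (authenticity and integrity) and for the Mutt section's requirement that the PKCS12 file carry the whole certificate chain. It is fully self-contained: a throwaway test CA, a throwaway user certificate and the sample message are all constructed inside a temporary directory, so no real DFN PKI certificate is touched. The only assumption is an openssl binary on PATH; the file names, the password "secret" and the e-mail address are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original page): S/MIME signing and verification
# with openssl. All keys, certificates and the message are constructed here in a
# temporary directory; no real DFN PKI certificate is used. Assumes openssl on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config (constructed) so the script does not depend on the
# system openssl.cnf. v3_user carries the extensions an S/MIME signing
# certificate needs: digitalSignature and the emailProtection EKU.
cat > "$WORK/test.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_user]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.org
EOF

# Build the test PKI and bundle private key + user cert + CA cert into a
# PKCS#12 file, which is the form the mail clients above import.
make_test_pki() {
  openssl req -x509 -config "$WORK/test.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -config "$WORK/test.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Alice Example/emailAddress=alice@example.org" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 2 -extfile "$WORK/test.cnf" -extensions v3_user \
    -out "$WORK/user.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$1" -out "$WORK/user.p12"
}

# Count the certificates inside a PKCS#12 file ($1 = file, $2 = password).
# The Mutt section requires a .p12 that carries the chain; a count of 1 means
# only the user certificate is present and the bundle is incomplete.
count_p12_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Sign a message ($1 = plain text file, $2 = output). -text wraps the body in a
# text/plain MIME part; the result is clear-signed (multipart/signed), so the
# text stays readable and the user and CA certificates travel with it.
sign_message() {
  openssl smime -sign -in "$1" -text -signer "$WORK/user.crt" \
    -inkey "$WORK/user.key" -certfile "$WORK/ca.crt" -out "$2"
}

# Verify a signed mail against the trusted CA. Prints "valid" when signature
# and chain check out, "invalid" otherwise; this is what the seal icons of the
# clients above summarise for the recipient.
verify_message() {
  if openssl smime -verify -in "$1" -CAfile "$WORK/ca.crt" -out /dev/null 2>/dev/null; then
    echo valid
  else
    echo invalid
  fi
}

make_test_pki secret
printf 'Please transfer 100 EUR to the project account.\n' > "$WORK/msg.txt"
sign_message "$WORK/msg.txt" "$WORK/signed.eml"
# Simulate modification in transit: change the amount inside the signed body.
sed 's/100 EUR/1000 EUR/' "$WORK/signed.eml" > "$WORK/tampered.eml"

echo "certificates in user.p12: $(count_p12_certs "$WORK/user.p12" secret)"
echo "original message:  $(verify_message "$WORK/signed.eml")"
echo "tampered message:  $(verify_message "$WORK/tampered.eml")"
```

The last line is the integrity guarantee in practice: the edited amount no longer matches the signed digest, so verification fails, which is exactly what a client reports as "message changed". The same `openssl pkcs12 ... -nokeys` check is worth running on a real DFN PKI export before importing it into Mutt, since a file without the intermediate certificates imports fine but produces signatures that recipients cannot chain to a trusted root.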