E-mail configuration with user certificates
With user certificates you can digitally sign and encrypt your e-mails.
A digital signature on an e-mail provides the following advantages:
- The receiver of an e-mail is able to prove whether a message has been sent by a specific sender.
- The receiver is able to recognise whether or not a message has been manipulated during transmission (integrity).
E-mails without a digital signature can be manipulated very easily, and the sender cannot be identified.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is the standardised procedure for digitally signing e-mails.
In order to digitally sign your e-mails, you have to import your user certificate, and possibly the certificate chain, into the certificate store of the e-mail client or into the Microsoft certificate store, respectively.
Below you'll find a description of how to configure the e-mail client in order to digitally sign e-mails.
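The clients described below all do the same thing when they receive a signed message: they check that the message is a well-formed S/MIME multipart/signed envelope, digest the signed MIME entity exactly as it was transmitted, and hand that digest and the detached CMS signature to their crypto library. The following added example (not code from the original page or from any of the named mail clients) shows the first two of those steps with nothing but the Python standard library. The sample message, its addresses and the signature part are constructed; the signature part is a labelled placeholder rather than a real CMS SignedData blob, because the point here is the envelope and the integrity digest, not certificate-chain validation.

```python
import base64
import email
import email.policy
import hashlib

# Digest names allowed in the micalg parameter (RFC 8551) mapped to hashlib names.
MICALG_TO_HASH = {"sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

# Constructed placeholder: a real client would find a DER-encoded CMS SignedData here.
PLACEHOLDER_SIG = base64.b64encode(b"constructed placeholder, not a real CMS SignedData")

# Constructed sample of what an S/MIME client emits for a signed (not encrypted) message.
SAMPLE_MESSAGE = b"".join([
    b"From: alice@example.org\r\n",
    b"To: bob@example.org\r\n",
    b"Subject: Invoice\r\n",
    b"MIME-Version: 1.0\r\n",
    b"Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\";\r\n",
    b" micalg=sha-256; boundary=\"smime-bnd\"\r\n",
    b"\r\n",
    b"This is a cryptographically signed message in MIME format.\r\n",
    b"\r\n",
    b"--smime-bnd\r\n",
    b"Content-Type: text/plain; charset=utf-8\r\n",
    b"Content-Transfer-Encoding: 7bit\r\n",
    b"\r\n",
    b"Please transfer 500 EUR to account 123.\r\n",
    b"\r\n",
    b"--smime-bnd\r\n",
    b"Content-Type: application/pkcs7-signature; name=\"smime.p7s\"\r\n",
    b"Content-Transfer-Encoding: base64\r\n",
    b"Content-Disposition: attachment; filename=\"smime.p7s\"\r\n",
    b"\r\n",
    PLACEHOLDER_SIG + b"\r\n",
    b"--smime-bnd--\r\n",
])


def parse_signed_message(raw: bytes) -> dict:
    """Validate the multipart/signed envelope and extract its two MIME entities.

    Returns the signed entity (headers and body, canonical CRLF form, i.e. exactly
    the bytes the signer digested) and the decoded signature part.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    protocol = msg.get_param("protocol")
    micalg = msg.get_param("micalg")
    boundary = msg.get_boundary()
    if protocol != "application/pkcs7-signature":
        raise ValueError(f"unexpected protocol {protocol!r}")
    if micalg not in MICALG_TO_HASH:
        raise ValueError(f"unsupported micalg {micalg!r}")
    if not boundary:
        raise ValueError("missing boundary parameter")

    # The digest covers the canonical (CRLF) form of the first entity, so split the
    # raw bytes ourselves instead of re-serialising a parsed Message object.
    canon = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    delimiter = b"\r\n--" + boundary.encode("ascii")
    chunks = canon.split(delimiter)
    # chunks: [headers+preamble, CRLF+signed entity, CRLF+signature entity, "--"+epilogue]
    if len(chunks) != 4 or not chunks[3].startswith(b"--"):
        raise ValueError("multipart/signed must contain exactly two body parts")
    signed_entity = chunks[1][2:]   # drop the CRLF that terminates the delimiter line
    sig_entity = chunks[2][2:]

    sig_part = email.message_from_bytes(sig_entity, policy=email.policy.default)
    if sig_part.get_content_type() != "application/pkcs7-signature":
        raise ValueError("second part is not an application/pkcs7-signature")
    return {
        "protocol": protocol,
        "micalg": micalg,
        "signed_entity": signed_entity,
        "signature_der": sig_part.get_payload(decode=True),
    }


def signed_entity_digest(signed_entity: bytes, micalg: str) -> str:
    """Digest the receiver compares against the messageDigest attribute inside the CMS blob."""
    return hashlib.new(MICALG_TO_HASH[micalg], signed_entity).hexdigest()


if __name__ == "__main__":
    info = parse_signed_message(SAMPLE_MESSAGE)
    print("micalg:", info["micalg"])
    print("digest of signed entity:", signed_entity_digest(info["signed_entity"], info["micalg"]))
    # Any change to the signed text after signing yields a different digest, which is
    # what makes the client show its "message has been modified" warning.
    modified = parse_signed_message(SAMPLE_MESSAGE.replace(b"account 123", b"account 999"))
    print("digest after modification:", signed_entity_digest(modified["signed_entity"], modified["micalg"]))
```

The split on the boundary delimiter rather than `msg.get_payload(0).as_bytes()` is deliberate: the email module may re-fold headers or normalise whitespace, and a digest over re-serialised bytes will not match what the signer computed.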
MOZILLA Thunderbird
You have to import your user certificate together with its private key: in the Mozilla Thunderbird Certificate Manager (Tools-->Options-->Advanced-->Certificates-->View Certificates) go to the tab Your Certificates and click on Import. Choose the file (PKCS #12 format) that contains your user certificate.
Your user certificate and all other necessary certificate information are protected by a so-called master password. If you haven't assigned a master password yet, Thunderbird will prompt you to do so. You need the master password in order to send digitally signed e-mails.
After assigning the master password, you will be prompted to type in the password with which you protected your user certificate in the selected file. Your user certificate has now been imported successfully into Thunderbird and is displayed under Your Certificates. You can close the dialogue now.
In order to use the user certificate for your e-mails, it has to be assigned to an e-mail account. To do so, right-click on your e-mail account and open the Settings. Choose Security in the left window under your account. On the right side you have to choose your specific user certificate for the digital signature. Click on Select, choose a user certificate and press OK.
By default, Thunderbird doesn't sign e-mails digitally. You have to set this option yourself. If you want Thunderbird to sign all your e-mails automatically, you have to check Digitally sign messages (by default).
If you don't want Thunderbird to sign every e-mail by default, you have to check Digitally Sign This Message in the Security menu of the compose window.
When you receive a digitally signed e-mail, Thunderbird shows an icon indicating whether or not the e-mail has been manipulated and whether the sender is valid. If you see the icon, click on it to get the information about the digital signature of the sender.
Microsoft Outlook 2007
In order to digitally sign your e-mails, choose your Outlook e-mail account first. Then go to Trust Center in the Extras menu. Choose E-Mail Security and check Send signed messages as plain text. If you want Outlook to sign e-mails automatically by default, check Add signature to outgoing messages, too.
Now you have to include your user certificate in Outlook. To do so, click on the Settings button; a dialogue with the security settings will open. By default, the cryptography format should be S/MIME. None of the other settings should be changed. If your user certificate hasn't been included automatically under Signature Certificate, click on the Select button on the right. Choose your user certificate and confirm with OK.
If not every e-mail is signed automatically, you have to set up the signature for each new e-mail yourself. While writing a new e-mail, click on the icon to the right of the red exclamation mark. If this icon is highlighted, your e-mail will be sent with a digital signature.
If you receive a digitally signed e-mail, Outlook checks the signature automatically. It shows you whether the message has been signed and whether it has been manipulated during transmission. In order to get more information about the digital signature, click on the red icon on the right side of the header area.
Mac OS X 10.6 Mail
Mac OS X 10.6 Mail already contains a 'Deutsche Telekom' root certificate. First, you have to import your certificate with your private key into the Mac OS Keychain. To do so, click on the file that contains the key and certificate (PKCS #12 format). Choose the keychain Login and click OK.
Open Keychain Access (you can get to it by choosing Utilities from the Go menu in the Finder). You'll find your certificate in the category My Certificates in the keychain Login.
You can find your private key in the category Keys. Select your key by clicking on it.
In order to use the imported key, Apple Mail has to be given access to it. Press the key combination Apple+I. Go to the tab Access and add Mail with the + symbol. Close the key manager by clicking Save Changes.
To give Apple Mail access to the keychain data, you have to restart it. After that, you'll see a corresponding symbol at the bottom right while writing a new e-mail. Apple Mail now signs all your e-mails automatically. If you don't want an e-mail to be signed, click on this symbol to prevent the digital signature.
WebMailer
You have to activate S/MIME in WebMail first in order to sign your e-mails and check received signatures automatically. Go to Mail--> Options in the head menu and choose S/MIME Options in the window.
Activate S/MIME by checking Enable S/MIME functionality? and confirm. Be aware that pop-up windows have to be enabled in your browser.
Now you have to import your user certificate into the WebMailer. Click on Import Personal Certificate. A separate window will pop up. Upload your user certificate (file in PKCS #12 format) and type in the password with which you protected the file. Under Private Key Password you have to set a new password that protects your private key (from the user certificate) within the WebMailer.
If needed, you can display your public and private keys as well as details about your user certificate. You can also sign your e-mails now. To do this, click on New Message and write an e-mail as usual. To digitally sign this e-mail, a new button Cryptography-Settings appears under the Send button. Choose the option Sign (S/MIME).
You can now send your e-mail. In order to sign it, type in the private key password.
If you want all your e-mails to be signed automatically, go to Options-->Message Composition. Choose S/MIME Sign Message in the field Your default encryption method for sending messages. Finally, click Save Options.
If you receive a signed e-mail, WebMail will show you whether or not the e-mail comes from the right sender or has been manipulated.