3.2. Securing E-mails.

3.2.1. Generate and use an s/mime certificate

Simply generate and sign a certificate request but with the Common Name (CN) being your e-mail address.

Now sign your message test.txt (output test.msg) using your certificate newcert.pem and your key newreq.pem:

openssl smime -sign -in test.txt -text -out test.msg -signer newcert.pem -inkey newreq.pem

You can now transmit test.msg to anybody, you can use this procedure to make signed advisories, or other signed documents to be published digitally.

3.2.2. To use this certificate with MS Outlook

You need to import it in Outlook as a pkcs12 file. To generate the pkcs12 file from your newcert.pem and newreq.pem:

CA.pl -pkcs12 "Franck Martin"
(openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out newcert.p12 \
-name "Franck Martin")

or use this command to bundle the signing certificate with your pkcs12 file

openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile cacert.pem \
-out newcert.p12 -name "Franck Martin"

Beware this certificate contains your public and private key and is only secured by the passphrase. This is a file not to let into everybody's hand.

In MS Outlook go to Tools, Options and Security, Click on the import/export button select to import the newcert.p12 file, enter the export password and the Digital ID "Franck Martin" (That's my name so use your name in the above examples). And Click on Ok.

Now click on the Settings button, MS Outlook should have selected the default setting so just click on New. And finally click on Ok, except if you want to change the default settings. You are ready to send signed e-mails. When you send a signed e-mail the user at the other end will receive your public key, and will therefore be able to send you encrypted e-mails.

As you have issued this certificate from a self-signed certificate (root CA Certificate), the trust path won't be valid because the application does not know the root CA Certificate. The root CA certificate has to be downloaded and installed. Refer to the chapter "Install the CA root certificate as a Trusted Root Certificate in Internet Explorer".

You can send your message as encrypted signed messages or clear text message. The encryption is not really an encryption as the message contains everything needed to decrypt the message, but it ensures that the recipient won't read the message if he does not have an s/mime compliant reader.

Note that early version of MS-Outlook XP will search the Internet to verify the validy of the certificate. It can take several seconds before the e-mail is displayed and several minutes for MS-Outlook XP to timeout when you don't have a full time or on-demand Internet connection. The bug is that this process is exclusive, the whole machine freezes till MS-Outlook XP has finished somehow.

3.2.3. To use this certificate with MS Outlook Express

FIXME

3.2.4. To use this certificate with Netscape Messenger

FIXME

3.2.5. To use this certificate with Evolution

Evolution 1.0 does not work with S/MIME, but only with PGP. It is planned that Evolution will handle S/MIME in a future release (from the evolution bug database). However in some instances Evolution recognises that the document is clear text signed and displays it correctly, even though it can't check the signature (early versions of Evolution does not understand one of the 3 MIME signature types, unfortunately the one MS-Outlook uses quite often).

3.2.6. To use this certificate with Balsa

FIXME

3.2.7. To use this certifcate with KMail

FIXME