Getting an SMIME certificate: Difference between revisions

From MozillaZine Knowledge Base
m (Update Verisign URL)
(47 intermediate revisions by 10 users not shown)
__NOTOC__


==Certificate Authorities==
===Sources of Free SMIME Certificates===
Free certificates usable for [http://en.wikipedia.org/wiki/S/MIME S/MIME] are available from:
*[https://www.actalis.it/products/certificates-for-secure-electronic-mail.aspx Actalis]
*[https://www.cacert.org/index.php?id=1 <S>CAcert</S>] (CAcert is NOT one of the trusted authorities built into Firefox and Thunderbird. The connection is also untrusted)
*[https://www.comodo.com/home/email-security/free-email-certificate.php Comodo]
*[https://www.globalsign.com/document-security-compliance/microsoft-office-document-security/ GlobalSign] (free 30-day trial)
*[http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html InstantSSL]
*[https://www.secorio.com/index.php?S_MIME_Email_Certificates Secorio]
*[https://cert.startcom.org/ <S>StartCom</S>] (StartCom certificates have been revoked by Mozilla) [https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/]
*[https://www.wosign.com/english/Free_Email_Certificate.htm <S>Wosign</S>] (WoSign certificates have been revoked by Mozilla)


Some of them are free only for personal use. It can also cost money to revoke a free certificate. [http://www.techdirt.com/articles/20140409/11442426859/shameful-security-startcom-charges-people-to-revoke-ssl-certs-vulnerable-to-heartbleed.shtml]


Let's Encrypt does not currently offer S/MIME certificates. See https://community.letsencrypt.org/t/s-mime-certificates/153 for a thread explaining why you can't use their SSL/TLS certificates for S/MIME.


===To obtain certificate from an authority===
Firefox and Microsoft Internet Explorer contain cryptographic tools capable of generating public/private key pairs. When signing up for a certificate with an authority, their website triggers your browser to create a key pair and transmit the public key to them, which is then certified. For this reason, when you return to pick up your completed certificate (typically a few minutes later), it is mandatory that you do so with ''' ''the same browser on the same computer'' '''. Otherwise you will not possess the private key necessary for pickup.
 
It will then still be necessary to export the resulting new key and certificate to a regular, password-protected file that can then be imported into Thunderbird's certificate store. The CA's and/or your browser's help files should explain how to export your new certificate and keys.
 
To export it as a .p12 (Personal Information Exchange) file using Firefox, go to [[Menu differences in Windows, Linux, and Mac|Tools -> Options]] -> Advanced -> Encryption -> View Certificates and select the certificate. Then press the Backup button. You will be prompted for a password, which you will have to enter when you import the file.
 
To import the file  into Thunderbird, use "[[Menu differences in Windows, Linux, and Mac|Tools -> Options]] -> Advanced -> Encryption -> View Certificates -> Import". You will be prompted for the password you used when you exported (or backed up) the file.
 
Once you have imported your certificate into Thunderbird, it will be available for pairing with one or more accounts in Thunderbird using Tools -> Account Settings -> Security -> Select.
 
Be thoughtful about whether to select "digitally sign all messages by default". Institutional firewalls may rewrite messages as part of their own security processing and break your cryptographic signature, leaving your recipient with all kinds of warnings about the message being invalidly signed. As S/MIME usage is still not widespread, most people still don't know how to interpret this. A broken signature will probably seem worse to them than receiving a message with no cryptographic signature at all, even though the contents are identical in both cases.
 
Webmail users will see an unreadable attachment which can raise similar questions.


==Self-signed certificates==
You may use a personally self-signed certificate in Thunderbird. However, since these certificates are not signed by an approved certificate authority, the certificate will not be trusted by other computers or people unless they add the self-signed certificate to their list of certificate authorities. Personally self-signed certificates are generally only useful for testing or for exchanging information with people you already know and trust.


It's possible to generate self-signed certificates using the Firefox Add-on [https://addons.mozilla.org/en-US/firefox/addon/4471 Key Manager]:
Tools - Key Manager Toolbox - Key Manager - Your Keys - Generate SelfSign Cert and insert your data. On the tab Advanced - Standard X.509 Extensions check "Is CA?".
 
Another option for those who have sufficient understanding of certificate structures is using the command line. See [https://fam.tuwien.ac.at/~schamane/_/oldblog/140216_openssl_self-signed_certificates_thunderbird.html OpenSSL self-signed certificates & Thunderbird]
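The OpenSSL command-line route just mentioned, as an added example that is not part of this article: it produces a self-signed certificate carrying the S/MIME extensions, marked as a CA like the Key Manager "Is CA?" step, and then performs the same password-protected PKCS#12 (.p12) export that the certificate-authority section above describes for Firefox's Backup button. The e-mail address, name, passphrase and file names are constructed sample values, and it assumes an installed openssl binary (1.1.1 or later).

```shell
# Added example (not from the article): the OpenSSL route for a self-signed
# S/MIME certificate, marked as a CA like Key Manager's "Is CA?" step, then
# exported as a password-protected .p12 for Thunderbird. Address, name and
# password are constructed sample values.
set -eu
EMAIL="alice@example.org"; NAME="Alice Example"; P12_PASS="export-passphrase"
WORK="${WORK:-$(mktemp -d)}"

write_config() {   # minimal openssl.cnf carrying the S/MIME extensions
cat > "$WORK/smime.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_smime
[ dn ]
CN = $NAME
emailAddress = $EMAIL
[ v3_smime ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = emailProtection
subjectAltName = email:$EMAIL
EOF
}
make_self_signed() {   # 2048-bit RSA key plus self-signed cert, valid 1 year
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/smime.cnf" \
        -keyout "$WORK/smime.key" -out "$WORK/smime.crt"
}
export_p12() {   # same artefact as Firefox's "Backup" button; OpenSSL 3 uses
    # AES/PBKDF2 here, very old NSS builds need the -legacy (RC2/3DES) encoding
    openssl pkcs12 -export -in "$WORK/smime.crt" -inkey "$WORK/smime.key" \
        -name "$NAME <$EMAIL>" -out "$WORK/smime.p12" -passout "pass:$P12_PASS"
}
has_email_san() {   # clients match the address in subjectAltName, not only the DN
    openssl x509 -in "$WORK/smime.crt" -noout -text | grep -q "email:$EMAIL"
}
verify_as_trusted() {   # passes only because the cert itself is the trust anchor
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/smime.crt" \
        -purpose smimesign "$WORK/smime.crt" >/dev/null
}
verify_untrusted() {   # fails: no authority in the default store signed it
    openssl verify -no-CAfile -no-CApath "$WORK/smime.crt" >/dev/null 2>&1
}
p12_opens_with() {   # $1 = password; a wrong one fails the PKCS#12 MAC check
    openssl pkcs12 -in "$WORK/smime.p12" -passin "pass:$1" -nokeys -noout 2>/dev/null
}
make_self_signed && export_p12 && has_email_san && verify_as_trusted &&
    echo "key, certificate and $WORK/smime.p12 ready for Thunderbird import"
```

Import the resulting .p12 through Thunderbird's "View Certificates -> Import" as described above; correspondents must additionally import smime.crt as an authority before signatures from it will verify for them.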


Special considerations for installing personally self-signed certificates can be found in the [[Installing an SMIME certificate]] article.

===Self-signed certificates in Mac OS X 10.4===
You can create your own self-signed certificate using the ''Keychain Access'' application's Certificate Assistant. To export your certificate as a PKCS #12 file for import into Thunderbird, click "My Certificates" in the ''Keychain Access'' window. Select your self-signed certificate. Then from the menu bar select "File -> Export". You will be asked for a password to protect this file. This is the password you will require when importing the certificate into the "Your Certificates" tab of Thunderbird after entering your master password.


To export your certificate as a ".cer" file for use as a certificate authority, select "Certificates" in the ''Keychain Access'' window. Select your self-signed certificate. Then from the menu bar select "File -> Export". Be sure ".cer" is selected as the appropriate file type in the save dialog.
==Other uses for certificates==
Free certificates are not necessarily limited to use only by ''S/MIME'' email. The same digital IDs can be imported and employed during document generation, for example, by:
* ''Adobe Acrobat'' for signing and encrypting pdf documents. This requires the non-free ''Acrobat'' to generate. The free ''Adobe Reader'' is available to decrypt and verify.
* ''OpenOffice'' also contains some signing capability using certificates.
These have the advantage over ''S/MIME'' in that they pass more easily through firewalls, but at the price of requiring more steps to generate.


==See also==
==External links==
*[http://www.google.com/search?hl=en&q=Creating+a+self-signed+certificate+using+OpenSSL&btnG=Google+Search Creating a self-signed certificate using OpenSSL]
* [https://datatracker.ietf.org/doc/draft-ietf-acme-email-smime/ IETF draft on Extensions to Automatic Certificate Management Environment for end user S/MIME certificates]


[[Category:Privacy and security]]
[[Category:Privacy and security (Thunderbird)]]

Revision as of 07:21, 15 September 2018

