Email Certificates

Emails without a digital certificate are like postcards sent through the regular post: everyone who handles them along the way can read what you wrote. In the case of regular email, anyone with access to any of the mail servers that your message passes through can read it.

Another problem with regular email is that, unless the sending mail server uses authentication, there is nothing to stop the From address from being spoofed (set to any email address at all, regardless of where the message really came from). Even when your own sending server does use authentication, that doesn't help the recipient, since a forged message may have been sent through a different mail server that doesn't use authentication and which therefore allowed the From address to be spoofed.

A digital certificate attached to your emails serves three purposes.

  1. It gives the recipient verification that the email was signed with the private key belonging to the email address it says it came from (the certificate authority checked that address before issuing the certificate).
  2. When both parties have digital certificates for their email accounts it allows emails between them to be encrypted so that no third party, including the mail servers they pass through, can read them.
  3. It allows the recipient to tell if the email has been altered since it was signed (note that if their mail server or virus scanner appends a "scanned clean" notice to the end of incoming emails, that alters the email and produces a warning).

One big advantage that email certificates have compared to other digital certificates is that they can be obtained free from some certificate authorities, unlike web certificates, which have traditionally had to be paid for. My favourite place for getting free email certificates is Comodo, because their email certificates are always free, unlike some of the others that only offer free certificates at certain times (and which may therefore not be free when the 12 months are up and you need to renew the certificate). Assuming you decide to get your email certificate from Comodo, you can obtain and install it quite easily. The first thing you need to do is press the GET YOUR FREE EMAIL CERT NOW ! button in the middle of the page.

The Comodo email certificate link option.

This will bring up the form where you can apply for a digital email certificate. Simply fill in your name, email address and country, specify a revocation password (which you can use to have the certificate revoked if someone steals the private key off your computer) and then, after reading the subscriber agreement, press the Agree and Continue button.

You should now get a message that a private key is being generated. This happens inside your browser: the private key stays on your computer, and only the matching public key is sent to Comodo to be placed in the certificate. Once that is done you will be taken to another page that indicates that your certificate has been generated. An email is then sent to your email account containing a code that you need to enter to actually retrieve the certificate; this is how Comodo checks that you really control the address.

Once the email arrives you can either click on the link in the email or go to the collection page and enter the code provided. Note that this must be done using the same browser on the same computer as you used to request the certificate in the first place, so that the private key already stored in that browser can be found. If you can't use the link from within the email and have to go to the site, it is simply a matter of entering your email address and the supplied collection password and then pressing the Install and Continue button to download the certificate. You should then get an alert indicating that your certificate is installed in the browser.

If you are using Internet Explorer with Outlook or Outlook Express, your email program should already have access to the certificate, because those programs share the Windows certificate store. With Thunderbird or other email programs that keep their own certificate store, you need to export the certificate (together with its private key) out of the browser and import it into the email program.

To export a certificate from Firefox, go to Options in the Tools menu and then to the Advanced tab. On the Encryption page press the View Certificates button. The email certificate you just obtained should appear on the Your Certificates page. Select the certificate by clicking on it and then press the Backup button. This saves the certificate and its private key together as a PKCS12 file (with a .p12 extension). You will need to specify a backup password to save the file; the private key is encrypted under that password, which is what prevents someone who gets hold of the file from importing it into any email program and pretending to be you, so choose a strong one and delete the file once it has been imported. Other browsers have a similar process.

To import a certificate into Thunderbird, go to Account Settings in the Tools menu, select the Security tab and then press the View Certificates button. Next, on the Your Certificates page press the Import button and select the file you saved from your browser. You will then need to enter the backup password you chose when exporting (and your Thunderbird master password, if you have set one) to install the certificate. After closing that window you can select the certificate for signing and check the Digitally sign messages checkbox to have all of your outgoing mail from that email address signed with it.

Signing your emails adds an extra part to each email you send, using the multipart/signed MIME type: the first part is your message and the second is the detached signature, an application/pkcs7-signature part usually named smime.p7s, which also carries your certificate. Some email programs do not support this standard and so show the signature part as an attachment called smime.p7s instead of checking it.

Once you have your certificate installed, if you receive a signed email from someone who also has a certificate you will then have the option of encrypting your emails to that person. Encrypting to them requires their certificate (which carries their public key): it is the one sent in the multipart/signed part, and most email programs add it to your certificate store automatically when a signed email arrives. Your own certificate is not needed to encrypt to them, but your email program normally encrypts each message to your own certificate as well so that you can still read the copy in your sent folder. The email program handles the encryption process for you once it has all the certificates it needs.
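The steps the last few paragraphs describe, as an added example that is not part of the original article: signing a message and looking at the multipart/signed structure, verifying it and detecting a tampered copy, producing the same kind of password-protected PKCS12 backup that the Firefox export and Thunderbird import steps deal with, and then encrypting to a certificate pulled out of someone else's signed mail. It is driven from the openssl command line rather than a mail client. Everything specific is made up for the example: self-signed certificates stand in for the Comodo-issued ones, the mailboxes alice@example.com, bob@example.com and mallory@example.com, the message text and the backup password "backup-secret" are all constructed.

```shell
#!/bin/sh
# Added example, not from the original article: the S/MIME steps the text
# describes, driven from the openssl command line instead of a mail client.
# Assumptions (all made up for this example): self-signed certificates stand in
# for the CA-issued ones, the mailboxes are alice/bob/mallory@example.com, and
# the PKCS#12 backup password is "backup-secret".
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# A key pair plus certificate for one mailbox. A CA-issued S/MIME certificate
# binds the address through the same subjectAltName / emailProtection fields.
mkcert() { # mkcert <name> <email>
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$1/emailAddress=$2" \
        -addext "subjectAltName=email:$2" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null
}
mkcert alice alice@example.com
mkcert bob bob@example.com
mkcert mallory mallory@example.com   # third party; has neither Alice's nor Bob's key

# Constructed message body (the amount is what gets altered below).
printf 'Hi Bob,\nPlease pay invoice 42: 100 dollars.\n-- Alice\n' > message.txt

# Sign: a multipart/signed message whose second part is the detached signature
# (smime.p7s) and which also carries Alice's certificate for the recipient.
openssl smime -sign -text -in message.txt -signer alice.crt -inkey alice.key \
    -from alice@example.com -to bob@example.com -subject "Invoice 42" \
    -out signed.eml

# The MIME labels the article mentions: clients without S/MIME support show the
# second part as an attachment named smime.p7s rather than checking it.
signed_mime_type() { grep -o 'multipart/signed' signed.eml | head -n 1; }
signature_part() { grep -o 'name="smime.p7s"' signed.eml | head -n 1; }

# Verify against a trusted certificate; succeeds only if the signature matches
# the body exactly. Output goes to <file>.out with S/MIME's CRLF line endings.
verify_mail() { # verify_mail <file> <trusted-cert>  -> "ok" or "FAIL"
    if openssl smime -verify -text -in "$1" -CAfile "$2" -out "$1.out" 2>/dev/null
    then echo ok; else echo FAIL; fi
}
verified_body() { tr -d '\r' < "$1.out"; }   # verified_body <file>

# Tamper detection: change the amount inside the signed body and re-verify.
sed 's/100 dollars/900 dollars/' signed.eml > tampered.eml
verify_mail signed.eml alice.crt     # ok
verify_mail tampered.eml alice.crt   # FAIL

# The Firefox "Backup" step produces exactly this: private key and certificate
# together in one password-protected PKCS#12 (.p12) file for Thunderbird to
# import. Anyone holding the file and its password can sign as this identity.
openssl pkcs12 -export -inkey alice.key -in alice.crt -name "alice@example.com" \
    -passout pass:backup-secret -out alice.p12
p12_identity() { # -> the e-mail address bound to the certificate inside alice.p12
    openssl pkcs12 -in alice.p12 -clcerts -nokeys -passin pass:backup-secret 2>/dev/null |
        openssl x509 -noout -subject | grep -o '[[:alnum:]._-]*@[[:alnum:].-]*'
}

# Encryption needs only the recipient's certificate, and that arrives inside any
# signed mail from them: Bob signs a note, Alice extracts his certificate from
# the smime.p7s part and encrypts to it (and to her own certificate, so her sent
# copy stays readable). Her private key plays no part in the encryption itself.
printf 'Hi Alice, this note carries my certificate.\n' > note.txt
openssl smime -sign -text -in note.txt -signer bob.crt -inkey bob.key \
    -from bob@example.com -to alice@example.com -out from_bob.eml
openssl smime -pk7out -in from_bob.eml | openssl pkcs7 -print_certs |
    openssl x509 > bob_from_mail.crt
openssl smime -encrypt -aes256 -in message.txt -from alice@example.com \
    -to bob@example.com -subject "Invoice 42" -out encrypted.eml \
    bob_from_mail.crt alice.crt

# Only a holder of a private key matching one of the recipient certificates
# gets the plaintext back; Mallory, or a mail server in between, does not.
decrypt_as() { # decrypt_as <name>  -> plaintext or "FAIL"
    if openssl smime -decrypt -in encrypted.eml -inkey "$1.key" -recip "$1.crt" \
            -out "$1.dec" 2>/dev/null
    then tr -d '\r' < "$1.dec"; else echo FAIL; fi
}
decrypt_as bob       # plaintext
decrypt_as mallory   # FAIL
echo "artifacts left in $WORK"
```

Run it as a plain sh script; it needs only the openssl command-line tool (1.1.1 or later for the -addext options). Open signed.eml and encrypted.eml in a text editor to see the multipart/signed and enveloped structures a mail client normally hides, and note that verification is done against a certificate you already trust (-CAfile): a signature alone proves nothing until the certificate behind it chains to an issuer you accept.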


This article written by Stephen Chapman, Felgall Pty Ltd.
