Would you like to prove to your contacts the authenticity of your emails ? A S/MIME signature of your messages may be a solution. It will guarantee that a message comes from you, and that its content wasn’t altered. You can do it for free – as long as it’s for a personnal use – using a Comodo free email certificate. The solution may be seducing, but there are two caveats.
First, the validation of your signature is done by your recipient email client, and most email clients just don’t support it. As a rule of thumb, consider only the outlook desktop app supports it (gmail, outlook.com, default android client don’t support it, iphone can support it but it’s disabled by default). And there’s nothing you can do about it.
Second, the procedure to sign your messages may give some headaches, and it’ll be different for each email client. But at least, here is a step by step guide to digitally sign outgoing messages on Outlook.
- Get a mail Certificate
- Install your mail certificate in your local certificate store
- Check that your certificate is properly installed
- Configure Outlook to sign outgoing messages
1. Get a mail certificate
You can’t use a domain certificate for this. Even though the techonolgy and format are the same, a mail certificate is bound to a specific email address, and you cannot use a single certificate for all addresses within a domain.
Watch out : the certificate generation uses some features of your Internet Browser. I could get it working only on Internet Explorer 11 in admin mode (right click on your IE icon, and select “Run as an administrator”).
Even though I couldn’t get it working using Chrome or Chromium, this was most likely a permission issue. If you try, just make sure that you authorize the Comodo site to generate certificates by clicking on the lock on the left of the address bar :
If you wonder why certificate generation relies on your browser, think security and confidentiality. The certificate contains a private key and a public key. No one but you should know your private key, it is used to sign your messages. The public key, available to everyone, will be used to check your signature authenticity.
If the certificate were generated by a remote server, you could never be sure that no one kept a copy of your private key, whether on the server, or by intercepting the email you received with your certificate, or the file you downloaded.
So, any certificate sent to you by Comodo, or downloaded from their site only contains the public key. The private key never left the computer where you started the generation.
As explained by Comodo :
Backup your private key! We do not get a copy of your private key at any time so, after completing this application procedure, we strongly advise you create a backup. Your certificate is useless without it
Your private key never leaves this computer and is never transmitted to the certificate issuer.
Your public and private keys are generated by the crypto module on your local machine.
The options under “Private Key Options” are to instruct your local software on how to generate your keys.
They are not instructions sent to remote servers for remote key generation.
Which means that if the private key generation fails (ex : because of an unsupported/misconfigured browser), installing the downloaded certificate will only deploy the public key, which can’t be used to sign your email.
2. Install your mail certificate in your local certificate store
If you got your certificate from Comodo, you will have to install it on the machine and with the account used to generate the certificate (since the private key is only stored on this machine).
Once your receive the email telling you that your certificate is ready, download it, and double click on it to install it on your machine. Keep the default options. The certificate only contains the public key, but it will then match the stored private key.
3. Check that your certificate is properly installed
To check that your certificate is properly installed, you must ensure that it is listed in the certificate store, and that it contains a private key.
Open the Windows Certificate Manager (launch it from command line using certmgr.msc) :
Go to Personnal > Certificates, the certificate with your email address should be listed.
Right click on the certificate, and chose “All tasks > Export”. The export wizard should offer you to iclude the private key. If it doesn’t, the private key is not properly installed. Check if it’s not installed in another path of the certificate store. If you don’t find it, it’ll be painful… You’ll have to:
- revoke your certificate (for a Comodo certificate, through this page)
- delete the public certificate from the certificate manager
- Go once again through the certificate acquisition process.
If the private key is available, make a backup of your certificate including private key, and store it safely.
4. Configure Outlook to sign outgoing messages
In Outlook 2016, create a new message, go to the “Options” tab, and click on the advanced icon in the bottom right corner :
Click on the “Security settings” button, then check “Add a digital signature” and “Send the message as signed clear text”. Click on the “Change settings” button, and select the appropriate certificate.
If you don’t see your certificate, or Outlook tells you there’s no certificate available, the generation of the certificate may have failed. Revoke it, and repeat the acquisition and installation process. Make sure the mail certificate is for your outlook email address, and try with Internet Explorer 11 in admin mode.
If the certificate was properly listed, and you could select it. Try and send a mail to yourself. Once the message received, if a small red badge appears on the message, congrats, you did it, you can now sign all your outbound messages !