Sign
This sample is a starting point: it uses the generic sample certificate from the TLS/SSL Toolkit to sign outgoing messages. It is useful because it gets you up and running in less than five minutes and gives you a feel for S/MIME and the way it works.
Once the setup is complete, all messages from youremail@yourdomain.com to someone@hotmail.com are signed. The next step is to use your own certificate rather than the generic one: the sample certificate and its private key can be downloaded by anyone, so a signature made with it proves nothing about the sender and is only good for testing.
- download TLS/SSL Toolkit
- extract CACert.pem into the CERT directory
- extract sample@mydomain.com.pem into the CERT\PRIV directory
- select Options->S/MIME->Sign and create a new record
    Comment:                                    Sign using a sample certificate
    For messages from e-mail address:           youremail@yourdomain.com
    to e-mail address:                          someone@hotmail.com
    use this certificate (file in PEM format):  sample@mydomain.com.pem
Sign and encrypt using a user certificate
The traditional S/MIME configuration stores the certificate in Windows on the local machine, and Outlook uses it to sign the message. The disadvantage of such a configuration is that a message protected on the client cannot be checked by a traditional spam or virus blocker on the server: an encrypted message can only be opened with the recipient's private key, and a signed message cannot be altered without breaking its signature. Further, handling roaming users is a nightmare, because the certificates are scattered across the users' machines.
To overcome these limitations, XWall or CryptoFilter handle certificates centrally and go one step further: they exchange certificates automatically, with little or no user intervention. This sample shows that configuration.
The sample assumes XWall or CryptoFilter at Site A using e-mail addresses of @domainA.com and a second XWall or CryptoFilter at Site B using e-mail addresses of @domainB.com.
Once the setup on both sites is complete, the automatic certificate exchange must be triggered. The simplest way is for one site to send a message to the other site, which XWall signs. The XWall at the receiving site verifies the signature, extracts the sender's certificate (the public key) from the signed message and stores it in the CERT\PUB directory. The reply to this message is then encrypted with the certificate that was just extracted, and the replying site's own certificate travels along in its signature. At the end, each site holds the other's certificate and from then on every message between them is encrypted.
A collected certificate is used to encrypt all later mail to that address, so it matters that it arrives in a message whose signature verifies against CACert.pem; the Verify records below enable that check on both sites.
On Site A:
- enable Options->SMIME->Options->Collect the public certificate of the sender
- copy the certificates of all domainA.com users into the CERT\PRIV directory (they contain the private keys; as described under Install a certificate below, private certificates belong in CERT\PRIV). The name of the certificate file is the e-mail address with a .pem extension (e.g. user@domainA.com.pem)
- select Options->S/MIME->Sign and create a new record
    Comment:                                    Signing from domainA.com to domainB.com
    For messages from e-mail address:           *@domainA.com
    to e-mail address:                          *@domainB.com
    use this certificate (file in PEM format):  *
- select Options->S/MIME->Verify and create a new record
    Comment:                                    Verifying from domainB.com to domainA.com
    For messages from e-mail address:           *@domainB.com
    to e-mail address:                          *@domainA.com
    Verify S/MIME signature:                    enable
    Remove S/MIME signature:                    enable
- select Options->S/MIME->Encrypt and create a new record
    Comment:                                    Encrypting from domainA.com to domainB.com
    For messages from e-mail address:           *@domainA.com
    to e-mail address:                          *@domainB.com
    use this certificate (file in PEM format):  *
- select Options->S/MIME->Decrypt and create a new record
    Comment:                                    Decrypting from domainB.com to domainA.com
    For messages from e-mail address:           *@domainB.com
    to e-mail address:                          *@domainA.com
    use this certificate (file in PEM format):  *
    Verify S/MIME encryption:                   enable
    Remove S/MIME encryption:                   enable
On Site B:
- enable Options->SMIME->Options->Collect the public certificate of the sender
- copy the certificates of all domainB.com users into the CERT\PRIV directory (they contain the private keys; as described under Install a certificate below, private certificates belong in CERT\PRIV). The name of the certificate file is the e-mail address with a .pem extension (e.g. user@domainB.com.pem)
- select Options->S/MIME->Sign and create a new record
    Comment:                                    Signing from domainB.com to domainA.com
    For messages from e-mail address:           *@domainB.com
    to e-mail address:                          *@domainA.com
    use this certificate (file in PEM format):  *
- select Options->S/MIME->Verify and create a new record
    Comment:                                    Verifying from domainA.com to domainB.com
    For messages from e-mail address:           *@domainA.com
    to e-mail address:                          *@domainB.com
    Verify S/MIME signature:                    enable
    Remove S/MIME signature:                    enable
- select Options->S/MIME->Encrypt and create a new record
    Comment:                                    Encrypting from domainB.com to domainA.com
    For messages from e-mail address:           *@domainB.com
    to e-mail address:                          *@domainA.com
    use this certificate (file in PEM format):  *
- select Options->S/MIME->Decrypt and create a new record
    Comment:                                    Decrypting from domainA.com to domainB.com
    For messages from e-mail address:           *@domainA.com
    to e-mail address:                          *@domainB.com
    use this certificate (file in PEM format):  *
    Verify S/MIME encryption:                   enable
    Remove S/MIME encryption:                   enable
Sign and encrypt using a company certificate
This sample uses a single certificate per site: its private key signs outgoing messages and decrypts incoming ones, and its public part is what the other site encrypts to.
This sample assumes XWall or CryptoFilter at Site A using e-mail addresses of @domainA.com and a second XWall or CryptoFilter at Site B using e-mail addresses of @domainB.com.
There is one certificate for each site. The private key files are named cert-priv-DomainA.pem and cert-priv-DomainB.pem, the public key files cert-pub-DomainA.pem and cert-pub-DomainB.pem.
The private key file is a secret and never leaves the site, but the public key file must be sent to the other site.
Once the setup on both sites is complete, all messages between the sites are immediately encrypted.
Note: For testing you can use the sample@mydomain.com.pem certificate from TLS/SSL Toolkit on both sites. Once the setup is working, change the sample certificate to a real one: anyone who downloads the toolkit holds the sample's private key and can read or forge messages protected with it.
On Site A:
- copy cert-priv-DomainA.pem into the CERT\PRIV directory
- copy cert-pub-DomainB.pem into the CERT\PUB directory
- select Options->S/MIME->Sign and create a new record
    Comment:                                    Signing from domainA.com to domainB.com
    For messages from e-mail address:           *@domainA.com
    to e-mail address:                          *@domainB.com
    use this certificate (file in PEM format):  cert-priv-DomainA.pem
- select Options->S/MIME->Verify and create a new record
    Comment:                                    Verifying from domainB.com to domainA.com
    For messages from e-mail address:           *@domainB.com
    to e-mail address:                          *@domainA.com
    Verify S/MIME signature:                    enable
    Remove S/MIME signature:                    enable
- select Options->S/MIME->Encrypt and create a new record
    Comment:                                    Encrypting from domainA.com to domainB.com
    For messages from e-mail address:           *@domainA.com
    to e-mail address:                          *@domainB.com
    use this certificate (file in PEM format):  cert-pub-DomainB.pem
- select Options->S/MIME->Decrypt and create a new record
    Comment:                                    Decrypting from domainB.com to domainA.com
    For messages from e-mail address:           *@domainB.com
    to e-mail address:                          *@domainA.com
    use this certificate (file in PEM format):  cert-priv-DomainA.pem
    Verify S/MIME encryption:                   enable
    Remove S/MIME encryption:                   enable
On Site B:
- copy cert-priv-DomainB.pem into the CERT\PRIV directory
- copy cert-pub-DomainA.pem into the CERT\PUB directory
- select Options->S/MIME->Sign and create a new record
    Comment:                                    Signing from domainB.com to domainA.com
    For messages from e-mail address:           *@domainB.com
    to e-mail address:                          *@domainA.com
    use this certificate (file in PEM format):  cert-priv-DomainB.pem
- select Options->S/MIME->Verify and create a new record
    Comment:                                    Verifying from domainA.com to domainB.com
    For messages from e-mail address:           *@domainA.com
    to e-mail address:                          *@domainB.com
    Verify S/MIME signature:                    enable
    Remove S/MIME signature:                    enable
- select Options->S/MIME->Encrypt and create a new record
    Comment:                                    Encrypting from domainB.com to domainA.com
    For messages from e-mail address:           *@domainB.com
    to e-mail address:                          *@domainA.com
    use this certificate (file in PEM format):  cert-pub-DomainA.pem
- select Options->S/MIME->Decrypt and create a new record
    Comment:                                    Decrypting from domainA.com to domainB.com
    For messages from e-mail address:           *@domainA.com
    to e-mail address:                          *@domainB.com
    use this certificate (file in PEM format):  cert-priv-DomainB.pem
    Verify S/MIME encryption:                   enable
    Remove S/MIME encryption:                   enable
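The two sample configurations above (user certificate and company certificate) differ only in which file each record points at; the message flow is the same. The following script is an added example, not XWall or CryptoFilter code and not part of the original page: it replays that flow with the OpenSSL command line so that the effect of each record on a message can be inspected. It assumes OpenSSL 1.1.1 or newer on the PATH and constructs everything it needs in the directory it is given: a throw-away CA in the role of CACert.pem, one certificate per site in the role of cert-priv-DomainA.pem and cert-priv-DomainB.pem, and two test messages. The directory names mirror CERT, CERT\PRIV and CERT\PUB from the page. Reading the "*" in a record as "the file named after the address in CERT\PUB" is an assumption the page implies but does not state.

```shell
#!/bin/sh
# Added example, not XWall/CryptoFilter code: the two-site exchange from the samples above,
# replayed with the OpenSSL CLI. Everything is constructed in the directory given as $1:
# a throw-away CA (in the role of CACert.pem), one certificate per site (in the role of
# cert-priv-DomainA.pem / cert-priv-DomainB.pem) and two test messages.
set -eu
exec 3>&2

# Abort the enclosing subshell on the first failing step, even when the function is
# called in a context (f || ..., $(f)) where "set -e" is ignored by the shell.
run() { "$@" || { echo "step failed: $*" >&3; exit 1; }; }

# Issue one site's certificate from the demo CA. Key and certificate are concatenated into
# one file, which is the "private certificate" layout the page expects in CERT\PRIV.
issue_site_cert() {   # $1 = site letter (A or B), $2 = e-mail address on the certificate
  dir="site$1/CERT"
  run mkdir -p "$dir/PRIV" "$dir/PUB"
  run openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$dir/PRIV/key.pem" -out "$dir/PRIV/req.pem" 2>/dev/null
  printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\n' "$2" > "$dir/PRIV/ext.cnf"
  run openssl x509 -req -in "$dir/PRIV/req.pem" -CA ca/ca.pem -CAkey ca/ca-key.pem \
      -CAcreateserial -days 30 -extfile "$dir/PRIV/ext.cnf" -out "$dir/PRIV/crt.pem" 2>/dev/null
  cat "$dir/PRIV/key.pem" "$dir/PRIV/crt.pem" > "$dir/PRIV/cert-priv-Domain$1.pem"
  run cp ca/ca.pem "$dir/CACert.pem"   # both sites trust the same issuer, like CACert.pem
}

smime_exchange() (   # $1 = empty working directory; all files are written there
  cd "$1"
  run mkdir ca
  run openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo SMIME CA" \
      -keyout ca/ca-key.pem -out ca/ca.pem 2>/dev/null
  issue_site_cert A user@domainA.com
  issue_site_cert B user@domainB.com

  # 1. Site A, Sign record *@domainA.com -> *@domainB.com with cert-priv-DomainA.pem:
  #    the outgoing message is signed and carries A's certificate (the private key is
  #    read from the same file, so no separate -inkey is needed).
  printf 'Hello from A\n' > msg-a.txt
  run openssl smime -sign -text -in msg-a.txt -signer siteA/CERT/PRIV/cert-priv-DomainA.pem \
      -from user@domainA.com -to user@domainB.com -subject "first contact" -out to-b.eml

  # 2. Site B, Verify record *@domainA.com -> *@domainB.com: the signature is checked against
  #    CACert.pem and stripped ("Remove S/MIME signature"), and the signer certificate is
  #    stored in CERT\PUB under the sender's address ("Collect the public certificate of
  #    the sender"). A signer that does not chain to -CAfile makes this step fail.
  run openssl smime -verify -in to-b.eml -CAfile siteB/CERT/CACert.pem \
      -signer siteB/CERT/PUB/user@domainA.com.pem -out b-received.txt

  # 3. Site B, Sign and Encrypt records *@domainB.com -> *@domainA.com: the reply is signed
  #    with B's own certificate and encrypted to the one collected in step 2 (assumed
  #    reading of "*" in the record: the file named after the address in CERT\PUB).
  printf 'Hello back from B\n' > msg-b.txt
  run openssl smime -sign -text -in msg-b.txt -signer siteB/CERT/PRIV/cert-priv-DomainB.pem \
      -out b-signed.eml
  run openssl smime -encrypt -aes256 -in b-signed.eml -from user@domainB.com -to user@domainA.com \
      -subject "Re: first contact" -out to-a.eml siteB/CERT/PUB/user@domainA.com.pem

  # 4. Site A, Decrypt record with cert-priv-DomainA.pem, then Verify record, which collects
  #    B's certificate. Both CERT\PUB directories are now populated, so from here on every
  #    message in either direction can be encrypted.
  run openssl smime -decrypt -in to-a.eml -recip siteA/CERT/PRIV/cert-priv-DomainA.pem \
      -out a-decrypted.eml
  run openssl smime -verify -in a-decrypted.eml -CAfile siteA/CERT/CACert.pem \
      -signer siteA/CERT/PUB/user@domainB.com.pem -out a-received.txt

  echo "site B received: $(grep -o 'Hello from A' b-received.txt)"
  echo "site A received: $(grep -o 'Hello back from B' a-received.txt)"
  echo "collected: $(ls siteA/CERT/PUB siteB/CERT/PUB | grep '\.pem$' | tr '\n' ' ')"
)

smime_exchange "$(mktemp -d)"
```

Run it with sh; it prints the two received bodies and the two collected certificate files. The verification steps are the ones to watch: openssl smime -verify refuses a signature whose certificate does not chain to the file given with -CAfile, which is what a missing or wrong CACert.pem looks like in practice, and a replay of step 2 against a message signed with the publicly available sample certificate would succeed only because its issuer is in CACert.pem, which is why the sample is for testing only.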
Install a certificate
The program expects the certificate in PEM format. A PEM file is text: the certificate (and, if present, the key) is Base64 encoded between -----BEGIN ...----- and -----END ...----- lines, so you can open it with a text editor. The file extension is .pem.
Your own certificates are private certificates and must contain a private key section (-----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----) in addition to the certificate. Private certificates are stored in the CERT\PRIV directory.
Your recipients' certificates are public certificates, which contain only the certificate, and are stored in the CERT\PUB directory.
Convert a certificate
When you obtain a certificate from an authority, they may send you a .p12 or .pfx file (PKCS#12), which you need to convert to a .pem file.
Extract PKCS12_to_PEM.bat and OpenSSL.exe from TLS/SSL Toolkit into a directory of your choice.
Run PKCS12_to_PEM.bat and give it the name of your .p12 or .pfx file; a cert.pem file will be created.
Sample: PKCS12_to_PEM mycert.pfx
Or you can use the online converter at https://www.sslshopper.com/ssl-converter.html. Keep in mind that a .p12 or .pfx file contains your private key, so uploading it to a third-party website hands that key to whoever runs the site; for a certificate you intend to use, convert it locally.
Sometimes when you obtain a certificate from an authority, they install it directly into the Windows certificate store. To export the certificate to a .pfx file, start MMC and select Add / Remove Snap-In -> Add -> Certificates -> My user account. In the snap-in select Certificates - Current User -> Personal, where you find the certificate. Right-click it and select All Tasks -> Export. In the export wizard choose to export the private key; without it you get only the public certificate (.cer), which cannot serve as a private certificate in CERT\PRIV.
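The conversion from Convert a certificate and the placement rule from Install a certificate, done by hand with the OpenSSL command line. This is an added example, not the toolkit's PKCS12_to_PEM.bat and not the program's own logic. It assumes OpenSSL 1.1.1 or newer on the PATH, constructs a stand-in .pfx from a throw-away self-signed certificate (passphrase demo), converts it, splits off the public part for the other site, and checks each resulting file for the sections the page requires before placing it under CERT/PRIV or CERT/PUB. That the private key must be stored without a passphrase is an assumption; the page gives no place to enter one.

```shell
#!/bin/sh
# Added example, not the toolkit's PKCS12_to_PEM.bat and not the program's own logic:
# the PKCS#12 -> PEM conversion with the openssl CLI, followed by the placement rule from
# "Install a certificate" applied to the resulting files. The .pfx is constructed here from
# a throw-away self-signed certificate; everything is written to the directory given as $1.
set -eu
exec 3>&2
run() { "$@" || { echo "step failed: $*" >&3; exit 1; }; }

# Count the PEM blocks in a file whose BEGIN line matches an ERE (prints 0 for none).
pem_count() {   # $1 = file, $2 = pattern
  grep -E -c -- "$2" "$1" || true
}

# Decide where a PEM file belongs: certificate + unencrypted private key -> CERT/PRIV,
# certificate only -> CERT/PUB. Anything else is rejected with a reason on stderr.
pem_destination() {   # $1 = file; prints the directory, returns 1 on reject
  [ -f "$1" ] || { echo "reject: $1 not found" >&2; return 1; }
  certs=$(pem_count "$1" '^-----BEGIN CERTIFICATE-----')
  keys=$(pem_count "$1" '^-----BEGIN (RSA |EC )?PRIVATE KEY-----')
  if [ "$certs" -eq 0 ]; then
    echo "reject: $1 has no CERTIFICATE block (still DER or PKCS#12? convert it first)" >&2
    return 1
  fi
  # Assumption: the program needs the key without a passphrase, since the page offers no
  # place to enter one. Both the PKCS#8 and the legacy PEM encryption markers are caught.
  if grep -E -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"; then
    echo "reject: $1 holds a passphrase-protected private key (convert with -nodes)" >&2
    return 1
  fi
  if [ "$keys" -gt 0 ]; then echo CERT/PRIV; else echo CERT/PUB; fi
}

convert_demo() (   # $1 = empty working directory
  cd "$1"
  # Stand-in for the .pfx a CA sends: a self-signed certificate packed with its key,
  # protected with the passphrase "demo". Only the .pfx survives this step.
  run openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=user@domainA.com" \
      -addext "subjectAltName=email:user@domainA.com" -keyout key.pem -out crt.pem 2>/dev/null
  run openssl pkcs12 -export -in crt.pem -inkey key.pem -passout pass:demo -out mycert.pfx
  rm key.pem crt.pem

  # What the conversion does: unpack key and certificate into one PEM file. -nodes writes
  # the key unencrypted; without it openssl asks for a new passphrase for the output.
  run openssl pkcs12 -in mycert.pfx -passin pass:demo -nodes -out cert-priv-DomainA.pem 2>/dev/null
  # The file for the other site is the certificate alone; the private key stays here.
  run openssl x509 -in cert-priv-DomainA.pem -out cert-pub-DomainA.pem

  mkdir -p CERT/PRIV CERT/PUB
  for f in cert-priv-DomainA.pem cert-pub-DomainA.pem; do
    dest=$(pem_destination "$f") || exit 1
    run cp "$f" "$dest/"
    echo "$f -> $dest"
  done
  # The key in CERT/PRIV must belong to the certificate handed out: compare public keys.
  [ "$(openssl x509 -in CERT/PUB/cert-pub-DomainA.pem -noout -pubkey)" = \
    "$(openssl pkey -in CERT/PRIV/cert-priv-DomainA.pem -pubout)" ] && echo "key and certificate match"
)

convert_demo "$(mktemp -d)"
```

pem_destination can be pointed at any file before it is copied into CERT\PRIV or CERT\PUB: it rejects a .pfx that was never converted, a certificate-only file offered as a private certificate, and a key that still carries a passphrase, the three mistakes that otherwise only show up when the first message fails to sign or decrypt.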
How to get a Certificate
Certificates usable for S/MIME are available from:
Forum
At the forum you find S/MIME: Best practice.