How To Encrypt Mails With SSL Certificates (S/MIME)

Submitted by CSch (Contact Author) (Forums) on Thu, 2011-12-08 18:58. :: Linux | Desktop | Email | Security

Version 1.0
Author: Christian Schmalfeld  <c [dot] schmalfeld [at] projektfarm [dot] de>
Last edited 11/29/2011

This article is about how to use the S/MIME encryption function of common e-mail clients to sign and/or encrypt your mails safely. S/MIME uses SSL certificates which you can either create yourself or let a trusted certificate authority (CA) create one for you.

This tutorial comes without warranty of any kind. I do not guarantee that this will work for you.

 

1 Preliminary Note

S/MIME does not work in the direction you might think it does. Having a valid and trusted certificate yourself does not let you send encrypted mails; it lets you receive encrypted mails, provided they were encrypted with your public key.

S/MIME works as a paired-key system with a public and a private key. Your public key has to be given to everyone who wants to send encrypted mails to you, while you keep your private key, which is able to decrypt those incoming mails. That means that if you want to send encrypted mails, the receiver has to use S/MIME as well and you need to know his or her public key to encrypt messages. To give someone your public key, it is only necessary to send him or her an email signed with your certificate.
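The direction described above, played through on the command line with openssl smime as an added example (not part of the original tutorial). The identities alice and bob, the example.org addresses and all file names are assumptions; the keys are throwaway and unencrypted so the script runs without prompts.

```shell
#!/bin/sh
# Added example. Uses throwaway, unencrypted 2048-bit keys in a temp directory;
# "alice" and "bob" are constructed test identities, not from the article.

# mkid NAME: self-signed certificate NAME.crt with private key NAME.key
mkid() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$1@example.org" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# smime_direction: returns 0 only if every step behaves as described above
smime_direction() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1
    mkid alice || exit 1
    mkid bob || exit 1
    printf 'meet at noon\n' > msg.txt

    # 1. Alice signs with her PRIVATE key; the signed mail carries alice.crt
    openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key \
        -out signed.eml 2>/dev/null || exit 1

    # 2. Bob checks the signature (trusting the self-signed alice.crt) and
    #    saves the certificate found in the mail: now he has her public key
    openssl smime -verify -in signed.eml -CAfile alice.crt \
        -signer alice_from_mail.crt -out /dev/null 2>/dev/null || exit 1

    # 3. Bob encrypts with ALICE's certificate; his own key plays no role
    #    (-binary keeps the line endings of msg.txt unchanged)
    openssl smime -encrypt -binary -aes256 -in msg.txt -out enc.eml \
        alice_from_mail.crt || exit 1

    # 4. Alice decrypts with her private key and gets the original text back
    openssl smime -decrypt -in enc.eml -recip alice.crt -inkey alice.key \
        -out plain.txt || exit 1
    cmp -s msg.txt plain.txt || exit 1

    # 5. Bob's key cannot decrypt a message that was encrypted for Alice
    if openssl smime -decrypt -in enc.eml -recip bob.crt -inkey bob.key \
        -out /dev/null 2>/dev/null; then exit 1; fi
    exit 0
)

smime_direction && echo "S/MIME direction check passed"
```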

I wrote this tutorial on a machine running Linux Mint 11, so distribution-specific commands may have to be adapted to your distribution.

The steps for importing certificates into Thunderbird are the same on Linux as they are on every other operating system, so they can equally be used on Windows or Mac.

 

2 Creating An SSL Certificate Yourself

Creating a certificate yourself has the advantage of not having to give away your data to a certificate authority - these usually require your personal data and do not hesitate to validate it. You can also create a certificate authority yourself; however, this is not necessary to sign and decrypt mails.

 

2.1 Install OpenSSL

To create a certificate yourself, you need to install the openssl package, if you haven't done that already. To do so, open a terminal and enter the following:

sudo apt-get install openssl

You should then be able to enter the openssl-shell with

openssl

or to run openssl commands from the default shell by prefixing them with openssl. I will use the default shell in this tutorial.

 

2.2 Create a Self Signed Certificate

First, create a folder where the files belonging to your certificate will all be placed and direct your shell to that folder. I will have all my certificate-related files in /home/ctest/ssl, where ctest is my username. To create that folder and go there I use:

mkdir /home/ctest/ssl
cd /home/ctest/ssl

Before creating the actual certificate, we have to generate a key for it. Enter the following on the shell:

openssl genrsa -des3 -out cert.key 4096

You will then be asked to enter a passphrase for that keyfile:

ctest-System-Product-Name ssl # openssl genrsa -des3 -out cert.key 4096
Generating RSA private key, 4096 bit long modulus
.......++
...............................++
e is 65537 (0x10001)
Enter pass phrase for cert.key:

Next, you will generate the certificate signing request. Do it by entering:

openssl req -new -key cert.key -out cert.csr

You will then be asked for the certificate data. The Common Name attribute usually covers the server name, but do not enter a known server name such as smtp.gmail.com here - trusted servers are usually already known by your client, which will therefore treat your certificate as identity theft! Basically, anything else that you enter should work. Make sure to spell your email address correctly:

ctest-System-Product-Name ssl # openssl req -new -key cert.key -out cert.csr
Enter pass phrase for cert.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
ctest-System-Product-Name ssl #

Next, you sign the created request with the key created earlier:

openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt

You will be prompted for the passphrase you entered for it:

ctest-System-Product-Name ssl # openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt
Signature ok
[...]
Getting Private key
Enter pass phrase for cert.key:
ctest-System-Product-Name ssl #

In principle the certificate is now created, but one more step is needed before it can be used in mail clients. These expect certificates in the .p12 format, which is why we need to convert it. Do so with the following command (replace Your Name with something serious, your name for example; this is what the certificate will be called):

openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Your Name" -out cert.p12

The export password you are prompted for has to be entered whenever you import the certificate into or export it from a client, so be sure to remember it:

ctest-System-Product-Name ssl # openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Your Name" -out cert.p12
Enter pass phrase for cert.key:
Enter Export Password:
Verifying - Enter Export Password:
ctest-System-Product-Name ssl #

You should now have four files in your working directory. Check that by listing the directory's content:

ls -l

ctest-System-Product-Name ssl # ls -l
total 20
-rw-r--r-- 1 root root 2004 2011-11-28 12:52 cert.crt
-rw-r--r-- 1 root root 1752 2011-11-28 12:32 cert.csr
-rw-r--r-- 1 root root 3311 2011-11-28 12:31 cert.key
-rw-r--r-- 1 root root 4290 2011-11-28 12:53 cert.p12
ctest-System-Product-Name ssl #

If any of those files is missing, you have missed a step or made a mistake somewhere.

 

2.3 Alternative: Create a Certificate Authority to Sign A Certificate

This method is optional and not necessary if you have completed the steps for a self-signed certificate. It merely creates a certificate authority like Thawte, which then signs your certificate instead of you.

To create a CA, you need to create a key for it first:

openssl genrsa -des3 -out ca.key 4096

ctest-System-Product-Name ssl # openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
.................................................................++
...................................................................
...................................................................
...................................................................
...++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
ctest-System-Product-Name ssl #

Afterwards create the CA using the key you just generated:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

You will then be asked for the CA's data. The CA's Common Name must be different from the Common Name used in the certificate later.

ctest-System-Product-Name ssl # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
ctest-System-Product-Name ssl #

The following steps are similar to those in chapter 2.2. You create a certificate key

openssl genrsa -des3 -out cert.key 4096

and a certificate signing request (the Common Name attribute usually covers the server name, but do not enter a known server name such as smtp.gmail.com here - trusted servers are usually already known by your client, which will therefore treat your certificate as identity theft! Basically, anything else that you enter should work. Make sure to spell your email address correctly):

openssl req -new -key cert.key -out cert.csr

Now comes the signing. Instead of signing it yourself, you use the certificate authority you created earlier:

openssl x509 -req -days 365 -in cert.csr -CA ca.crt -CAkey ca.key -set_serial 00 -out cert.crt

ctest-System-Product-Name ssl # openssl x509 -req -days 365 -in cert.csr -CA ca.crt -CAkey ca.key -set_serial 00 -out cert.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Getting CA Private Key
Enter pass phrase for ca.key:
ctest-System-Product-Name ssl #

In principle the signed certificate is now created, but one more step is needed before it can be used in mail clients. These expect certificates in the .p12 format, which is why we need to convert it. Do so with the following command (replace Your Name with something serious, your name for example):

openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Your Name" -out cert.p12

The export password you are prompted for has to be entered whenever you import the certificate into or export it from a client, so be sure to remember it:

ctest-System-Product-Name ssl # openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Your Name" -out cert.p12
Enter pass phrase for cert.key:
Enter Export Password:
Verifying - Enter Export Password:
ctest-System-Product-Name ssl #

You should now have six files in your working directory. Check that by listing the directory's content:

ls -l

ctest-System-Product-Name ssl # ls -l
total 28
-rw-r--r-- 1 root root 2041 2011-11-28 13:44 ca.crt
-rw-r--r-- 1 root root 3311 2011-11-28 13:43 ca.key
-rw-r--r-- 1 root root 1793 2011-11-28 13:45 cert.crt
-rw-r--r-- 1 root root 1651 2011-11-28 13:44 cert.csr
-rw-r--r-- 1 root root 3311 2011-11-28 13:44 cert.key
-rw-r--r-- 1 root root 4122 2011-11-28 13:45 cert.p12
ctest-System-Product-Name ssl #

If any of those files is missing, you have missed a step or made a mistake somewhere.
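A way to confirm that the files produced in 2.2 and 2.3 actually belong together before importing cert.p12, as an added example that is not part of the original tutorial. check_cert and cert_serial are hypothetical helper names, and the demo repeats the commands of 2.3 with constructed throwaway keys; it also reads back the serial number, which -set_serial 00 fixes at 00.

```shell
#!/bin/sh
# Added example. check_cert KEY CRT ISSUER returns
#   0  CRT carries KEY's public key and verifies against ISSUER
#   1  KEY and CRT do not belong together
#   2  a file could not be read
#   3  CRT was not signed by ISSUER
# For the self-signed certificate of 2.2, pass cert.crt as ISSUER too.
check_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$k" = "$c" ] || return 1
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 3
}

# cert_serial CRT: print the serial number, e.g. "00" after -set_serial 00
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Constructed demo: repeats the commands of 2.3 with throwaway unencrypted
# 2048-bit keys and -subj instead of the interactive prompts.
demo_checks() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    cd "$d" || exit 1
    for n in ca cert other; do
        openssl genrsa -out "$n.key" 2048 2>/dev/null || exit 1
    done
    openssl req -new -x509 -days 1 -key ca.key -subj "/CN=Test CA" -out ca.crt
    openssl req -new -x509 -days 1 -key other.key -subj "/CN=Other CA" \
        -out other.crt
    openssl req -new -key cert.key -out cert.csr \
        -subj "/CN=Test User/emailAddress=user@example.org"
    openssl x509 -req -days 1 -in cert.csr -CA ca.crt -CAkey ca.key \
        -set_serial 00 -out cert.crt 2>/dev/null || exit 1

    check_cert cert.key cert.crt ca.crt || exit 1    # everything consistent
    check_cert other.key cert.crt ca.crt
    [ $? -eq 1 ] || exit 1                           # wrong private key
    check_cert cert.key cert.crt other.crt
    [ $? -eq 3 ] || exit 1                           # wrong issuer
    [ "$(cert_serial cert.crt)" = "00" ] || exit 1
)

demo_checks && echo "certificate checks passed"
```

With the passphrase-protected keys from the tutorial, openssl pkey asks for the passphrase before check_cert can compare the keys.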


Submitted by Anonymous (not registered) on Tue, 2013-10-15 21:43.
Hi

The second method generates p12 keys that have "00" as serial. I think that this is a problem

thanks

Submitted by Martin (not registered) on Sun, 2013-07-14 00:21.
Thanks a lot for that article! I tried to give smime a try but I was not successful so far. Your article saved me a lot of time and worked perfectly on my first try!
Submitted by Anonymous (not registered) on Fri, 2011-12-16 21:48.

Hi there,

Here are a couple notes regarding my experience with self-created Class1 certs for e-mail.

 1:  When you go to create the client cert, it is good practice to add the correct x509 extensions.  Create a file called client.cnf and add the following:

[user@host]$ cat client.cnf 
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

Now we can sign the certificate:

openssl x509 -req -days 36500 -in your_client_cert.csr -CA your_ca.crt -CAkey your_CA_private.key -CAcreateserial -out your_client.crt -extfile client.cnf -extensions ssl_client

 Now that you have a client cert and key pair, you want to import it into a P12.  It may be necessary to include the CA into the P12 so that recipients can add it to their CA truststore:

openssl pkcs12 -export -in your_client.crt -inkey your_client_private.key -out your_client.pfx -name "Your Name" -CAfile your_ca.crt -caname "Your CA Name" -chain

 One very important note:  "Your Name" and "Your CA Name" are the aliases used in the PKCS12 store.  These aliases MUST be greater than one character long, else Sun/Oracle will fail to find the certificates in the store (refer to the code for sun.security.util.ObjectIdentifier).  Using aliases/names like "1" or "2"  will cause you random and insanely hard to resolve issues down the line.

Submitted by Anonymous (not registered) on Fri, 2011-12-16 21:42.
Many, many thanks. This article helped me very much.