Comments on How To Encrypt Mails With SSL Certificates (S/MIME)

How To Encrypt Mails With SSL Certificates (S/MIME)

This article is about how to use the S/MIME encryption function of common e-mail clients to sign and/or encrypt your mails safely. S/MIME uses SSL certificates which you can either create yourself or let a trusted certificate authority (CA) create one for you.


Comments

By: Anonymous

Many, many thanks. This article helped me so much.

By: Anonymous

Hi there,

Here are a couple notes regarding my experience with self-created Class1 certs for e-mail.

1: When you go to create the client cert, it is good practice to add the correct x509 extensions. Create a file called client.conf and add the following:

[user@host]$ cat client.cnf 
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

Now we can sign the certificate:

openssl x509 -req -days 36500 -in your_client_cert.csr -CA your_ca.crt -CAkey your_CA_private.key -CAcreateserial -out your_client.crt -extfile client.cnf -extensions ssl_client

Now that you have a client cert and key pair, you want to import it into a P12. It may be necessary to include the CA into the P12 so that recipients can add it to their CA truststore:

openssl pkcs12 -export -in your_client.crt -inkey your_client_private.key -out your_client.pfx -name "Your Name" -CAfile your_ca.crt -caname "Your CA Name" -chain

One very important note: "Your Name" and "Your CA Name" are the aliases used in the PKCS12 store. These aliases MUST be greater than one character long, else Sun/Oracle will fail to find the certificates in the store (refer to the code for sun.security.util.ObjectIdentifier). Using aliases/names like "1" or "2" will cause you random and insanely hard to resolve issues down the line.
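
Added example (not part of the comment above or of the original article): a self-contained check that a client certificate is issued by the CA rather than self-signed, and that its extensions pass OpenSSL's S/MIME purpose check. The CA name, subject, e-mail address and file names are constructed for the demo; it issues one certificate with the comment's `extendedKeyUsage = clientAuth` and one with `emailProtection`, then runs `openssl verify -purpose smimesign` on each.

```shell
#!/bin/sh
# Added example: throwaway CA and two client certs that differ only in EKU.
# Every name, subject and address below is constructed for this demo.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf.
printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
  'basicConstraints = critical, CA:TRUE' 'keyUsage = keyCertSign, cRLSign' > "$WORK/req.cnf"

make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -extensions v3_ca -subj "/CN=Demo Mail CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a cert signed by the CA (-CA/-CAkey); $1 is the extendedKeyUsage under test.
issue_cert() {
  printf '%s\n' '[smime_ext]' 'basicConstraints = CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' "extendedKeyUsage = $1" \
    'subjectAltName = email:alice@example.test' > "$WORK/$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=Alice Example" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.cnf" \
    -extensions smime_ext -out "$WORK/$1.crt" 2>/dev/null
}

# True only if the chain verifies and the leaf is acceptable for S/MIME signing.
smime_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose smimesign "$WORK/$1.crt" >/dev/null 2>&1
}

# True only if the issuer is the demo CA, i.e. the cert is not self-signed.
issued_by_ca() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer | grep -q 'Demo Mail CA'
}

make_ca
for eku in clientAuth emailProtection; do
  issue_cert "$eku"
  if smime_ok "$eku"; then verdict=accepted; else verdict=rejected; fi
  echo "extendedKeyUsage=$eku: smimesign $verdict"
done
```

With OpenSSL 1.1.1 and 3.x the `clientAuth` certificate is rejected for the `smimesign` purpose and the `emailProtection` one is accepted; both chain to the demo CA.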

By: Martin

Thanks a lot for that article! I tried to give smime a try but I was not successful so far. Your article saved me a lot of time and worked perfectly on my first try!

By: Anonymous

Hi

The second method generates p12 keys that have "00" as serial. I think that this is a problem.

Thanks

By: Herbert Duya

I use this but my .p12 certificate isn't recognized by iPhones. Please help in creating my own S/MIME. Thank you.

By: BOBO

Noice Article

 

By: jazz

How to enable with Roundcube webmail client and ISPConfig multi sites/email domains?