Integrating user certificates
This article explains how to integrate user certificates into supported e-mail clients and use them for encrypting and signing.
1. Integrating user certificates in Outlook
These instructions were created with Outlook 2016 in Windows 10 (as of 23.04.2020).
Please note
To solve the problem, you can change the display name of the certificate.
I. Importing your own .p12 file into the Windows certificate store
To be able to sign documents electronically or send signed or receive encrypted e-mails, you must first import your personal user certificate into the Windows certificate store.
To do so, please search for the certificate file on your computer and open it with a double click:
This will launch the Certificate Import Wizard:
In the next step, you are asked to choose a certificate file. In this case, the file has already been selected:
Next, enter the password you set when creating the .p12 file.
Choose import options:
- We recommend that you do NOT select "strong private key protection". However, we strongly urge you to make sure that your computer cannot be used by other persons at any time.
- Should you wish to set "strong private key protection", be aware of the following complication: you will be asked (in three pop-ups not shown here) to set a Windows CryptoAPI password protecting your private key. This password must be entered every time your e-mail or document application creates a digital signature. In the long run this can grate on the most noble constitution.
- Choose "Mark key as exportable" to be able to generate a .p12 file from the Windows certificate store later.
- This is optional, but a useful backup option were you to lose your .p12 file.
Choose a certificate store:
Click "Finish" to start the certificate import:
Click "OK" to complete the procedure:
II. Configure automatic signature
Please note
Before you can start configuring Outlook, you must import your personal user certificate into the Windows certificate store.
If you do not own a certificate, you can apply for one via the RA-Portal. For more information please visit "User certificates RA-Portal".
Digital signatures allow the recipient of an email to verify...
- the identity of a sender
- that an email has not been modified while being transmitted
Old certificates can also be replaced with new certificates.
Configuration
You can configure Outlook to automatically sign emails in the Trust Center. To open the Trust Center settings, click "File" → "Options" → "Trust Center" → "Trust Center Settings".
In the Trust Center, you can configure an automatic signature under the "Email Security" heading. With the settings shown below:
- all outgoing e-mails are digitally signed by default;
- signed e-mails are sent as clear-text signed messages, so recipients without S/MIME support can still read them.
Click on "Settings" to continue.
Optional: If you have not yet imported your certificate into Windows, you can do so with the "Import/Export" button. You must then locate your .p12 file and enter the corresponding password.
You can replace an existing certificate by selecting "Settings" in the Email Security menu in the step above.
If Outlook is already configured to use a certificate, you can replace it with a new certificate (e.g. if the old certificate is expiring).
The new certificate must have been imported into the Windows certificate store. In the case of certificates for functional e-mail addresses, we recommend adapting the display name of the certificate.
Using the "Choose" buttons, select the new certificate as your signing certificate and as your encryption certificate.
- If you have multiple e-mail addresses, you can use the "New" button to create separate Security Settings for a different address. You can then switch between the settings using the "Security Settings Name" drop-down menu.
Set the hash algorithm and encryption algorithm:
- Tick the two boxes setting the default cryptography formats
- Select the hash algorithm SHA256
- Select the encryption algorithm AES (256-bit)
- Tick the box "Send these certificates with signed messages"
Send a digitally signed e-mail (optional)
If you have configured Outlook to sign automatically, the "Sign" option will be selected by default when sending an email.
You can verify the digital signature of a signed e-mail by clicking on the signature icon.
A "valid" signature means that the signature over the message hash is correct, i.e. the content of the message was not modified in transmission.
A "trusted" signature means that the public RSA key of the sender was included in a user certificate issued by a certificate authority whose certificate chain is anchored in a root certificate included in Outlook's certificate store. It does not necessarily prove the identity of the sender!
You can view the identity of the sender by clicking on "Details...".
Select the signer and click "View Details".
You can view the certificate in the "General" tab. Click "View Certificate..." to show the certificate details.
In the "Certification Path" tab, you can see the certificates in the certificate chain and the sender's certificate at the end of the chain.
- T-TeleSec is the root certificate (preinstalled in Outlook)
- the two intermediate certificates belong to DFN-Verein
- the sender's user certificate is at the bottom of the chain
In this example, the sender is using a group certificate, denoted by the "GRP" prefix. The field for their certificate displays the Common Name from their certificate; this is the proof-of-identity part and would usually be the sender's name.
III. Configure e-mail encryption (optional)
With this setting, Outlook attempts to encrypt all outgoing e-mails. Encryption is only possible if Outlook knows the recipient's public RSA key. This requires either a handshake (i.e. you have already received a signed e-mail from the recipient) or that you have saved the recipient's user certificate in Outlook using the PKI LDAP server. In both cases, the recipient must be explicitly saved as a separate "contact".
If "Encrypt" has been set via the Trust Center, "Encrypt" is already preselected. Otherwise you must select it for each e-mail.
This error message occurs when you are trying to send an encrypted message but Outlook does not know the recipient's public RSA key. Outlook can only "know" a public key if you have stored the recipient's data, including their user certificate, as a private contact. It is not sufficient to have the recipient in your department's Exchange address book etc.
This is an example of a received e-mail, which has been
The subject is never encrypted. The text can only be read if Outlook knows the private RSA key of the recipient. Click on the "lock" symbol.
The e-mail is encrypted and signed.
Encryption details
IV. Configure DFN-LDAP as an address book (optional)
The DFN-PKI LDAP server is required to send an encrypted e-mail to a recipient whose public RSA key is not yet available to you (e.g. because you have not received a signed e-mail from them).
The recipient must have received a user certificate from the DFN-PKI and have agreed to its publication in the LDAP directory.
You define a new Address Book.
Your new address book is an LDAP server.
The server name is "ldap.pca.dfn.de".
This dialog only informs you that you need to restart Outlook; clicking "OK" does not do it. You need to restart Outlook manually before you can use the new Address Book.
This tells Outlook to use a secure connection to the LDAP server. With "Anzeigename" (display name) you name your LDAP address book, e.g. "ldap-DFN-PKI". With "Anschluss" (port) you define the TCP port of the LDAP server; the value "636" enforces a secure connection.
Here you define the scope of your search within the LDAP directory structure. Your widest search scope can be "ou=DFN-PKI,o=DFN-Verein,c=de". (Please do not select server support, "Suche aktivieren" (enable search).)
If you have not yet restarted your system during configuration, please do so now.
2. Integrating user certificates in Thunderbird
Please note:
The .p12 file created on the DFN-PKI website contains all needed certificates.
If the file was created with, for example, openssl, the CA certificates "intermediatecacert.pem" and "cacert.pem" need to be downloaded as well.
You can import these certificates after the download:
- Open the certificate store to import your own certificate including the RSA key pair
- Import your own certificate
- Check whether the import was successful
- Then close all open windows again
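Added example, not part of the original guide, for two points made above: the difference between a "valid" and a "trusted" signature from the Outlook section, and why a .p12 built with openssl needs the CA certificates added. It assumes openssl 1.1.1 or later on the PATH; every name, address and the passphrase are constructed.

```shell
# Builds a throwaway chain shaped like the one Outlook shows (root ->
# intermediate -> user), packs the user key into a .p12 with the CA
# certificates, signs an S/MIME message and separates "valid" (digest
# matches) from "trusted" (chain anchored in a known root). Constructed data.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > user.ext
printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.org\n' >> user.ext
csr() { openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }
make_pki() {
  csr root "/CN=Example Root CA"; csr other "/CN=Unrelated Root CA"
  csr inter "/CN=Example Intermediate CA"; csr user "/CN=Alice Example"
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.crt 2>/dev/null
  openssl x509 -req -in other.csr -signkey other.key -days 1 -extfile ca.ext -out other.crt 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1 \
    -extfile ca.ext -out inter.crt 2>/dev/null
  openssl x509 -req -in user.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 1 \
    -extfile user.ext -out user.crt 2>/dev/null
  # A .p12 made "with openssl" holds only the user certificate unless the CA
  # certificates are added via -certfile; the DFN-PKI download already has them.
  cat inter.crt root.crt > chain.pem
  openssl pkcs12 -export -inkey user.key -in user.crt -certfile chain.pem \
    -passout pass:example -out user.p12
}
# Number of certificates the .p12 carries (user + intermediate + root = 3).
p12_cert_count() {
  openssl pkcs12 -in user.p12 -passin pass:example -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
# Sign; -certfile ships the intermediate with the message, as Outlook's
# "Send these certificates with signed messages" setting does.
sign_message() {
  printf 'Only the message body is protected by the signature.\n' > msg.txt
  openssl cms -sign -in msg.txt -signer user.crt -inkey user.key -certfile inter.crt -out signed.eml
}
# "valid": the digest matches the content of file $1; the chain is not examined.
signature_valid() { openssl cms -verify -in "$1" -noverify -out /dev/null 2>/dev/null; }
# "trusted": the chain of signed.eml ends in the root certificate file $1.
signature_trusted() { openssl cms -verify -in signed.eml -CAfile "$1" -out /dev/null 2>/dev/null; }
# A modified copy of the clear-text part: the signature no longer matches.
tampered_copy() { sed 's/protected/PROTECTED/' signed.eml > tampered.eml; echo tampered.eml; }
make_pki; sign_message
echo "certificates in user.p12: $(p12_cert_count)"
signature_valid signed.eml && echo "valid: content unmodified"
signature_trusted root.crt && echo "trusted: chain anchored in Example Root CA"
signature_trusted other.crt || echo "not trusted: unknown root (signature itself still valid)"
signature_valid "$(tampered_copy)" || echo "tampered copy: signature invalid"
```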
II. Configure automatic signature
Please note:
Before the configuration can begin, you must import your personal e-mail certificate into the certificate store.
If you do not yet have a certificate, you can apply for one via the RA portal. Further information can be found here.
- Open the security settings for the account
- Choose the previously imported certificate for signing (automatic) and encrypting
- Finally, close all open windows
III. Configure DFN-LDAP as an address book (optional)
Please note:
Therefore, every user certificate should be published.
In Thunderbird select the "Burger Menu" (three stripes) on the right and choose settings:
- Open the "Composition" tab (1)
- Scroll to "Addressing" (2)
- Check "Directory Server" (3) and click on "Edit Directories..." (4)
Click on "Add" and make the following settings:
- Name: name of the address book (e.g. ldap-DFN-PKI)
- Hostname: ldap.pca.dfn.de
- Base DN: ou=DFN-PKI,o=DFN-Verein,c=de
- Port number: 636
- Bind-DN: leave empty!
- Check "Use secure connection (SSL)"
Once the settings are made, confirm the dialog by clicking on "OK".
The address book can then be found under "Address Book" in the menu bar.