Dual S/MIME Certificates: Setup Guide

TL;DR

This guide shows you how to create two S/MIME certificates, one for signing emails and another for encrypting them, instead of the single dual-use certificate most people end up with. Keeping the two roles on separate key pairs has concrete benefits: the encryption private key can be backed up so that old mail stays readable, while the signing private key never leaves your control and its signatures stay non-repudiable; and compromise or expiry of one key does not force you to revoke the other.

Generating Dual SMIME Certificates

  1. Install OpenSSL: If you don’t have it already, install OpenSSL on your system. On Debian/Ubuntu:
    sudo apt update && sudo apt install openssl

    On macOS (using Homebrew):

    brew install openssl
  2. Create a Private Key for Signing: This key will be used to digitally sign your emails. It should only ever exist on the machines you send from. If you want the key file itself protected by a passphrase, add -aes256 to the command below and OpenSSL will prompt for one.
    openssl genrsa -out signing.key 2048
  3. Create a Certificate Signing Request (CSR) for Signing: The CSR contains the identity that will go into the certificate.
    openssl req -new -key signing.key -out signing.csr

    You’ll be prompted for details such as your name, email address, and location. The email address matters most: the CA copies it into the certificate, and mail clients only offer a certificate for a sender address that matches it exactly, so enter the address you actually send from.

  4. Create a Private Key for Encryption: Correspondents encrypt to the public key in this certificate, and this private key is what decrypts the mail they send you.
    openssl genrsa -out encryption.key 2048
  5. Create a Certificate Signing Request (CSR) for Encryption:
    openssl req -new -key encryption.key -out encryption.csr

    Again, fill in the details carefully, using the same name and email address as in your signing CSR so both certificates are tied to the same identity.

  6. Get Certificates Signed by a Certificate Authority (CA): You need a CA that your correspondents’ mail clients trust to sign both CSRs.
    • Several public CAs offer free or low-cost S/MIME certificates. Older guides name StartSSL, which has since shut down, and Comodo, whose CA business now operates as Sectigo; check current offerings rather than relying on those names.
    • Alternatively, use a commercial CA, or your organisation’s internal CA if mail only needs to be trusted inside the organisation.
    • Not every CA will issue two role-specific certificates from user-supplied CSRs; many only issue a single dual-use certificate. For the split to mean anything, ask the CA to set the Key Usage extension to digitalSignature (and nonRepudiation) on the signing certificate and to keyEncipherment on the encryption certificate, with Extended Key Usage emailProtection on both. After issuance, inspect each certificate’s Key Usage (for example with openssl x509 -text) and confirm the roles really are separated.
    • Submit your signing.csr and encryption.csr to the CA. They will return signed certificates (usually in .crt or .pem format). Let’s assume you receive signing.crt and encryption.crt.
  7. Combine Certificates and Keys: You now have four files:
    • signing.key (Signing Private Key)
    • signing.crt (Signing Certificate)
    • encryption.key (Encryption Private Key)
    • encryption.crt (Encryption Certificate)

    Mail clients do not import a bare .key and .crt pair; they expect each private key bundled with its certificate (and ideally the CA chain) in a PKCS#12 file (.p12 or .pfx), protected by an export password. Build one bundle per role with openssl pkcs12 -export, giving signing.p12 and encryption.p12. Never put both keys in one bundle, since the bundles will be backed up and handled differently (see Key Security below).
  8. Import into your Email Client: The process varies depending on your email client, but all of them import the PKCS#12 bundles, not the separate .key and .crt files.
    • Thunderbird: Go to Account Settings > End-To-End Encryption > S/MIME, open Manage S/MIME Certificates, and on the Your Certificates tab import signing.p12 and then encryption.p12. (Older Thunderbird releases had the same function under Account Settings > Security > Certificates.)
    • Outlook: Go to File > Options > Trust Center > Trust Center Settings > Email Security and use Import/Export under Digital IDs (Certificates) to import both bundles.
    • Consult your email client’s documentation for specific instructions.
  9. Configure Your Email Client: Enable S/MIME signing and encryption in your email client settings. Both Thunderbird (in the S/MIME section of End-To-End Encryption) and Outlook (Email Security > Settings) let you pick the two certificates independently.
    • Select the signing certificate as the certificate used to sign outgoing emails.
    • Select the encryption certificate as your encryption certificate. This is the certificate the client attaches to your signed mail so that correspondents can encrypt to you; incoming encrypted mail is decrypted with whichever imported private key matches, which needs no further configuration.
  10. Test Your Setup: Send a signed email to yourself and check that the client reports a valid signature from your signing certificate. Then send an encrypted email to yourself and confirm it decrypts. To test with another person, exchange signed emails first so that each client has cached the other’s encryption certificate, then send an encrypted message in each direction.

Important Considerations

  • Key Security: Protect your private keys (signing.key and encryption.key) and their .p12 bundles. Keep the key files passphrase-protected, or hold the keys on a smart card, token or hardware security module (HSM) so they cannot be copied. The two keys deserve different treatment, which is the point of the split: back up the encryption key securely (for example an offline copy of encryption.p12), because losing it makes every encrypted message you ever received unreadable; never back up or escrow the signing key, because a signature is only worth anything if you alone could have produced it.
  • Certificate Revocation: If a key is compromised, revoke the corresponding certificate immediately through your CA. With separate keys you only need to revoke the affected one; a lost signing key does not force you to replace the encryption certificate, and vice versa.
  • Regular Renewal: S/MIME certificates expire. Renew them before they do to avoid interruption of service. Keep expired encryption certificates and their private keys installed, since mail encrypted to them in the past can only be decrypted with those keys.
  • Security Best Practices: Stay alert to phishing; a valid signature proves who sent a message, not that its contents are safe. Before encrypting to a new correspondent, confirm out of band that the certificate you received really belongs to them.