TL;DR
This guide shows how to automatically import and distribute private S/MIME keys to users for secure email communication. We’ll cover key generation, storage, automated distribution using a central server, and client-side installation.
1. Key Generation & Certificate Request
- Generate a Key Pair: Use OpenSSL or a similar tool to create an RSA key pair. A 2048-bit or 4096-bit key is recommended.

    openssl genrsa -out user1.key 4096

- Create a Certificate Signing Request (CSR): This request will be sent to your Certificate Authority (CA).

    openssl req -new -key user1.key -out user1.csr

  You’ll be prompted for information such as name and organisation.
- Get the Signed Certificate: Submit the CSR to your CA and receive a signed certificate (user1.crt).
2. Secure Key Storage
Never store private keys in plain text! Use a Hardware Security Module (HSM) or a secure key management system.
- HSM: If using an HSM, follow the manufacturer’s instructions to import the key pair into the HSM.
- Key Management System: Store the private key encrypted with a strong password and access control.
- Consider using a dedicated key management service (KMS) like AWS KMS or HashiCorp Vault.
- Implement robust auditing to track key usage.
3. Automated Distribution Server Setup
We’ll create a simple server that allows users to download their private keys securely.
- Server Software: Use a web server (e.g., Apache, Nginx) with HTTPS enabled.
- Directory Structure: Create a directory structure to store the encrypted key files for each user (e.g., /var/www/keys/user1.enc).
- Encryption Script: Write a script that encrypts the private key using a unique password per user.

    #!/bin/bash
    # Example using OpenSSL for encryption
    set -euo pipefail
    umask 077                                   # password and key files are owner-readable only
    pwd=$(openssl rand -base64 32)
    echo "$pwd" > /var/www/keys/user1.password
    # -pbkdf2 uses proper key derivation; "$pwd" is quoted so shell metacharacters in the password cannot break the command
    openssl enc -aes-256-cbc -salt -pbkdf2 -in user1.key -out /var/www/keys/user1.enc -k "$pwd"

- Download Script: Create a script that allows users to download their encrypted key and password.
- Implement authentication (e.g., username/password, multi-factor authentication).
- Log all downloads for auditing purposes.
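The packaging step above, as an added example that is not the guide's own script: it encrypts one user's key with a per-user random password, keeps both files owner-only, appends an audit record, and verifies that the package decrypts back to the same key. It assumes openssl is installed; KEY_ROOT and the audit log path are constructed stand-ins for /var/www/keys.

```shell
#!/bin/bash
# Added example (not from the original guide). Assumes openssl is available.
set -eu
umask 077                                  # every file we create is owner-only (0600)

KEY_ROOT="${KEY_ROOT:-$(mktemp -d)}"       # constructed; the guide uses /var/www/keys
AUDIT_LOG="$KEY_ROOT/audit.log"            # constructed audit trail for section 3's logging

# package_user_key USER KEYFILE -> writes USER.enc and USER.password under KEY_ROOT
package_user_key() {
  local user="$1" keyfile="$2"
  local pwd enc="$KEY_ROOT/$user.enc" pwfile="$KEY_ROOT/$user.password"
  pwd=$(openssl rand -base64 32)
  # The password goes in via the environment, not argv, so it never shows up in `ps`.
  PW="$pwd" openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
      -in "$keyfile" -out "$enc" -pass env:PW
  printf '%s\n' "$pwd" > "$pwfile"
  printf '%s packaged key for %s\n' "$(date -u +%FT%TZ)" "$user" >> "$AUDIT_LOG"
}

# verify_package USER KEYFILE -> succeeds only if the package decrypts to a key whose
# public half matches the original (a wrong password or corrupt file yields no match)
verify_package() {
  local user="$1" keyfile="$2"
  local enc="$KEY_ROOT/$user.enc" pwfile="$KEY_ROOT/$user.password"
  local orig_pub dec_pub
  orig_pub=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null)
  dec_pub=$(openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
              -in "$enc" -pass file:"$pwfile" 2>/dev/null | openssl pkey -pubout 2>/dev/null)
  [ -n "$orig_pub" ] && [ "$orig_pub" = "$dec_pub" ]
}
```

Note that the same -pbkdf2 and -iter values must be used on the decrypt side, otherwise a correct password still fails. Mail clients generally import a PKCS#12 bundle of key plus certificate (openssl pkcs12 -export -inkey user1.key -in user1.crt) rather than a raw enc'd key, so the downloaded file may need that final conversion before the import step in section 4.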
4. Client-Side Installation
Guide users on how to install the private key into their email client or operating system.
- Download Key Files: Users download their encrypted key file (user1.enc) and password from the distribution server.
- Import into Email Client: Most email clients (e.g., Outlook, Thunderbird) have an import function for S/MIME certificates and keys.
- Users will need to provide their password to decrypt the key file during import.
- Ensure users understand how to select the correct certificate in their email client settings.
- Import into Operating System: Windows and macOS have built-in tools for managing S/MIME certificates.
- Windows Certificate Manager (certmgr.msc)
- macOS Keychain Access
5. Security Considerations
- Password Management: Users must choose strong, unique passwords for their key files.
- Key Rotation: Regularly rotate S/MIME keys to minimize the impact of a potential compromise.
- Revocation: Implement a mechanism for revoking compromised certificates.
- Auditing: Continuously monitor key usage and download activity.