Using Digital Certificates for Email Messages
This document explains how to apply for a digital certificate through the University’s Manage My Account Web site and then how to use that digital certificate to sign and encrypt email messages. A digital certificate is a security tool that can be attached to an email message to verify that the sender of the message is who he or she claims to be and that the message has not been altered since it was sent. It can also be used to encrypt email messages.
Apply for a Digital Certificate
Apply for your digital certificate via the Self Service page at my.pitt.edu. You will need a University Computing Account username and password. You must also have secure access to a personal computer to ensure the security and integrity of your digital certificate. After your application has been approved, you will receive an email with a Personal Identification Number (PIN) for retrieving your digital certificate.
Important: You must use the same computer and Web browser to retrieve your digital certificate as you did to apply for your certificate. You also cannot apply for a digital certificate from the campus computing labs.
Note: If your advertised email address ends in “.pitt.edu” (for example, dept.pitt.edu), then that will be the address used for your digital certificate. If your advertised email address is blank, then your email@example.com email address will be used for your digital certificate. You can change your advertised email address by logging in to my.pitt.edu, selecting Profile, clicking Self-Service, and then clicking Contact Information.
To apply for a digital certificate, complete the following steps. Approval of your digital certificate application may take 24 hours or longer.
1. Log in to my.pitt.edu with your University Computing Account username and password.
2. Select Profile in the upper right hand corner and click Self Service.
3. Select Certificate Request.
4. If the message below displays at the top of your Web browser prompting you to run the add-on titled “Microsoft Certificate Enrollment Control”, then click the message and select run ActiveX Control.
5. Enter a challenge phrase that will be used to protect your digital certificate against unauthorized use. Read the Digital ID Subscriber Agreement and click Accept.
6. A pop-up window will display asking if you want to request a certificate now. Click Yes. A Digital ID Services pop-up window will display prompting you to look in your email Inbox for further instructions.
Note: Approval of your digital certificate may take 24 hours.
7. Once your application has been approved, an email will be sent to your official University email address from firstname.lastname@example.org. This email will contain a Personal Identification Number (PIN) required to retrieve your digital certificate.
8. Go to the Web site listed in the confirmation email using the same computer and Web browser that you used to apply for the digital certificate. Enter your PIN where prompted and click Submit.
9. A pop-up window may display asking if you want to add a certificate to your computer. Click Yes.
10. A confirmation screen will display indicating that your digital certificate has been successfully installed.
Export Your Digital Certificate from Internet Explorer 7
Your digital certificate was installed on the Internet browser that you used when applying for it (in this case, Internet Explorer 7). To digitally sign email messages with your certificate, you need to export a copy of the certificate from Internet Explorer 7 and then import it into the email application that you will use. Complete the following instructions to export your digital certificate.
1. Launch Internet Explorer 7. Click the Tools menu and select Internet Options.
2. The Internet Options window displays. Click the Content tab and then click the Certificates button.
3. Click the Personal tab, select the certificate you are going to export, then click the Export… button.
4. The Certificate Export Wizard launches. Click Next.
5. Click the radio button next to Yes, export the private key, then click Next.
6. On the Export File Format window, select the radio buttons next to Include all certificates in the certification path if possible and Enable strong protection (requires IE 5.0, NT SP4 or above). Click Next.
7. On the Password window, select and enter a password where prompted and click Next. You will use this password later when you import the certificate into your email application.
Important: Please be sure to remember your password. If you forget it, you will need to delete the file and export the certificate again.
Note: CSSD recommends that you use a password that is eight or more characters long consisting of some combination of letters, numbers, and special characters (for example, !, *, #, or $).
8. On the File to Export window, enter a file name in the File name text field and then click Next.
Note: You can click the Browse button if you also want to change the location in which the file is saved.
9. A Complete the Certificate Export Wizard displays with the settings that you selected during the export process.
Note: Please take note of the File Name row, which lists the location of the certificate file. This is the location from which you will import your digital certificate. It also serves as a backup copy of your digital certificate.
10. Click the Finish button. A window will display informing you the export was successful. Click OK.
11. Close the Certificates window and then close the Internet Options window.
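What the wizard above writes is a PKCS#12 (.pfx) file: your certificate, its chain and your private key, all encrypted under the password you chose in step 7. The following shell script is an added example, not part of the CSSD document, that uses the openssl command-line tool to build a throwaway self-signed certificate, wrap it the same way, and then check the properties that matter for the later import: the bundle opens only with the export password, it really contains the private key, and the email address bound into the certificate is the one your mail client will match against your From address. The name "Demo User", the address demo.user@example.com and the password are constructed values.

```sh
#!/bin/sh
# Added example: build and inspect a password-protected PKCS#12 (.pfx) bundle.
# Requires the openssl command-line tool (1.1.1 or later for -addext).
set -eu

WORK="${TMPDIR:-/tmp}/pfx-demo.$$"
mkdir -p "$WORK"

# make_demo_pfx PFX PASSWORD
# Creates a throwaway self-signed certificate and private key for a constructed
# identity and wraps both into a .pfx protected by PASSWORD, standing in for
# the file the browser's Certificate Export Wizard writes.
make_demo_pfx() {
  pfx="$1"; password="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo User" \
    -addext "subjectAltName=email:demo.user@example.com" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -name "Demo User" -out "$pfx" -passout "pass:$password"
}

# pfx_unlocks PFX PASSWORD
# Succeeds (exit 0) only if PASSWORD verifies the bundle's integrity MAC,
# i.e. it is the password chosen at export time.
pfx_unlocks() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# pfx_has_private_key PFX PASSWORD
# Succeeds only if the bundle carries a private key ("Yes, export the private
# key" in the wizard); a certificate-only export can neither sign nor decrypt.
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# pfx_email PFX PASSWORD
# Prints the e-mail address carried in the certificate's subjectAltName, which
# is the address the mail client compares with the From: line when signing.
pfx_email() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -ext subjectAltName |
    sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p'
}

# Demonstration run with a constructed password
DEMO_PFX="$WORK/demo.pfx"
make_demo_pfx "$DEMO_PFX" "correct-horse-battery"
pfx_unlocks "$DEMO_PFX" "correct-horse-battery" && echo "bundle opens with the export password"
pfx_unlocks "$DEMO_PFX" "wrong" || echo "bundle refuses a wrong password"
pfx_has_private_key "$DEMO_PFX" "correct-horse-battery" && echo "bundle contains the private key"
echo "address in certificate: $(pfx_email "$DEMO_PFX" "correct-horse-battery")"
```

Run it as `sh pfx-demo.sh`. The password check is an integrity MAC, so a wrong password is rejected outright rather than yielding garbage; this is also why a forgotten password cannot be recovered and the certificate must be exported again, as the Important note above says.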
Sign and Encrypt Emails in Outlook 2007
Import Your Certificate into the Windows Certificate Store
First, follow the instructions in this document to export your digital certificate. Then import your certificate into the Windows Certificate store by completing the following steps.
1. Locate the certificate file that you exported. Double click the .pfx file.
2. A Certificate Import Wizard window displays. Click Next.
3. The file you selected displays in the File Name text field. Click Next.
Note: If the file does not display in the text field, click the Browse button to locate it.
4. The Password window displays. Enter the password you used when exporting the certificate. Check the Enable Strong Private Key protection checkbox. Decide whether you want to Mark this key as exportable, and then click Next.
Note: Marking the key as exportable means you can export your public and private keys from Outlook at a later time. If you saved the digital certificate you exported from your Web browser in a safe location that you will remember, then there is no reason to make it exportable from Outlook.
5. The Certificate Store window displays. Make sure the radio button is selected next to Automatically select the certificate store based on the type of certificate. Click Next.
6. The Certificate Import Wizard displays a summary of the settings. Click Finish.
7. At the Importing a new private exchange key window, leave the default Security level set to Medium. Click OK.
8. A Certificate Import Wizard window may display informing you that the import was successful. Click OK.
Sign and Encrypt Emails in Outlook 2010
Now that you have imported your certificate into the Windows Certificate store, complete the following steps to enable Outlook to digitally sign and encrypt messages.
1. Launch Outlook 2007. From the Tools menu, select Trust Center.
Note: If you are using Outlook 2003, click the Tools menu, select Options, and click the Security tab.
2. Click the E-mail Security section. Select the checkboxes next to Add digital signature to outgoing messages and Send clear text signed messages when sending signed messages. Click OK.
Note: Do not select the option Encrypt contents and attachments for outgoing messages. It is best to manually choose encryption for individual email messages.
3. Send an email to yourself as a test. Your message should display the following icon:
Note: Each time you launch Outlook, you should be prompted to grant access to your private key the first time you attempt to send a message. Click OK to grant access to your key.
4. To manually encrypt an email, start a new message and click the encryption icon before sending your message.
Note: You can send an encrypted message only if you have the recipient's public key. To obtain a recipient’s public key, open a digitally signed message sent to you by your intended recipient. Right-click the name in the From field and add that person to your Outlook Contacts. Their public key certificate is stored with your contact entry. You can now send encrypted messages to this person.
Note: If you selected the Add digital signature to outgoing messages option in step 2, Outlook will include your public signing certificate in your outgoing messages so that others have the ability to send you encrypted messages.
Sign and Encrypt Emails in Mozilla Thunderbird
First, follow the instructions in this document to export your digital certificate. Then complete the following steps to encrypt and sign emails in Mozilla Thunderbird.
1. Launch Thunderbird. Click the Tools menu and select Account Settings.
2. Click the Security option for your University Computing Account.
3. In the Certificates section, click the View Certificates button.
4. If your certificate does not display, click Import and browse for the certificate that you exported in the first section of this document.
5. A File Name to Restore window appears. Use it to locate the key that you wish to import. When you have selected your file, click the Open button.
6. You may be prompted to enter a master password. Enter your password where prompted and click OK.
7. You will be prompted to enter the password you set when exporting this certificate. Enter your password and click OK.
8. An alert window will display indicating that you have successfully restored your security certificate and private key. Click OK.
9. Your University of Pittsburgh certificate will now display in the Certificate Manager window. Click OK to close the Certificate Manager window.
10. At the Security section, click the Select button below Digital Signing.
11. Select the certificate you just imported and click OK.
12. You will be prompted to use the same certificate to encrypt and decrypt messages sent to you. Click OK.
13. Your certificate will display in the Digital Signing section and the Encryption section. Make sure to select the checkbox next to Digitally sign messages (by default).
Note: Make certain the Never option is selected under Default encryption setting when sending messages. It is best to manually choose encryption for individual email messages.
14. Click OK to close the Account Settings window. All email messages that you send from Thunderbird will now be signed with your digital certificate.
15. To manually encrypt an email, start a new message, click the Security icon, and select Encrypt This Message.
Note: You can send an encrypted message only if you have the recipient's public key. In Thunderbird, when you receive a digitally signed email, the sender’s public key is saved. You can view the saved public keys by clicking the Tools menu, selecting Options, clicking the Privacy icon, and then clicking the Security tab. Select the View Certificates button and click the Other Peoples’ tab. You can send encrypted messages to any email address on this list.
Sign and Encrypt Emails in Microsoft Entourage for Mac
Import Certificates into Your Mac Personal Keychain
First, follow the instructions in this document to export your digital certificate. Then import your certificate into your Mac personal keychain by completing the following steps.
1. Launch the Microsoft Cert Manager application located in the Office folder.
2. Click on the Import icon.
3. Navigate to your certificate file and click Open.
4. Enter the password you used to protect your digital certificate and click Import.
5. You should see a message window that indicates that the certificate was successfully imported along with a list of the certificate’s contents. Click OK.
6. Your digital certificate should be displayed in the Certificates window under the Digital Identities keychain.
7. Close the Microsoft Certificate Manager.
Sign Emails in Mac Entourage 2008
Next, set up your University email account to use your digital certificate by completing the following steps.
1. Launch Microsoft Entourage. Click the Tools menu and select Accounts. Double click your University email account.
2. The Edit Account window will open. Click the Mail Security tab.
3. Click the Select button under Signing Certificate.
4. Select the digital certificate you want to use and click OK.
5. Your certificate will now display in the Digital Signing section. Make sure to check the box next to Digitally sign outgoing messages by default. The remaining two options should be checked by default.
6. Click the Select button under Encryption.
7. Select the digital certificate you want to use and click OK.
8. Your certificates will now display in the Edit Account window. Any email that you send from Entourage will now be signed with your digital certificate.
Note: Make certain the option Encrypt outgoing messages and attachments by default is unchecked. It is best to manually choose encryption for individual email messages.
9. Click OK to close the Edit Account window.
Encrypt Emails in Mac Entourage 2008
1. You can use Entourage to send an encrypted email message to someone, but you first need to save a copy of that person's digital certificate key to your address book. In order for you to do this, they must first send you a digitally signed message. To obtain an individual’s public key, open the digitally signed message and select View Details.
2. Make sure the General tab is selected and click Add To Contacts.
3. Click OK. The digital certificate is stored with your contacts entry for this person. You can now send encrypted email messages to this individual.
4. To manually encrypt an email, start a new message, click the Message menu, select Security, and select Encrypt Message.