Using Digital Certificates to Encrypt Email Messages

Overview

This document explains how to apply for a digital certificate through the University’s Accounts Self-Service website and how to use that digital certificate to sign and encrypt email messages. A digital certificate is a security tool that can be attached to an email message to verify that the sender of the message is who he or she claims to be and that the message has not been altered since it was sent. It can also be used to encrypt email messages.

 

Detail

Step 1 - Apply

Apply for your digital certificate via the Accounts Self-Service page. You will need a University Computing Account username and password. You must also have secure access to a personal computer to ensure the security and integrity of your digital certificate. After your application has been approved, you will receive an email with a Personal Identification Number (PIN) for retrieving your digital certificate.

Important: You must use the same computer and web browser to retrieve your digital certificate as you did to apply for your certificate. You also cannot apply for a digital certificate from the Student Computing Labs.

Note: If your advertised email address has a prefix between "@" and ".pitt.edu" (for example, dept.pitt.edu), then that will be the address used for your digital certificate. If your advertised email address is blank, then your username@pitt.edu email address will be used for your digital certificate.

To apply for a digital certificate, complete the following steps. Approval of your digital certificate application may take 48 hours.

  1. Log in to Accounts Self-Service with your University Computing Account username and password.
  2. Select Login & Security.
  3. Select Certificate Request.
  4. Check the boxes on the Digital Certificate Request form for Request Encryption Certificates and Request Signing Certificates, then click Submit Request.
  5. Your request will be sent.

 

Step 2 - Collect

  1. Once approved, an email with additional instructions will be sent. Click the link to create your digital certificate.
  2. Fill out the Certificate Manager form, then click Submit.
    Note: The PIN, which you enter twice, is optional but is used to import and install your digital certificate and key. Items marked with an asterisk (*) are required fields. The passphrase you enter twice is used if you need to revoke a certificate (before requesting a new one).


  1. Click Download, select a location to save the file to, such as a personal network drive or department-assigned drive, enter a File name (optional), and click Open.


 

Step 3 - Install

  1. Locate the digital certificate and double-click it.


  1. A wizard launches. Make sure Current User is selected, then click Next.

  2. For File to Import, the file should appear in the File name field. Click Next.

  3. For Private key protection make sure the following information is provided:

    • For Password enter the PIN that you provided during the registration process. If you did not create a PIN, leave this field blank.
    • Mark this key as exportable is checked.
    • Include all extended properties is checked.

    Click Next.
  4. For the Certificate Store, make sure Automatically select the certificate store based on the type of certificate is selected, then click Next.

  5. Review your information. To import the certificate and close the wizard click Finish, then OK.

 

Step 4 - Verify

  1. Launch Microsoft Outlook and make sure File is selected so you can see Account Information. Click Options.

  2. From the options along the left-hand column select Trust Center, then select Trust Center Settings...

  3. From the Trust Center options along the left-hand column select Email Security, then from Encrypted email select Settings...

  4. Look for the certificate information for Signing Certificate and Encryption Certificate. If this information is populated in these fields, then the certificate has been added to the Trust Center. Click OK and skip the rest of this step.

    If the certificate information is not populated to these fields, click Choose... then do the following steps first for Signing Certificate then for Encryption Certificate:
         Click More choices > Select your certificate (it will be highlighted) > OK.

  5. Click OK to confirm your changes to your security settings.
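
The import from Step 3 can also be checked outside Outlook. The PowerShell below is an added example, not part of the original article; it assumes the wizard placed your certificates in the Current User Personal store (Cert:\CurrentUser\My) and that they carry the Secure Email usage (OID 1.3.6.1.5.5.7.3.4).

```powershell
# Added example: list S/MIME-capable certificates imported for the current user.
# Assumptions (not stated in the article): the certificates landed in
# Cert:\CurrentUser\My and include the Secure Email EKU.
$secureEmailOid = '1.3.6.1.5.5.7.3.4'
$now = Get-Date

Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $secureEmailOid } |
    ForEach-Object {
        $cert = $_

        # The Key Usage extension shows whether a certificate is meant for
        # signing (DigitalSignature), encryption (KeyEncipherment), or both.
        $keyUsageExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1
        $keyUsage = if ($keyUsageExt) { $keyUsageExt.KeyUsages.ToString() } else { 'not restricted' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            KeyUsage      = $keyUsage
            # Without the private key you cannot sign or read encrypted mail.
            HasPrivateKey = $cert.HasPrivateKey
            Expires       = $cert.NotAfter
            ValidNow      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        }
    } |
    Format-Table -AutoSize
```

Each certificate you intend to use should show HasPrivateKey and ValidNow as True. If nothing is listed, the import did not reach the Personal store and Step 3 should be repeated.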

 

Step 5 - Export A Copy of the Public Certificate Key

A copy of your public key can be exported to the Global Address List directory (GAL) in Outlook. You can use this key to send and receive encrypted email communications with others who have shared public keys in the GAL. To save a copy of your public key to the GAL:

  1. Click the Publish to GAL... option in the Outlook Trust Center.
    Note: You can access the Trust Center in Outlook by clicking File > Options > Trust Center > Trust Center Settings... > Email Security.
  2. Click OK to confirm your decision to publish your public certificate key. Click OK when you see the message that the certificate key was published successfully.
    Note: It may take an hour before the public key is available for other users to download from the GAL.

 

Step 6 – Encrypt Email Messages

You can send and receive encrypted email communications with others who have published digital certificates in the GAL.

Encrypt email from Outlook 2016

  1. Launch Outlook, then select New Email.
  2. Select Options > More Options > Security Settings.
  3. Check the Encrypt message contents and attachments box.
  4. Compose your message, and select Send.
  5. Each recipient with a published digital certificate will be able to read your email and send an encrypted reply.

 

Encrypt email from Pitt Email (Outlook)

  1. Log in to My Pitt, and select Pitt Email.
  2. Select New Email Message >  (More Actions) > Show message options...
  3. Check the Encrypt this message (S/MIME option) box, then select OK.
  4. Compose your message and click Send.
  5. Each recipient with a published digital certificate will be able to read your email and send an encrypted reply.

 


Details

Article ID: 150
Created: Wed 7/26/23 9:30 AM
Modified: Thu 11/9/23 1:06 PM

Related Services / Offerings (1)

IDENTITY AND ACCESS MANAGEMENT A digital certificate is an electronic signature that establishes your credentials when doing business or other transactions on the Web.