
Using Digital Certificates for Email Messages

Overview

This document explains how to apply for a digital certificate through the University’s Manage My Account Web site and then how to use that digital certificate to sign and encrypt email messages. A digital certificate is a security tool that can be attached to an email message to verify that the sender of the message is who he or she claims to be and that the message has not been altered since it was sent. It can also be used to encrypt email messages.

Apply for a Digital Certificate

Apply for your digital certificate via the Self Service page at my.pitt.edu. You will need a University Computing Account username and password. You must also have secure access to a personal computer to ensure the security and integrity of your digital certificate. After your application has been approved, you will receive an email with a Personal Identification Number (PIN) for retrieving your digital certificate.

Important: You must use the same computer and Web browser to retrieve your digital certificate as you did to apply for your certificate. You also cannot apply for a digital certificate from the campus computing labs.

Note: If your advertised email address ends in “.pitt.edu” (for example, dept.pitt.edu), then that will be the address used for your digital certificate. If your advertised email address is blank, then your username@pitt.edu email address will be used for your digital certificate. You can change your advertised email address by logging in to my.pitt.edu, selecting Profile, clicking Self-Service, and then clicking Contact Information.

To apply for a digital certificate, complete the following steps. Approval of your digital certificate application may take 24 hours or longer.

1. Log in to my.pitt.edu with your University Computing Account username and password.

2. Select Profile in the upper right hand corner and click Self Service.

3. Select Certificate Request.

4. If the message below displays at the top of your Web browser prompting you to run the add-on titled “Microsoft Certificate Enrollment Control”, then click the message and select Run ActiveX Control.

Using Digital Certificates for Email Screenshot 1

5. Enter a challenge phrase that will be used to protect your digital certificate against unauthorized use. Read the Digital ID Subscriber Agreement and click Accept.
Using Digital Certificates for Email Screenshot 2

6. A pop-up window will display asking if you want to request a certificate now. Click Yes. A Digital ID Services pop-up window will display prompting you to look in your email Inbox for further instructions.
Note: Approval of your digital certificate may take 24 hours.
Using Digital Certificates for Email Screenshot 3

7. Once your application has been approved, an email will be sent to your official University email address from helpdesk+certificate@pitt.edu. This email will contain a Personal Identification Number (PIN) required to retrieve your digital certificate.

8. Go to the Web site listed in the confirmation email using the same computer and Web browser that you used to apply for the digital certificate. Enter your PIN where prompted and click Submit.
Using Digital Certificates for Email Screenshot 4

9. A pop-up window may display asking if you want to add a certificate to your computer. Click Yes.
Using Digital Certificates for Email Screenshot 5

10. A confirmation screen will display indicating that your digital certificate has been successfully installed.
Using Digital Certificates for Email Screenshot 6

Export Your Digital Certificate from Internet Explorer 7

Your digital certificate was installed on the Internet browser that you used when applying for it (in this case, Internet Explorer 7). To digitally sign email messages with your certificate, you need to export a copy of the certificate from Internet Explorer 7 and then import it into the email application that you will use. Complete the following instructions to export your digital certificate.

1. Launch Internet Explorer 7. Click the Tools menu and select Internet Options.

2. The Internet Options window displays. Click the Content tab and then click the Certificates button.
Using Digital Certificates for Email Screenshot 7

3. Click the Personal tab, select the certificate you are going to export, then click the Export… button.
Using Digital Certificates for Email Screenshot 8

4. The Certificate Export Wizard launches. Click Next.

5. Click the radio button next to Yes, export the private key, then click Next.
Using Digital Certificates for Email Screenshot 9

6. On the Export File Format window, select the radio buttons next to Include all certificates in the certification path if possible and Enable strong protection (requires IE 5.0, NT SP4 or above). Click Next.
Using Digital Certificates for Email Screenshot 10

7. On the Password window, select and enter a password where prompted and click Next. You will use this password later when you import the certificate into your email application.
Important: Please be sure to remember your password. If you forget it, you will need to delete the file and export the certificate again.
Note: CSSD recommends that you use a password that is eight or more characters long consisting of some combination of letters, numbers, and special characters (for example, !, *, #, or $).
Using Digital Certificates for Email Screenshot 11

8. On the File to Export window, enter a file name in the File name text field and then click Next.
Note: You can click the Browse button if you also want to change the location in which the file is saved.
Using Digital Certificates for Email Screenshot 12

9. A Complete the Certificate Export Wizard displays with the settings that you selected during the export process.
Note: Please take note of the File Name row, which lists the location of the certificate file. This is the location from which you will import your digital certificate. It also serves as a backup copy of your digital certificate.
Using Digital Certificates for Email Screenshot 13

10. Click the Finish button. A window will display informing you the export was successful. Click OK.

11. Close the Certificates window and then close the Internet Options window.

Sign and Encrypt Emails in Outlook 2007

Import Your Certificate into the Windows Certificate Store

First, follow the instructions in this document to export your digital certificate. Then import your certificate into the Windows Certificate store by completing the following steps.

1. Locate the certificate file that you exported. Double-click the .pfx file.
Using Digital Certificates for Email Screenshot 14

2. A Certificate Import Wizard window displays. Click Next.

3. The file you selected displays in the File Name text field. Click Next.
Note: If the file does not display in the text field, click the Browse button to locate it.
Using Digital Certificates for Email Screenshot 15

4. The Password window displays. Enter the password you used when exporting the certificate. Check the Enable Strong Private Key protection checkbox. Decide whether you want to Mark this key as exportable, and then click Next.

Note: Marking the key as exportable means you can export your public and private keys from Outlook at a later time. If you saved the digital certificate you exported from your Web browser in a safe location that you will remember, then there is no reason to make it exportable from Outlook.
Using Digital Certificates for Email Screenshot 16

5. The Certificate Store window displays. Make sure the radio button is selected next to Automatically select the certificate store based on the type of certificate. Click Next.
Using Digital Certificates for Email Screenshot 17

6. The Certificate Import Wizard displays a summary of the settings. Click Finish.

7. At the Importing a new private exchange key window, leave the default Security level set to Medium. Click OK.
Using Digital Certificates for Email Screenshot 18

8. A Certificate Import Wizard window may display informing you that the import was successful. Click OK.

Sign and Encrypt Emails in Outlook 2010

Now that you have imported your certificate into the Windows Certificate store, complete the following steps to enable Outlook to digitally sign and encrypt messages.

1. Launch Outlook 2007. From the Tools menu, select Trust Center.
Note: If you are using Outlook 2003, click the Tools menu, select Options, and click the Security tab.

2. Click the E-mail Security section. Select the checkboxes next to Add digital signature to outgoing messages and Send clear text signed messages when sending signed messages. Click OK.
Note: Do not select the option Encrypt contents and attachments for outgoing messages. It is best to manually choose encryption for individual email messages.
Using Digital Certificates for Email Screenshot 19

3. Send an email to yourself as a test. Your message should display the following icon:
Using Digital Certificates for Email Screenshot 20
Note: Each time you launch Outlook, you should be prompted to grant access to your private key the first time you attempt to send a message. Click OK to grant access to your key.
Using Digital Certificates for Email Screenshot 21

4. To manually encrypt an email, start a new message and click the encryption icon before sending your message.
Using Digital Certificates for Email Screenshot 22
Using Digital Certificates for Email Screenshot 23

Note: You can send an encrypted message only if you have the recipient's public key. To obtain a recipient’s public key, open a digitally signed message sent to you by your intended recipient. Right-click the name in the From field and add that person to your Outlook Contacts. Their public key certificate is stored with your contact entry. You can now send encrypted messages to this person.
Note: If you selected the Add digital signature to outgoing messages option in step 3, Outlook will include your public signing certificate in your outgoing messages so that others have the ability to send you encrypted messages.
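The overview states that a digital certificate proves who sent a message and that it was not altered, and the notes above explain that you can encrypt only to someone whose public key certificate you hold. The following script is an added example, not part of the CSSD document or of Outlook, that reproduces those operations with the OpenSSL command line: it builds two constructed, self-signed test identities (a real certificate would be issued by the University's certificate authority), writes the same kind of password-protected .pfx bundle the export wizard produces, signs and verifies a message, shows that an altered body or an untrusted signer is rejected, and encrypts to a recipient's certificate so that only the matching private key can decrypt.

```shell
#!/bin/sh
# Added example: S/MIME sign, verify, tamper-detect, encrypt and decrypt with OpenSSL.
# All identities, passwords and message text below are constructed for the demonstration.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed test identity: private key plus self-signed certificate carrying an email address.
make_identity() {  # $1 = short name, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -addext "subjectAltName=email:$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  # The .pfx the export wizard writes is this same key + certificate, password protected.
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -out "$WORK/$1.pfx" -passout pass:constructed-export-password
}

# Clear-text signed S/MIME message (what Outlook's "send clear text signed messages" produces).
sign_message() {  # $1 = sender name, $2 = body file, $3 = output file
  openssl smime -sign -in "$2" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$3"
}

# Succeeds only if the signature chains to the trusted certificate AND the body is unaltered.
verify_message() {  # $1 = signed message, $2 = trusted certificate
  openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

# Encrypting needs only the recipient's certificate (public key), which is why you must first
# receive a signed message from them; decrypting needs the recipient's private key.
encrypt_message() {  # $1 = recipient name, $2 = body file, $3 = output file
  openssl smime -encrypt -aes256 -binary -in "$2" -out "$3" "$WORK/$1.crt"
}
decrypt_message() {  # $1 = recipient name, $2 = encrypted message -> plaintext on stdout
  openssl smime -decrypt -in "$2" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}

# Full round trip; returns 0 only when every expectation below holds.
smime_demo() {
  make_identity alice alice@example.edu
  make_identity bob bob@example.edu
  printf 'Please wire 1,000 to account 42.\n' > "$WORK/body.txt"      # constructed message
  sign_message alice "$WORK/body.txt" "$WORK/signed.eml"
  verify_message "$WORK/signed.eml" "$WORK/alice.crt" || return 1       # genuine: accepted
  sed 's/1,000/9,000/' "$WORK/signed.eml" > "$WORK/tampered.eml"
  ! verify_message "$WORK/tampered.eml" "$WORK/alice.crt" || return 1   # altered body: rejected
  ! verify_message "$WORK/signed.eml" "$WORK/bob.crt" || return 1       # untrusted signer: rejected
  encrypt_message bob "$WORK/body.txt" "$WORK/enc.eml"
  [ "$(decrypt_message bob "$WORK/enc.eml" | tr -d '\r')" = "Please wire 1,000 to account 42." ] || return 1
  ! decrypt_message alice "$WORK/enc.eml" >/dev/null || return 1        # wrong private key: fails
}
smime_demo && echo "sign, verify, tamper-detect, encrypt round trip OK" || { echo "FAILED"; exit 1; }
```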

Sign and Encrypt Emails in Mozilla Thunderbird

First, follow the instructions in this document to export your digital certificate. Then complete the following steps to encrypt and sign emails in Mozilla Thunderbird.

1. Launch Thunderbird. Click the Tools menu and select Account Settings.

2. Click the Security option for your University Computing Account.
Using Digital Certificates for Email Screenshot 24

3. In the Certificates section, click the View Certificates button.
Using Digital Certificates for Email Screenshot 25

4. If your certificate does not display, click Import and browse for the certificate that you exported in the first section of this document.
Using Digital Certificates for Email Screenshot 26

5. A File Name to Restore window appears. Use it to locate the key that you wish to import. When you have selected your file, click the Open button.

6. You may be prompted to enter a master password. Enter your password where prompted and click OK.
Using Digital Certificates for Email Screenshot 27

7. You will be prompted to enter the password you set when exporting this certificate. Enter your password and click OK.
Using Digital Certificates for Email Screenshot 28

8. An alert window will display indicating that you have successfully restored your security certificate and private key. Click OK.
Using Digital Certificates for Email Screenshot 29

9. Your University of Pittsburgh certificate will now display in the Certificate Manager window. Click OK to close the Certificate Manager window.

10. At the Security section, click the Select button below Digital Signing.
Using Digital Certificates for Email Screenshot 30

11. Select the certificate you just imported and click OK.

12. You will be prompted to use the same certificate to encrypt and decrypt messages sent to you. Click OK.
Using Digital Certificates for Email Screenshot 31

13. Your certificate will display in the Digital Signing section and the Encryption section. Make sure to select the checkbox next to Digitally sign messages (by default).
Note: Make certain the Never option is selected under Default encryption setting when sending messages. It is best to manually choose encryption for individual email messages.
Using Digital Certificates for Email Screenshot 32

14. Click OK to close the Account Settings window. All email messages that you send from Thunderbird will now be signed with your digital certificate.

15. To manually encrypt an email, start a new message, click the Security icon, and select Encrypt This Message.
Using Digital Certificates for Email Screenshot 33
Note: You can send an encrypted message only if you have the recipient's public key. In Thunderbird, when you receive a digitally signed email, the sender’s public key is saved. You can view the saved public keys by clicking the Tools menu, selecting Options, clicking the Privacy icon, and then clicking the Security tab. Select the View Certificates button and click the Other People’s tab. You can send encrypted messages to any email address on this list.
Using Digital Certificates for Email Screenshot 34

Sign and Encrypt Emails in Microsoft Entourage for Mac

Import Certificates into Your Mac Personal Keychain

First, follow the instructions in this document to export your digital certificate. Then import your certificate into your Mac personal keychain by completing the following steps.

1. Launch the Microsoft Cert Manager application located in the Office folder.
Using Digital Certificates for Email Screenshot 35

2. Click on the Import icon.
Using Digital Certificates for Email Screenshot 36

3. Navigate to your certificate file and click Open.
Using Digital Certificates for Email Screenshot 37

4. Enter the password you used to protect your digital certificate and click Import.
Using Digital Certificates for Email Screenshot 38

5. You should see a message window that indicates that the certificate was successfully imported along with a list of the certificate’s contents. Click OK.

6. Your digital certificate should be displayed in the Certificates window under the Digital Identities keychain.
Using Digital Certificates for Email Screenshot 39

7. Close the Microsoft Certificate Manager.

Sign Emails in Mac Entourage 2008

Next, set up your University email account to use your digital certificate by completing the following steps.

1. Launch Microsoft Entourage. Click the Tools menu and select Accounts. Double click your University email account.
Using Digital Certificates for Email Screenshot 40

2. The Edit Account window will open. Click the Mail Security tab.
Using Digital Certificates for Email Screenshot 41

3. Click the Select button under Signing Certificate.
Using Digital Certificates for Email Screenshot 42

4. Select the digital certificate you want to use and click OK.
Using Digital Certificates for Email Screenshot 43

5. Your certificate will now display in the Digital Signing section. Make sure to check the box next to Digitally sign outgoing messages by default. The remaining two options should be checked by default.
Using Digital Certificates for Email Screenshot 44

6. Click the Select button under Encryption.
Using Digital Certificates for Email Screenshot 45

7. Select the digital certificate you want to use and click OK.
Using Digital Certificates for Email Screenshot 46

8. Your certificates will now display in the Edit Account window. Any email that you send from Entourage will now be signed with your digital certificate.

Note: Make certain the option Encrypt outgoing messages and attachments by default is unchecked. It is best to manually choose encryption for individual email messages.
Using Digital Certificates for Email Screenshot 47

9. Click OK to close the Edit Account window.

Encrypt Emails in Mac Entourage 2008

1. You can use Entourage to send an encrypted email message to someone, but you first need to save a copy of that person's digital certificate key to your address book. In order for you to do this, they must first send you a digitally signed message. To obtain an individual’s public key, open the digitally signed message and select View Details.

Using Digital Certificates for Email Screenshot 48

2. Make sure the General tab is selected and click Add To Contacts.
Using Digital Certificates for Email Screenshot 49

3. Click OK. The digital certificate is stored with your contact entry for this person. You can now send encrypted email messages to this individual.
Using Digital Certificates for Email Screenshot 50

4. To manually encrypt an email, start a new message, click the Message menu, select Security, and select Encrypt Message.
Using Digital Certificates for Email Screenshot 51