S/MIME Email encryption

Using S/MIME to secure your emails on Computer and Smartphone

Posted on Posted in Technology

How to get, install and use your free Comodo E-Mail S/MIME Certificate in order to secure your emails by signing and encrypting them

The second technology besides PGP for making email secure is S/MIME. Here you have a step by step instruction manual how to get it done.
The advantage of S/MIME is it’s integrated mobile device compatibility. Disadvantage: You need to apply for a certificate from a Certificate Authority (“CA”), and usually renew every year. You may choose other CAs, some offer paid certificates with validities up to two or three years.

This manual is written for Firefox / Thunderbird / Ubuntu  &  iPhone/iPad with iOS 9 or 10
It should be valid / very similar for other Operating Systems.

PART I … GET YOUR CERTIFICATE
  1. Visit https://www.comodo.com/home/email-security/free-email-certificate.php
  2. Fill in some details about you and your e-mail address. You should set a revocation password and save it securely.
  3. Click the “collect my certificate” link in the email.
  4. The certificate is installed into your standard web browser (Firefox in my case)
  5. Go to Edit / Preferences / Advanced / View Certificates
  6. Under the Tab “Your Certificates” you see your fresh Comodo Certificate (contains your private key!)
  7. Backup this Certificate to your local drive, assign a backup password and don’t loose it.
  8. Use PKCS12 format when asked for a backup file format.
  9. Delete your Comodo E-Mail certificate from Firefox. Click “Delete” in the “Your certificates” section.
PART II … INSTALL IT INTO YOUR E-MAIL CLIENT PROGRAM

Now you would want to import the Certificate into Thunderbird and after that into your iPhone.

  1. Go to Menu Edit / Account Settings and click on Security below the Account we are securing
  2. Click View Certificates – and under the Tab “Your Certificates” import the .P12 file which you backuped from Firefox.
  3. Enter you backup&restore pass-phrase and confirm. Your certificate (private key and public key) are now imported into Thunderbird.
  4. Click OK to return to the Security Settings of your email account.
  5. “Select” the Signing and Encryption certificates and possibly check the boxes “Digitally sign by default” and/or “Encryption required”, as you wish.
PART III … USE IT
  • In order to sign email messages you don’t need to do anything else now. You can send email messages to anybody, and “sign” them using your certificate. The recipient will see that the message is signed (means it has not been tampered with).
  • For encrypting you need to obtain the public key (S/MIME Signature) of the other party first.
    It is a good practice to send a Signed message to the other party, informing them that this is a signed message from you, and they shall import your certificate into their email client program AND of course shall they please reply with a signed email message, so your client program can import the certificate.
  • Usually your email client program would collect received certificates automatically. To check other peoples certificates on your computer (inside your Thunderbird) go to Edit / Preferences / Advances / Certificates / View Certificates / “People”.

Now you can communicate encryptedly via S/MIME via e-mail.

PART IV … SECURE EMAIL ON YOUR IPHONE

You will need to email your .P12 Certificate backup file to yourself, so make sure the email account you will be using connects via SSL/TLS to the mail server.

  1. Email the file from your computer to yourself. No, you can’t just save it as a draft.
  2. On your iPhone tap on the .P12 attachment to install it into the phone, you will need to enter your phone’s pass-phrase and the certificate backup password.
  3. Delete the SENT mail in your computer’s mail program and delete the received email in your iPhones Mail inbox.
  4. Empty the Trash folders for that email account on your PC and iPhone.
  5. Again, you need to exchange emails with other people first by only signing emails, before you can go encrypted. (see part III above)

-> Congratulations!

Remark: In case you are not using a Email client program on you PC, yes there are add-ons for GMail and possibly other web-mail services. I won’t go into detail for these as I’m not using these.


P.S. You knew what S/MIME stands for? — “Secure / Multi-purpose Internet Mail Extensions” !
You can read much more about it here.

Renewing your S/MIME Certificate after a year? The procedure is the same! Just make sure you keep the old certificate inside your Thunderbird so you can still decrypt old messages. And you will need to send signed messages to your contacts so they get your now certificate – otherwise they can’t email you encryptedly.

The term “certificate” is often used confusingly, even here in my little tutorial. Even S/MIME works based on “private key + public key” same as PGP. They just automate the process and hide it from the user a bit more. So you have to keep your “.P12” certificate file and it’s backup password very confidential because it contains your private key. It is imported into your email program on the computer or the phone. (So your PC and phone should use disk encryption and access control features!).
When emailing people, your private key (the full contents of the .P12 file) never leave your computer, only a public key does. The other party will still see your “S/MIME public key” as a “imported other peoples’ certificate”. Don’t be too confused by this. They just try to keep it simple for the layman user!
And I bet it’ still a bit confusing 😉

2 thoughts on “Using S/MIME to secure your emails on Computer and Smartphone

  1. Hi there! Do you use Twitter? I’d like to follow you if that would be ok.
    I’m undoubtedly enjoying your blog and look forward to new posts.

Leave a Reply

Your email address will not be published. Required fields are marked *