In today’s post, I would like to tell you about the S/MIME certificate. I will explain what we can use it for, show you how to generate such a certificate for free, and then add it to Outlook using a YubiKey. Welcome!
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for encrypting and signing email messages, and an S/MIME certificate is the digital certificate we use to do this. Using such a certificate allows the recipient of the message to verify the identity of the sender and to make sure that the message has not been tampered with during transmission. Generating such a certificate usually costs money, but there are also services that offer free certificates. For the purposes of this post, we will generate the certificate with the service run by the Italian certification authority Actalis.
To generate an S/MIME certificate, we will need an email address for which the certificate is to be generated.
1. Open the web page: https://extrassl.actalis.it/portal/uapub/freemail?lang=en
2. Enter your email address, prove that you are a human, and click “send verification email”.
3. Then we will receive an email that will look like this:
4. In the next step, we need to enter the received code into the field displayed on the page, tick the agreements, and click “Submit”.
5. At this point, the system will generate a certificate for us and the password for this certificate will appear on our screen. The certificate itself will be sent to the email address provided in the form. It’s worth keeping this password in a safe place.
6. In the next step, we will receive the generated PKCS#12 certificate, in pfx format, at our email address. To open it, we need the password that we received earlier. The email also contains the data needed to log into the client area. There we can revoke the certificate in case we lose it – that’s why it’s worth saving it in 2 places, for example on 2 hardware keys.
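Before the file goes onto a hardware key, it is worth confirming that it really is the certificate we asked for. The following PowerShell check is an added example, not part of the original post: it reads the .pfx and reports the email address, the Secure Email usage, the key type, and the validity period. The file path and the expected address are placeholders.

```powershell
# Added example: inspect the .pfx received by email before importing it to the key.
# Assumptions: the file path and the expected address below are placeholders.
$PfxPath       = "$env:USERPROFILE\Downloads\smime.pfx"   # hypothetical file name
$ExpectedEmail = 'user@example.com'                       # constructed sample address
$SecureEmail   = '1.3.6.1.5.5.7.3.4'                      # EKU OID for Secure Email (emailProtection)

# Prompt for the certificate password instead of typing it on the command line.
$Password = Read-Host -AsSecureString -Prompt 'PFX password'

# Get-PfxData (PKI module) reads the file without installing the certificate
# in the Windows certificate store.
$pfx = Get-PfxData -FilePath $PfxPath -Password $Password
$now = Get-Date

foreach ($cert in $pfx.EndEntityCertificates) {
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    # Returns $null when the certificate does not carry an RSA key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $email = $cert.GetNameInfo('EmailName', $false)   # address the certificate was issued for

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Thumbprint     = $cert.Thumbprint
        Email          = $email
        EmailMatches   = $email -eq $ExpectedEmail
        HasPrivateKey  = $cert.HasPrivateKey           # must be True to sign or decrypt
        SecureEmailEku = @($eku.EnhancedKeyUsages.Value) -contains $SecureEmail
        CanSign        = [bool]($ku.KeyUsages -band
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
        KeyAlgorithm   = $cert.PublicKey.Oid.FriendlyName
        RsaKeySize     = $(if ($rsa) { $rsa.KeySize } else { $null })
        ValidNow       = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        NotAfter       = $cert.NotAfter
    }
}

# Issuer certificates bundled in the same file (the chain up to the CA).
$pfx.OtherCertificates | Select-Object Subject, NotAfter
```

If `EmailMatches`, `HasPrivateKey`, `SecureEmailEku`, or `ValidNow` comes back `False`, sort that out before importing the file to the key.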
Alright, we already have the certificate, so now we need to save it somewhere so that we can use it. We can import it to the computer, but that causes problems: for example, when we work on several computers, or when the computer gets infected, we can lose the certificate. It is better to keep it in a place that is safe and where we are sure that no one will steal it. Such a place can be a YubiKey hardware key. In my case, it will be the YubiKey 5 NFC. To save the certificate on the key, you first need to install the YubiKey Manager application from Yubico’s website.
Now I will present step by step how we can import the certificate.
1. Go to the PIV application.
2. Before we import the certificate to the key, let’s set the PIN, PUK, and Management Key for the PIV module.
3. We go to Digital Signature, click Import, and select the downloaded certificate:
4. We enter the password received by email:
5. We enter the PIN for the PIV module:
6. The certificate has been imported.
7. From this moment on, our key serves as the carrier of the certificate. It can be used with various email programs.
Now you need to configure this certificate in Outlook and designate it as the certificate for signing messages. To do this, open Outlook and click File > Options > Trust Center > Trust Center Settings.
In the new window, click Email Security and select the options “Add a digital signature to outgoing messages” and “Send clear text signed message when sending signed messages”.
In the same window, click “Settings”, enter the name of the security profile, and select the certificate that we will use for the signature. It is important that the key is connected to the computer at this moment. Then we choose the algorithms – preferably SHA512 as the hash algorithm and AES256 as the encryption algorithm. We confirm everything with the OK button and that’s it 😊