Security Certificates

I recently had the need to send some secure email.  I was able to create and install a security certificate that allows me to send encrypted emails.  Here’s how that unfolded.

History

Back in the day, there was PGP – Pretty Good Privacy.  This was public key encryption software, developed as open source.  I learned about encryption, public key cryptography, and related material by installing and using PGP on my Mac.  PGP is still around, and still supported by the open source community.  Public key cryptography uses pairs of keys – a private key that remains in the owner’s possession, and a public key that is shared with the world.

PGP uses a network of key servers for distribution of public keys.  An enhancement of that concept is the public key infrastructure (PKI) that adds authentication of the key owner.  My employer issues a digital certificate to each employee so that confidential information can be exchanged worldwide over the internet, without being compromised.  I wanted a similar digital certificate for my personal email.  PKI has been more widely adopted than PGP, though both are based on public key cryptography.

Digital certificates are issued by a Certification Authority (CA).  The PKI market is dominated by for-profit companies and a certificate costs money.  However, in 2007 Thawte was issuing free email certificates.  These certificates could only be used for signing and encrypting email, and since that is what I was looking for, I picked some up.  The certificate integrated very nicely with OS X Mail.  Unfortunately, Thawte stopped issuing email certificates and mine expired in 2010.  For a fee, you can pick up an email certificate from Verisign, and probably other CAs.

I went searching for a source of free email certificates, and found CAcert, an open-source community that is a Certification Authority.  I went through the process of getting a new digital certificate and now my email has signing and encryption capability again.

How I Got a CAcert Digital Certificate

The process is not terribly difficult, and is explained step-by-step on their web site.  I was able to follow the instructions without difficulty, though there are some minor details that are different on my system.

The steps I followed to get an email certificate were:

  1. Import the site’s root certificate into my browser.  The site pages are secure, and cannot be accessed without CAcert’s root certificate.  Fortunately, the home page contains a link for installing the root certificate.  A single click there, and the certificate was installed in Firefox.
  2. Join the CAcert community.  Now that the browser had the proper digital certificate installed, I could access the page.  After filling out the form and submitting, CAcert sent an email to me.  I clicked on the link in the email and this verified my email address.  I am now a community member.
  3. I now added all the email addresses I want included in the certificate.  For each address, an email was sent containing a link on which to click.  Clicking the link verified each email address.
  4. Now I applied for a new client certificate.  A certificate is good for specific purposes, and I applied for one that is good for email messages.  I specified that the certificate would apply to each of the email addresses that had been verified in the previous step.  I specified a high-grade (4096-bit) key.  My key pair was created fairly quickly — just a few seconds — and the new certificate was installed into Firefox.
  5. Now I backed up the certificate to a file on an external hard drive.  Here my experience differed from the instructions on the CAcert site.  Rather than Preferences/Advanced/Security/Certificates/Manage Certificates, my version of Firefox has the Certificate Manager at Preferences/Advanced/Encryption/View Certificates.  I backed up my new certificate to a .P12 file, selecting a password in the process.  I recorded the password in my password manager app, which is Web Confidential for now.
  6. The next step was to import my certificate into OS X, using Keychain Access.  A double-click on the .P12 certificate backup brings up Keychain Access.  I entered the password for the file and imported the certificate to my login keychain.  In the process I chose to trust the CAcert Signing Authority.
  7. To test, I created a new message to myself at my employment email address.  The new message window now contains buttons for signing and encrypting the email.  I can sign any email using my private key.  In order to send an encrypted email, I need to know the public key of the addressee.  My login keychain contains the certificate issued by my employer, with my public key.  I successfully sent a signed, encrypted message to myself at the office.  Unfortunately, I forgot to reply with an encrypted message to my home email address to check the other direction.  However, this has worked in the past and I don’t anticipate any problems.

My new digital certificate identifies me as CAcert WoT User.  This is because the only thing that is verified is my email address.  In order to have my real name included in the certificate, I must meet a CAcert authenticator in person and show acceptable ID.  Then my certificate will be allowed to show my real name, as the face-to-face meeting authenticates who I am and that I own the email address in question.  I’m currently trying to set up such a meeting.

How Do I Use Digital Certificates?

  • I default all my emails to be signed.  A signed email carries my certificate, and with it my public key, so the recipient can check the signature and detect whether the message has been altered.
  • Both OS X Mail and Windows Outlook save the certificate with the sender’s public key that is contained in a signed message.  Outlook stores the key in Contacts, while Mail stores it in the login keychain.
  • Once the public key is in the keychain, I can send encrypted messages that can only be decrypted with the addressee’s private key.  I encrypt messages that contain financial or medical data, so the data stays protected should anyone try to hack my email at the ISP or on intermediate servers.