RSS Feed


2nd November, 2012 by Daniel

I’ve been discovering lots about sending emails with digital signatures in the past couple of days and for lack of a better place I’ll write some things up here.

You can get a free certificate from Comodo (and probably other places). It lasts a year so you will need to get a new one after that. If you try to get a new one before the old one has expired you need to revoke the original one.

Outlook’s support for S/MIME signing is quite good and works without hassle. You install the certificate with the Import/Export button in Trust Center -> Email Security. There’s an option there to Publish to GAL. It says it did it, but I’m not sure how to verify the fact. If you’ve done it right then you get a little ribbon in the icon for messages you’ve sent (and of course encrypted messages are displayed, unencrypted!)
You can select whether you want to sign or encrypt by default or per message (Create a new message and click Options, it’s there in Permission whether to sign or encrypt). To Encrypt, as usual you need to have been sent a message by the person you are sending to with a digital signature.

iOS Signing
iOS Mail supports S/MIME albeit a little strangely but it does work which is the main thing. The best way to get the certificate onto the device is attach the .p12 file in an email to yourself. There’s lots of ways to export the certificate, easiest is probably find your certificates from your web browser settings.
You need to turn on S/MIME in the account under Advanced and select Sign and Encrypt according to your preferences. Then it will let you select the certificate you just installed. There’s no way to change these settings on a per email basis so I’ve left Signing on and intend to use Encryption when necesseary.
iOS does some odd checking to see whether it is able to Encrypt a message. If it’s an Exchange account it will check the GAL first with no fall back if it’s not there, which is an issue for GMail accounts set up through Exchange. I’ve swapped mine from Exchange to the standard Gmail connector. So S/MIME works but push email no longer will. I will see what I prefer on that one – I hope it’s something Apple and Google fix between them although I suspect it probably won’t get fixed due to the GMail solution being a nonstandard Exchange install (I suspect).

If all is set up correctly signed emails have a little tick next to the sender with a little lock if it’s encrypted.

Outlook Web Access does support it, but only on Internet Explorer 7 or 8. Which is a little disappointing if you use OWA when you’re not using something that is IE7/8. You probably need to have your certificates with you too so sending signed email on the move is probably best done from your mobile.

It’s a good idea to keep your certificates somewhere safe too, otherwise if something happens and they got deleted then you will be unable to read encrypted mail anymore.

I did also set up DKIM signing for my domain using Google Apps for your Domain but it’s kind of trivial to write up, just involves pasting in an SPF record in DNS that get’s generated for you.

Some useful links:

Despite both of these pages decribing iOS5, iOS6 is much the same process.

No Comments »

No comments yet.

Leave a Reply

Your email address will not be published. Required fields are marked *