S/MIME Quick Start
Sign

This sample acts as a starting point and uses a generic certificate to sign outgoing messages. It is useful, because it brings you up and running in less than five minutes. Also this sample gives you a feeling about S/MIME and the way it works.

Once the setup is complete, all messages from youremail@yourdomain.com to someone@hotmail.com are signed. The next step would be that you use your own certificate rather then using the generic certificate.

download TLS/SSL Toolkit

extract CACert.pem into the CERT directory

extract sample@mydomain.com.pem into the CERT\PRIV directory

select Options->S/MIME->Sign and create a new record

Comment: Sign using a sample certificate
For messages from e-mail address: youremail@yourdomain.com
to e-mail address: someone@hotmail.com
use this certificate (file in PEM format): sample@mydomain.com.pem
Sign and encrypt using a user certificate
This sample is based on a traditional S/MIME configuration, where the certificate is stored in Windows on the local machine and Outlook uses the certificate to sign the message. The disadvantage of such a configuration is that a S/MIME message can't be checked using a traditional spam or virus blocker. Further handling roaming users is a nightmare, because the certificate are cluttered all over the users machines.

To overcome this limitations, XWall or CryptoFilter provide a central handling of certificates and even further, automatically certificate exchange, with little or no user intervention.

The sample assumes XWall or CryptoFilter at Site A using an e-mail address of @domainA.com and a second XWall or CryptoFilter at Site B using an e-mail address of @domainB.com.

Once the setup on both sites is complete, the automatic certificate exchange must be triggered. The simplest way is that one site starts sending a messages to the other site, which XWall will sign. The XWall at the receiving site will then extract the public key from the signed message and store it in the CERT\PUB directory. The reply to this message is then encrypted using the key that was previously extracted and the own public key is enclosed. At the end, both keys are exchanged and from then on every message is encrypted.

On Site A:

enable Options->S/MIME->Options->Collect the public certificate of the sender

copy all user certificates into the CERT\PUB directory

The name of the certificate file is the e-mail address, but with a .pem extension ( e.g. user@domainA.com.pem )

select Options->S/MIME->Sign and create a new record

Comment: Signing from domainA.com to domainB.com
For messages from e-mail address: *@domainA.com
to e-mail address: *@domainB.com
use this certificate (file in PEM format): *

select Options->S/MIME->Verify and create a new record

Comment: Verify from domainB.com to domainA.com
For messages from e-mail address: *@domainB.com
to e-mail address: *@domainA.com
Verify S/MIME signature: enable
Remove S/MIME signature: enable

select Options->S/MIME->Encrypt and create a new record

Comment: Encrypting from domainA.com to domainB.com
For messages from e-mail address: *@domainA.com
to e-mail address: *@domainB.com
use this certificate (file in PEM format): *

select Options->S/MIME->Decrypt and create a new record

Comment: Decrypting from domainB.com to domainA.com
For messages from e-mail address: *@domainB.com
to e-mail address: *@domainA.com
use this certificate (file in PEM format): *
Verify S/MIME encryption: enable
Remove S/MIME encryption: enable

On Site B:

enable Options->S/MIME->Options->Collect the public certificate of the sender

copy all user certificates into the CERT\PUB directory

The name of the certificate file is the e-mail address, but with a .pem extension ( e.g. user@domainB.com.pem )

select Options->S/MIME->Sign and create a new record

Comment: Signing from domainB.com to domainA.com
For messages from e-mail address: *@domainB.com
to e-mail address: *@domainA.com
use this certificate (file in PEM format): *

select Options->S/MIME->Verify and create a new record

Comment: Decrypting from domainA.com to domainB.com
For messages from e-mail address: *@domainA.com
to e-mail address: *@domainB.com
Verify S/MIME signature: enable
Remove S/MIME signature: enable

select Options->S/MIME->Encrypt and create a new record

Comment: Encrypting from domainB.com to domainA.com
For messages from e-mail address: *@domainB.com
to e-mail address: *@domainA.com
use this certificate (file in PEM format): *

select Options->S/MIME->Decrypt and create a new record

Comment: Decrypting from domainA.com to domainB.com
For messages from e-mail address: *@domainA.com
to e-mail address: *@domainB.com
use this certificate (file in PEM format): *
Verify S/MIME encryption: enable
Remove S/MIME encryption: enable
Sign and encrypt using a company certificate
This sample uses a single company certificate to sign and decrypt messages.

This sample assumes XWall or CryptoFilter at Site A using an e-mail address of @domainA.com and a second XWall or CryptoFilter at Site B using an e-mail address of @domainB.com.

There is one certificate for each site, the name of the private key file is cert-priv-DomainA.pem and cert-priv-DomainB.pem and the name of the public key file is cert-pub-DomainA.pem and cert-pub-DomainB.pem.

The private key file is a secrect and never leaves the site, but the public key file must be sent to the other site.

Once the setup on both sites is complete, all messages between the sites are immediately encrypted.

Note: For testing you can use the sample@mydomain.com.pem certificate from TLS/SSL Toolkit on both sites. Once the setup is working, you can then change the sample certificate to a real certificate.

On Site A:

copy cert-priv-DomainA.pem into the CERT\PRIV directory

copy cert-pub-DomainB.pem into the CERT\PUB directory

select Options->S/MIME->Sign and create a new record

Comment: Signing from domainA.com to domainB.com
For messages from e-mail address: *@domainA.com
to e-mail address: *@domainB.com
use this certificate (file in PEM format): cert-priv-DomainA.pem

select Options->S/MIME->Verify and create a new record

Comment: Decrypting from domainB.com to domainA.com
For messages from e-mail address: *@domainB.com
to e-mail address: *@domainA.com
Verify S/MIME signature: enable
Remove S/MIME signature: enable

select Options->S/MIME->Encrypt and create a new record

Comment: Encrypting from domainA.com to domainB.com
For messages from e-mail address: *@domainA.com
to e-mail address: *@domainB.com
use this certificate (file in PEM format): cert-pub-DomainB.pem

select Options->S/MIME->Decrypt and create a new record

Comment: Decrypting from domainB.com to domainA.com
For messages from e-mail address: *@domainB.com
to e-mail address: *@domainA.com
use this certificate (file in PEM format): cert-priv-DomainA.pem
Verify S/MIME encryption: enable
Remove S/MIME encryption: enable

On Site B:

copy cert-priv-DomainB.pem into the CERT\PRIV directory

copy cert-pub-DomainA.pem into the CERT\PUB directory

select Options->S/MIME->Encrypt and create a new record

Comment: Encrypting from domainB.com to domainA.com
For messages from e-mail address: *@domainB.com
to e-mail address: *@domainA.com
use this certificate (file in PEM format): cert-priv-DomainB.pem

select Options->S/MIME->Decrypt and create a new record

Comment: Decrypting from domainA.com to domainB.com
For messages from e-mail address: *@domainA.com
to e-mail address: *@domainB.com
Verify S/MIME signature: enable
Remove S/MIME signature: enable

select Options->S/MIME->Encrypt and create a new record

Comment: Encrypting from domainB.com to domainA.com
For messages from e-mail address: *@domainB.com
to e-mail address: *@domainA.com
use this certificate (file in PEM format): cert-pub-DomainA.pem

select Options->S/MIME->Decrypt and create a new record

Comment: Decrypting from domainA.com to domainB.com
For messages from e-mail address: *@domainA.com
to e-mail address: *@domainB.com
use this certificate (file in PEM format): cert-priv-DomainB.pem
Verify S/MIME encryption: enable
Remove S/MIME encryption: enable
Install a certificate

The program expects the certificate in PEM format.

PEM format is Base64 encoded and therefore you can open it with a text editor. The extension of the file is .pem.

Your certificates are private certificates and must have a private key section in the pem file. Private certificates are stored in the CERT\PRIV directory.

Your recipients certificates are public certificates and are stored in the CERT\PUB directory.

Convert a certificate

When you obtain certificate from an authority, they may send you a .p12 or .pfx file, which you need to convert to a .pem file.

Extract PKCS12_to_PEM.bat and OpenSSL.exe from TLS/SSL Toolkit into a directory of your choice.

Run PKCS12_to_PEM.bat and give it the name of your .p12 or .pfx file and a tlscert.pem file will be created.

Sample: PKCS12_to_PEM mycert.pfx

Or you can use the online converter at https://www.sslshopper.com/ssl-converter.html

Sometimes when you obtain certificate from an authority, they install the certificate direct into the certificate store of Windows.

To export the certificate to a .pfx file, start a MMC and select Add / Remove Snap-In -> Add -> Certificates -> My user account.

In the Snap-In select Certificates - Current User -> Personal and there you find the certificate.

Press the right mouse key and select All Task -> Export.

How to get a Certificate

Certificates usable for S/MIME are available from:

© 1996-2017 DataEnter GmbH
Wagramerstrasse 93/5/10 A-1220 Vienna, Austria
support@dataenter.co.at
2017-01-04 / Phone
2017-01-04 / Tablet
Changed: 2017-01-04
Server
Desktop
Copyright © 1996-2017 DataEnter GmbH
Wagramerstrasse 93/5/10 A-1220 Vienna, Austria
Fax: +43 (1) 2020770
support@dataenter.co.at