I am a cybersecurity consultant, tech writer, and regular columnist for Savvy Security.
In this article, we will cover how to install an S/MIME (email signing) certificate in Outlook and how to use it to encrypt an email.
Before moving on to how to install an S/MIME certificate in Outlook, let's have a quick look at the benefits it provides.
1) End-to-End Encryption: You may be thinking: when all the email clients provide encryption, why would I need an S/MIME certificate? Here’s the truth. All the email clients like Gmail, Yahoo, Hotmail, etc. provide TLS encryption, meaning that your message reaches their (the client’s) server first and is then forwarded to the recipient. These clients store cryptographic keys on their servers, and if their employees want, they can read your email contents (there are some legal provisions to it, though). Or, if hackers break into a client’s database, they can also access all your communication. S/MIME enables end-to-end protection, meaning that your communication reaches your recipients directly, without any intermediary being able to read it. It is a highly safe practice for businesses that send and receive confidential information via email.
2) Digital Signature: You can add your digital signature to all outgoing emails using S/MIME. These signatures are protected with cryptographic keys. No one can copy, remove, or manipulate them. Recipients can verify that an email really comes from the person it claims to come from. It is one of the best ways to prevent email phishing scams.
3) Anti-tamper Facility: S/MIME uses a hashing function to protect integrity. In the worst-case scenario, if someone compromises the Internet channel and tampers with the email content, its hash value changes, and the recipients are notified that the email is not in the same condition as it was originally sent and that they should not trust its content or attachments. So, if a hacker has inserted malware such as a virus in your attachment, changed the text, or added corrupted links, the recipients will be warned immediately, before it’s too late.
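The signature and tamper check described in the list above can be reproduced with the OpenSSL command line. This is an added example, not part of the original article; the key, the self-signed certificate (standing in for one issued by a certificate authority), the address and the message are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Key, certificate and message are constructed for this demo;
# the self-signed certificate stands in for one issued by a CA.
verify_smime() {    # $1 = message file, $2 = certificate to trust
    if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
    then echo valid; else echo invalid; fi
}

smime_tamper_demo() {
    work=$(mktemp -d) || return 2

    # Constructed signer: RSA key plus a certificate marked for e-mail protection.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Alice Example" \
        -addext "subjectAltName=email:alice@example.com" \
        -addext "extendedKeyUsage=emailProtection" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null || return 2

    printf 'Please pay invoice 1001 to account 12345.\n' > "$work/msg.txt"

    # Sign: the output is a multipart/signed message. The body stays readable;
    # a second part carries the signature computed over the body's hash.
    openssl smime -sign -text -in "$work/msg.txt" \
        -signer "$work/cert.pem" -inkey "$work/key.pem" \
        -out "$work/signed.eml" 2>/dev/null || return 2

    # Simulate tampering in transit: change only the account number in the body.
    sed 's/account 12345/account 99999/' "$work/signed.eml" \
        > "$work/tampered.eml"

    # The untouched copy verifies; the altered body no longer matches the signed hash.
    original=$(verify_smime "$work/signed.eml" "$work/cert.pem")
    tampered=$(verify_smime "$work/tampered.eml" "$work/cert.pem")

    rm -rf "$work"
    echo "original=$original tampered=$tampered"
}

smime_tamper_demo
```

A mail client such as Outlook performs the same verification when it opens a signed message and shows a warning when the check fails.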
First of all, you need to buy an email signing certificate from a trusted company. Email signing certificates generally range from $10 to $150. Some companies, like Comodo, sell dual-purpose certificates that you can use both as an S/MIME certificate and as a personal authentication certificate.
Please note that you need a separate S/MIME certificate for each of your employees. So, make a careful decision and choose a budget-friendly option. There are also two popular types of S/MIME certificates: individual verification and enterprise verification.
Step-1: Once you place your order for an email signing certificate, you will receive an email with a link at your registered email ID. This registered ID must have a business domain name like @hackernoon.com, @apple.com, or @anybusiness.com instead of a generic domain like @gmail.com or @yahoo.com.
Click on the given link to verify your email address.
Step-2: When you click the given link, you will be redirected to a browser (generally Firefox or Internet Explorer), where you’ll see an agreement related to the S/MIME certificate and be asked to set up a password. This password will protect your private key, so make sure you set a strong password and remember it for future use. Once you have done so, click on Accept the agreement. As soon as you accept it, you will see a prompt asking for your permission to perform a digital certificate operation. You just need to click Accept or Yes.
Step-3: You will see that a file with a .p12 extension has been downloaded to your system. Click on Open.
Step-4: A new window will pop up. You will see two options.
Choose the appropriate storage location among these two and click on Next. You will be asked to choose the path and exact location of your certificate, i.e., the .p12 file. By default, it will show you the Download folder, but you can browse and change this storage location if you want.
Step-5: You will be asked to provide the password which you set earlier (in step-2). You will get options to choose how you want to use your private key. You need to choose to get an alert prompt every time the private key is used to curb unauthorized use. Also, decide whether you want to keep the private key local to that particular machine only or have any plans to export it to some other machine in the future. Click Next once you select your options.
Step-6: The next prompt asks you to choose in which certificate store you want to save this certificate. Please note that the certificate store is different than its storage location that we decided in step-4. Certificate stores are the system areas where all types of digital certificates are stored. You can let the system automatically select the certificate store for you (highly recommended) or manually suggest a certificate store.
Step-7: You’ll see the final prompt with all the certificate information. Once you verify that everything is okay, click Finish. You will see a prompt “The import was successful”.
Congratulations! You have successfully installed the S/MIME certificate on your system.
Important note: If you have bought an enterprise-level email signing or individual signing certificate, the initial verification process might take up to 5 business days. In general, along with verifying your business email address, the certificate authority will call on your office phone number, vet your physical address, pull out your business's records from government directories, and if required, it will also ask for your bank statements or other authentication documents.
Once you successfully import the S/MIME certificate into your computer, you still need to install it on your Outlook manually to send encrypted and signed emails. In this installation guide, we have used Outlook 2016.
Step-1: Open Outlook. Go to File at the top left.
Step-2: Click on Options. A new window will pop up.
Step-3: Select Trust Center from the bottom and click on Trust Center Settings tab.
Step-4: Click on Email Security from the left side menu. Click on Import/Export tab under Digital IDs (certificates) section.
Step-5: A new window will open up. Under the Import section, browse to the certificate (.p12 file) which you have installed. Enter the password. If the credentials match, your certificate will be imported into Outlook.
Step-6: Now, you will be led back to the previous Trust center dialogue box. From here, now select Settings from the Encrypted email section.
Step-7: Give your certificate a name. It can be anything; it doesn’t matter. Now, in the Signing Certificate and Encryption Certificate fields, click on Choose individually and upload your S/MIME certificate .p12 file.
Generally, the signing certificate and encryption certificate tend to be the same email signing certificate. (Although it is a rare practice, if you have a different S/MIME certificate for digital signatures, you need to choose and upload it in the Signing Certificate field.) Click Ok after completing the upload.
Step-8: Now go back to the Trust Center prompt. Under the Encrypted email section, next to the Default Setting field, you will be able to see the S/MIME certificate which you just uploaded. If you have added more than one certificate, you will get a drop-down option to choose your certificate and the settings related to it.
Now, select all four options in these sections.
1) Encrypt contents and attachments for outgoing messages: By enabling this, all your email text and attachments will get end-to-end encryption. That means no one (including the email client itself) will be able to decrypt your email messages.
2) Add digital signature to outgoing messages: With a digital signature, your recipients will be able to see an extra column of "Signed by firstname.lastname@example.org". No one can delete, copy, or manipulate it. If you have taken an enterprise-level certificate, it will attach your email@example.com, first name, last name, company name, and company address to each outgoing email.
3) Send clear text signed message when sending signed messages: If you know that your recipients don't have an S/MIME certificate but you trust them and want them to read the message, you can select this check box.
4) Request S/MIME receipt for all S/MIME signed messages: That means that, after sending an email, you will get a confirmation receipt in another email containing information such as that the message was delivered uninterrupted and unaltered, and showing who opened it and when.
All your outgoing messages will be signed and encrypted if you have selected the relevant checkboxes in the previous step. However, you can also choose manually not to send a signed or encrypted message to a particular recipient.
Go to your inbox and click on New Email.
Choose Options from the top menu.
You will be able to see the Encrypt and Sign options. Click on each one to enable or disable it as per your requirement.