Creating a self-signed Certificate for use with S/MIME e-mail
Updated: the Thunderbird instructions have been updated and validated.
The tool that you will be using is the excellent encryption package called OpenSSL. You can get more information about OpenSSL from www.openssl.org.
There is a utility that provides a GUI to guide you through this process. It is located here: www.slax.org/modules.php?id=1418
Creating a certificate
1) You need to create your own random key.
a) Execute the following command:
openssl genrsa -des3 1024 > userkey.cert
b) Enter Your Passphrase:
Generating RSA private key, 1024 bit long modulus
2) You need to create the certificate.
After you enter your password you'll be asked for more information. You need to provide the correct information for your organization and host.
a) Execute the following command:
openssl req -new -key ./userkey.cert -x509 -days 365 -out usercert.pem
b) Enter Your Passphrase and Answer the questions.
Enter pass phrase for ./userkey.cert: *ENTER THE SAME PHRASE HERE*
NOTE: use a real @ symbol in place of the above AT (posting blocks on email addresses prevented me from using the proper form)
3) You will need a PKCS12-compatible certificate for your e-mail client (Mozilla Mail or Thunderbird). This is a single file containing both the certificate and the private key.
a) Execute the following command:
openssl pkcs12 -export -out personal.p12 -name "My Email Cert" -inkey userkey.cert -in usercert.pem
b) Enter Your Passphrase each time it asks you for a passphrase.
Enter pass phrase for userkey.cert: *ENTER THE SAME PHRASE HERE*
There you go. You now have three files in the current working directory: userkey.cert (your private key), usercert.pem (your certificate) and personal.p12 (both of them bundled together).
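The three openssl steps above, collected into a script that runs without prompts and then checks its own output. This is an added example, not part of the original post. It assumes an OpenSSL 1.1.1 or newer binary on the PATH (the -addext option did not exist before that), uses a 2048-bit RSA key encrypted with AES-256 instead of the 1024-bit/3DES settings shown above, since those are considered too weak today, and records the e-mail address in the certificate so the mail client can match it to the account. The file names follow the text; the function names, the demo directory, the sample identity and the passphrase are the example's own.

```shell
#!/bin/sh
# Added example: script steps 1-3 from the text, then verify the result.
# Assumes OpenSSL >= 1.1.1. Output files follow the text: userkey.cert,
# usercert.pem, personal.p12. Function names are this example's own.
set -u

# make_smime_identity DIR "Full Name" address passphrase
# 1) encrypted private key, 2) self-signed X.509 cert valid 365 days,
# 3) PKCS#12 bundle of key + cert for the mail client.
make_smime_identity() {
    dir="$1"; name="$2"; email="$3"; pass="$4"
    mkdir -p "$dir"
    # 1) private key, encrypted with the passphrase (AES-256 instead of -des3)
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/userkey.cert" 2048 || return 1
    # 2) self-signed certificate; -subj answers the interactive questions and the
    #    S/MIME extensions tell the client what the certificate is for
    openssl req -new -x509 -days 365 \
        -key "$dir/userkey.cert" -passin "pass:$pass" \
        -subj "/CN=$name/emailAddress=$email" \
        -addext "subjectAltName=email:$email" \
        -addext "extendedKeyUsage=emailProtection" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -out "$dir/usercert.pem" || return 1
    # 3) PKCS#12 bundle; same passphrase on the key (in) and the bundle (out), as in the text
    openssl pkcs12 -export -name "My Email Cert" \
        -inkey "$dir/userkey.cert" -passin "pass:$pass" \
        -in "$dir/usercert.pem" \
        -out "$dir/personal.p12" -passout "pass:$pass" || return 1
}

# cert_fingerprint FILE -> SHA-256 fingerprint, the value to confirm out of band
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_smime_identity DIR passphrase
# Confirms the three files describe one identity: the key matches the cert,
# the .p12 carries that same cert, and the cert has not expired.
check_smime_identity() {
    dir="$1"; pass="$2"
    key_mod=$(openssl rsa -in "$dir/userkey.cert" -passin "pass:$pass" -noout -modulus | openssl sha256)
    cert_mod=$(openssl x509 -in "$dir/usercert.pem" -noout -modulus | openssl sha256)
    [ "$key_mod" = "$cert_mod" ] || { echo "private key does not match usercert.pem" >&2; return 1; }
    cert_fp=$(cert_fingerprint "$dir/usercert.pem")
    p12_fp=$(openssl pkcs12 -in "$dir/personal.p12" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$cert_fp" = "$p12_fp" ] || { echo "personal.p12 does not contain usercert.pem" >&2; return 1; }
    openssl x509 -in "$dir/usercert.pem" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 1; }
    echo "OK: key, certificate and PKCS#12 bundle agree. SHA-256 fingerprint: $cert_fp"
}

# Demo run with a constructed sample identity: sh smime-selfsigned.sh --demo
if [ "${1:-}" = "--demo" ]; then
    make_smime_identity ./smime-demo "Alice Example" alice@example.test "example-passphrase" \
        && check_smime_identity ./smime-demo "example-passphrase"
fi
```

The fingerprint printed at the end is the one value worth handing out together with usercert.pem, so a correspondent can confirm over the phone or in person that the file they received is yours; the key and the .p12 never leave your machine. OpenSSL 3 writes the PKCS#12 bundle with AES-256 and PBKDF2 by default; a very old mail client that only understands the RC2/3DES bundles of the 2006 era needs -legacy on the export command.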
4) Now you need to set your master password in your mailer.
For Mozilla Mail "Edit -> Preferences -> Privacy & Security -> Master Passwords -> Change Password".
For Thunderbird 1.5: "Edit -> Preferences -> Privacy -> Passwords -> Change Master Password".
5) You need to import your certificates: the trusted CA certificate and your own certificate. They are the same certificate in two different forms: usercert.pem (the CA certificate) and personal.p12 (the PKCS12 bundle).
For Mozilla Mail:
a) go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates... -> Authorities"
b) Select "Import", select the file usercert.pem
c) Select the purpose "Trust this CA to identify email users." and Click "OK"
d) The certificate should now be installed as a self-signed Certificate Authority.
For Thunderbird:
a) go to "Tools -> Options -> Advanced -> Certificates -> Manage Certificates... -> Authorities".
b) Select "Import", select the usercert.pem file you saved above, and click "Open".
c) Select the purpose "Trust this CA to identify email users." and Click "OK"
d) The certificate should now be installed as a self-signed Certificate Authority.
6) Now you need to import the same Certificate in its PKCS form.
For Mozilla Mail:
a) go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
b) Click the "Your Certificates" tab.
c) Click on "Import".
d) Select the PKCS12 cert that you created, personal.p12
e) It will ask you for the master password for the software security device. Enter your master password and click "OK".
f) Next, it will ask you for the password protecting your personal certificate. Enter this password and click "OK".
For Thunderbird:
a) go to "Edit -> Preferences -> Privacy -> Security -> View Certificates"
b) Click the "Your Certificates" tab.
c) Click on "Import".
d) Select the PKCS12 cert that you created, personal.p12
e) It will ask you for the master password for the software security device. Enter your master password and click "OK".
f) Next, it will ask you for the password protecting your personal certificate. Enter this password (your cert's passphrase) and click "OK".
7) Now you need to set your mailer up to use the certificates:
For Mozilla Mail:
a) go to "Edit -> Mail & Newsgroups Account Settings...". Then choose "Security" under the account whose e-mail address matches the certificate and select the certificate you just installed. Select whichever Digital Signing and Encryption options you wish.
For Thunderbird:
a) go to "Edit -> Account Settings...". Then choose "Security" under the account whose e-mail address matches the certificate and select the certificate you just installed. Select whichever Digital Signing and Encryption certificate options you wish.
Remember to save your emailer changes via whatever method you use: configsave, webconfig, or the changes= cheatcode.
A Warning on Installing other people's self-signed certificates
Only install personally self-signed certificates from people you know and trust. Otherwise you can be tricked into installing and trusting a bogus cert.
When you give out your cert, it is the usercert.pem file. DO NOT give anyone your userkey.cert or personal.p12 files, because they contain your private key. Anyone who got hold of them would still need your passphrase/password, but it is much easier to compromise your security once those files are in the wrong hands.
When you wish to send encrypted mail to someone using their self-signed certificate, they will need to send you their public certificate as a ".cer" or ".pem" file, which you then install into your mailer. Since neither Mozilla Mail nor Thunderbird will import a self-signed certificate under the "Other People's" tab, it MUST be imported under the "Authorities" tab; a self-signed certificate will only ever appear there, never under "Other People's".
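Before importing someone's certificate under "Authorities", it is worth checking that the file really is what the sender describes: self-signed, still valid, bound to the e-mail address they actually use, and carrying a fingerprint you can confirm with them over another channel. The shell functions below run those checks with openssl. They are an added example, not part of the original post; the function names and the demo invocation are the example's own, and only an openssl binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example: sanity-check a certificate someone sent you before importing it
# under "Authorities". Assumes an openssl binary on the PATH. Function names are
# this example's own.

# cert_binds_email FILE address
# Returns 0 if the address appears in the subject DN (emailAddress=) or in the
# subjectAltName (email:), which is what the mail client matches the account against.
cert_binds_email() {
    openssl x509 -in "$1" -noout -text \
        | grep -qF -e "email:$2" -e "emailAddress = $2" -e "emailAddress=$2"
}

# vet_received_cert FILE address
# Prints what you need to confirm with the sender and returns 0 only if the
# certificate is self-signed, unexpired and bound to the given address.
vet_received_cert() {
    f="$1"; addr="$2"
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//') || return 1
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
    fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^.*=//')
    echo "Subject:   $subj"
    echo "Issuer:    $iss"
    openssl x509 -in "$f" -noout -dates
    echo "SHA-256:   $fp   <- read this to the sender and compare"
    # A self-signed cert has identical subject and issuer. Anything else was issued
    # by some CA and belongs under "Other People's" together with that CA's chain.
    [ "$subj" = "$iss" ] || { echo "REJECT: not self-signed"; return 1; }
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null || { echo "REJECT: expired"; return 1; }
    cert_binds_email "$f" "$addr" || { echo "REJECT: $addr is not in the certificate"; return 1; }
    echo "ACCEPTABLE: import under Authorities once the fingerprint matches"
}

# Demo: sh vet-cert.sh --demo path/to/their.pem their@address
if [ "${1:-}" = "--demo" ]; then
    vet_received_cert "$2" "$3"
fi
```

A certificate that passes these checks is still only as trustworthy as the fingerprint comparison: the tool cannot tell a genuine self-signed certificate from one somebody else generated with the same name and address, so that comparison with the person is the step that actually establishes trust.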