How to use a Certificate to Encrypt and Digitally Sign Emails in Apple Mail

Published Wednesday, February 24, 2010 11:31 AM

Email is something we use pretty much every day. Keeping your email secure is important, especially if you are passing sensitive information in it. Even if you are using an SSL connection, the data is only encrypted on its way to the server and is decrypted after arriving. So your emails are sitting on the server in plain text, which is where the insecurity comes in.

There are several ways you can go about encrypting an email. You can use a program like AxCrypt, 7-Zip, or even GnuPG to encrypt the message and attach the result to the email. This is secure, but you still have to give the other person the key to decrypt the message, and they also have to have the program that was used to encrypt it. So you can see that it might be cumbersome to do it this way.

You could also use PGP/GPG-based encryption. This is how that method works.

- Two really large numbers, A and B, are created that share a special relationship
- Anything encrypted with "A" can only be decrypted by "B", and anything encrypted with "B" can only be decrypted by "A".
- You make one of them, either A or B, public and keep the other one private.

Let's say I make my "A" number public (which I have), and keep the "B" number private - only I have it.
You can now encrypt a message to me using my public key "A". Only I can decrypt it with my private key "B".
Conversely, I can encrypt (or sign) a message using my private key "B", and anyone can decrypt it - but since they can, they know beyond any doubt (as long as I've kept my private key private) that only I could have created the message.
Source: http://ask-leo.com/how_do_i_encrypt_email.html

Using a Certificate to Encrypt and Sign a Message
The method I have been playing with uses a certificate-based system, much like what websites use to encrypt web pages to protect credit card information and private data. You can acquire a free email certificate from Comodo that allows you to send emails that are encrypted and digitally signed. A digital signature allows the recipient of a message to verify that the message was not changed en route to them and that the person sending it is the holder of the certificate.
The encryption is designed so that only the holder of the certificate can decrypt the message. It works much like the PGP system, but the certificates hold the private key and your signed message has the public key attached to it. So when you send your friend a signed message he gets your public key, and he can then send you messages encrypted with your certificate. If you want to send someone an encrypted message, they have to get a certificate and send a signed message to you so you can save it in your address book and then use theirs to send messages to them.

All this sounds confusing, but just know that you and the person you want to email both need a certificate to exchange encrypted emails in this way. Once you do, you're golden, and the process of encrypting and decrypting messages is seamless, without the need for a separate program to decrypt every email.

How to Set Up Email Certificates

Getting your Certificate
1. First you will need a certificate, which you can get free from Comodo here. You will want to use IE, Firefox, Opera or Flock for the next couple of steps. In the middle of the page you will see the “get it free” button; click it and fill out the form. The email address you enter is the address the certificate will be issued for, so don't put in a junk email address. Each certificate is specific to one email address, so if you have several you will have to repeat this process for each one.

2. Once you fill out the form you will receive an email with a link to get your certificate. I would ignore the big red button in the email and click the link below it; the button caused me problems. You will be asked for your email address and collection password, which is in the email. After you submit the form you should get a message saying that you have successfully stored the certificate.

Installing the Certificate

Your browser is now storing your certificate, and you need to export it so you can open it in the Keychain app. To do this in Firefox, open Preferences >> Advanced >> Encryption, then click “View Certificates” and then “Your Certificates”. The certificate should be under the USERTRUST Network and you should see one there that has your name on it. Click it and hit the “Backup...” button. Save it to your desktop; you will be prompted to give it a password so that it can't be opened without one. Once you have saved it, double-click it and it should open the Keychain application. If you go to the “My Certificates” category you should see your certificate there. Double-click it and click the triangle by the word “Trust”. In the drop-down box next to the words “When using this certificate” select “Always Trust”. The installation is complete.

Using it in Apple Mail

Now that you have your certificate installed, all you have to do is restart Mail if it was running while you installed the certificate. When you compose a new email from the account you made the certificate for, you should see a little padlock icon and a check mark icon. Those are the encryption and signature icons respectively. Know that you can only send encrypted messages to people who have sent their public key to you in a signed email. You can send signed messages to anyone, but until you have their certificate you can't send them encrypted messages. Once both parties have each other's public keys, which are sent in signed messages, they will be able to send and receive encrypted messages back and forth very easily.
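The signing and encryption Mail performs behind those two icons can be exercised by hand with OpenSSL, which also makes concrete the public/private key relationship described earlier in the post. The script below is an added example and is not part of the original post; it uses two constructed identities (Alice and Bob at example.com) with self-signed certificates standing in for the Comodo-issued one, and a made-up password for the exported bundle. It signs a message as Alice, verifies it as Bob while keeping Alice's certificate (as Mail does when it receives a signed message), rejects a tampered copy, encrypts a reply to that harvested certificate, shows that only Alice's private key opens it, and finally packages Alice's certificate and key as the password-protected .p12 file that the browser backup step produces.

```shell
#!/bin/sh
# Added example, not from the original post: the S/MIME operations behind
# Apple Mail's padlock and check-mark icons, done by hand with OpenSSL.
# Identities (Alice, Bob at example.com) and the backup password are constructed.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl not found; nothing to demonstrate" >&2
  exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate plus private key for one mailbox. A CA-issued
# certificate (Comodo in the article) differs only in who signs it.
make_identity() {            # $1 = name, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Sign: the private key makes the signature and the certificate (public key)
# travels inside the message, which is how Mail learns a correspondent's key.
sign_message() {             # $1 = signer name, $2 = plaintext, $3 = output
  openssl smime -sign -in "$2" -out "$3" \
    -signer "$WORK/$1.crt" -inkey "$WORK/$1.key"
}

# Verify against a trust anchor and harvest the signer's certificate, the
# equivalent of Mail storing a signed sender's certificate for later use.
verify_message() {           # $1 = signed msg, $2 = trusted cert, $3 = harvested cert out
  openssl smime -verify -in "$1" -CAfile "$2" -signer "$3" -out /dev/null 2>/dev/null
}

# Encrypt to a certificate: only the matching private key can open the result.
# -binary keeps the input bytes as they are so the round trip compares cleanly.
encrypt_message() {          # $1 = plaintext, $2 = output, $3 = recipient cert
  openssl smime -encrypt -aes256 -binary -in "$1" -out "$2" "$3"
}

decrypt_message() {          # $1 = encrypted msg, $2 = recipient name, $3 = output
  openssl smime -decrypt -in "$1" -recip "$WORK/$2.crt" -inkey "$WORK/$2.key" \
    -out "$3" 2>/dev/null
}

# Password-protected PKCS#12 bundle: the file format the browser "Backup..."
# step in the article writes out and Keychain Access imports.
export_p12() {               # $1 = name, $2 = password
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -out "$WORK/$1.p12" -passout "pass:$2"
}

# Full round trip; prints "ok" only when every step behaves as expected.
run_demo() {
  make_identity Alice alice@example.com
  make_identity Bob bob@example.com
  printf 'Hello Bob, this is the quarterly report.\n' > "$WORK/plain.txt"

  # 1. Alice signs; Bob verifies and keeps Alice's certificate.
  sign_message Alice "$WORK/plain.txt" "$WORK/signed.msg"
  verify_message "$WORK/signed.msg" "$WORK/Alice.crt" "$WORK/alice_from_mail.crt" || return 1

  # 2. A signed message that was altered in transit must fail verification.
  sed 's/quarterly/annual/' "$WORK/signed.msg" > "$WORK/tampered.msg"
  if verify_message "$WORK/tampered.msg" "$WORK/Alice.crt" /dev/null; then return 1; fi

  # 3. Bob encrypts to the harvested certificate; only Alice's key decrypts it.
  encrypt_message "$WORK/plain.txt" "$WORK/enc.msg" "$WORK/alice_from_mail.crt"
  if decrypt_message "$WORK/enc.msg" Bob /dev/null; then return 1; fi   # wrong key
  decrypt_message "$WORK/enc.msg" Alice "$WORK/decrypted.txt" || return 1
  grep -q 'quarterly report' "$WORK/decrypted.txt" || return 1

  # 4. Bundle Alice's certificate and key as a password-protected .p12 and read it back.
  export_p12 Alice 'backup-passphrase'
  openssl pkcs12 -in "$WORK/Alice.p12" -passin pass:backup-passphrase -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | grep -q alice@example.com || return 1
  echo ok
}

run_demo
```

Run it with `sh` on a machine with OpenSSL on the PATH. The self-signed certificate doubles as the trust anchor passed to `-CAfile`; with a CA-issued certificate you would pass the issuer's chain there instead, which is the command-line counterpart of the "Always Trust" setting in Keychain Access. Note that the recipient certificate used for encryption is the one harvested from the verified signed message, not a copy handed over separately, mirroring the exchange the article describes.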

You're done, happy emailing :)