How to digitally sign and encrypt your email

designoahu
Posts: 1
Joined: December 28th, 2006, 3:57 am
Location: Honolulu, Hawaii

Post by designoahu »

After many failed attempts I finally got everything working to digitally sign and encrypt email messages in Thunderbird with S/MIME. I hope this saves someone the trouble. To follow this tutorial you should be browsing with Firefox.

The first step is to obtain an X.509 certificate. The best one I have found without having to pay a fee is the Thawte Personal E-Mail Certificate (http://www.thawte.com/secure-email/personal-email-certificates/). What is great about this certificate is that the Thawte root certificate is already included as an Authority by default in Thunderbird (Thawte Personal Freemail Issuing CA). It is pretty straightforward to obtain the certificate: just follow the link, agree to the terms, and answer a few questions about yourself. Once you have verified your email and are logged in, navigate to Certificates -> Request a certificate and click the request button for the X.509 certificate. After checking your email address, accept the default extensions, then select 2048 (High Grade). After the certificate has been issued, navigate to Certificates -> View certificate status and click on the text “Navigator”. It will then display the information for the certificate, and at the bottom there will be a “Fetch” button; click it to install the certificate in Firefox.

Now we must make a backup of the certificate in Firefox so that we can import it in Thunderbird. In Firefox 2, you do this by going to Tools -> Options -> Advanced (icon) -> Encryption (tab) and clicking the View Certificates button. Under the Your Certificates tab, select the freshly installed cert named “Thawte Freemail Member”. Now click the Backup button and save this certificate as a PKCS12 file somewhere you won’t forget. You will also need to select a password to be used when importing the certificate.

Now for Thunderbird. We first need to import the certificate. In Thunderbird 1.5 go to Tools -> Options -> Privacy (icon) -> Security (tab) and click the View Certificates button. With the Your Certificates tab open, click the Import button. Find the cert you saved. You may be required to create a master password if you haven’t already done so; then you will be asked for the password you used when backing up the cert from Firefox.

Now that it is installed you will need to assign it to the specific account it was created for. Go to Tools -> Account Settings and in the left pane select Security under the correct email account. Under Digital Signing select the certificate. You will be prompted to use the same cert for encryption; go ahead and select OK. Enable the checkbox to digitally sign messages (by default). You are now all set up and ready to digitally sign your emails.

Now when you send out emails, the recipient receives an email that they know has not been tampered with. This does not mean that someone who is piggybacking your network has viewed the message, but it does mean that they have not altered the message. The recipient will also receive a copy of your public key. In Thunderbird, when you receive a digitally signed email the sender's public key is saved. You can view the saved public keys by going to Tools -> Options -> Privacy (icon) -> Security (tab), then selecting the View Certificates button, and then navigating to the Other People's tab. You are able to send encrypted email messages to any email on this list.
Cheers,
Jeremy Moseley
Design Oahu (designoahu.com) <-- Please check out my blog {*.*}
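
The signing and encryption behaviour described in the post above, reproduced with the OpenSSL command line as an added example that is not part of the original post: a signed message stays readable, tampering breaks verification, and the certificate carried in the signature is what a correspondent later encrypts to. It assumes `openssl` is installed; the self-signed certificate, address and messages are constructed stand-ins for the CA-issued certificate and real mail.

```bash
#!/usr/bin/env bash
# Added example: every key, address and message below is constructed for the demo.
set -eu

fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

smime_demo() {
  local d r; d=$(mktemp -d)
  # Stand-in for the CA-issued certificate: a throwaway self-signed 2048-bit one.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Alice Demo/emailAddress=alice@example.test" \
    -keyout "$d/alice.key" -out "$d/alice.crt" 2>/dev/null

  # 1. Sign only. The default output is clear-signed (multipart/signed),
  #    so the body stays readable to anyone who can see the message.
  printf 'Meet at noon\n' > "$d/msg.txt"
  openssl smime -sign -text -in "$d/msg.txt" -signer "$d/alice.crt" \
    -inkey "$d/alice.key" -out "$d/signed.eml" 2>/dev/null
  if grep -q 'Meet at noon' "$d/signed.eml"; then r="signed_body=readable"
  else r="signed_body=hidden"; fi

  # 2. Verify and save the signer certificate carried in the signature.
  #    -noverify skips chain validation only because the demo cert is self-signed.
  if openssl smime -verify -noverify -in "$d/signed.eml" \
      -signer "$d/from_sig.crt" -out /dev/null 2>/dev/null
  then r="$r original=verified"; else r="$r original=rejected"; fi
  if [ "$(fp "$d/alice.crt")" = "$(fp "$d/from_sig.crt")" ]
  then r="$r signer_cert=match"; else r="$r signer_cert=mismatch"; fi

  # 3. Change one word in transit: verification must now fail.
  sed 's/noon/nine/' "$d/signed.eml" > "$d/tampered.eml"
  if openssl smime -verify -noverify -in "$d/tampered.eml" -out /dev/null 2>/dev/null
  then r="$r tampered=verified"; else r="$r tampered=rejected"; fi

  # 4. Encrypt a reply to the certificate learned from the signature;
  #    only the holder of the matching private key can read it.
  printf 'Reply for Alice only\n' > "$d/reply.txt"
  openssl smime -encrypt -aes256 -in "$d/reply.txt" -out "$d/enc.eml" "$d/from_sig.crt"
  if grep -q 'Reply for Alice only' "$d/enc.eml"; then r="$r encrypted_body=readable"
  else r="$r encrypted_body=hidden"; fi
  if [ "$(openssl smime -decrypt -in "$d/enc.eml" -recip "$d/alice.crt" \
        -inkey "$d/alice.key" | tr -d '\r')" = 'Reply for Alice only' ]
  then r="$r decrypted=ok"; else r="$r decrypted=failed"; fi

  rm -rf "$d"
  printf '%s\n' "$r"
}

smime_demo
```

With a certificate issued by a real CA, drop `-noverify` and pass the CA certificate with `-CAfile` so the signer's chain is checked as well.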
Lotus4669
Posts: 10
Joined: August 16th, 2004, 6:05 am

Post by Lotus4669 »

Great post, worked like a charm! Thanks for taking the time to write this.