Using S/MIME in Microsoft Outlook

Software Versions Used in This Document
OS: Microsoft Windows XP Professional, Version 2002, Service Pack
Application: Microsoft Outlook 2002 (10.4712.4219) SP-2
This document provides a tutorial/demonstration of using S/MIME with Microsoft
Outlook. It assumes the user already has Outlook configured and working with normal
email. It also assumes the user already has a PKI certificate and private key suitable for
S/MIME use already in the Windows/Internet Explorer key store.
Configure Your Personal Email Certificates
Send a Signed Message
Read a Signed Message
Check the Credentials of a Signed Message
Send an Encrypted Message
Read an Encrypted Message
Get Certificates for Other Users
Troubleshooting
Configure Your Personal Email Certificates
1. In the main Outlook window, choose the menu item “Tools -> Options…”.
2. Click on the “Security” tab.
3. Make sure the “Send clear text signed message when sending signed messages”
check box is checked as shown above. This improves interoperability with other
mail readers. You can choose other default actions here by checking more boxes,
but you are probably best off starting with just the one box checked and adding
more later, after you know what you want.
4. Click on the “Settings…” button.
5. Make sure all check boxes are checked as above. The bottom one ensures that
others getting signed messages from you will also get your certificate. This
makes it easier for them to send you encrypted messages later.
6. Click on the upper “Choose…” button.
7. Select the appropriate certificate, and click the “OK” button.
8. Make sure the “Encryption Certificate” information is filled in now too, or you
can select a different one now if you have separate signing and encryption
certificates.
9. Click the “OK” button.
10. Click the “OK” button on the “Options” window. You now have your
certificate(s) configured for signing and encryption.
Send a Signed Message
1. Compose a message normally.
2. In the message composition window, choose the menu item “View -> Options…”.
To make this a little more convenient, you can add “Options…” to the toolbar.
Instructions on how to make toolbar changes are beyond the scope of this
document.
3. Click on the “Security Settings…” button.
4. Make sure the “Add digital signature to this message” and “Send this message as
clear text signed” check boxes are checked as shown above. We recommend
checking the “Send this message as clear text signed” as it avoids the “opaque
signature” mode of Outlook which is likely to be unreadable in other mail readers.
Note: the defaults for the top four check boxes are controlled by the settings in the
security options dialog box in the previous section.
5. Click on the “OK” button.
6. Click on the “Close” button in the “Message Options” window.
7. Send the message normally.
8. Provide your PKI certificate/keystore passwords if requested.
Note: At least Outlook 2003 (10.4712.4219) SP-2 sometimes (but not always) crashes
when signing messages with enclosures. If it doesn’t crash, the message is sent fine. If
you are signing messages with enclosures, you should save a draft before sending.
Read a Signed Message
1. Receive a new message. Note that there is unfortunately no indication that it is
signed (yet). This may be due to an interaction with IMAP.
2. Open the message normally.
3. Notice that there is a small red ribbon on the message window. This is Outlook’s
way of telling you that the message is signed. In fact, there is now an even
smaller red ribbon in the “Inbox” window too.
Check the Credentials of a Signed Message
1. Open a signed message.
2. Click on the red ribbon.
3. Notice the “Description:” box states the message is signed and “OK”. This means
Outlook was able to validate that the message’s signature is valid, the contents of
the message haven’t changed since the signature was made, and that the signer’s
certificate was issued by a certificate authority whose root certificate is in the
Windows trusted root certificate store.
4. Click on the “Signer:” line.
5. Notice that this line identifies the sender’s email address and that the
“Description:” box now provides the time and date of the signature (this is usually
just the time and date on the signer’s computer, so keep in mind that it could be
inadvertently or deliberately wrong).
6. Click on the “View Details…” button.
7. Click on the “View Certificate…” button. This invokes the normal Windows
certificate viewer on the sender’s certificate.
8. You can browse through this certificate’s information in this dialog window. A
separate document describes how to do this (see the View a Particular Certificate
section of Using the Windows Certificate Viewer).
9. Click on the “OK” button to close the “View Certificate” window.
10. Click on the “Close” button to close the “Signature” window.
11. In the “Message Security Properties” window, click on the “Edit Trust…” button.
This is really just a shortcut to the “Trust” tab in the same “View Certificate”
window.
12. If you don’t have the sender’s root certificate in the Windows trusted root store,
you can choose to trust the certificate in the future anyway (so the signature will
not be marked as suspect because you don’t trust the sender’s certificate). Or you
can choose to never trust a certificate even if it has a trusted root. Normally you
will have the proper root certificate installed, so you will just use the “Inherit
Trust from Issuer” option without having to do anything. Installing the trusted
root certificate is covered in a separate document. [MJF: add a link here].
13. Click the “OK” Button to close the “View Certificate” window.
14. Click on the “Close” button to close the “Message Security Properties” window.
Send an Encrypted Message
1. Compose a message normally.
2. Choose the menu item “View -> Options…”.
3. Click on the “Security Settings…” button.
4. Make sure the “Encrypt message contents and attachments” check box is checked
as above.
5. Click on “OK”.
6. Click the “Close” button in the “Message Options” window.
7. Send the message normally.
8. Provide your PKI certificate/keystore passwords if requested.
Read an Encrypted Message
1. Receive an encrypted message.
2. Notice that again Outlook doesn’t give any initial indication that this message is
special.
3. Open the message.
4. Notice that there is a small blue padlock on the message window. This is
Outlook’s way of telling you that the message is encrypted. There is now also a
tiny blue padlock in the “Inbox” window.
5. You can click on the blue padlock in the message window, but this usually
doesn’t provide very interesting information unless there is a problem. What you
really care about in an encrypted message is that you were able to decrypt it. And
you already know that it was encrypted with your own certificate or you wouldn’t
be able to decrypt it.
Get Certificates for Other Users
You need certificates for others if you want to send them encrypted email. If you don’t
have a certificate for a particular user, Outlook will either refuse to send them the
message or allow you to override the encryption and send it unencrypted.
You have several alternatives for getting certificates from other users:
1. Have them send you a signed email and put their certificate in your address book.
2. Get their certificates automatically from an LDAP directory.
3. Import their certificate from a .cer file into your address book.
Have them send you a signed email and put their certificate in your address book.
1. Request that the other person send you a signed message. Their mail program
will probably include a certificate with the resulting message.
2. Open the signed message when you get it. Note: I’m using a message I sent to
myself here to avoid exposing someone else’s email address. You don’t need to
import your own certificate into the address book.
3. Click on the sender’s address in the message window so it is highlighted.
4. Right click on the highlighted address and select “Add to Contacts…” from the
menu.
5. Click on the “Certificates” tab.
6. Verify that the user’s certificate is there. You can invoke the Windows certificate
viewer on this certificate if you want to by clicking on the “Properties…” button,
but this is not necessary.
7. Click on “Save and Close” to save (or update if you already have one for this
person) the address book entry with the certificate. Outlook will now find the
certificate for this user when you send mail to them using the address book entry.
Note: if you have multiple entries for the same person, finding the one with the
certificate can be confusing and annoying.
Get their certificates automatically from an LDAP directory.
For this option to work, there must be an LDAP directory server for the users to whom
you wish to send encrypted mail. You must configure Outlook to use that LDAP server
(directory configuration is out of the scope of this document). Once configured properly,
Outlook does a very good job of automatically finding certificates in the directory when
you send encrypted email. When working, this is by far the most convenient and
automatic way to get certificates for others.
Handy hint:
There is an “interaction” between Outlook and some LDAP servers which can make
LDAP lookups fail. At Dartmouth, we found that applying the following registry change
worked like magic to fix this problem. Before you apply the patch, make sure you don’t
have LDAP lookups working already, and then make sure you have at least SP-2 for
Outlook 2002. Then paste the following:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\LDAP]
"NoDisplayNameSearch"=dword:00000001
into a file with a name ending in .reg and double click the file. This worked well at
Dartmouth, but your mileage may vary (and your LDAP lookups may fail for different
reasons anyway).
Import their certificate from a .cer file into your address book.
Most users probably won’t use this technique, but there is an “Import…” button in the
“Certificates” tab in the “Contact” window (see above) which allows you to manually
import a certificate for a user if you have a .cer file that contains it.
Troubleshooting
Here are some common causes of S/MIME troubles in Outlook:
• Certificate not valid
• Certificate not trusted
• Mismatched sending email address and email address in the certificate
As we get more “real user” experience with Outlook and S/MIME, we will add more
specific information in this section.
Modified: 12/8/2003