Use S/MIME to encrypt and sign messages on OS X

Source: Internet
Author: User
Tags: gnupg, mail, account, mozilla, thunderbird

Message security deserves particular attention, and I have seen more than one complaint about mail being leaked, tampered with, or forged, such as:

No matter what your occupation, learning to encrypt your mail and digitally sign your messages, so that nobody but the intended recipient can read them and any malicious tampering is detected, is a skill everyone should master. This article describes using S/MIME certificates on OS X to encrypt and digitally sign messages. Compared with GnuPG, this is more lightweight: sending and receiving encrypted mail with GnuPG requires installing additional plugins, and GnuPG is almost unusable on mobile devices, while many people habitually read and send mail on their phones, and the mail clients on iOS and Android already have S/MIME support built in.

As for the "complaints about mail being leaked, tampered with, or forged" mentioned above, here is one archived example:

The environment or tools mentioned in the article:

    • OS X Mavericks
    • Apple Keychain Access Utility 9.0
    • Mozilla Thunderbird 31.3.0
    • Apple Mail 7.3
    • Google Chrome 39.x

Request an S/MIME certificate from a CA

If you already have an S/MIME certificate issued by a trusted CA, such as VeriSign or digisign, you can skip this section. Note also that self-signed certificates created with the Keychain Access tool can only be used to sign messages, not to encrypt them.

Before you can start encrypting and signing messages with S/MIME, you need to request an S/MIME certificate from a certification authority (Certificate Authority, CA). Some commercial CAs, such as Comodo Limited, issue S/MIME certificates to individual users free of charge; in this article I will use an S/MIME certificate issued by Comodo Limited.

You can apply for an S/MIME certificate here for free.

Click the Get Now button to fill in the form:

The form asks you to fill in a few items: First Name, Last Name, Email Address and Country. These will appear as attributes in the certificate issued to you, so fill them in carefully.

Those who have used encryption software such as GnuPG may be familiar with the Revocation Password. In GnuPG, when you believe your private key has been compromised, you can revoke your public key; once you have done so, anyone who holds your public key will see, after refreshing it from the key server, that it has been revoked (usually with a revocation reason), and so know that the key is compromised and no longer safe to use. The revocation password of an S/MIME certificate serves the same purpose: if you later believe the certificate's secret material (such as the private key) has been compromised, the certificate can be revoked, and to ensure that only you can perform the revocation, the revocation password is required. The revocation password should be completely different from the passwords you use for any other service.

Finally, I recommend not ticking the check box named Comodo Newsletter; advertising mail from commercial companies is very annoying, as you know.

Once everything is confirmed, click Next and get ready to collect your own S/MIME certificate.

After you click Next, a page like this may appear:

Don't worry: refresh the browser, and when Chrome asks you to confirm resubmitting the form, select Continue.

When the form is submitted successfully, you will see this page:

The certificate has been applied for successfully, and instructions for collecting it are sent to the email address you entered in the form. Check that inbox and you will see a message titled "Your Certificate is ready for collection!":

Click the big red Click to Install Comodo Email Certificate button; you are taken back to your browser, where you will see:

"The client certificate issued by COMODO RSA Client Authentication and Secure Email CA has been successfully stored". This means the system has automatically stored the S/MIME certificate issued to you in the local certificate database. On OS X, certificates are stored by Keychain Services; open Keychain Access and you will find the newly issued S/MIME certificate in your default keychain (the login keychain by default on OS X):

Building a chain of trust for the S/MIME certificate

You may have noticed that evaluating the S/MIME certificate you just obtained gives the result "The certificate is signed by an unknown authority":

This is because the intermediate certificates or root certificate used to sign the S/MIME certificate are not present in the keychain, so the complete chain of trust cannot be built.

When a complete chain of trust cannot be built, the certificate cannot be used to encrypt messages.

If your certificate evaluates to "This certificate is valid", the intermediate and root certificates needed to build the chain of trust are already in the keychain, and you can skip this section.

Building the chain of trust with your S/MIME certificate as the leaf requires at least three intermediate certificates:

    • COMODO RSA Certification Authority

    • COMODO RSA Client authentication and Secure Email CA

    • COMODO Client authentication and Secure Email CA

You also need a root certificate:

    • AddTrust External CA Root

Click the corresponding links to download the certificates, then double-click each one to add it to the current keychain automatically. The AddTrust External CA Root certificate is usually pre-installed in the System Roots keychain; you can search for it in the system root certificate list in Keychain Access, and if it is not there, download and add it.

To be safe, I recommend downloading and installing all four certificates above; if a certificate already exists in the keychain, the installation is simply ignored.

Once you have installed these four certificates, you will see that the evaluation of your newly issued S/MIME certificate has turned green, "This certificate is valid", and the structure of the entire certificate chain is shown:

This means a complete certificate chain has been built for your S/MIME certificate, and it is ready to do its job.

Using S/MIME certificates to encrypt and sign messages in OS X's built-in Mail

Once you have built a complete chain of trust, you can begin encrypting and signing messages with that S/MIME certificate.

This section demonstrates encrypting and signing messages with S/MIME certificates in Apple Mail; if you are a Thunderbird user and are not interested in Apple Mail, you can skip this section.

OS X ships with a mail application (its name, Mail, is so terse that it is ambiguous, so it is referred to as Mail.app below). Mail.app has built-in S/MIME support, and the advantage of using it for S/MIME mail is that it is very easy and needs no extra configuration. The price is that it is barely customizable: the Mail.app Preferences panel does not contain a single S/MIME-related setting.

Nevertheless, Mail.app is undoubtedly the best choice for users without a technical background who want the benefits of encrypted mail.

Note: because I have not managed to configure my Openmailbox.org mailbox in Mail.app, in this section I will use the mailbox [email protected] and the S/MIME certificate for that mailbox for the demonstration. The sender is [email protected] and the receiver is [email protected].

Create a new message in Mail.app and compose a message as usual:

Notice that the three controls in the red box are grayed out (disabled). This is because the current default keychain contains no S/MIME certificate matching the sender ([email protected]): Mail.app automatically chooses the certificate to encrypt with by matching the email address in the S/MIME certificate against the sender, and since there is no matching certificate, it cannot encrypt.

Now add my S/MIME certificate to the keychain (double-clicking the certificate file in OS X lets you add it to the keychain) and restart Mail.app (this step is required); the S/MIME switch turns blue (enabled), and the encrypt and sign buttons also become available:

Note that the S/MIME certificate used to encrypt and sign your own messages must contain both the public and the private key, that is, it must be your own certificate; a certificate that has only a public key and no private key (such as a friend's public key certificate) cannot be used as your own sending certificate.

Also, to encrypt a message to the other party you must have their S/MIME public key certificate in your keychain, either exported and given to you by your friend or obtained from the Internet. Without the other party's public key certificate, encryption is impossible and the small lock button stays disabled, but you can still sign. You can experiment with the various combinations yourself.

When the person receives the message, they will see:

Signed and Encrypted in the Security line indicate that the message was both encrypted and signed. Now you can log in to the web version of your mailbox and confirm that these encrypted messages cannot be read there; only the mail client holding the private key of your S/MIME certificate can decrypt them.

Encrypt and sign messages using S/MIME certificates in Mozilla Thunderbird

Now to the most important part, and the main reason for writing this article. The author is a loyal Mozilla Thunderbird user, but because of some design decisions shared by Firefox and Thunderbird, getting Thunderbird to encrypt mail with S/MIME took a few twists and turns.

Thunderbird is without doubt the most powerful mail client, with built-in S/MIME support and a high degree of customization. But Thunderbird, like its sibling Firefox, has a problem that many users, especially OS X users, complain about: it does not use OS X's Keychain Services to manage passwords and certificates, but implements its own password and certificate manager. Re-implementing them was probably easier for cross-platform support than integrating with each platform, but it creates a big problem: Thunderbird cannot share passwords and certificates with other applications on OS X.

This is the reason I had "quite a lot of trouble": I fell into this trap, and it took me a long time to climb out.

First, open the Account Settings panel for the current mailbox:

Select the Security entry for the current account:

As mentioned earlier, Thunderbird does not use Keychain Services to manage passwords and certificates, so we have to repeat every step of building the certificate's chain of trust in Thunderbird's own Certificate Manager.

Select View Certificates to open the Certificate Manager:

Add your own S/MIME certificate (first export it from Keychain Access, a simple step I will not repeat) by importing it into the Your Certificates list:

Click Import:

Import succeeded:

Next, you would import the other party's public key certificate into the People list:

However, it cannot be imported yet; you will see this error:

This is a difference between Thunderbird's Certificate Manager and Keychain Access. As seen earlier, Keychain Access freely imports a certificate that is not trusted, merely showing the evaluation result in red: "The certificate was signed by an unknown authority". Thunderbird's Certificate Manager does not: a certificate you import must have a complete chain of trust in the current certificate database, that is, it must be possible to trace a path from that certificate to a trusted root certificate.

So before importing other people's certificates, we must import the 3 intermediate certificates and 1 root certificate mentioned earlier into Thunderbird's own Certificate Manager:

Switch to the Authorities list:

Click the Import button and import the three intermediate certificates previously exported from Keychain Access:

Tick all three options:

At the same time, look under the 'C' entries of the Authorities list for the AddTrust External CA Root root certificate; if it is not there, export and import it with the same steps as above.

Now that we have built a complete chain of trust in Thunderbird's own Certificate Manager for the free personal S/MIME certificate issued by Comodo Limited, you can re-import the recipient's public key certificate:

Successfully imported.

Another difference from Keychain Access that you need to keep in mind:

In Certificate Manager:

    • Your own S/MIME certificate must be imported into Your Certificates, and the Import dialog for that list only accepts the certificate format that includes the private key: PKCS#12 (.p12);

    • Other people's S/MIME certificates (containing only their public key) can only be imported into the People list, and the Import dialog for that list only accepts the public-key-only certificate format: Certificate (.crt);

    • The intermediate certificates must be imported into the Authorities list.

Keychain Access makes no such distinctions; you can import any type of certificate into the same keychain.
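The two file formats in the list above can be produced with openssl, which is handy when the Keychain Access export is not in the form Thunderbird wants. The script below is an added example, not code from the article; it assumes the openssl command-line tool (1.1.1 or newer) and uses a constructed self-signed certificate for user@example.invalid as a stand-in for the personal certificate in the keychain. It writes the PKCS#12 (.p12) bundle with the private key for the Your Certificates list and the public-key-only .crt for a correspondent's People list, and checks that the .crt really carries no key material.

```shell
#!/bin/sh
# Added example, not code from the article: produce the two formats Thunderbird's
# Certificate Manager distinguishes. me.p12 = certificate + private key (Your Certificates),
# me.crt = public key only (People). The certificate and address are constructed stand-ins;
# requires the openssl CLI (1.1.1 or newer).
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed stand-in for the personal certificate already in the keychain.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Demo User/emailAddress=user@example.invalid" \
  -keyout me.key -out me.pem 2>/dev/null

# Bundle certificate + private key into a password-protected PKCS#12 (-> Your Certificates).
# The export password is what Thunderbird prompts for during import.
export_p12() {
  openssl pkcs12 -export -in me.pem -inkey me.key -name "Demo S/MIME" \
    -passout pass:demo-export -out me.p12
}

# Strip the private key: the public part you hand to correspondents (-> their People list).
export_public_crt() {
  openssl pkcs12 -in me.p12 -clcerts -nokeys -passin pass:demo-export 2>/dev/null \
    | openssl x509 -out me.crt
}

# Checks: the .crt must carry no key material, the .p12 must still contain the key.
crt_has_private_key() { grep -q 'PRIVATE KEY' me.crt && echo yes || echo no; }
p12_has_private_key() {
  openssl pkcs12 -in me.p12 -nocerts -nodes -passin pass:demo-export 2>/dev/null \
    | grep -q 'PRIVATE KEY' && echo yes || echo no
}

# The address the mail client matches against the account when choosing this certificate.
crt_email() {
  openssl x509 -in me.crt -noout -subject | sed -n 's/.*emailAddress *= *\([^,/]*\).*/\1/p'
}

export_p12
export_public_crt
echo "me.p12 contains private key: $(p12_has_private_key)"   # yes
echo "me.crt contains private key: $(crt_has_private_key)"   # no
echo "me.crt is issued to: $(crt_email)"
```

Hand out only me.crt; me.p12 stays on your own machines, because whoever holds it can both decrypt your mail and sign as you.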

You can now use Thunderbird to encrypt and sign mail. First, set the S/MIME certificate that your email account uses by default for digital signing:

Select the S/MIME certificate you just requested:

Do you want to use the same certificate for encryption and signing? Select Yes:

The same certificate used for digital signing has now also been set for encryption:

As for whether to enable encrypt-by-default and sign-by-default, and which combination of the two, that depends on your taste.

Now write an e-mail as you normally would with Thunderbird:

Select both Encrypt This Message and Digitally Sign This Message to encrypt and sign the message at the same time. The encryption and signing status is shown in the lower-right corner:

Click the two small icons to toggle them on or off.

Check inbox for [email protected]:

The two icons in the upper right corner indicate that the message was encrypted and signed before it was sent. Click them to view the sender's certificate information and the status of the message's signature, that is, whether the signed message was tampered with, maliciously or accidentally:

When you want the other party to send you S/MIME encrypted messages, export the public key portion of your S/MIME certificate so that they can store it in their own certificate database. As for the public key exchange problem, GnuPG solves it easily with public key servers, but I am not clear what the S/MIME solution is and have not tried it.

Use S/MIME on mobile devices

This article is dedicated to S/MIME on OS X; for using S/MIME on iOS, refer to this article.

Summary

To test S/MIME encryption, last night I tested 15 mail clients on OS X, 10 on Android, and 2 on Windows.

Apart from Thunderbird and Windows Live Mail from the Windows Essentials suite, the other clients had poor or no S/MIME support. The OS X clients, led by Mail.app, belong to this category: S/MIME works almost out of the box, but it is very primitive and simple; there are not even any S/MIME settings in the Preferences panel, and the choice of certificate when encrypting a message relies entirely on the certificate's email attribute matching the sender's mailbox: if they match it is used, if not it cannot be used. Thunderbird, on the other hand, offers a number of S/MIME customization features (rules) that you can adjust to your taste, such as using a certificate issued for a different name with a mailbox, which Mail.app cannot do.

The two mail clients discussed in this article represent the two design approaches; other clients are configured in the same way as one of them.

In any case, it is important to encrypt and sign your email. Whenever and wherever you are, remember: Big Brother is watching.

Contact Me

The files used in this article have been packaged and can be downloaded here.

If you encounter any problems, you can send me an email: [Email protected] or DM me on Twitter: @NSTongG

If you use GnuPG, you can also send me encrypted data; my GnuPG public key is 0x67b9e95236924648, which you can retrieve from a public key server.

Blog:http://nstongg.tumblr.com

Github:https://github.com/tongg
