Using S/MIME in Microsoft Outlook - Dartmouth College



Using S/MIME in Microsoft Outlook

Software Versions Used in This Document

| OS          | Microsoft Windows XP Professional, Version 2002, Service Pack |
| Application | Microsoft Outlook 2002 (10.4712.4219) SP-2                    |

This document provides a tutorial/demonstration of using S/MIME with Microsoft Outlook. It assumes the user already has Outlook configured and working with normal email. It also assumes the user already has a PKI certificate and private key suitable for S/MIME use in the Windows/Internet Explorer key store.

Configure Your Personal Email Certificates
Send a Signed Message
Read a Signed Message
Check the Credentials of a Signed Message
Send an Encrypted Message
Read an Encrypted Message
Get Certificates for Other Users
Troubleshooting

Configure Your Personal Email Certificates

1. In the main Outlook window, choose the menu item “Tools -> Options…”.

[pic]

2. Click on the “Security” tab.

[pic]

3. Make sure the “Send clear text signed message when sending signed messages” check box is checked as shown above. This improves interoperability with other mail readers. You can choose other default actions here by checking more boxes, but you are probably best off starting with just the one box checked and adding more later, once you know what you want.

4. Click on the “Settings…” button.

[pic]

5. Make sure all check boxes are checked as above. The bottom one ensures that others getting signed messages from you will also get your certificate. This makes it easier for them to send you encrypted messages later.

6. Click on the upper “Choose…” button.

[pic]

7. Select the appropriate certificate, and click the “OK” button.

[pic]

8. Make sure the “Encryption Certificate” information is now filled in too. If you have separate signing and encryption certificates, select the encryption certificate here.

9. Click the “OK” button.

10. Click the “OK” button on the “Options” window. You now have your certificate(s) configured for signing and encryption.

Send a Signed Message

1. Compose a message normally.

[pic]

2. In the message composition window, choose the menu item “View -> Options…”. To make this a little more convenient, you can add “Options…” to the toolbar. Instructions on how to make toolbar changes are beyond the scope of this document.

[pic]

3. Click on the “Security Settings…” button.

[pic]

4. Make sure the “Add digital signature to this message” and “Send this message as clear text signed” check boxes are checked as shown above. We recommend checking “Send this message as clear text signed” because it avoids Outlook’s “opaque signature” mode (a single application/pkcs7-mime body instead of a multipart/signed message), which is likely to be unreadable in other mail readers. Note: the defaults for the top four check boxes are controlled by the settings in the security options dialog box described in the previous section.

5. Click on the “OK” button.

6. Click on the “Close” button in the “Message Options” window.

7. Send the message normally.

8. Provide your PKI certificate/keystore passwords if requested.

Note: At least Outlook 2003 (10.4712.4219) SP-2 sometimes (but not always) crashes when signing messages with enclosures. If it doesn’t crash, the message is sent fine. If you are signing messages with enclosures, you should save a draft before sending.

Read a Signed Message

1. Receive a new message. Note that there is unfortunately no indication that it is signed (yet). This may be due to an interaction with IMAP.

[pic]

2. Open the message normally.

[pic]

3. Notice that there is a small red ribbon on the message window. This is Outlook’s way of telling you that the message is signed. In fact, there is now an even smaller red ribbon in the “Inbox” window too.

[pic]

Check the Credentials of a Signed Message

1. Open a signed message.

[pic]

2. Click on the red ribbon.

[pic]

3. Notice the “Description:” box states the message is signed and “OK”. This means Outlook was able to validate that the message’s signature is valid, the contents of the message haven’t changed since the signature was made, and that the signer’s certificate was issued by a certificate authority whose root certificate is in the Windows trusted root certificate store.

4. Click on the “Signer:” line.

[pic]

5. Notice that this line identifies the sender’s email address and that the “Description:” box now provides the time and date of the signature (this is usually just the time and date on the signer’s computer, so keep in mind that it could be inadvertently or deliberately wrong).

6. Click on the “View Details…” button.

[pic]

7. Click on the “View Certificate…” button. This invokes the normal Windows certificate viewer on the sender’s certificate.

[pic]

8. You can browse through this certificate’s information in this dialog window. A separate document describes how to do this (see the View a Particular Certificate section of Using the Windows Certificate Viewer).

9. Click on the “OK” button to close the “View Certificate” window.

10. Click on the “Close” button to close the “Signature” window.

11. In the “Message Security Properties” window, click on the “Edit Trust…” button. This is really just a shortcut to the “Trust” tab in the same “View Certificate” window.

[pic]

12. If you don’t have the sender’s root certificate in the Windows trusted root store, you can choose to trust the certificate in the future anyway (so the signature will not be marked as suspect because you don’t trust the sender’s certificate). Or you can choose to never trust a certificate even if it has a trusted root. Normally you will have the proper root certificate installed, so you will just use the “Inherit Trust from Issuer” option without having to do anything. Installing the trusted root certificate is covered in a separate document. [MJF: add a link here].

13. Click the “OK” Button to close the “View Certificate” window.

14. Click on the “Close” button to close the “Message Security Properties” window.

Send an Encrypted Message

1. Compose a message normally.

[pic]

2. In the message composition window, choose the menu item “View -> Options…”.

[pic]

3. Click on the “Security Settings…” button.

[pic]

4. Make sure the “Encrypt message contents and attachments” check box is checked as above.

5. Click on “OK”.

6. Click the “Close” button in the “Message Options” window.

7. Send the message normally.

8. Provide your PKI certificate/keystore passwords if requested.

Read an Encrypted Message

1. Receive an encrypted message.

[pic]

2. Notice that again Outlook doesn’t give any initial indication that this message is special.

3. Open the message.

[pic]

4. Notice that there is a small blue padlock on the message window. This is Outlook’s way of telling you that the message is encrypted. A tiny blue padlock now also appears in the “Inbox” window.

[pic]

5. You can click on the blue padlock in the message window, but this usually doesn’t provide very interesting information unless there is a problem. What you really care about in an encrypted message is that you were able to decrypt it. And you already know that it was encrypted with your own certificate or you wouldn’t be able to decrypt it.

Get Certificates for Other Users

You need certificates for others if you want to send them encrypted email. If you don’t have a certificate for a particular user, Outlook will either refuse to send them the message or allow you to override the encryption and send it unencrypted.

You have several alternatives for getting certificates from other users:

1. Have them send you a signed email and put their certificate in your address book.

2. Get their certificates automatically from an LDAP directory.

3. Import their certificate from a .cer file into your address book.

Have them send you a signed email and put their certificate in your address book.

1. Request that the other person send you a signed message. Their mail program will probably include a certificate with the resulting message.

2. Open the signed message when you get it. Note: I’m using a message I sent to myself here to avoid exposing someone else’s email address. You don’t need to import your own certificate into the address book.

[pic]

3. Click on the sender’s address in the message window so it is highlighted.

[pic]

4. Right click on the highlighted address and select “Add to Contacts…” from the menu.

[pic]

5. Click on the “Certificates” tab.

[pic]

6. Verify that the user’s certificate is there. You can invoke the Windows certificate viewer on this certificate if you want to by clicking on the “Properties…” button, but this is not necessary.

7. Click on “Save and Close” to save (or update if you already have one for this person) the address book entry with the certificate. Outlook will now find the certificate for this user when you send mail to them using the address book entry. Note: if you have multiple entries for the same person, finding the one with the certificate can be confusing and annoying.

Get their certificates automatically from an LDAP directory.

For this option to work, there must be an LDAP directory server for the users to whom you wish to send encrypted mail. You must configure Outlook to use that LDAP server (directory configuration is out of the scope of this document). Once configured properly, Outlook does a very good job of automatically finding certificates in the directory when you send encrypted email. When working, this is by far the most convenient and automatic way to get certificates for others.

Handy hint:

There is an “interaction” between Outlook and some LDAP servers which can make LDAP lookups fail. At Dartmouth, we found that applying the following registry change worked like magic to fix this problem. Before you apply the patch, make sure you don’t have LDAP lookups working already, and then make sure you have at least SP-2 for Outlook 2002. Then paste the following:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\LDAP]

"NoDisplayNameSearch"=dword:00000001

into a file with a name ending in .reg and double click the file. This worked well at Dartmouth, but your mileage may vary (and your LDAP lookups may fail for different reasons anyway).

Import their certificate from a .cer file into your address book.

Most users probably won’t use this technique, but there is an “Import…” button in the “Certificates” tab in the “Contact” window (see above) which allows you to manually import a certificate for a user if you have a .cer file that contains it.

Troubleshooting

Here are some common causes of S/MIME troubles in Outlook:

• Certificate not valid

• Certificate not trusted

• Mismatched sending email address and email address in the certificate

As we get more “real user” experience with Outlook and S/MIME, we will add more specific information in this section.
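These three causes are the same conditions behind the “OK” verdict described in the Check the Credentials section (signature valid, chain to a trusted root, sender address matching the certificate). The script below is an added example, not part of the Dartmouth document or of Outlook; it assumes the openssl command-line tool is installed, generates constructed certificates (a root CA, an unrelated CA, and a one-year certificate for the made-up address alice@example.edu) in a temporary directory, and runs each check against them.

```shell
#!/bin/sh
# Added example (not from the Dartmouth document): the three troubleshooting
# checks run with the openssl CLI against constructed test certificates.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material (no real Dartmouth certificates): a root CA, an
# unrelated CA, and a one-year S/MIME certificate for alice@example.edu.
gen_ca() { # gen_ca COMMON_NAME OUTPUT_BASENAME
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 3650 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}
gen_ca "Example Root CA" "$WORK/root"
gen_ca "Some Other CA" "$WORK/other"
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -subj "/CN=alice@example.edu" -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
printf 'subjectAltName=email:alice@example.edu\nextendedKeyUsage=emailProtection\n' >"$WORK/smime.ext"
openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -extfile "$WORK/smime.ext" -out "$WORK/alice.pem" 2>/dev/null

# diagnose CERT.pem ROOT.pem SENDER_ADDRESS: print each of the three causes that
# applies to the sender's certificate; return 1 if any applies, 0 if all checks pass.
diagnose() {
  rc=0
  # 1. Certificate not valid: the certificate has expired (checkend 0 = "expires now").
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "certificate not valid"; rc=1; }
  # 2. Certificate not trusted: no chain from the certificate to a root in the given store.
  openssl verify -purpose smimesign -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "certificate not trusted"; rc=1; }
  # 3. Sending address not among the certificate's rfc822Name / emailAddress values.
  openssl x509 -in "$1" -noout -email | grep -qiFx -- "$3" || { echo "mismatched sending email address"; rc=1; }
  return $rc
}

diagnose "$WORK/alice.pem" "$WORK/root.pem" alice@example.edu && echo "all checks pass"
diagnose "$WORK/alice.pem" "$WORK/other.pem" bob@example.edu || true
```

To run the checks on a real sender certificate, export it from the Windows certificate viewer as a Base-64 encoded X.509 (.CER) file, which openssl reads as PEM, and pass your trusted root certificate in the same format.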

Modified: 12/8/2003
