Sign and Encrypt Your Email

The Digital Certificate

An email certificate is used to verify that the sender of an email message really controls the email address the message is sent from. In other words, if you receive a message from John.Doe@mail.com, the certificate doesn’t tell you who the owner of that address is in real life; rather, it tells you that the message was sent by whoever owns that address. There are several Certification Authorities that issue digital certificates.

We will use certificates from Thawte. Go to their enrollment page and create an account by filling out the form provided after you hit the Join button. Once the account is created, log into the Thawte member site and request a certificate by filling out the form provided when you hit the Request button. Accept the default values on the first four pages of the form. On the fifth page, choose Accept Default Extensions. When moving past the sixth page, a key pair is generated and downloaded to your computer. Accept the last page of the form to send the request to Thawte. They will send you an email message confirming the next step in the process.

You can monitor and download your certificate on their Certificate Request Status page. Initially, the status of your new certificate is “pending.” When the process is finally complete, the certificate’s status changes to “issued.” When the certificate is issued, you can view the details of your certificate and click the Fetch button to download the certificate.

Note: You need a separate certificate for every email address you are using.

Return to Thawte to register additional email addresses and download certificates for each in turn, following the steps outlined in this section.

Signatures and Encryption in Mail

A signed message allows you to validate the integrity of the message (i.e., make sure it has not been tampered with since it was signed by the sender) and the identity of the sender. The message, however, is still delivered in clear text, unless it’s also encrypted. An encrypted message protects the body of the message from prying eyes, but it is not signed unless you explicitly sign it.

To send a signed email message, simply click the Sign button in the new message window. Similarly, to send an encrypted message, click the Encrypt button.

You should always select both buttons if they’re available, unless the recipient of the message has explicitly requested not to receive signed or encrypted messages. They might be using a mail client that doesn’t support encryption and signatures—a PDA or smartphone, for instance.

If you have a certificate, you can send signed messages to anyone, but you can send encrypted messages only when both you and all recipients of the message have certificates.

Your mail client needs the recipients’ certificates to encrypt the outgoing message. It also requires that you, and not only the recipients, have a certificate before it will send encrypted mail: the message is encrypted to your own certificate as well, and without that you wouldn’t be able to read your sent encrypted messages later. The easiest way to let your mail client know that a recipient has a certificate, and to give your mail client access to that certificate, is to have that recipient first send you a signed message (not encrypted, just signed). Your mail client should automatically store the certificates it receives for future reference.

Once both you and your recipient have each other’s public certificates, you can sign and encrypt all correspondence between the two of you.