S/MIME Secure Email - A Beginner's Guide
By: Mark Noble
This document was created based on about five years of using S/MIME digital signatures
and encryption in my day-to-day activities. It will serve as a primer for anyone
who wishes to ensure the integrity of their online communications. I will focus
on two free digital ID providers, how to get started, my experiences in participating
in Thawte's "Web of Trust", and some drawbacks encountered with using S/MIME as
well. I will also discuss S/MIME security, and compare S/MIME to some other email
signing and encryption technologies in wide use today.
S/MIME (short for "Secure/MIME") is a version of the MIME protocol that supports
encryption of email messages and their contents by way of RSA's public-key encryption
technology. S/MIME was created in 1995 by a group of software vendors to prevent
interception and forgery of e-mail, and since it builds on the existing MIME protocol
standard, it can be easily integrated into existing e-mail and messaging products.
Since S/MIME was based on existing widely supported standards, it is likely to continue
to be widely implemented across a variety of operating systems and e-mail clients.
For this reason, it is possible for a Windows operating system user with the Outlook
email client to send a secure, digitally signed email to a Unix operating system
user with the Netscape Messenger email client (for example) without installing any
To start using S/MIME, you will first need an email client that supports
S/MIME. Since most people seem to use Outlook and Outlook Express, I will focus
on these two email clients on the Windows operating system. I have also successfully
configured and used S/MIME with the Netscape Messenger (part of Netscape Communicator)
email client while using the Solaris operating system. Once you have installed your
email client, you are ready to select a digital ID provider.
S/MIME Supporting Email Clients
Some popular email clients that support S/MIME are:
- Microsoft Outlook (Windows)
- Microsoft Outlook Express (Windows)
- Mozilla Thunderbird (Linux, Mac OS X, Windows, Solaris)
- Netscape Communicator (Windows, Solaris)
- Mail (Mac OS X)
Free Digital ID Providers
There are two popular providers of digital IDs that offer free IDs for personal
use with email.
Since I have been using a Thawte digital ID for over a year now, I will focus on
configuring S/MIME using a Thawte ID and add detailed instructions for using an
InstantSSL ID later.
Certificates issued by Thawte say "Thawte Freemail Member" when opened, but by participating
in the Thawte Web Of Trust (WOT), users can have their name added to their digital
ID and included in their certificates for added trust and security. To do this,
Thawte uses a system of points to establish trust. The points are on a scale of
0 to 100 and are obtained by seeking out Thawte Notaries who will confirm your identity
and issue points to you via the Thawte website. Once a user obtains 50 points, new
certificates issued are signed with their name. By continuing the process, a Thawte
ID holder can become trusted enough to notarize IDs themselves. To achieve notary
status, a user must be verified by no fewer than three Thawte Notaries.
Obtaining Your Thawte ID
To request a Thawte ID, you will need to have a government issued photo ID or Passport.
Your government has verified your identity, and the Thawte WOT will build on that.
Each time you have your digital ID notarized, you will need to display your government
issued photo ID so that the notary can compare your appearance to the photo on the
ID and also examine the ID so they are reasonably certain that the photo ID is
legitimate. The person requesting the digital ID must also be at least 13 years
To set up your digital ID, start by visiting the Thawte website at the following
- Start at the
Thawte Personal Email Security web page.
- Select the "join" button on the left-hand side.
- Read the terms and conditions and click "next".
- Provide your Surname, Given Name, Date of Birth, and
Nationality, then click "next".
- Provide your national identification card number in
the field provided, and select the type of identification. Finally, enter your email
address. The email address you provide will serve as your Thawte username. Click
- Set your language and charset preference, then click
- After reading about password security, set your personal
password, confirm it, and click "next".
- After reading about phone numbers, enter a telephone
number where you can be reached in the event that you lose your password. Move on
to read about question and answer pairs (used for retrieving forgotten passwords),
fill out your answers, and click "next".
- Confirm your enrollment information, and click "next".
To complete the process, you will need to follow the instructions sent to you via
email by Thawte.
Requesting Thawte Certificates
After creating your Thawte ID, you are ready to request a certificate. This certificate
stems from your original Thawte ID, but is unique and applies only to one email
address, on one email client, on one computer.
- Start at the
Thawte Personal Email Security web page.
- Login (the button is on the left) using the username
and password you used to request your Thawte digital ID.
- In the menu on the left, select "My Emails"
- Next, select "New Email Address" on the left menu and
follow the instructions.
- Now select "Certificates" on the left.
- Select "Request A Certificate"
- Click the request button and follow the instructions.
- Select your email client and click “request”.
- Click next when asked to set employment information.
- Select the email addresses to be associated with this cert (for Outlook Express
compatibility, select only one address per cert) and click “next”
- Click “next” in the “Strong Extranet Identities” window.
- On the “Accept Default Extensions” screen, click “accept”.
- Select your certificate provider (I use the default) and click the “Next >” button.
- In some browsers, you will now see a warning that the web site is requesting a new
certificate for you – since this is to be expected, approve the request. In Internet
Explorer, you can do so by clicking “Yes”.
- You will see a pop-up window with a button labeled “Set Security Level…”, click
this button and select the “High” security level. Setting to High requires a password
each time the certificate is used. Click the “Next >” button.
NOTE: The default is low/medium security. By setting the security level of your
certificate to "high", you will be required to type your password every time an
email is encrypted or signed (after you get used to this, it really isn't as annoying
as it might seem - and it has saved me a few times from accidentally sending unfinished
- Now you must create a password for this certificate and type it into the provided
Password field. You will need to retype it in the Confirm field to ensure that you
have typed the password correctly.
- Click the “Finish” button.
- Next click the “OK” button.
- Finally click “finish”.
- Click “next” to return to the Certificate Manager page.
- Thawte will email you once your cert is ready for download
(it usually takes only a few minutes).
Installing Thawte Certificates
- The email should explain where to download it. Essentially
you go to the Thawte web site ("View Certificate Status" under the "Certificates"
menu when logged in - if you get lost) and click a link. A message box appears and
says it's installing the cert.
- Go into your mail client and compose an email. If you
are using Outlook, you can set the message security in the message options (there
is a button when composing). If you're using Outlook Express, it's in the Tools
menu. You should be able to send me a signed and encrypted message right off the
Configuring Your Mail Client
You may wish to make some small changes to your email client for a better S/MIME
Signing All Outbound Messages
- Tools > Options…
- Click the “Security” tab.
- Check the “Add digital signature to outgoing messages”
- Also check the “Send clear text signed message when
sending signed messages”.
Back-up your Certificates
- Click the “Import/Export…” button.
- Select the “Export your Digital ID to a file” radio
- Click the “Select…” button.
- Choose the Certificates you wish to export from the
list, then click the “OK” button.
- In the “Filename” field, type a filename for your exported
- To protect your exported certificates, enter a password
- Click the “OK” button again.
- You will need to enter the password for your certificate
at this time and click “OK” (do not check the “Remember password” checkbox – this
will defeat the “High” level of security on your certificate).
- Click the “OK” button.
Adding Buttons (Turn off Word as Editor)
- Go to Tools > Options > Mail Format (Tab)
- Uncheck “Use Word to edit email messages”
- Click “OK”
- Create a new email message…
- Right-click on the toolbar and click “Customize”
- Select the “Commands” tab, and select the “Standard”
category of commands.
- In the “Commands:” window, you will see two buttons
near the bottom.
- One is an envelope with a red seal, the other is an
envelope with a blue lock.
- Drag each of these into your toolbar (to a place you
like – I put mine just before the “Options” button).
- Click “Close”.
- You should now have two buttons on your toolbar.
Sending Signed Email by Default
- Go to Tools > Options > Security (Tab)
- Check “Add digital signature to outgoing messages”
- Check “Send clear text signed message when sending signed
(NOTE: If you do not send messages as cleartext signed, users without an S/MIME
supporting email client will be unable to read them – they will look like an encrypted
- Click “OK”
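The reason the "clear text signed" option matters is the MIME layout it produces: a clear-signed message is multipart/signed with the readable text as its first part, while an opaque-signed message wraps text and signature together in one application/pkcs7-mime blob. The following is an added illustration, not part of the original guide; the two sample messages are constructed, and their base64 bodies are placeholders rather than real CMS signatures.

```python
"""Show what a client WITHOUT S/MIME support can still display for each form."""
from email import message_from_string
from typing import Optional

# Constructed clear-text signed message (multipart/signed, RFC 1847 layout).
CLEAR_SIGNED = """\
From: alice@example.test
To: bob@example.test
Subject: status
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Meet at 10:00 tomorrow.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVJfU0lHTkFUVVJF
--b1--
"""

# Constructed opaque signed message: text and signature are inside one blob.
OPAQUE_SIGNED = """\
From: alice@example.test
To: bob@example.test
Subject: status
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVJfQ01T
"""

def smime_kind(raw: str) -> str:
    """Classify a message by its top-level S/MIME content type."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return "clear-signed"
    if ctype == "application/pkcs7-mime":
        return msg.get_param("smime-type") or "unknown"   # signed-data / enveloped-data
    return "plain"

def readable_without_smime(raw: str) -> Optional[str]:
    """Text a non-S/MIME client can still show; None means only an smime.p7m attachment."""
    msg = message_from_string(raw)
    if msg.get_content_type() == "application/pkcs7-mime":
        return None
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("ascii").strip()
    return None
```

For the opaque form, the recipient sees nothing but an attachment, which is exactly why it is mistaken for an encrypted message.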
When a user sends their new cert after their old cert expires, you need to open
their contact, go to “Digital ID’s” and set their new cert as default – otherwise
the old cert will be used.
Drawbacks / Known Issues
Some people are Internet novices – yet they still have an S/MIME compliant email
client. Most clients make it easy to reply to signed and encrypted emails by setting
the reply message to be signed or encrypted by default.
If you try to reply by way of a signed message, even though you don’t have a digital
ID, you’ll probably get a warning that you can’t send digitally signed messages.
In Outlook Express, the message is as follows:
Outlook Express Mail
“You cannot send digitally signed messages because you do not have a digital ID for this account.”
[Get Digital ID] [Cancel]
Some users will interpret this as “An Error Message” and that they “Cannot reply
to your emails”. If they use Outlook Express, they can reply to your message as
they normally would, but first they must go to “Tools” in the File menu and uncheck
the “Digitally Sign” option for the reply email.
- No Support for Certs with Multiple Email Addresses:
Normally, users would only need one certificate for each email client/computer combination
- but due to a problem with the way Outlook Express interprets digital IDs, it
is best to create a new one for each email address as well for maximum compatibility.
- Limited support for posting signed messages in NNTP
I had trouble with different versions of Communicator fighting each other in the
CIS Solaris environment. The net result was that digital IDs worked in the email
client version I configured first, but after upgrading to a newer version, it stopped
- No support for most web-based email clients - but S/MIME email IS supported
in the latest version of Outlook Web Access.
"An error occurred in the underlying security system."
"An error occurred while trying to export security information."
While creating a new email, I must click on "Options..." in the toolbar and press
the "Security Settings..." button.
This opens a new window called "Security Properties" with a "Security Settings"
Under "Security setting:" is a dropdown box.
It has the options "<Automatic>", "<Default>", and "My S/MIME Settings
If I choose any of these and click the "Change Settings..." button, this opens a
window called "Change Security Settings".
Under "Certificates and Algorithms" in the "Signing Certificate:" field, there is
a "Choose..." button.
Clicking it opens a "Select Certificate" window - and here is the problem.
I see two Certificates. One is a new certificate I installed today, and the other
is an old certificate that I thought was deleted.
I found the solution though:
In Outlook 2003, go to Tools > Options > Security (Tab)
In the "Encrypted e-mail" tab, set the "Default Setting:" to "My S/MIME Settings
Click the "Settings..." button
A new window titled "Change Security Settings" will open
In the "Certificates and Algorithms" section, at the "Signing Certificate:" field,
click the "Choose..." button
Select the appropriate certificate
At the "Encryption Certificate:" field, click the "Choose..." button
Select the appropriate certificate
Microsoft's Page on Getting Digital ID’s
and digital signatures in Mail (Mac OS)