detailed user guide - PKI-Contacts - Fraunhofer

detailed user guide - PKI-Contacts - Fraunhofer
Fraunhofer Competence Center PKI
PKI Contacts – PKI for
Fraunhofer Contacts
User manual for
communication partners of
the Fraunhofer-Gesellschaft
Author[s]:
Uwe Bendisch, Maximilian Gottwald
As at: 15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Document history
Document history:
VERSION
DATE
MODIFICATIONS
AUTHOR
1.0
23.01.2014
Final review
UB
0.9
15.10.2013
Creation of German version with English screen shots
MG, UB
Mailing list/target group:
This document is aimed at those communications partners of the Fraunhofer-Gesellschaft who
wish to use certificate-based authentication to protect their e-mail correspondence with
Fraunhofer-Gesellschaft employees and who do not yet possess certificates for the purpose.
Remarks/notes:
This document has been put together with great care and attention to detail, but sadly this does
not guarantee the absence of errors. Liability can be accepted neither for any errors that may
occur nor for their possible consequences. Please feel free to inform us of any mistakes found in
the document or to suggest alterations – if possible in the form of pre-formulated passages of text
– by e-mailing the Fraunhofer service desk at [email protected] We will do our very best
to take up every good idea we receive and to implement your suggested improvements.
Internal information:
File name:
Time:
Editor:
PKI-Contacts_Anleitung_Extern_EN (V 1.0).docx
24.01.2014
Uwe Bendisch
PKI Contacts – PKI for Fraunhofer Contacts
Contents
Contents
Introduction ........................................................................................ 1
Version 1.0
1
Obtaining a Fraunhofer employee’s certificate................... 2
1.1
Receiving a certificate by e-mail ........................................................... 2
1.2
Downloading a certificate from the PKI Contacts website .................... 2
2
Requesting your own personal certificate .......................... 6
2.1
Requesting your own personal certificate with Microsoft Internet
Explorer ............................................................................................... 7
2.2
Requesting your own personal certificate with Mozilla Firefox ........... 10
3
Exporting your own personal certificate from the
browser ............................................................................... 14
3.1
Exporting your own personal certificate from Microsoft Internet
Explorer ............................................................................................. 14
3.2
Exporting your own personal certificate from Mozilla Firefox ............. 22
4
Using certificates within an e-mail client .......................... 26
4.1
Preparing the e-mail client to use certificates ..................................... 26
4.1.1
Integrating the PKI for Fraunhofer Contacts root certificate ............... 26
4.1.1.1
Incorporating the PKI for Fraunhofer Contacts root certificate into
the Microsoft certificate store ............................................................ 28
4.1.1.2
Incorporating the PKI for Fraunhofer Contacts root certificate into
the Mozilla Thunderbird certificate manager ..................................... 31
4.1.2
Integrating the PKI for Fraunhofer Employees root certificate /
certificate chain ................................................................................. 33
4.1.2.1
Incorporating the PKI for Fraunhofer Employees root certificate /
certificate chain into the Microsoft certificate store ........................... 35
4.1.2.2
Incorporating the PKI for Fraunhofer Employees root certificate /
certificate chain into the Mozilla Thunderbird certificate manager ..... 36
15.10.2013
i
PKI Contacts – PKI for Fraunhofer Contacts
Contents
ii
4.2
Incorporating your own personal certificate into the e-mail client ...... 36
4.2.1
Incorporating your own personal certificate into the Microsoft
certificate store .................................................................................. 36
4.2.1.1
Configuring your own personal certificate in Microsoft Outlook
2010 ................................................................................................. 44
4.2.1.2
Configuring your own personal certificate in Microsoft Outlook
2007 ................................................................................................. 46
4.2.1.3
Configuring your own personal certificate in Microsoft Outlook
2003 ................................................................................................. 48
4.2.2
Incorporating and configuring your own personal certificate in
Mozilla Thunderbird .......................................................................... 51
4.3
Incorporating a Fraunhofer employee’s certificate into the e-mail
client ................................................................................................. 54
4.3.1
Incorporating a Fraunhofer employee’s certificate into Microsoft
Outlook 2010 .................................................................................... 55
4.3.2
Incorporating a Fraunhofer employee’s certificate into Microsoft
Outlook 2007 .................................................................................... 57
4.3.3
Incorporating a Fraunhofer employee’s certificate into Microsoft
Outlook 2003 .................................................................................... 60
4.3.4
Incorporating a Fraunhofer employee’s certificate into Mozilla
Thunderbird ...................................................................................... 62
4.4
Sending digitally signed and/or encrypted e-mails .............................. 64
4.4.1
Sending digitally signed and/or encrypted e-mails using Microsoft
Outlook 2010 .................................................................................... 65
4.4.2
Sending digitally signed and/or encrypted e-mails using Microsoft
Outlook 2007 .................................................................................... 66
4.4.3
Sending digitally signed and/or encrypted e-mails using Microsoft
Outlook 2003 .................................................................................... 66
4.4.4
Sending digitally signed and/or encrypted e-mails using Mozilla
Thunderbird ...................................................................................... 68
5
Revoking a personal certificate ......................................... 69
5.1
Requesting the revocation of a personal certificate by e-mail ............. 69
5.2
Permanently revoking a personal certificate using the revocation email ................................................................................................... 71
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Introduction
Introduction
This document describes how to establish secure e-mail communications with
Fraunhofer-Gesellschaft employees.
In order to establish encrypted e-mail communications, you and the Fraunhofer
employee you wish to communicate with must each be in possession of a digital
encryption certificate. Fraunhofer employees have for the most part already
been provided with encryption certificates.
To ensure you too are able to obtain a certificate for communicating with
Fraunhofer, the Fraunhofer-Gesellschaft – or rather its Public Key Infrastructures
Competence Center, to be precise – runs its own public key infrastructure (PKI)
that is completely separate from the PKI for Fraunhofer Employees. It is called
PKI Contacts (PKI for Fraunhofer Contacts), and issues certificates to external
communications partners of Fraunhofer employees.
You can use certificates issued to you to create signed e-mails, too. Recipients
of such e-mails can be certain that the message is actually from you, and that it
was not modified during transmission.
Please note that PKI Contacts can issue certificates only when prompted to do
so by a Fraunhofer-Gesellschaft employee.
Note: Unless otherwise indicated, the screenshots contained in this manual
were created using Mozilla Firefox and Thunderbird version 24 in Windows 7.
The appearance of individual dialog windows may differ depending on the operating system or browser used. Internal browser processes may also vary
slightly from product to product, particularly when it comes to selecting certificates or entering smartcard PINs.
Version 1.0
15.10.2013
1
PKI Contacts – PKI for Fraunhofer Contacts
Obtaining a Fraunhofer employee’s certificate
1 Obtaining a Fraunhofer employee’s certificate
In order to send a Fraunhofer employee an encrypted e-mail, you need his/her
digital encryption certificate. You can receive this certificate by e-mail or download it from this website: https://contacts.pki.fraunhofer.de.
1.1 Receiving a certificate by e-mail
In order to obtain a Fraunhofer employee’s digital encryption certificate by email, you need to request that they send you a signed e-mail. Once the root certificates and remaining certificates in the PKI for Fraunhofer Employees certificate chain are integrated correctly into your e-mail client (see chapter 4.1.2), the
Fraunhofer employee’s certificate will be available for secure communication by
e-mail. You can now answer the Fraunhofer employee’s e-mail directly with an
encrypted e-mail.
Note: The root certificate and the corresponding certificates from the PKI for
Fraunhofer Employees certificate chain need to be imported only once into your
e-mail program’s certificate store.
1.2 Downloading a certificate from the PKI Contacts website
If you wish to send an encrypted e-mail to a Fraunhofer employee who already
has a valid Fraunhofer PKI certificate that you are not yet in possession of, then
you can obtain this certificate from https://contacts.pki.fraunhofer.de.
Open the link in your browser and select Search Certificate of a Fraunhofer
Employee under the For Partners section of the menu (see Figure 1).
2
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Obtaining a Fraunhofer employee’s certificate
Figure 1: Screen with search field for looking up certificates of
Fraunhofer employees
Enter the surname of the Fraunhofer employee whose certificate you wish to
obtain and click on Start search.
Note: You do not have to enter the whole name. Entering part of the name will
produce a list of Fraunhofer employees whose surnames contain the part you
searched for.
Note: For reasons of data protection, the number of search results shown is
limited to three. Should the Fraunhofer employee you are searching for not be
listed, it may be worth refining your search by entering a name/part of a name
that contains more letters.
If the search finds a Fraunhofer employee whose name corresponds to the
name you entered, you will be presented with a window displaying that employee’s publicly available data as depicted in Figure 2. If this Fraunhofer employee is in possession of a digital encryption certificate, the details are shown
in the section entitled “Zertifikat” (Certificate).
Version 1.0
15.10.2013
3
PKI Contacts – PKI for Fraunhofer Contacts
Obtaining a Fraunhofer employee’s certificate
Figure 2: Results of search for a Fraunhofer employee’s certificate
To save a valid certificate on your computer, click on Download and select the
option Save File.
Now select the folder in which you want to save the certificate, and click on
Save. You can replace or change the suggested filename, but please ensure the
file extension .cer remains unchanged (see Figure 3).
4
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Obtaining a Fraunhofer employee’s certificate
Figure 3: Saving a Fraunhofer employee’s certificate
The process for integrating certificates into your e-mail client in order to use
them for secure communication varies depending on the e-mail client you use.
This process is described under section 4.3.
Version 1.0
15.10.2013
5
PKI Contacts – PKI for Fraunhofer Contacts
Requesting your own personal certificate
2 Requesting your own personal certificate
In order to establish secure e-mail communications with Fraunhofer you too
need a certificate that is assigned to your e-mail address. In case you don’t yet
have a personal certificate of your own, you can obtain a free one from the PKI
for Fraunhofer Contacts, PKI Contacts.
Certificates can be issued only once requested by a Fraunhofer employee who
knows you. Please ask your contact at Fraunhofer to apply for a certificate on
your behalf. It is then up to you to generate a key and request a certificate
yourself.
There is a secure part of the website https://contacts.pki.fraunhofer.de with protected access from which Fraunhofer employees can authorize the issuing of
certificates for communication partners.
During the course of the process you will receive an automatically generated email containing a link (see Figure 4) that takes you to a special PKI Contacts
website that leads you through the certificate application process. Click on the
link provided in the e-mail or copy the address bar into your browser.
Figure 4: E-mail with link for issuing a certificate
Note: Please be aware that for security reasons the link contains an identification feature that is valid only for you. Furthermore, the link must be used within
192 hours of the e-mail being sent. If you do not apply for a certificate within
this time, you must ask your contact at the Fraunhofer-Gesellschaft to make a
new request for authorization on your behalf.
6
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Requesting your own personal certificate
2.1 Requesting your own personal certificate with Microsoft Internet
Explorer
Note: Screenshots were created using Microsoft Internet Explorer version 10.
The link contained in the automatically generated e-mail takes you to a website
that leads you through the certificate application process (see Figure 5).
Figure 5: Certificate issuance with Internet Explorer – user’s data check
and confirmation of having read the guidelines for issuing certificates
etc.
Now please check your personal information and confirm that it is correct.
Please also confirm that you acknowledge and comply with the remaining specified conditions and disclaimers, in particular confirming that you have understood and will comply with the guidelines for the issuance of certificates of the
PKI for Fraunhofer Contacts.
Click Proceed to key generation to be presented with a summary of the information you have entered and the confirmations you have given (see Figure
6). You also have the option to cancel the certificate generating process at this
stage. Doing so means you will not receive a certificate.
Version 1.0
15.10.2013
7
PKI Contacts – PKI for Fraunhofer Contacts
Requesting your own personal certificate
Figure 6: Issuing certificates with Internet Explorer – summary of
information entered by the user and the confirmations they have given
Click on Start key generation to generate a cryptographic key pair in your
browser and to transmit the public key to the web server that will use it to create your certificate. As this is a security-sensitive process, Internet Explorer issues
a caution warning you of the security risks involved, and asks you to confirm
that you wish to proceed (see Figure 7). Please confirm the security prompt by
clicking Yes and wait for a moment until the keys have been generated.
Figure 7: Issuing certificates with Internet Explorer – security prompt as
part of key-generation process
Once keys and certificate have been generated, you will receive a message that
the certificate is ready to be installed. To do so, click on the link Install your
8
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Requesting your own personal certificate
certificate (see Figure 8). This installs the certificate in the Internet Explorer
certificate store (Microsoft certificate store).
Figure 8: Issuing certificates with Internet Explorer – confirmation that
the certificate was successfully issued
Internet Explorer uses the same caution message as shown in Figure 7 to warn
you of the potential security risk that installing the certificate poses. Please
confirm the security prompt by clicking Yes.
You will now receive a message informing you that the certificate has been
successfully installed in your browser (see Figure 9).
Figure 9: Issuing certificates with Internet Explorer – confirmation that
the certificate has been installed
In order to be able to use the certificate in your e-mail client, you may now have
to export it from your browser and import it into your e-mail client. This process
depends on the type of browser and e-mail client you use. Section 3.1 describes
how to export certificates from Internet Explorer, and chapter 0 describes how
to use your personal certificate in different e-mail clients.
Note: Please be aware that it is not necessary to export a certificate from Internet Explorer if you intend to use it with an e-mail client that also accesses the
Microsoft certificate store (such as Microsoft Outlook). In such cases it is enough
to configure the certificate in the e-mail client (see chapter 0).
Version 1.0
15.10.2013
9
PKI Contacts – PKI for Fraunhofer Contacts
Requesting your own personal certificate
2.2 Requesting your own personal certificate with Mozilla Firefox
The link contained in the automatically generated e-mail takes you to a website
that leads you through the certificate application process (see Figure 10).
Figure 10: Certificate issuance with Mozilla Firefox – user’s data check
and confirmation of having read the guidelines for issuing certificates
etc.
Now please check your personal information and confirm that it is correct.
Please also confirm that you acknowledge and comply with the remaining specified conditions and disclaimers, in particular confirming that you have understood and will comply with the guidelines for the issuance of certificates of the
PKI for Fraunhofer Contacts.
Click Proceed to key generation to be presented with a summary of the information you have entered and the confirmations you have given (see Figure
11). You also have the option to cancel the certificate generating process at this
stage. Doing so means you will not receive a certificate.
10
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Requesting your own personal certificate
Figure 11: Issuing certificates with Mozilla Firefox – summary of
information entered by the user and the confirmations they have given
Click on Start key generation to generate a cryptographic key pair in your
browser and to transmit the public key to the web server that will use it to create your certificate.
If your computer has a smartcard reader attached with a card inserted in it, you
must select where you wish to save the key pair/certificate by choosing a token
from the drop-down list in the token dialog box (see Figure 12). Select Software Security Device and confirm by clicking OK.
Figure 12: Issuing certificates with Mozilla Firefox – selecting where to
save the key pair/certificate
Note: If your computer does not have a smartcard reader attached, or the
smartcard reader contains the wrong card, the dialog window referred to above
will not appear.
Version 1.0
15.10.2013
11
PKI Contacts – PKI for Fraunhofer Contacts
Requesting your own personal certificate
Note: If you have set your browser to require entry of a master password, you
will now be asked to enter this password in order to access your software security module. The password is required because your personal certificate will be
saved in the browser’s certificate store.
You will then receive a message informing you that your key is being generated
(see Figure 13).
Figure 13: Certificate issuance with Mozilla Firefox – Generating the key
pair
Once the keys have been generated and the certificate issued successfully, you
will receive a message informing you that you can now install the certificate.
Click on the Install your certificate link (see Figure 14). This process installs
the certificate in the Firefox certificate store.
Figure 14: Certificate issuance with Mozilla Firefox – Confirmation that
the certificate was issued successfully
Mozilla Firefox generates a separate window to notify you that installation of
the certificate was successful (see Figure 15). The system will issue an explicit reminder suggesting that you save a backup copy of the certificate. Confirm this
suggestion with OK.
12
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Requesting your own personal certificate
Figure 15: Certificate issuance with Mozilla Firefox – Confirmation that
the certificate was installed successfully
Before the certificate can be used in your e-mail client, it must first be exported
out of the browser and into your e-mail client. This process varies depending on
the type of browser or e-mail client you use. How to export certificates from
Mozilla Firefox is described in Section 3.2. How to use personal certificates in
different e-mail clients is described in Chapter 0.
Version 1.0
15.10.2013
13
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
3 Exporting your own personal certificate from the browser
This chapter describes how to export personal certificates out of the browser.
Exporting certificates and the keys that go with them is necessary in order to be
able to create local backup copies of the certificates. Furthermore, some combinations of browser and e-mail client require certificates (and private keys) to be
integrated into the respective e-mail client manually. The following sections deal
with the specifics of various possible combinations.
3.1 Exporting your own personal certificate from Microsoft Internet
Explorer
Note: If you use Internet Explorer in combination with Microsoft Outlook or any
other e-mail program that accesses the Microsoft certificate store, then it is not
necessary to export personal certificates/keys to enjoy secure e-mail communication. Users are however still recommended to make a backup copy of the certificate (and private key).
Open the Microsoft certificate store in Internet Explorer by going to Extras 
Internet Options  Content  Certificates (see Figure 16).
Figure 16: Opening the Microsoft certificate store in Microsoft Internet
Explorer
14
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
Select the certificate you wish to export from the options listed under the Personal tab and click Export (see Figure 17).
Figure 17: Selecting the certificate that is to be exported from the
Microsoft certificate store
This opens the Microsoft certificate export wizard, which will take you through
the exporting process. Click Next (see Figure 18).
Version 1.0
15.10.2013
15
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
Figure 18: Microsoft certificate export wizard
Select the option Yes, export the private key in the dialog window that follows and confirm by clicking Next (see Figure 19).
16
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
Figure 19: Microsoft certificate export wizard – Selecting the option for
exporting the private key
You do not need to make any changes in the dialog windows that follow, and
can simply click Next (see Figure 20).
Version 1.0
15.10.2013
17
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
Figure 20: Microsoft certificate cxport wizard – Selecting the file export
format
Now enter a secure password1 to protect the key when it is exported (see Figure
21). The password will be required whenever you want to import your certificate into a program, and protects against unauthorized access. Confirm this dialog window by clicking Next.
1
18
The password should be at least twelve characters long and contain upper and lower case letters, numbers and symbols.
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
Figure 21: Microsoft certificate export wizard – Entering the transport
password for the backup certificate
Now click on Browse and select a location in which to save the certificate. Give
the certificate and key file names that aptly describe the content, click Save and
confirm the remaining dialog by clicking Next (see Figure 22).
Version 1.0
15.10.2013
19
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
Figure 22: Microsoft certificate export wizard – Selecting where to save
the backup certificate
The Certificate Export Wizard now presents you with another summary of the
settings you have chosen. Click on Finish to execute and complete the export
process (see Figure 23).
20
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
Figure 23: Microsoft certificate export wizard – Finishing the wizard
A message will appear to confirm that the export was carried out successfully.
Confirm it by clicking OK (see Figure 24).
Figure 24: Microsoft certificate export wizard – Message informing you
that certificate and private key were successfully exported
Version 1.0
15.10.2013
21
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
3.2 Exporting your own personal certificate from Mozilla Firefox
Note: Regardless of the e-mail program you use in combination with Mozilla
Firefox, secure e-mail communication is possible only if personal certificates/keys
are first exported out of the browser (and imported into the respective e-mail
program). The Mozilla Firefox certificate manager can be accessed only from
within the browser itself. Beyond this it also makes sense to export the certificate and private key in order to back them up.
Open the Mozilla Firefox certificate manager via Extras  Options  Advanced  Certificates  View Certificates (see Figure 25).
Figure 25: Opening the Mozilla Firefox certificate manager
22
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
Next, select the certificate you wish to export from the options listed under the
Your Certificates tab and click on Backup (see Figure 26).
Figure 26: Selecting the certificate that is to be exported from the
Mozilla Firefox certificate manager
Now select a location in which to save the certificate. Give the certificate and
key file names that aptly describe the content, and then click Save (see Figure
27).
Version 1.0
15.10.2013
23
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
Figure 27: Selecting where to save the backup certificate in Mozilla
Firefox
Note: If you have set your browser to require entry of a master password, you
will now be asked to enter this password in order to access your software security module. The password is required because your personal certificate and the
private key that goes with it will be exported out of the browser’s certificate
manager.
Now enter a secure password2 to protect the key when it is exported (see Figure
28). The password will be required whenever you want to import your certificate into a program, and protects against unauthorized access. Confirm this dialog window by clicking OK.
2
24
The password should be at least twelve characters long and contain upper and lower case letters, numbers and symbols.
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Exporting your own personal certificate from the browser
Figure 28: Entering the transport password for the backup certificate
(Mozilla Firefox)
A message will appear to confirm that the backup process was carried out
successfully. Confirm by clicking OK (see Figure 29).
Figure 29: Message informing you that certificate and private key were
successfully backed up (Mozilla Firefox)
Version 1.0
15.10.2013
25
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
4 Using certificates within an e-mail client
This section describes how to use your own personal certificate to communicate
securely with a Fraunhofer employee. To do you will first have to integrate both
the root certificate of the PKI for Fraunhofer Contacts and your own certificate
into your e-mail client/application.
A further requirement for setting up encrypted communication with a Fraunhofer employee is that you integrate their encryption certificate in your e-mail client. In exceptional cases it may also be necessary to integrate the root certificate, that is to say the PKI for Fraunhofer Employees certificate chain, into the email client as well. Instructions on how to proceed in such instances are also included in this section.
4.1 Preparing the e-mail client to use certificates
Different e-mail clients have to be prepared in different ways, so you must
follow the instructions applicable to the kind of e-mail client you use. This
section describes the process for applications that access the Microsoft
certificate store (such as Microsoft Outlook) as well as for applications that use
their own certificate store (such as Mozilla Thunderbird).
4.1.1 Integrating the PKI for Fraunhofer Contacts root certificate
First download the root certificate from the website at https://contacts.pki.
fraunhofer.de. Do so by clicking Load Root Certificate / Revocation List (PKI
for Fraunhofer Contacts) under the General menu heading. This opens another page. Right-click on the Download root certificate Certification authority for Fraunhofer Contacts link and select Save Link As from the context menu that appears (see Figure 30).
26
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 30: Downloading the PKI for Fraunhofer Contacts root certificate
Now select the file where you wish to save the certificate, and click Save (see
Figure 31).
Figure 31: Saving the PKI for Fraunhofer Contacts root certificate
Version 1.0
15.10.2013
27
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
4.1.1.1 Incorporating the PKI for Fraunhofer Contacts root certificate into the Microsoft
certificate store
If you use Microsoft Outlook for your e-mail communication, then the PKI for
Fraunhofer Contacts root certificate must be imported into the Microsoft certificate store that Microsoft Outlook also accesses.
To do so, open the Microsoft certificate store via Start Control panel 
Network and Internet  Internet options  Content  Certificates and
open up the Trusted Root Certification Authorities tab. Click on Import (see
Figure 32).
Figure 32: Screenshot showing the Microsoft certificate store’s Trusted
Root Certification Authorities
This opens the certificate import wizard. Confirm the first window by clicking
Next. Now click the Browse... button and select the root certificate that was
downloaded previously. Confirm the dialog window by clicking Open and then
on Next (see Figure 33).
28
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Note: If the PKI for Fraunhofer Contacts root certificate is not shown in the
‘Open’ dialog window, you must change the filter that determines the file types
shown from “X.509 Certificate (*.cer,*.crt)” to “All Files (*.*)”, the option that
shows all types of file.
Figure 33: Selecting the PKI for Fraunhofer Contacts root certificate
when importing it into the Microsoft certificate store
In the dialog windows that follow, simply assume the standard settings and
confirm them by clicking Next. Finish the certificate import wizard by clicking
Finish. At the end of the installation process you will be presented with a security warning (see Figure 34). After you have verified that the fingerprint cited in
the security dialog box is correct, please confirm by clicking Yes. Verify the fingerprint by carefully comparing the fingerprint shown in the security dialog box
with the root certificate fingerprint given on the website. Confirm by clicking
Yes only if all the characters (letters and digits) in both keys are absolutely identical.
Version 1.0
15.10.2013
29
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 34: Security warning when importing the PKI for Fraunhofer
Contacts root certificate into the Microsoft certificate store
A message will appear to confirm that the import was carried out successfully.
Close the window by clicking OK (see Figure 35).
Figure 35: Importing the PKI for Fraunhofer Contacts root certificate into
the Microsoft certificate store was successful
30
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
4.1.1.2 Incorporating the PKI for Fraunhofer Contacts root certificate into the Mozilla
Thunderbird certificate manager
If you use Mozilla Thunderbird for your e-mail communication, then the PKI for
Fraunhofer Contacts root certificate must be imported into the Mozilla Thunderbird certificate manager.
Note: Mozilla Firefox and Mozilla Thunderbird each use their own certificate
managers.
To import the root certificate into the Thunderbird certificate manager, open
the certificate manager via Extras  Options  Advanced  Certificates 
View Certificates and open up the Authorities tab. Click on Import (see
Figure 36).
Figure 36: Screenshot showing the Thunderbird Certificate manager’s
Certificate authorities
This opens a file selection dialog window. Navigate to the location where you
saved the PKI for Fraunhofer Contacts root certificate and select the root certificate that was downloaded previously. Confirm the dialog window by clicking
Open (see Figure 37).
Version 1.0
15.10.2013
31
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 37: Selecting the PKI for Fraunhofer Contacts root certificate
when importing it into the Thunderbird certificate manager
Now confirm the purpose for which you would like the certificate to be trusted.
Ensure that at least the Trust this CA to identify email users option is selected,
and close the dialog window by clicking OK after you have made sure that the
certificate’s SHA1 fingerprint precisely matches the root certificate fingerprint
given on the website (see Figure 38). To see the fingerprint for the certificate
that is to be imported, please click View. The SHA1 fingerprint is shown at the
bottom of the General tab. All the characters (letters and digits) must be absolutely identical to the fingerprint key given on the website.
32
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 38: Selecting the trust settings for the PKI for Fraunhofer
Contacts root certificate when importing it into Mozilla Thunderbird.
The PKI for Fraunhofer Contacts root certificate is now available in the certificate manager and can now be used by Mozilla Thunderbird to verify user certificates from the PKI for Fraunhofer Contacts.
4.1.2 Integrating the PKI for Fraunhofer Employees root certificate / certificate
chain
In order to be able to verify and use Fraunhofer employee certificates, you must
also trust the certification authority that issued the employee certificates. Unlike
the PKI for Fraunhofer Contacts, the Fraunhofer-Gesellschaft’s PKI for its employees consists of a multi-level hierarchy that has the Deutsche Telekom Root
CA 2 certificate as root certificate at the very top.
Note: In the great majority of cases, the Deutsche Telekom Root CA 2 root certificate is pre-installed as standard in operating systems, browsers and e-mail
applications. This means a separate import process is not usually necessary. Perform the import only if you encounter problems when verifying or using Fraunhofer employee certificates. In some individual cases it may be necessary to import the remaining certificates in the Fraunhofer PKI certificate chain in addition
to the Deutsche Telekom Root CA 2 root certificate, these being the Fraunhofer
Root CA 2007 certificate and the Fraunhofer User CA 2007 certificate.
You can download the PKI for Fraunhofer Employees root certificate and the
remaining certificates of the corresponding certificate chain from the https://
contacts.pki.fraunhofer.de page. Do so by clicking Load Root Certificate /
Version 1.0
15.10.2013
33
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Revocation List (PKI for Fraunhofer Employees) under the General menu
heading. This opens another page. Right-click on the Download Root Certificate Deutsche Telekom Root CA 2 link and select Save Link As from the
context menu that appears (see Figure 39).
Figure 39: Downloading the PKI for Fraunhofer Employees root
certificate
Now select the folder that you want to save the certificate in and click Save
(see Figure 40).
34
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 40: Saving the PKI for Fraunhofer Employees root certificate
Note: The Intermediate Certification Authorities certificates of the PKI for
Fraunhofer Employees (Fraunhofer Root CA 2007 certificate and Fraunhofer
User CA 2007 certificate) can be downloaded in exactly the same way.
4.1.2.1 Incorporating the PKI for Fraunhofer Employees root certificate / certificate
chain into the Microsoft certificate store
The method for integrating the PKI for Fraunhofer Employees root certificate
(Deutsche Telekom Root CA 2 certificate) into the Microsoft certificate store is
exactly the same as the method described in section 4.1.1.1.
If the Intermediate Certification Authorities certificates of the PKI for Fraunhofer
Employees are to be imported, these certificates (Fraunhofer Root CA 2007 certificate and Fraunhofer User CA 2007 certificate) should be imported into the
Intermediate Certification Authorities certificate store instead of the Trusted
Root Certification Authorities certificate store. Apart from this, integrating these
certificates is done in exactly the same way as the method described in section
4.1.1.1.
Version 1.0
15.10.2013
35
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
4.1.2.2 Incorporating the PKI for Fraunhofer Employees root certificate / certificate
chain into the Mozilla Thunderbird certificate manager
The method for integrating the PKI for Fraunhofer Employees root certificate
(Deutsche Telekom Root CA 2 certificate) or the Intermediate Certification Authorities certificates of the PKI for Fraunhofer Employees (Fraunhofer Root CA
2007 certificate and Fraunhofer User CA 2007 certificate) into the Mozilla
Thunderbird certificate manager is exactly the same as the method described in
section 4.1.1.2.
4.2 Incorporating your own personal certificate into the e-mail client
This section describes how to incorporate your personal certificate into your email client and configure it in order to be able to send digitally signed e-mails.
The process for incorporating and configuring personal certificates in your email client varies depending on the e-mail client you use. For this reason this
section describes the process for applications that access the Microsoft certificate store (such as Microsoft Outlook) as well as for applications that use their
own certificate store (such as Mozilla Thunderbird).
4.2.1 Incorporating your own personal certificate into the Microsoft certificate
store
If you use Microsoft Outlook for your e-mail communication, then your personal
certificate must be imported into the Microsoft certificate store that the different versions of Microsoft Outlook also access.
Note: If you used Internet Explorer to request your own certificate on your system, there is no need to incorporate your personal certificate into the Microsoft
certificate store. It will already have been added as part of the request process
(see section 2.1). In this case it is necessary only to configure the certificate, for
instance in Microsoft Outlook. The method for doing so is described in sections
4.2.1.1 ff.
Do so by opening the Microsoft certificate store via Start  Control Panel 
Network and Internet  Internet Options  Content  Certificates and
opening up the Personal tab. Click on Import (see Figure 41 ).
36
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 41: Screenshot showing Personal Certificates in the Microsoft
certificate store
This opens the certificate import wizard. Confirm the first window by clicking
Next. Now click the Browse button and select your certificate. Confirm the dialog window by clicking Open and then on Next (see Figure 42).
Note: To make sure your personal certificate is shown in the selection dialog
window, you must change the filter that determines the file types shown from
“X.509 Certificate (*.cer,*.crt)” to “Personal Information Exchange
(*.pfx,*.p12)”. Only then will you also be able to see files containing a corresponding private key as well as a certificate.
Version 1.0
15.10.2013
37
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 42: Selecting your personal certificate when importing it into the
Microsoft certificate store
When you created and saved the certificate you will have set a password for the
private key to prevent unauthorized access. Enter that password now. Select the
Mark this key as exportable option and, if applicable, the Enable strong
private key protection option in addition to the Include all extended properties option that is preselected by default (see Figure 43). By selecting Mark
this key as exportable you ensure that your certificate and private key can be
exported again later. Now click on Next.
38
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 43: Entering the password and setting the import options when
importing a personal certificate into the Microsoft certificate store
In the next dialog box, accept the default settings and confirm by clicking Next
(see Figure 44).
Version 1.0
15.10.2013
39
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 44: Selecting the certificate store to use when importing personal
certificates into the Microsoft certificate store
You will now be presented with the Completing the certificate import Wizard dialog window summarizing the settings you have specified. By clicking
Finish you give the final authorization for your personal certificate to be incorporated into the Microsoft certificate store. If you have selected the Enable
strong protection for the private key option (see Figure 43), you will now be
prompted to issue a password for instances when the private key is used in future. A series of dialog windows will assist you with this process. You will have
to enter this password later, for instance every time you sign or decrypt an email. Do this by first selecting Set Security Level… as shown in the dialog
window in Figure 45.
Note: If you have not selected the Enable strong private key protection option (see Figure 43), the four dialog windows shown below are not relevant.
40
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 45: Adjusting the security level for access to personal private keys
at a later point when importing personal certificates into the Microsoft
certificate store
First you will have to reconfirm that you wish to be prompted to enter a password every time you use the private key that goes with your certificate. To do
so, change the private key security level from Medium to High and then exit
the dialog window by clicking Next (see Figure 46).
Version 1.0
15.10.2013
41
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 46: Changing the security level so that a password is requested
whenever the user’s private key is accessed at a later point
You will now be prompted to set the password that you wish to be asked for
whenever the private key is used. For security reasons you must enter it twice.
Complete the dialog window by clicking Finish (see Figure 47).
Note: The password you set at this point will be requested whenever an application needs to access your private key (for instance when digitally signing or
decrypting e-mails). It does not have to be the same as the transport password
for the key and certificate file that you entered in Figure 43. If you decide to issue another password, please choose one that is secure3.
3
42
The password should be at least twelve characters long and contain upper and lower case letters, numbers and symbols.
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 47: Setting the password for later access to the user’s private key
Return to the dialog window that you are familiar with from Figure 45. The
security level should now correspond to the level you selected (see Figure 48).
Clicking OK imports your personal certificate and the private key associated
with it into the Microsoft certificate store. The message shown in Figure 49 will
appear to confirm the import. Confirm this dialog window by clicking OK too.
Your personal certificate is now available in the Microsoft certificate store and
can be configured for secure e-mail communication, for example in Outlook
(see Sections 4.2.1.1ff.).
Version 1.0
15.10.2013
43
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 48: Adjusting the security level for access to personal private keys
at a later point when importing personal certificates into the Microsoft
certificate store
Figure 49: Personal certificate and private key have been successfully
imported into the Microsoft certificate store
4.2.1.1 Configuring your own personal certificate in Microsoft Outlook 2010
In order to inform Microsoft Outlook 2010 of the personal certificate and private key it should use to sign/decrypt e-mails, you must first configure the certificate in the e-mail client.
44
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Begin by opening the Trust Center via File  Options  Trust Center 
Trust Center Settings …  E-mail Security. Now click on the Settings button under “Encrypted e-mail” (see Figure 50).
Figure 50: Outlook 2010 – Trust Center
This opens the “Change Security Settings” dialog window (see Figure 51). If
applicable, change the name entered under Security Settings Name to one
that matches your requirements, and click on the uppermost Choose button to
set the signing certificate. You will be presented with a list of all certificates that
have a “digital signature” function and for which you have a private key (as a
general rule there is only one certificate of this kind available on your system).
Select your own PKI for Fraunhofer Contacts personal certificate. This certificate
will also automatically be entered as an encryption certificate, as it also has an
encryption function. Now close all open dialog windows by clicking OK.
This concludes the process for configuring your own personal certificate in Microsoft Outlook 2010, meaning you are now able to send digitally signed emails and decrypt e-mails encrypted for your e-mail address.
Version 1.0
15.10.2013
45
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 51: Outlook 2010 – Configuring a personal certificate
4.2.1.2
Configuring your own personal certificate in Microsoft Outlook 2007
In order to inform Microsoft Outlook 2007 of the personal certificate and private key it should use to sign/decrypt e-mails, you must configure the certificate
in the e-mail client.
Begin by opening the Trust Center via Extras  Trust Center  E-Mail Security. Now click on the Settings button under “Encrypted e-mail” (see Figure
52).
46
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 52: Outlook 2007 – Trust center
This opens the “Change Security Settings” dialog window (see Figure 53).
Change or set the name entered under Security Settings Name to one that
matches your requirements if necessary, and click on the uppermost Choose
button to set the signing certificate. You will be presented with a list of all certificates that have a “digital signature” function and for which you have a private key (as a general rule there is only one certificate of this kind available on
your system). Select your own PKI for Fraunhofer Contacts personal certificate.
This certificate will also automatically be entered as an encryption certificate, as
it also has an encryption function. Unless already selected by Outlook as a default setting, select the options Default Security Setting for this cryptographic message format, Default Security Setting for all cryptographic
messages and Send these certificates with signed messages. Now close all
open dialog windows by clicking OK.
This concludes the process for configuring your own personal certificate in Microsoft Outlook 2007, meaning you are now able to send digitally signed emails and decrypt e-mails encrypted for your e-mail address.
Version 1.0
15.10.2013
47
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 53: Outlook 2007 – Configuring a personal certificate
4.2.1.3 Configuring your own personal certificate in Microsoft Outlook 2003
In order to inform Microsoft Outlook 2003 of the personal certificate and private key it should use to sign/decrypt e-mails, you must configure the certificate
in the e-mail client.
Begin by opening the Outlook S/MIME Options via Extras  Options. Now
select the Security tab and click on the Settings button under “Encrypted email” (see Figure 54).
48
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 54: Outlook 2003 – S/MIME options
This opens the “Change Security Settings” dialog window (see Figure 55).
Change or set the name entered under Security Settings Name to one that
matches your requirements if necessary, and click on the uppermost Choose
button to set the signing certificate. You will be presented with a list of all certificates that have a “digital signature” function and for which you have a private key (as a general rule there is only one certificate of this kind available on
your system). Select your own PKI for Fraunhofer Contacts personal certificate.
This certificate will also automatically be entered as an encryption certificate, as
it also has an encryption function. Unless already selected by Outlook as a default setting, select the options Default Security Setting for this cryptographic message format, Default Security Setting for all cryptographic
Version 1.0
15.10.2013
49
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
messages and Send these certificates with signed messages. Now close all
open dialog windows by clicking OK.
This concludes the process for configuring your own personal certificate in
Microsoft Outlook 2003, meaning you are now able to send digitally signed emails and decrypt e-mails encrypted for your e-mail address.
Figure 55: Outlook 2003 – Configuring a personal certificate
50
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
4.2.2 Incorporating and configuring your own personal certificate in Mozilla
Thunderbird
If you use Mozilla Thunderbird for your e-mail communication, then your personal certificate must be imported into the Mozilla Thunderbird certificate manager.
To import your personal certificate into the Thunderbird certificate manager,
open the certificate manager via Extras  Options  Advanced  Certificates  View Certificates and open up the Your Certificates tab. Click on
Import (see Figure 56).
Figure 56: Screenshot showing the Thunderbird Your Certificates
certificate manager
This opens a file selection dialog window. Navigate to the location where you
saved your PKI for Fraunhofer Contacts personal certificate and select it. Confirm the dialog window by clicking Open (see Figure 57).
Version 1.0
15.10.2013
51
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 57: Selecting your PKI for Fraunhofer Contacts personal certificate
when importing it into the Thunderbird certificate manager
Now enter the password that you set when saving the certificate and private
key to protect them against unauthorized access. Then click OK (see Figure 58).
Figure 58: Entering the password for your PKI for Fraunhofer Contacts
personal certificate when importing it into the Thunderbird certificate
manager
Once your certificate and private key have been successfully imported you will
receive a confirmation message (see Figure 59). Click on OK. This concludes the
process for importing your own personal certificate into Mozilla Thunderbird,
meaning you can now configure the certificate for secure e-mail communication
to then be able to sign and decrypt e-mails.
52
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 59: Personal certificate and private key have been successfully
imported into the Thunderbird certificate manager
Begin by opening S/MIME Security via Extras  Account Settings  Security (see Figure 60). Click on the uppermost Select button to set the signing
certificate.
Figure 60: Mozilla-Thunderbird – Selecting S/MIME settings
You will be presented with a list of all certificates that have a “digital signature”
function and for which you have a private key (as a general rule there is only
one certificate of this kind available on your system). Select your own PKI for
Fraunhofer Contacts personal certificate and close the dialog window by clicking OK (see Figure 61).
Version 1.0
15.10.2013
53
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 61: Mozilla Thunderbird – Setting up a signing certificate
You will then be asked whether you also wish to use this certificate to decrypt
e-mails. Confirm this by clicking Yes (see Figure 62).
Figure 62: Mozilla Thunderbird – Setting up a signing certificate
Now close all open dialog windows by clicking OK. This concludes the process
for configuring your own personal certificate in Mozilla Thunderbird, meaning
you are now able to send digitally signed e-mails and decrypt e-mails encrypted
for your e-mail address.
4.3 Incorporating a Fraunhofer employee’s certificate into the e-mail client
Note: As a general rule it is not necessary to incorporate a Fraunhofer employee’s certificate into the e-mail client, as this happens automatically as soon
as you receive and reply to a signed e-mail from a Fraunhofer employee. If you
have come by the certificate another way, you can import it into various e-mail
clients as described in the following subsections.
54
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
4.3.1 Incorporating a Fraunhofer employee’s certificate into Microsoft Outlook
2010
Begin by opening a new e-mail from the Start tab by clicking New E-mail. Enter the e-mail address of the Fraunhofer employee in the recipient field. Rightclick on this e-mail address and select “Add to Outlook Contacts” from the
context window (see Figure 63).
Note: If the Fraunhofer employee is already saved in your list of contacts, select
Look Up Outlook Contact and open their contact details.
Figure 63: Adding a Fraunhofer employee as a contact in Outlook 2010
You will now be shown the contact details for this contact. Select Certificates
in the Contact tab and click on Import (see Figure 64).
Version 1.0
15.10.2013
55
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 64: Importing the Fraunhofer employee’s certificate into Outlook
2010
Now go to the directory where you saved the Fraunhofer employee’s certificate
and select it. Click Open (see Figure 65).
Figure 65: Selecting the Fraunhofer employee’s certificate
56
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
The certificate has now been added to the certificate store. Now click on Save
& Close (see Figure 66).
Figure 66: Saving the certificate allocation in Outlook 2010
This concludes the process for integrating the Fraunhofer employee’s certificate
into Outlook 2010, meaning the certificate can be used for secure e-mail
communication.
4.3.2 Incorporating a Fraunhofer employee’s certificate into Microsoft Outlook
2007
Begin by opening a new e-mail from the Start tab by clicking New E-mail. Enter the e-mail address of the Fraunhofer employee in the recipient field. Rightclick on this e-mail address and select “Add to Outlook Contacts” from the
context window (see Figure 67).
Note: If the Fraunhofer employee is already saved in your list of contacts, select
Look Up Outlook Contact and open their contact details.
Version 1.0
15.10.2013
57
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 67: Adding a Fraunhofer employee as a contact in Outlook 2007
You will now be shown the contact details for this contact. Select Certificates
in the Contact tab and click on Import (see Figure 68).
Figure 68: Importing the Fraunhofer employee’s certificate into Outlook
2007
Now go to the directory where you saved the Fraunhofer employee’s certificate
and select it. Click Open (see Figure 69).
58
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 69: Selecting the Fraunhofer employee’s certificate
The certificate has now been added to the certificate store. Now click on Save
& Close (see Figure 70).
Figure 70: Saving the certificate allocation in Outlook 2007
Version 1.0
15.10.2013
59
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
This concludes the process for integrating the Fraunhofer employee’s certificate
into Outlook 2007, meaning the certificate can be used for secure e-mail
communication.
4.3.3 Incorporating a Fraunhofer employee’s certificate into Microsoft Outlook
2003
Begin by opening a new e-mail from the Start tab by clicking New E-mail. Enter the e-mail address of the Fraunhofer employee in the recipient field. Rightclick on this e-mail address and select “Add to Outlook Contacts” from the
context window (see Figure 71).
Note: If the Fraunhofer employee is already saved in your list of contacts, select
Look Up Outlook Contact and open their contact details.
Figure 71: Adding a Fraunhofer employee as a contact in Outlook 2003
You will now be shown the contact details for this contact. Select Certificates
in the Contact tab and click on Import (see Figure 72).
60
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 72: Importing the Fraunhofer employee’s certificate into Outlook
2003
Now go to the directory where you saved the Fraunhofer employee’s certificate
and select it. Click Open (see Figure 73).
Figure 73: Selecting the Fraunhofer employee’s certificate
Version 1.0
15.10.2013
61
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
The certificate has now been added to the certificate store. Now click on Save
& Close (see Figure 74).
Figure 74: Saving the certificate allocation in Outlook 2003
This concludes the process for integrating the Fraunhofer employee’s certificate
into Outlook 2003, meaning the certificate can be used for secure e-mail
communication.
4.3.4 Incorporating a Fraunhofer employee’s certificate into Mozilla Thunderbird
To embed the Fraunhofer employee’s certificate into Mozilla Thunderbird, begin
by opening the certificate manager found under Extras  Options  Advanced  Certificates  View Certificates and open up the People tab.
Click on Import (see Figure 75).
62
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 75: Importing a Fraunhofer employee’s certificate into Mozilla
Thunderbird
Now go to the directory where you saved the Fraunhofer employee’s certificate
and select it. Click Open (see Figure 76).
Figure 76: Selecting the Fraunhofer employee’s certificate
Version 1.0
15.10.2013
63
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
The certificate has now been added to the certificate store (see Figure 77), and
the process to integrate the Fraunhofer employee’s certificate into Thunderbird
is complete. Close the certificate manager by clicking OK. The certificate can
now be used for secure e-mail communication.
Figure 77: Thunderbird certificate manager featuring the Fraunhofer
employee’s certificate.
4.4 Sending digitally signed and/or encrypted e-mails
Signed e-mails that you send use your personal certificate, and do not require
recipients’ certificates. Your e-mail client calculates a checksum from the text in
your e-mail, and adds a digital signature to it using your certificate. The underlying mathematical process means the recipient is able to verify both the integrity of the e-mail (that it was not changed during transmission) and the authenticity of the sender (that the e-mail is indeed from you).
Encrypted e-mails that you send require the encryption certificates of all recipients. Using the encryption certificates, the message is encrypted in such a way
that only the person in possession of the private key that goes with the encryption certificate can read it. This guarantees confidentiality.
It therefore follows that to send a signed and encrypted e-mail you require both
your own personal certificate (sender’s certificate) and the certificates of all the
recipients of the e-mail.
64
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
The dialog windows and the steps in the process for sending signed and/or encrypted e-mails vary slightly depending on the e-mail client you use. For this reason the following subsections describe the process for different versions of Microsoft Outlook and Mozilla Thunderbird.
4.4.1 Sending digitally signed and/or encrypted e-mails using Microsoft Outlook
2010
Create a new e-mail. You have the option to digitally sign the e-mail when
composing it by clicking on the Sign symbol in the Options tab (see Figure 78).
Figure 78: Adding a digital signature to an e-mail in Outlook 2010
To encrypt an e-mail, click the Encryption symbol in the Options tab (see
Figure 79).
Figure 79: Encrypting an e-mail in Outlook 2010
Version 1.0
15.10.2013
65
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
4.4.2 Sending digitally signed and/or encrypted e-mails using Microsoft Outlook
2007
Create a new e-mail. You have the option to digitally sign the e-mail when
composing it by clicking on the Sign symbol found in the Options section of
the menu ribbon under the Message tab (see Figure 80).
Figure 80: Adding a digital signature to an e-mail in Outlook 2007
To encrypt an e-mail, click the Encryption symbol in the Options section of the
Message tab (see Figure 81).
Figure 81: Encrypting an e-mail in Outlook 2007
4.4.3 Sending digitally signed and/or encrypted e-mails using Microsoft Outlook
2003
Create a new e-mail. You have the option to digitally sign the e-mail when
composing it by selecting the option Add digital signature to this message
in the message security properties, found under File  Properties in the Security tab (see Figure 82).
66
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
Figure 82: Adding a digital signature to an e-mail in Outlook 2003
To encrypt the e-mail, select the Encrypt message contents and attachments option under the Security tab, found under File  Properties for the
e-mail (see Figure 83).
Figure 83: Encrypting an e-mail Outlook 2003
Version 1.0
15.10.2013
67
PKI Contacts – PKI for Fraunhofer Contacts
Using certificates within an e-mail client
4.4.4 Sending digitally signed and/or encrypted e-mails using Mozilla
Thunderbird
Create a new e-mail. You have the option to digitally sign the e-mail when
composing it by selecting the Digitally Sign This Message option under the
Security header in the message Menu (see Figure 84). Open the S/MIME options by clicking on the little arrow next to the menu item.
Figure 84: Adding a digital signature to an e-mail in Mozilla Thunderbird
To encrypt an e-mail, select the Encrypt This Message option under the Security header (see Figure 85).
Figure 85: Encrypting an e-mail in Mozilla Thunderbird
68
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Revoking a personal certificate
5 Revoking a personal certificate
If you are already in possession of a certificate issued by the Certification Authority for Fraunhofer Contacts and wish to revoke it, you can request a revocation at https://contacts.pki.fraunhofer.de. Revoking a certificate may be necessary if:

your e-mail address has changed or will change,

you do not want to use the certificate for secure communication within
a Fraunhofer-related context anymore,

you no longer accept and/or fulfil the guidelines of the PKI for
Fraunhofer Contacts any longer, or

(especially if) abuse or compromise of the private key is suspected or has
occurred.
In order to prevent a third party from revoking your certificate, revocation is set
up as a two-stage process. First, the certificate that is to be revoked must be
identified. Please do so by providing us with the e-mail address named in the
certificate. An e-mail will be dispatched to this address containing a special link
– similar to the process for obtaining a certificate. This link then enables you to
revoke the certificate yourself.
5.1 Requesting the revocation of a personal certificate by e-mail
Please go to https://contacts.pki.fraunhofer.de and select Revoke a Certificate
in the For Partners section of the menu (see Figure 86).
Version 1.0
15.10.2013
69
PKI Contacts – PKI for Fraunhofer Contacts
Revoking a personal certificate
Figure 86: Requesting the revocation of a certificate
Now enter the e-mail address that is assigned to your personal certificate into
the E-mail address of certificate to be revoked field. Then click Request
revocation e-mail. Provided there are valid certificates available that were assigned to the e-mail address you entered, you will receive a message informing
you that a list of all valid certificates assigned to the e-mail address has been
sent out along with the option to revoke them (see Figure 87).
Figure 87: Message indicating that the user’s request for revocation was
successful
If this is not the case, a message appears informing you that an e-mail has not
been sent. This concludes the process for requesting a revocation e-mail. You
must now wait for the automatically generated revocation e-mail to appear in
your inbox before you can revoke the certificate (see Figure 88). This e-mail will
arrive after a short time.
70
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Revoking a personal certificate
Figure 88: Example of a revocation e-mail for revoking a certificate
5.2 Permanently revoking a personal certificate using the revocation email
In instances where several certificates have been issued for the e-mail address
given, the revocation e-mail will list all relevant certificates that are still valid and
give you the opportunity to individually select which certificates are to be revoked. To permanently revoke a certificate listed in the e-mail, click on the relevant link in the e-mail or copy it into the address bar in your browser (see Figure
89).
Figure 89: Selecting a certificate you wish to revoke from the list
provided in the revocation e-mail
The link takes you to a special PKI Contacts web page that will lead you through
the certificate revocation process (see Figure 90). Read through the text on the
web page carefully, making sure you understand that
Version 1.0
15.10.2013
71
PKI Contacts – PKI for Fraunhofer Contacts
Revoking a personal certificate

regardless of whether the revocation takes place, you should not destroy the private key that goes with the certificate, as without it you will
be unable to read i.e. decrypt e-mails that were encrypted for you using
the certificate in question. For this reason you should if applicable retain
a backup copy of your certificate along with its private key and keep it in
a safe place (such as an external hard drive). Alternatively, both certificate and private key are still available in the certificate store of the
browser you used to request the certificate in the first place. You can
use the method described in Chapter 3 to export it from here.

it is not possible to undo a revocation. If you realize after revoking a
certificate that you need it after all, you will have to request a new (different) certificate.
To revoke the certificate in question, please check the tick box by the selected
certificate entry and click Revoke certificate (see Figure 90).
Figure 90: Confirming the selection of a certificate that is to be revoked
You will now receive a message informing you that the revocation was carried
out and that a new revocation list will be published shortly (see Figure 91). You
will also receive an automatic e-mail informing you that the revocation has
taken place (see Figure 92). This successfully concludes the revocation process.
Note: The revocation list containing the serial number of the certificate that has
been revoked will appear on the PKI for Fraunhofer Contacts website no later
than 30 minutes after a successful revocation.
72
15.10.2013
Version 1.0
PKI Contacts – PKI for Fraunhofer Contacts
Revoking a personal certificate
Figure 91: Confirmation that your personal certificate has been revoked
Figure 92: E-mail confirming that your personal certificate has been
revoked
Version 1.0
15.10.2013
73
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement