UW Digital ID (Personal Certificate) - Configuring My Email Client (Windows)
This document will guide you through configuring your personal certificate to digitally sign emails on Windows.
Before Configuration
Before you start configuring your email client, you should make sure that you have downloaded and installed your certificate.
Download Instructions:
Installation Instructions: 69131
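To confirm the certificate is installed and usable before opening Outlook or Thunderbird, the following PowerShell check lists the certificates in your personal store and reports whether each can be used for signing and encryption. This is an added example, not part of the original instructions; the helper name Get-SmimeCandidate is hypothetical, and it assumes the certificate was installed into the current user's Personal store (Cert:\CurrentUser\My).

```powershell
# Added example (not from the original page). Get-SmimeCandidate is a
# hypothetical helper; Cert:\CurrentUser\My is assumed to be the install store.
function Get-SmimeCandidate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $emailOid  = '1.3.6.1.5.5.7.3.4'   # Secure Email (emailProtection) EKU
    $flags     = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $emailName = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName
    $now       = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

        # No EKU extension means the certificate is not restricted by purpose.
        $emailOk = (-not $eku) -or
            (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $emailOid)

        # No Key Usage extension means every key usage is permitted.
        $signOk = (-not $ku) -or
            $ku.KeyUsages.HasFlag($flags::DigitalSignature) -or
            $ku.KeyUsages.HasFlag($flags::NonRepudiation)
        $encOk = (-not $ku) -or $ku.KeyUsages.HasFlag($flags::KeyEncipherment)

        $timeOk = ($cert.NotBefore -le $now) -and ($now -lt $cert.NotAfter)
        $usable = $emailOk -and $timeOk -and $cert.HasPrivateKey

        [pscustomobject]@{
            Subject       = $cert.Subject
            Email         = $cert.GetNameInfo($emailName, $false)
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # needed to sign and to decrypt
            SecureEmail   = $emailOk
            CanSign       = $usable -and $signOk
            CanEncrypt    = $usable -and $encOk
        }
    }
}

Get-SmimeCandidate | Format-Table -AutoSize
```

A certificate that shows CanSign or CanEncrypt as False here is expired, lacks its private key, or was not issued for secure email, so it is not one to pick in the "Choose..." dialog described below.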
Configuring Outlook 2010
Choose "File" tab in the Outlook menu bar
Choose "Options"
Choose "Trust Center"
Choose the "Trust Center Settings..." button
Choose "E-mail Security"
Click the "Settings..." button
Security Settings
You will need to define your default security settings before you can digitally sign or encrypt emails. You should see the following screen:
You can create different security settings and give these separate names. You can define the following settings:
- Secure Message Format (type of e-mail)
- Digital Signature Settings
- Encryption Settings
- Security Setting Preferences (setting defaults)
The first step is to give your setting a name of your own choosing:
The "Digital Signature" settings allow you to choose the certificate you wish to use for signing your emails. If you click the "Choose..." button, you will be presented with an overview of your personal certificates:
You can view each certificate by first selecting a certificate and then clicking on the ‘Click here to view certificate properties’ link. You will now have a screen which gives an overview of the certificate:
When you find the certificate you want to use, select it and click "OK":
The certificate will now be added to both the "Signing Certificate" and "Encryption Certificate" box for this security setting.
Click "OK" to save this Security Setting.
Using a Certificate with Outlook 2010
The first step to securing your e-mail messages is to sign them using your digital certificate.
Open a new email window. In the Permission section of the Options ribbon you will see two Mail Security icons. The first is the red signing icon; selecting it will sign your email with the chosen certificate. The second is the blue encrypting icon; selecting it will encrypt your email (note: you will need the public key of your recipient before you can encrypt your email).
Your digital signature enables the recipient of your message to verify that you actually sent the message and that it was not altered along the route. Digitally signing your email will also give the recipient a copy of your public key. This will allow the recipient to send you encrypted emails in the future.
When you digitally sign your message, it does not mean that no one can intercept or read your message. Digitally signing a message does not affect the contents of the message in any way or protect the message from being intercepted and read by someone other than the intended recipient.
To ensure that only the recipient can read a message, you must also encrypt the message.
If the recipient of your digitally signed message does not use an S/MIME-enabled e-mail client, they can still read your message. However, your digital signature appears as an "smime.p7s" attachment and you will be unable to encrypt or decrypt messages with this person.
If the recipient of your digitally signed message does use an S/MIME-enabled e-mail client, the message will appear with an icon indicating that the message was digitally signed; for example, in Outlook it appears with a ribbon.
Status Icons
The signed icon shows that the received message was signed:
The untrusted signature icon shows that the received message was signed by a certificate which was issued by a CA which you do not trust yet (because you have not installed its root certificate or it has been revoked).
You can set up Outlook to always digitally sign your messages each time you send, and you can configure your security settings (as described previously) to sign using a specific certificate.
Reference: Microsoft Office Support
Configuring Outlook 2013
The screenshots shown are from Office 2010; however, the steps are fundamentally the same.
Choose "File" tab in the Outlook menu bar
Choose "Options"
Choose "Trust Center"
Choose the "Trust Center Settings..." button
Choose "E-mail Security"
Click the "Settings..." button
Security Settings
You will need to define your default security settings before you can digitally sign or encrypt emails. You should see the following screen:
You can create different security settings and give these separate names. You can define the following settings:
- Secure Message Format (type of e-mail)
- Digital Signature Settings
- Encryption Settings
- Security Setting Preferences (setting defaults)
The first step is to give your setting a name of your own choosing:
The "Digital Signature" settings allow you to choose the certificate you wish to use for signing your emails. If you click the "Choose..." button, you will be presented with an overview of your personal certificates:
You can view each certificate by first selecting a certificate and then clicking on the ‘Click here to view certificate properties’ link. You will now have a screen which gives an overview of the certificate:
When you find the certificate you want to use, select it and click "OK":
The certificate will now be added to both the "Signing Certificate" and "Encryption Certificate" box for this security setting.
Click "OK" to save this Security Setting.
Using a Certificate with Outlook 2013
The first step to securing your e-mail messages is to sign them using your digital certificate.
Open a new email window. In the Permission section of the Options ribbon you will see two Mail Security icons. The first is the red signing icon; selecting it will sign your email with the chosen certificate. The second is the blue encrypting icon; selecting it will encrypt your email (note: you will need the public key of your recipient before you can encrypt your email).
Your digital signature enables the recipient of your message to verify that you actually sent the message and that it was not altered along the route. Digitally signing your email will also give the recipient a copy of your public key. This will allow the recipient to send you encrypted emails in the future.
When you digitally sign your message, it does not mean that no one can intercept or read your message. Digitally signing a message does not affect the contents of the message in any way or protect the message from being intercepted and read by someone other than the intended recipient.
To ensure that only the recipient can read a message, you must also encrypt the message.
If the recipient of your digitally signed message does not use an S/MIME-enabled e-mail client, they can still read your message. However, your digital signature appears as an "smime.p7s" attachment and you will be unable to encrypt or decrypt messages with this person.
If the recipient of your digitally signed message does use an S/MIME-enabled e-mail client, the message will appear with an icon indicating that the message was digitally signed; for example, in Outlook it appears with a ribbon.
Status Icons
The signed icon shows that the received message was signed:
The untrusted signature icon shows that the received message was signed by a certificate which was issued by a CA which you do not trust yet (because you have not installed its root certificate or it has been revoked).
You can set up Outlook to always digitally sign your messages each time you send, and you can configure your security settings (as described previously) to sign using a specific certificate.
Reference: Microsoft Office Support
Configuring Outlook 2016
Choose "File" tab in the Outlook menu bar
Choose "Options"
Choose "Trust Center"
Choose the "Trust Center Settings..." button
Choose "E-mail Security"
Click the "Settings..." button
Security Settings
You will need to define your default security settings before you can digitally sign or encrypt emails. You should see the following screen:
You can create different security settings and give these separate names. You can define the following settings:
- Secure Message Format (type of e-mail)
- Digital Signature Settings
- Encryption Settings
- Security Setting Preferences (setting defaults)
The first step is to give your setting a name of your own choosing:
The "Digital Signature" settings allow you to choose the certificate you wish to use for signing your emails. If you click the "Choose..." button, you will be presented with an overview of your personal certificates:
You can view each certificate by first selecting a certificate and then clicking on the ‘Click here to view certificate properties’ link. You will now have a screen which gives an overview of the certificate:
When you find the certificate you want to use, select it and click "OK":
The certificate will now be added to both the "Signing Certificate" and "Encryption Certificate" box for this security setting.
Click "OK" to save this Security Setting.
Using a Certificate with Outlook 2016
The first step to securing your e-mail messages is to sign them using your digital certificate.
Open a new email window. In the Permission section of the Options ribbon you will see two Mail Security icons. The first is the red signing icon; selecting it will sign your email with the chosen certificate. The second is the blue encrypting icon; selecting it will encrypt your email (note: you will need the public key of your recipient before you can encrypt your email).
Your digital signature enables the recipient of your message to verify that you actually sent the message and that it was not altered along the route. Digitally signing your email will also give the recipient a copy of your public key. This will allow the recipient to send you encrypted emails in the future.
When you digitally sign your message, it does not mean that no one can intercept or read your message. Digitally signing a message does not affect the contents of the message in any way or protect the message from being intercepted and read by someone other than the intended recipient.
To ensure that only the recipient can read a message, you must also encrypt the message.
If the recipient of your digitally signed message does not use an S/MIME-enabled e-mail client, they can still read your message. However, your digital signature appears as an "smime.p7s" attachment and you will be unable to encrypt or decrypt messages with this person.
If the recipient of your digitally signed message does use an S/MIME-enabled e-mail client, the message will appear with an icon indicating that the message was digitally signed; for example, in Outlook it appears with a ribbon.
Status Icons
The signed icon shows that the received message was signed:
The untrusted signature icon shows that the received message was signed by a certificate which was issued by a CA which you do not trust yet (because you have not installed its root certificate or it has been revoked).
You can set up Outlook to always digitally sign your messages each time you send, and you can configure your security settings (as described previously) to sign using a specific certificate.
Reference: Microsoft Office Support
Configuring Thunderbird
Open Thunderbird and select Tools | Account Settings | Security on the account you are modifying.
Click on the Manage Certificates button ("View Certificates" in newer versions).
In the "Your Certificates" tab, click on Import. If you are unable to click on Import, see the "Alternative Directions" section below.
Browse to your certificate, select it, and click Open.
Click OK. You should be back in the "Security" window.
Under "Digital Signing" click Select.
Choose your certificate and click OK.
You will be prompted with a message asking you if you want to use this same certificate for encryption. Click OK if you do (recommended).
Click OK and you should be back in Thunderbird.
Alternative Directions
Some Thunderbird users need to install a file before using a digital certificate. Technicians are looking into the problem, but have developed this workaround.
Open Thunderbird and select Tools | Account Settings | Security.
Click on the Manage Security Devices button.
Click on NSS Internal PKCS#11 Module.
Click Load and browse to the location of the file (the path is usually C:\WINDOWS\System32\eTpkcs11.dll). Select this file and click Open. Accept the default "Module filename." Click the remainder of the OK buttons.
Under "Digital Signing" click Select. eToken users will be prompted for their password and then presented with a screen for selecting a certificate. Select the UW-Madison certificate and click OK.
Continue with step 3 of the original instructions.
Unable to locate certificate
On occasion, Thunderbird is unable to find your certificate. If this happens, you should be able to export your certificate and import it directly into Thunderbird. You can follow these instructions to export your certificate: 69183
Using a Certificate with Thunderbird
To use your certificate, compose a message and go to the pull-down menu under "Security." This menu allows you to sign and/or encrypt individual messages.