HowTo: e-Mail Client Software
See also ImportRootCert | FAQ/BrowserClients
This HowTo tells you how to manually import the CAcert Root Certificate, and the *.p12 / *.pfx files containing your client certificates with their corresponding private keys, into your e-mail client software.
Expected result: you can use S/MIME or PGP/GPG signing and encryption with CAcert-issued certificates.
Android
DJIGZO
DJIGZO has two separate key stores: "Certificates & Keys" for your personal keys (and intermediate certificates), and "Root certificates" for CA root certificates. So when your CA certificate is a (self-signed) root certificate, you have to add it to "Root certificates" by choosing "Store to import to: root". Your own (intermediate or end-user) certificates, which are signed by a CA, go into "Certificates & Keys" by choosing "Store to import to: certificates".
see also here: https://lists.cacert.org/wws/arc/cacert/2012-12/msg00009.html
R2Mail2
For S/MIME encryption and/or signing there is the Android app R2Mail2, which is a fully functional e-mail client. Unfortunately, it costs 4,80 Euros (for the license; otherwise you only see 5 messages per folder in demo mode). R2Mail2 is still being developed and further improved. I already find it much better than the default Android mail client. It does not have as many features as K-9 Mail, but it fully supports S/MIME (and, to a more limited degree, also PGP).
see also here: https://lists.cacert.org/wws/arc/cacert/2012-12/msg00009.html
FairEmail
This client is available on Google Play and can sign and encrypt messages. It supports both S/MIME and PGP; PGP encryption is free of charge.
Sending encrypted S/MIME mail, however, is a paid feature, costing about € 7.35 ($ 8.60 in 2021).
The client needs you to install your certificate with the corresponding private key, preferably from the *.p12 / *.pfx backup file (file icon: fingerprint), and of course the CAcert root certificates (these may be in the same file).
Installing these files into Android 5 and later is described elsewhere; links are given at the beginning of this article. If you receive mail for the same account on multiple devices, make sure that your *.p12 / *.pfx file contains the same private key and certificate you use in your e-mail clients elsewhere. The certificate and private key are installed automatically when you download or open the file. If more than one private key & certificate pair is installed in Android, you will need to select which one the client should use to encrypt a message before sending.
To decrypt the received message, you may need to press the lock icon in the header.
As with other e-mail clients, you also need to receive one unencrypted but signed message from the person with whom you want to exchange encrypted messages. The signature (Scribar icon) is shown in the message header and the client saves the sender's certificate automatically. After pressing the icon, FairEmail shows who signed the message and other details.
iOS (iPhone, iPad)
The advantage of S/MIME is that it's built into Mail in iOS. To enable it, go to Settings > Account > Advanced for each e-mail account and enable S/MIME.
PGP/GPG in (Apple) Mail
Mail accesses the public key certificate using one of two methods, depending on whether the recipient is in the Exchange environment.
If the recipient is a user in the same Exchange environment, iOS will retrieve the necessary certificate for message encryption. iOS will consult the global address list (GAL) and your contacts. Notice the lock and Encrypted designation at the top. When Mail finds a certificate, a lock icon appears to the right of the recipient's contact name, highlighted in blue.
If the intended recipient is outside the sender's Exchange environment or if the sender is not using an Exchange account, the recipient's certificate must be installed on the device. Click on the link above for details.
Linux
PGP/GPG in Thunderbird
S/MIME in Thunderbird
MacOS (Macintosh)
Mac OS X includes Keychain, a built-in key and password manager, which stores user passwords, user and server certificates, and keys. Certain applications use this centralized Keychain for storing and retrieving certificate information in lieu of maintaining their own, separate certificate repositories.
The advantage of S/MIME is that it's built into Mail on the Mac.
To import your certificate-key pair:
- Open the Keychain Access utility (Applications -> Utilities).
- Choose File -> Import items…
- Browse to the location of your CAcert certificate and click Open. You will be prompted for your key pair's export password.
Once imported, your certificate-key pair will appear under both the Certificates and Keys categories in the Keychain Access utility.
Apple Mail
- Install the "Mac GNU Privacy Guard" from here: http://macgpg.sourceforge.net/de/index.html#files and copy the GPG Keychain into the Applications folder.
- Launch GPG Keychain.app and import the certificate.
- Download and install the GPGMail plugin from here: http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html#Download
S/MIME in (Apple) Mail
S/MIME in Entourage
Thunderbird
see Linux
Outlook for OS X
- From the Outlook menu, select Preferences > Accounts. Select your email account, click Advanced, and then select the Security tab.
- In the "Digital signing" section, select your certificate from the drop-down menu.
- For "Signing algorithm", the default value of SHA-256 is appropriate for most situations.
- For the best usability enable all three checkbox options:
  - Sign outgoing messages
  - Send digitally signed messages as clear text
  - Include my certificates in signed messages
- In the "Encryption" section, select your certificate from the drop-down menu.
- Click OK to save your changes and exit Outlook Preferences.
Windows
S/MIME in Outlook 2003
S/MIME in Outlook 2007
S/MIME in Outlook 2010
see: HowToDocuments/Outlook 2010
S/MIME in Outlook 2016 & 2019
Prerequisites:
- Both participants are using Outlook 2016 or 2019.
- Each participant has their e-mail certificate and corresponding private key installed in Outlook, ideally imported from a backup P12 (.p12, .pfx) file. (I recommend that the file be labeled with a name containing the email address for which the certificate is issued and the certificate serial number.)
- In the Security Center (File - Options - (dialog) Security Center panel - Security Center Settings - (dialog) "Email Security" panel), under S/MIME "Default Settings" click the Settings... button. In the next dialog select the signing certificate and hash algorithm (e.g. SHA256), then the encryption certificate and encryption algorithm (e.g. AES 128-bit), the maximum for the certificate. The certificate can be the same for both functions. Note that the certificate shown while selecting is not necessarily the one you picked but the first one the system has "in line"; you can select another (or the first one) by clicking the "More options" link. Finally, close all the dialogs one by one with about three OKs.
This complexity, discouraging the use of encryption, is probably there on purpose by MS!
Procedure:
One of the participants (let's call her Alice) initiates the encrypted connection by sending her partner (Bob) a digitally signed message (Alice's entire certificate, containing her public key, is sent along with it). In addition to explanatory or other text, the message should include the cryptographic fingerprint of Alice's certificate.
The other participant (Bob) receives this message; his Outlook checks its integrity and saves the certificate. Now it is Bob's turn to send Alice a similar signed message carrying his certificate.
For complete (paranoid) security, both should validate the cryptographic fingerprints of each other's certificates intended for e-mail exchange over another channel (e.g., telephone).
Now Alice can continue the conversation by replying to Bob's signed message. The reply needs to be opened in a separate window (not just the "Concept" reply from the received message preview), where under the "Options" header she selects both message encryption and message signing.
Bob receives the message and his Outlook decrypts it; again it is better to open it in a separate window. The conversation can then continue in the same way.
New Start
If a participant starts another encrypted conversation after a long pause, the recipient should be selected from the address book, or the autocomplete ("whisper") suggestion should be confirmed. If you type the address directly into the To: field, or paste it from the mailbox, the encryption will fail and report an error (the recipient's certificate was not retrieved; this may also be an Outlook bug).
When this happens, find the unencrypted signed message again (or request a new one and check the cryptographic fingerprint) and reply to it encrypted.
Thunderbird
see also Linux
Thunderbird v.78.12.0
Prerequisites:
- Certificates with their private keys are installed in the program: hamburger icon - Options - Privacy and Security - last item in the panel - Certificates - Manage certificates - (dialog) - Personal - Import. Since Thunderbird has its own certificate store, you need to ensure that the CAcert root certificates are installed under "Authorities". Importing under Authorities requires PEM (.crt) or similar files; importing client certificates under Personal requires P12 (.p12, .pfx) files.
- The encryption settings are made for each account (e-mail address) separately. Click on the account name to get a series of links in the top right panel and use "End-to-end Encryption". The settings dialog opens: the top part is for OpenPGP, the bottom for S/MIME, and at the very bottom is the choice of the preferred encryption technique.
- Under S/MIME you first select the certificates for digital signing and for encryption (the same certificate can be selected for both functions). You can also choose to encrypt messages by default. The Certificate Manager can be started directly from here. There is no setting for the hash or the encryption algorithm.
- For OpenPGP, a suitable pre-generated key must be selected (Add Key button). You can also start the OpenPGP Key Manager directly.
Procedure:
For S/MIME it is similar to Outlook, just without the complications of selecting the recipient or the separate window.
One of the participants (let's call her Alice) initiates the encrypted connection by sending her partner (Bob) a digitally signed message (Alice's entire certificate, containing her public key, is sent along with it). In addition to explanatory or other text, the message should include the cryptographic fingerprint of Alice's certificate.
The other participant (Bob) receives this message; his Thunderbird checks its integrity and saves Alice's certificate. Now it is Bob's turn to send Alice a similar signed message carrying his certificate. For complete (paranoid) security, both should validate the cryptographic fingerprints of each other's certificates intended for e-mail exchange over another channel (e.g., telephone).
Now Alice can continue the conversation by replying to Bob's signed message. In the message header under "Options", she selects message encryption, the encryption type (PGP or S/MIME) and message signing.
Bob receives the message and his Thunderbird decrypts it. The conversation can then continue in the same way.
Of course, each participant in the encrypted conversation may use a different e-mail client, provided that they agree on the type of encryption and that both client programs support the agreed type.
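The out-of-band fingerprint check in the Outlook and Thunderbird procedures above, and the root-versus-personal store decision from the DJIGZO and Thunderbird sections, as an added example that is not part of this wiki page: a stdlib-only Python script that reads the issuer and subject out of a DER-encoded certificate to decide which store it belongs in, and formats the colon-separated fingerprint that the two parties read out to each other over the phone. The certificate skeleton it parses is constructed inline and carries no real signature; the sample_cert helper and all names in it are assumptions for the demonstration.

```python
# Added example (not from the CAcert wiki): pick the import store for a certificate
# and show the fingerprint that Alice and Bob compare over a second channel.
import hashlib

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length (DER: minimal bytes)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(seq):
    """Split the content of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def fingerprint(der, algo="sha256"):
    """Colon-separated hex digest of the DER bytes, as Thunderbird/Outlook display it."""
    hx = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))

def store_for(der):
    """'root' (Authorities / "Root certificates") when issuer == subject, else 'personal'.
    A store-selection heuristic only: it does not verify the signature."""
    cert_body = _children(der)[0][1]                # content of the outer Certificate SEQUENCE
    tbs = _children(_children(cert_body)[0][1])     # elements of tbsCertificate
    if tbs[0][0] == 0xA0:                           # skip the explicit [0] version field
        tbs = tbs[1:]
    issuer, subject = tbs[2][1], tbs[4][1]          # serial, sigAlg, issuer, validity, subject
    return "root" if issuer == subject else "personal"

# --- constructed sample data: a tiny DER encoder and an unsigned certificate skeleton ---
def _der(tag, content):
    ln = len(content)
    lb = b"" if ln < 0x80 else ln.to_bytes((ln.bit_length() + 7) // 8, "big")
    return bytes([tag, ln if ln < 0x80 else 0x80 | len(lb)]) + lb + content

def _name(cn):                                      # Name: SEQ { SET { SEQ { OID CN, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def sample_cert(issuer_cn, subject_cn):
    """Assumed sample only: valid DER layout, dummy algorithm/validity/signature bytes."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
           + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))
```

Feed a real certificate's DER bytes (for a .crt in PEM, base64-decode the body between the BEGIN/END lines) to store_for and fingerprint; for a .p12 file you first have to extract the certificates, since the PKCS#12 container is not parsed here.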
New Start
There are no problems with Thunderbird starting a new conversation.