
Secure email - Digitally sign and encrypt emails

On this page you will find information on how you as an employee at NTNU can sign and encrypt your e-mail.

Your IT department recommends that you adopt digital signing and encryption of email, because you get an extra layer of security while also verifying your identity as the sender.

The most common form of digital signature relies on encryption in which the signer holds a secret private encryption key. The authentication level of the signature depends on the issuer of this encryption key.

Create a digital signature

A digital signature is a kind of stamp, like a physical signature, that links a person to a document, an e-mail or similar. To adopt digital signing and encryption, you must first create a personal certificate. Through its service agreement with Sikt, NTNU can generate a personal certificate at Sectigo:

  1. Go to https://cert-manager.com/customer/uninett/idp/clientgeant
  2. Type Feide in the field for "Find Your Institution" and select Feide in the menu
  3. Select NTNU as your affiliation, if requested.
  4. Enter your Feide username and password and press login
  5. Choose:
    • Certificate Profile: GÉANT Personal email signing and encryption
    • Term: 730 days
    • Check "Key Generation"
    • Key type: RSA 8192
  6. Create a secure and unique password in the "Password" field. You use the password to import the certificate in Outlook.
    • Select key protection algorithm: Secure AES256-SHA256 (for Windows)
    • Select key protection algorithm: Compatible TripleDES-SHA1 (for Mac)
  7. Press Submit.
  8. Download the file (certs.p12).
  9. Choose a safe location and save the file.

Keep a copy

Make a backup copy of your certificate file before you start sending encrypted email. If you lose a certificate with the private key, you will not be able to read encrypted e-mail.

Make sure you store it in a secure area.
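
One way to confirm that the backup copy is usable before you depend on it, as an added example using the openssl command-line tool (not part of NTNU's instructions): `p12_check` confirms that the password opens the file, that the private key matches the certificate, and that the certificate is an unexpired e-mail certificate. The function names, the `P12_PASS` variable and the self-signed demo certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a certs.p12 backup before relying on it.
# The passphrase is read from the environment variable P12_PASS so it is
# kept off the command line. Requires the openssl CLI.

# Print how the private key inside FILE is protected
# (AES-256 for the "Secure" choice, TripleDES for "Compatible").
p12_key_protection() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -info -noout 2>&1 |
        grep 'Shrouded Keybag' | head -n 1
}

# Return 0 only if FILE opens with the passphrase, contains a private key
# that matches the certificate, and the certificate is an unexpired
# e-mail protection certificate.
p12_check() {
    f=$1
    openssl pkcs12 -in "$f" -passin env:P12_PASS -noout 2>/dev/null ||
        { echo "FAIL: wrong passphrase or damaged file"; return 1; }
    cert=$(openssl pkcs12 -in "$f" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null)
    # Public key derived from the stored private key (key is only piped, never written).
    key_pub=$(openssl pkcs12 -in "$f" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] ||
        { echo "FAIL: no private key matching the certificate"; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -text | grep -q 'E-mail Protection' ||
        { echo "FAIL: certificate is not valid for e-mail protection"; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
    echo "OK: $(p12_key_protection "$f")"
}

# Constructed sample so the example runs offline: a self-signed test
# certificate for a made-up address, written to DIR/certs.p12.
make_demo_p12() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -keyout "$d/key.pem" -out "$d/cert.pem" \
        -subj "/CN=Demo User/emailAddress=demo.user@example.org" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -out "$d/certs.p12" -passout env:P12_PASS \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
}
```

On a real file, export `P12_PASS` with the password chosen in step 6 and run `p12_check certs.p12`; an OK line that mentions TripleDES rather than AES-256-CBC means the Compatible option was used.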

Add a digital ID on a Windows computer

  1. Open the file. The file will automatically open in the program "Certificate Import Wizard".
  2. Select "Current User" as "Store Location" and press "Next".
  3. Click "Next" on "File Name". The file's name is already filled in.
  4. Type the password you entered when you created the certificate.
  5. Tick "Mark this key as exportable".
  6. Leave "Include all extended properties" ticked.
  7. There is no need to tick "Strong private key protection".
  8. Select "Automatically select the certificate store based on the type of certificate".
  9. Press "Finish".

Enable digital signature in Outlook

  1. Open Outlook
  2. Click File > Options > Trust Center
  3. Click Trust Center Settings…
  4. Choose Email Security on the left side.
  5. Under Encrypted e-mail, choose Settings
  6. Choose My S/MIME Settings (email address)...
    1. Click OK if your email address is shown under Security Settings Name
  7. Mark Add digital signature to outgoing messages under Encrypted email
  8. Click OK, followed by another OK

Deploy digital signing in Outlook for Mac

  1. Open the file, select Keychain: Login
  2. Open Keychain Access
  3. Press File -> Import
  4. Select the .pfx file and press Open. You will be prompted for a password.
  5. Check that the certificate has been added to the list
  6. Open Outlook.
  7. Select Tools > Accounts
  8. Select your NTNU account and press Advanced
  9. Find the Security tab and select the certificate for both signing and encryption

Verify digital email signature

  1. Open Outlook
  2. Click New Email
  3. Click the Options pane and check that Sign is checked under Permission
  4. Send a test email to someone that can verify that your digital signature is working.

If a red ribbon appears on your email to the recipient, you've done everything right.

Publish your digital ID to the Global Address List (GAL)

  1. Click File > Options > Trust Center
  2. Click Trust Center Settings
  3. Choose Email Security on the left side
  4. Click Publish to GAL...
  5. A dialogue window will appear with a message like "Your certificate...success". Click OK
  6. Close all windows. You’re done!

Encrypt e-mail

Encrypting your e-mail adds a layer of security that is effective against surveillance and unauthorized access.

This procedure will only work if both you and your recipient have acquired and published your digital ID to the global address list (GAL).

  1. Create an e-mail as you normally would
  2. Select the tab Options and choose Encrypt
  3. Write your e-mail as you normally would and send it. If you get an error message, there might be a problem with your or your recipient's digital ID.

Use the same certificate on multiple PCs

To send signed email from multiple PCs, you only need one certificate per user.

Export the certificate from Outlook, and then import it on other PCs (you can move the certificate using a flash drive, for example). To export and import a certificate, follow these steps:

Export a certificate in Outlook

  1. Open Outlook
  2. Click File > Options > Trust Center
  3. Click the button marked Settings...
  4. Choose Email Security
  5. Click Import/Export
  6. Select Export your Digital ID to a file
  7. Click Select and you will see a dialog window pop up with your certificate > Click OK
  8. Click Browse to choose where you want to save your certificate
  9. Choose a password, enter it twice > Click OK

You have now saved your certificate with password protection. You should save the certificate in a safe location. If you want to use it on another device, you can, for example, copy it to a pen drive.

Import a certificate in Outlook

  1. Locate your certificate that you have exported
  2. Right-click on it and choose Install PFX and an install wizard will start
  3. Choose Current User under Store Location
  4. Press Next until you are asked to enter a password
  5. Enter the password used when you exported your certificate
    - If you want to be notified whenever the certificate is to be used, choose Enable strong private key protection (not recommended)
    - If you want to be able to export the certificate for reuse, choose Mark this key as exportable (recommended)
  6. Press Next, followed by another Next and then press Finish to end this install wizard

You now need to enable the certificate in Outlook. Follow these steps:

  1. Open Outlook
  2. Click File > Options > Trust Center
  3. Click Trust Center Settings…
  4. Choose Email Security on the left side.
  5. Choose Settings under Encrypted e-mail
  6. Choose My S/MIME Settings (email address)...
    1. Click OK if your email address is shown under Security Settings Name
  7. Mark Add digital signature to outgoing messages under Encrypted email
  8. Click OK, followed by another OK

Your certificate should now be installed on your device.

Contact

Orakel Support Services can help if you have questions or if you encounter difficulties.
