SIGNING AND/OR ENCRYPTING E-MAILS WITH OFFICE OUTLOOK 2016 USING SK CERTIFICATES Overview

Upload: dokien

Post on 07-Mar-2018

CONTENTS

Introduction

Making required changes

  Adding intermediate certificates

    Single user/computer

    Domain environment

  Allowing different e-mail address in certificate

    Single user/computer

    Domain environment

Sending digitally signed e-mails

  Setting signing configuration

  Sending signed e-mail

Encrypting e-mails


INTRODUCTION

Microsoft Office Outlook 2016 has several requirements for performing digital operations on e-mails, and not all of them are met by a default installation. To support digital e-mail signing with SK certificates in Windows environments, the following changes must be made to the computer configuration:

1. Add the intermediate certificate to the intermediate certificates store;

2. Allow certificates whose e-mail address differs from the account address to sign e-mails.

And of course, the ID card software must be installed on the computer! You also need to be a local administrator on the computer to make changes to the system configuration!

After all requirements are fulfilled you can send digitally signed e-mails using SK smart card certificates!

Note. This document describes what to do with Office 2016. The configuration is also supported in older versions of Office and in Office 365, but it may need minor changes for other versions.


MAKING REQUIRED CHANGES

Adding intermediate certificates

Download and save the intermediate certificates1 to the folder c:\temp:

1. EstEID-SK 2011 as EEICA2011.cer

2. EstEID-SK 2015 as EEICA2015.cer

SINGLE USER/COMPUTER

Method 1 – adding certificates from command prompt

From an administrative command prompt run the command "certutil -f -addstore CA c:\temp\EEICA2011.cer":

Drawing 1 - adding intermediate certificate to store!

Repeat the step for the EstEID-SK 2015 certificate: "certutil -f -addstore CA c:\temp\EEICA2015.cer".

You can check that the certificates exist in the intermediate store by running the command "certutil -viewstore ca".

Method 2 – adding certificates using GUI

Open the downloaded certificates and install them into the intermediate certificates store. Here is an example based on the EstEID-SK 2015 certificate:

1. Open the certificate and select Install Certificate:

1 Actually, you only need to add one certificate: the one that issued your personal certificate. But there is nothing bad about supporting both currently active intermediate certificates in the corresponding store!


Drawing 2 - select install certificate

2. Select the store; if possible, prefer Local Machine:

Drawing 3 - store selection

3. Click Yes on the user account control dialog:


Drawing 4 - allowing change

4. Select the intermediate certification authorities store and click Next:

Drawing 5 - selecting intermediate authorities store

5. Click Finish to confirm import:


Drawing 6 - completing procedure

6. You'll get confirmation that everything is fine; click OK:

Drawing 7 - import succeeded!

To verify the configuration, you can open your SK certificate and check whether the full chain is built:


Drawing 8 - full chain is built and certificate is OK!

DOMAIN ENVIRONMENT

In a domain environment, you can distribute the intermediate certificates through group policy!

Allowing different e-mail address in certificate

SINGLE USER/COMPUTER

To support a certificate whose e-mail address differs from the account address we need to add a registry value to our configuration.

Method 1 – using command prompt

From an administrative command prompt run "Reg add HKCU\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security /v supressnamechecks /t REG_DWORD /d 1":

Drawing 9 - add registry key and value

You can check that the registry key and value exist by running the command "Reg query HKCU\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security /v supressnamechecks".

Method 2 – importing registry file

An alternative is to copy the following text (and the text only, please) into Notepad and save the file as SuppDiffEMail.REG. This can be useful if you want to share the configuration easily with others.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security]

"supressnamechecks"=dword:00000001

Run the reg file and click Yes on the user account control dialog:

Drawing 10 - standard dialog

In the next dialog window, make sure you want to continue and click Yes:

Drawing 11 - yes, you are sure

Now you're notified that the information was added to the registry:

Drawing 12 - confirmation

DOMAIN ENVIRONMENT

In a domain environment, you can use the Office 2016 user policy "Policies/Administrative Templates/Microsoft Outlook 2016/Security/Cryptography/Do not check e-mail address against address of certificates being used":


Drawing 13 - configuring systems with group policy
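The two single-computer changes above (intermediate certificate import and the supressnamechecks value) can also be applied and verified in one script. The following PowerShell is an added example, not part of the original guide: it assumes the two .cer files are saved in c:\temp under the names used above, that it runs from an elevated prompt, and that the issuer name of ID card certificates contains "EstEID-SK".

```powershell
# Added example (not from the guide): apply both required changes and verify them.
# Assumes: elevated PowerShell, EEICA2011.cer / EEICA2015.cer already saved in C:\temp.
$certDir   = 'C:\temp'
$certFiles = 'EEICA2011.cer', 'EEICA2015.cer'   # EstEID-SK 2011 and EstEID-SK 2015

# 1. Intermediate certificates -> LocalMachine\CA (same store as "certutil -f -addstore CA")
foreach ($name in $certFiles) {
    $path = Join-Path $certDir $name
    if (-not (Test-Path $path)) { Write-Warning "Missing $path - download it first"; continue }
    $imported = Import-Certificate -FilePath $path -CertStoreLocation 'Cert:\LocalMachine\CA'
    # Verify by thumbprint rather than trusting the import call alone
    $inStore = Get-ChildItem 'Cert:\LocalMachine\CA' | Where-Object Thumbprint -eq $imported.Thumbprint
    if ($inStore) { "OK  $($inStore.Subject)" } else { Write-Warning "NOT FOUND in CA store: $name" }
}

# 2. Outlook 2016: accept a signing certificate whose e-mail address differs from the account
#    (same value the guide sets with "Reg add ... /v supressnamechecks /t REG_DWORD /d 1")
$regPath = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security'
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name 'supressnamechecks' -PropertyType DWord -Value 1 -Force | Out-Null

$value = (Get-ItemProperty -Path $regPath -Name 'supressnamechecks').supressnamechecks
if ($value -eq 1) { 'OK  supressnamechecks = 1' } else { Write-Warning "supressnamechecks is '$value', expected 1" }

# 3. Chain check for ID card certificates in the personal store: the scripted equivalent of
#    opening the certificate and looking at the Certification Path tab (Drawing 8).
#    The issuer filter '*EstEID-SK*' is an assumption about the issuer name on the card.
foreach ($c in Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object Issuer -like '*EstEID-SK*') {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($chain.Build($c)) {
        "OK  chain built for $($c.Subject)"
    } else {
        Write-Warning "Chain FAILED for $($c.Subject): $($chain.ChainStatus.Status -join ', ')"
    }
}
```

Step 3 only reports certificates already present in the personal store, so insert the ID card before running it.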


SENDING DIGITALLY SIGNED E-MAILS

Setting signing configuration

• Open Outlook and select Options from the File menu!

• In the Options window select Trust Center, click Trust Center Settings and select Email Security:

Drawing 14 - trust center, email security

• Click Settings, select Choose (for the signing certificate) and select your ID card authentication certificate, set the other options as shown in the following figure and click OK!

Drawing 15 - selecting signing certificate and setting other options

• The Certificates and Algorithms fields are now filled. You must also give your settings a name! Click OK!

• In the Trust Center / Email Security window you can configure the system to add digital signatures to your e-mails automatically, if you like:

Drawing 16 - can change default configuration

• Click OK twice to return to Outlook.

Your signing configuration is ready now!


Sending signed e-mail

• Open Outlook and select New mail.

• Prepare your e-mail as usual, then select the Options tab and select Sign!:

Drawing 17 - mark sign for digital signature!

• Click Send!

• Outlook will ask for the PIN to sign the e-mail. Enter the PIN and click OK!

Drawing 18 - asking PIN to get access to private key

• The recipient will get a digitally signed e-mail:


• You can see that:

o the e-mail is signed!

o the digital signature is valid and trusted!

o the details of the signature!

o the signature information!

o …and you can also open the certificate for further verification!


ENCRYPTING E-MAILS

E-mail encryption allows you to encrypt e-mail content with the recipient's public key. As a result, the only person in the world who can open the encrypted e-mail is the person who holds the private key needed to decrypt it. In our case, we use SK certificates on smart cards, where the public keys are public information and the private key always stays on the smart card (ID card)! So, to decrypt an e-mail (and view its content) encrypted with an SK public key, the recipient needs the private key (accessible with PIN 1) on the ID card!

To send an encrypted e-mail to a recipient, the recipient must be in your Outlook contacts and the ID card certificate (public key) must be associated with this contact! To add the certificate, open Outlook Contacts, select Certificates and click Import. Browse to the contact's certificate file and import it!

Drawing 19 – adding certificate to contact

(How to get the recipient's certificate?:

• Ask the recipient for their SK authentication certificate, or

• Import it from the SK LDAP (you need the personal identification number for that), or

• Ask the recipient for a signed e-mail (where the certificate is attached).)

Now you can use the encryption option when sending e-mail to the contact!


Drawing 20 - sending encrypted e-mail

Note. You can also add a signature to the e-mail in addition to encryption if you like!

The recipient will now get your e-mail and needs the ID card and PIN to open it:

Drawing 21 - decrypting e-mail with PIN (private key)

After entering the PIN the recipient decrypts the e-mail and can see its content!