You can request a certificate for your GWDG account from the GWDG CA. With this certificate - together with the matching private key - you can sign messages so that the receiver can verify that the mail really came from you, and other people can send you encrypted e-mails. Apple Mail has been able to handle certificates since Mac OS 10.3 (Panther); the same certificates also work with Outlook for Mac and Thunderbird. The actual administration of the certificates and of the private key is done by the “Keychain Access” program. This guide explains how to apply for your own certificate with the browsers Safari or Firefox and how to integrate it into your system, so that you can exchange signed and encrypted e-mail with Apple Mail, Outlook or Thunderbird.
Application for a Certificate
First, go to the GWDG CA and click on “Apply for Certificates”, then select “for certificate request using a web browser” and enter your data. In the form, please state your e-mail address, your name and your department (each without umlauts!). Please note that in order to collect your certificate later, you must use the same computer on which you applied for it! So apply from a computer you always have access to. (After collection, the certificate can be transferred to any number of other computers.) Additionally, you can specify two further e-mail addresses to be registered in your certificate, so that signed mails can later be sent from them as well. For the PIN, enter a password with at least eight digits; you will need it for a possible future import or for revoking the certificate. Then click on “Next”. Please make sure all your details are correct before submitting your request.

After you submit the request, your key pair is generated by the browser - this can take some time, especially on older computers. Safari appears to “hang” with the typical rotating ball; do not quit the browser at this stage, otherwise the key cannot be generated and the certificate cannot be issued. More detailed instructions for applying for the certificate can be found on the GWDG homepage.

Now print the form, fill out all required fields and hand it in personally, together with an identification document (ID), at the GWDG - this is the only way to ensure that nobody applies for a certificate in your name. You can submit the application either to the Operating or directly to Mr. Hindermann: email@example.com
Import the CA certificate
After the application has been processed, you receive an e-mail with information about your certificate. In addition to your personal certificate, the intermediate certificates of the DFN and of the GWDG must be imported into the keychain (the Telekom root certificate is already installed from Mac OS 10.5 onwards), because the certificates form a hierarchy (Telekom root → DFN → GWDG → user) and your certificate only shows as valid if every link of that chain is present. The mail contains links both to your own certificate and to these “CA certificates”.

If you use Safari, simply click on the buttons “DFN-PCA certificate” and “GWDG CA certificate” to import the CA certificates. The two certificates are then stored on your hard disk under the names “intermediatecacert.crt” and “cacert.crt”. If you are using Firefox, Control-click (= right click) on the buttons and select “Save Target As”. Import the CA certificates by double-clicking each certificate file, then select the keychain “Login” in the window that appears. After importing the certificates, “DFN-Verein PCA Global G01” and “GWDG CA” should be present and shown as valid in the keychain “Login”. (A restart of Keychain Access may be required.)
Import of your Own Certificate
Now click on the other link in the e-mail, the one to your personal certificate. Please note - as mentioned above - that you absolutely must do this on the same computer and with the same browser that you used to apply for the certificate, because that is where the private key was generated! Now click on the button “Import Certificate”. When using Safari, your certificate is stored under the name “pki” on your computer. Rename this file to “pki.crt” and import it into the keychain “Login” by double-clicking it.

If you are using Firefox, the certificate is imported only into the browser itself. To export it, open the Firefox menu, select “Settings”, then “Advanced” and the “Security” tab, and click on “View Certificates”. Under “Your Certificates” you will find your certificate, which you can save by clicking “Save” (the file then has the extension “.p12”). The private key in this file is protected by a password that you have to specify. You then import this file by double-clicking it and entering the same password again to decrypt it.

You should now have both your certificate and your private key in your keychain “Login”, and your certificate should be displayed as valid (restart Keychain Access if necessary). The certificate is now ready to use.
Use of the Certificate with Apple Mail
When you create a new mail in Apple Mail with a sender address that is included in your certificate, two new icons appear next to your account name: a lock icon for encrypting and a “wheel” icon for signing. The lock icon can only be activated once you have imported the recipient's certificate. For GWDG addresses, you can search for certificates at ca.gwdg.de under “Manage Certificates” and - if available - download and import them into the keychain (with Safari, the download once again has to be renamed to pki.crt first).
Use of the Certificate with Outlook
In Outlook, go to Settings → Accounts → Advanced → Security, where you can select the certificate for signing and for decrypting. You can also choose whether all mail should be signed and/or encrypted by default. When creating a new mail, you can then sign it with the selected certificate via “Options” → “Security”.
Use of the certificate with Thunderbird
In Thunderbird, you can import the certificate under Edit → Account Settings → Security. After that, the certificate can be assigned to the appropriate mail account(s). Select the certificate for digital signing and/or encryption in the account's settings under S/MIME security. When composing an e-mail, signing and encryption can then be selected under “S/MIME”.
More Security for the Private Key
As we have seen above, your certificate consists of two parts: the public certificate, which other users need to send encrypted messages to you, and the private key, which you use to sign and to decrypt. This private key must never fall into the wrong hands, because anyone who has it can sign messages on your behalf and read your encrypted mails! It is therefore advisable to protect the private key with an additional password.
To do this, open the Keychain Access application and select “File” → “New Keychain”. Name this new keychain “Private Key”. You will then be prompted to enter a password for this keychain - this is the password that encrypts all objects you move into that keychain, so do not choose a password that is too simple! After you have created this new password-protected keychain, move your private key (not your certificate) into it. Your private key is now protected by the password: whenever an application (e.g. Apple Mail) wants to use that key for signing or decrypting e-mail, you will first be asked for the password.
So that you do not have to type the password every time, the keychain stays unlocked for a certain time once you have entered the password. The default is 5 minutes, but this period can be changed in the menu under “Edit” → “Settings for Keychain”. Additionally, you can have Keychain Access warn you whenever a program tries to access your private key. To do this, double-click your private key, click “Access Control” in the new window and select “Confirm before allowing access”. You can also list programs that are allowed to access the private key without a warning.
Backup of the Private Key
For a backup of your private key, select it and choose “File” → “Export”. You can now specify a file name; the format is already preset to “p12”. Before saving, you will be prompted for a password that protects the private key in the exported file. Choose a password that is as secure as possible. You can now copy the saved file onto a USB stick, either as a backup or to install the private key on a different computer. Unlike the private key, you do not need to specifically protect your public certificate, because it is public anyway – you can export it the same way, but in this case choose the format “cer”, which works without additional password protection.