Email signing and encryption (S/MIME)
Signing and/or encrypting your mails requires that you obtain a certificate first. GÉANT TCS provides self-service certificate issuance to h_da and other DFN member organizations.
Note: DFN PKI Global will no longer issue new user certificates after August 30th, 2023. If your certificate was issued by DFN PKI Global and is due to expire, you won't be able to renew it following that date. Instead, follow the instructions on this page to obtain a new certificate from GÉANT TCS.
Obtaining a certificate
Visit the enrollment website at cert-manager.com using this link.
Sign in with your h_da account
You should be presented with a form titled Digital Certificate Enrollment
Important for macOS users: The password must consist of letters and numbers only. You must not use any special characters.
- the Name and Email fields should match your name and mail address, respectively, and Organization is set to Hochschule Darmstadt
- as profile, choose GÉANT Personal Certificate
- pick a certificate lifetime from one of the options offered for the Term field
- most users should check Key Generation as the enrollment method (if you know what a CSR is and how to create one, you can use that too, of course)
- Key Type: RSA - 3072 is a safe choice
- Algorithm: Secure AES256-SHA256
Save the p12 file (containing certificate and private key) for import into your mail program
Using the certificate
How to use the obtained certificate is system-dependent. We try to provide a description for some common mail programs.
Thunderbird
A guide for setting up Thunderbird is available from the RRZE at Friedrich-Alexander-Universität Erlangen-Nürnberg.
Apple Mail (macOS)
- double-click the p12 file to import it into the system keychain
- restart Apple Mail to enable message signing/encryption
Outlook
This guide (again thanks to RRZE at FAU) describes configuration for Microsoft Outlook.
Other
If your preferred mail user agent is not listed above and you've succeeded in making S/MIME work, we'd be happy to include your solution on this site. Either create an issue that describes your solution or, if you're comfortable adjusting the sources yourself, provide your addition in the form of a Merge Request.
Troubleshooting
The following is a collection of known issues and their solutions.
Import of p12 certificate file fails on macOS
If your chosen password contains any special characters, macOS cannot import the file (the result of a known bug). In this case, you have to manually change the passphrase to letters and numbers only.
Open a terminal and enter the following commands.
# extract private key
openssl pkcs12 -in <your keyfile name>.p12 -nocerts -out privateKey.pem
# extract public key
openssl pkcs12 -in <your keyfile name>.p12 -clcerts -nokeys -out publicCert.pem
# show friendly name of private key
cat privateKey.pem | grep friendlyName | awk '{print substr($0, 19, 150); exit}'
# generate new p12 keyfile with new passphrase
openssl pkcs12 -export -out <choose new keyfile name>.p12 -inkey privateKey.pem -in publicCert.pem -name "<friendly name output>" -legacy
# remove intermediate files
rm privateKey.pem publicCert.pem
Now you can import the new p12 certificate file.
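The same re-packaging as an added example, not taken from this page or the RRZE guides: a POSIX shell function that refuses passphrases macOS would reject, carries the stored friendlyName over, and (instead of -legacy) names the classic 3DES/SHA-1 PKCS#12 encryption explicitly so it works on OpenSSL 1.1 and 3.x alike; make_sample_p12 builds a throw-away self-signed bundle that stands in for a real GÉANT TCS download. It assumes the openssl command-line tool is installed.

```shell
# Added example (not part of the h_da instructions): re-export a PKCS#12
# bundle under a new, macOS-friendly passphrase while keeping key, cert and
# friendlyName unchanged. Needs the openssl CLI (1.1 or 3.x).

# Accept only passphrases macOS can import: ASCII letters and digits.
passphrase_ok() {
  case $1 in
    '') return 1 ;;
    *[!A-Za-z0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# repack_p12 IN.p12 OLD_PASS OUT.p12 NEW_PASS
repack_p12() {
  in_p12=$1; old_pass=$2; out_p12=$3; new_pass=$4
  passphrase_ok "$new_pass" || { echo "new passphrase: letters and digits only" >&2; return 1; }
  work=$(mktemp -d) || return 1
  # Private key and end-entity certificate as PEM. The key is written
  # unencrypted (-nodes) but only into the private temp dir removed below.
  openssl pkcs12 -in "$in_p12" -passin "pass:$old_pass" -nocerts -nodes -out "$work/key.pem" &&
  openssl pkcs12 -in "$in_p12" -passin "pass:$old_pass" -clcerts -nokeys -out "$work/cert.pem" || {
    rm -rf "$work"; return 1; }
  # Reuse the stored friendlyName so the mail program shows the same label.
  name=$(sed -n 's/^ *friendlyName: //p' "$work/key.pem" | head -n 1)
  # PBE-SHA1-3DES + SHA-1 MAC is the classic PKCS#12 encryption that macOS
  # Keychain imports; unlike -legacy it needs no legacy provider on OpenSSL 3.
  openssl pkcs12 -export -out "$out_p12" -inkey "$work/key.pem" -in "$work/cert.pem" \
    -name "${name:-S/MIME certificate}" -passout "pass:$new_pass" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
  status=$?
  rm -rf "$work"
  return $status
}

# p12_opens FILE PASS: 0 if FILE can be opened with PASS, 1 otherwise.
p12_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# make_sample_p12 OUT.p12 PASS NAME: constructed throw-away self-signed
# bundle standing in for a real GÉANT TCS download (test material only).
make_sample_p12() {
  dir=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/k.pem" -out "$dir/c.pem" \
    -subj "/CN=Test User/emailAddress=test@example.org" >/dev/null 2>&1 &&
  openssl pkcs12 -export -out "$1" -inkey "$dir/k.pem" -in "$dir/c.pem" -name "$3" -passout "pass:$2"
  status=$?; rm -rf "$dir"; return $status
}
```

Call it as `repack_p12 old.p12 'old!pass' new.p12 newpass123`; if the original bundle was itself written with RC2 encryption, OpenSSL 3 additionally needs -legacy on the two extraction commands inside the function.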