Email signing and encryption (S/MIME)
Signing and/or encrypting your mails requires that you obtain a certificate first.
History
- Since August 2023 DFN PKI Global will no longer issue new user certificates.
- Since Nov 2024 GEANT is no longer providing certificate services for h_da.
- The current service provider is HARICA Greece.
Obtaining a certificate
Visit the enrollment website HARICA Greece.
Use "academic login" and sign in with your h_da account
Click "Email" on the left side and select "Email-only"
Verify your email address through the verification link in the received email
Receive your certificate by clicking "Enroll your certificate"
Save the p12 file (containing certificate and private key) for import into your mail program
Important for macOS users: The password must consist of letters and numbers only. You must not use any special characters.
Using the certificate
How to use the obtained certificate is system-dependent. We try to provide a description for some common mail programs.
Thunderbird
A guide for setting up Thunderbird is available from the RRZE at Friedrich-Alexander-Universität Erlangen-Nürnberg.
Apple Mail (macOS)
- double-click the p12 file to import it into the system keychain
- restart Apple Mail to enable message signing/encryption
Outlook
This guide (again thanks to RRZE at FAU) describes configuration for Microsoft Outlook.
Other
If your preferred mail user agent is not listed above and you've succeeded in making S/MIME work, we'd be happy to include your solution on this site. Either create an issue that describes your solution or, if you're comfortable adjusting the sources yourself, provide your addition in the form of a Merge Request.
Troubleshooting
The following is a collection of known issues and their solutions.
Import of p12 certificate file fails on macOS
If your chosen password contains any special characters, macOS cannot import the file (the result of a known bug). In this case, you have to manually change the passphrase to letters and numbers only.
Open a terminal and enter the following commands:
# extract private key (asks for the current import password, then for a temporary PEM pass phrase)
openssl pkcs12 -in <your keyfile name>.p12 -nocerts -out privateKey.pem
# extract certificate (contains the public key)
openssl pkcs12 -in <your keyfile name>.p12 -clcerts -nokeys -out publicCert.pem
# show friendly name of private key
cat privateKey.pem | grep friendlyName | awk '{print substr($0, 19, 150); exit}'
# generate new p12 keyfile with new passphrase (letters and numbers only)
# -legacy (OpenSSL 3.x) writes the file with the older encryption algorithms
openssl pkcs12 -export -out <choose new keyfile name>.p12 -inkey privateKey.pem -in publicCert.pem -name "<friendly name output>" -legacy
# remove intermediate files
rm privateKey.pem publicCert.pem
Now you can import the new p12 certificate file.
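Before deleting the original file, you can check that the re-packed p12 still holds the same certificate and that its private key matches that certificate. The script below is an added example, not part of the original guide; the function names and the OLD_PW/NEW_PW variable names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide). Passwords are read from
# exported environment variables, named by argument, so they do not appear
# on the command line.

# Run "openssl pkcs12" on FILE; retry with -legacy, which OpenSSL 3.x needs
# to read files written with the older algorithms.
p12() {  # usage: p12 FILE PASS_VAR [pkcs12 options...]
  local file="$1" var="$2" out
  shift 2
  out=$(openssl pkcs12 -in "$file" -passin "env:$var" "$@" 2>/dev/null) ||
    out=$(openssl pkcs12 -legacy -in "$file" -passin "env:$var" "$@" 2>/dev/null) ||
    return 1
  printf '%s\n' "$out"
}

# SHA-256 fingerprint of the user certificate stored in the file.
p12_cert_fp() {
  p12 "$1" "$2" -clcerts -nokeys | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Public key as recorded in the certificate.
p12_cert_pub() {
  p12 "$1" "$2" -clcerts -nokeys | openssl x509 -noout -pubkey 2>/dev/null
}

# Public key derived from the private key (piped, never written to disk).
p12_key_pub() {
  p12 "$1" "$2" -nocerts -nodes | openssl pkey -pubout 2>/dev/null
}

check_repack() {  # usage: check_repack OLD.p12 OLD_VAR NEW.p12 NEW_VAR
  local old_fp new_fp key_pub
  old_fp=$(p12_cert_fp "$1" "$2") || { echo "cannot read $1" >&2; return 2; }
  new_fp=$(p12_cert_fp "$3" "$4") || { echo "cannot read $3" >&2; return 2; }
  [ "$old_fp" = "$new_fp" ] || { echo "certificate differs" >&2; return 1; }
  key_pub=$(p12_key_pub "$3" "$4") || { echo "no usable private key" >&2; return 1; }
  [ "$key_pub" = "$(p12_cert_pub "$3" "$4")" ] ||
    { echo "private key does not match certificate" >&2; return 1; }
  echo "ok: $new_fp"
}

# Example call, with OLD_PW and NEW_PW exported beforehand:
#   sh check_p12.sh old.p12 OLD_PW new.p12 NEW_PW
if [ "$#" -eq 4 ]; then check_repack "$@"; fi
```

A result of "ok" followed by the fingerprint means the new file is a faithful re-pack; any other outcome means the original p12 should be kept and the export repeated.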