S/Mime Mail

S/MIME allows you to send and receive signed mail, as well as encrypt mail. See Send Signed Email for a short comparison between S/MIME and GPG/PGP (which allows you to both sign and encrypt mail).

Extract and verify a received S/MIME mail

 * 1) Download the mail
 * 2) Determine the signer certificate
 * 3) Verify the mail with openssl

Determine the signer (CA) certificate
First, download the message. Then with smime, extract the message and the (yet unverified) user certificate, outputing the message, and writing the user certificate to user.pem:

openssl smime -in signed-mail-message.eml -verify -noverify -signer user.pem

Then check the CA certificate of the user certificate:

openssl x509 -in user.pem -noout -issuer

Depending on the answer, make sure you have this certificate somewhere. For example, if the answer is C=NL, O=NIKHEF, CN=NIKHEF medium-security certification auth, it is the DutchGrid certificate authority, and you can download the CA certificate at: wget http://certificate.nikhef.nl/medium/cacert.pem

It should be stressed that there is no automated way to determine were to download the CA certificate by just looking at the name. That is intentional: you really have to trust the CA certificate. Look at it. Do you trust it enough to download it from that source? You may even just want to get it on USB key from a real person.

Verify the mail with openssl
Assuming that the CA file is called cacert.pem:

openssl smime -verify -in mail.eml -CAfile cacert.pem

Note that you need the final root certificate, not the intermediate certificate.

Sending S/MIME Mail
Instead of using S/MIME, you may consider using PGP or GPG instead. Note that S/MIME and PGP/MIME can not be used together, though it may technically be possible to use S/MIME with in-line PGP. However, client support may be non-existant.

If you use S/MIME, you are recommended to use Thunderbird, since that has built-in support for S/MIME.

Steps to send S/MIME signed emails using Thunderbird:


 * 1) Get a certificate (not explained here)
 * 2) convert certificate + keys to pcks12 format
 * 3) Import pcks12 certificate + keys in Thunderbird
 * 4) Enable signed email for account
 * 5) Send mail

Get a certificate
Make sure that the certificate you obtain contains your email address.

Convert certificate + keys to pcks12 format
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out userkey+cert.pcks12

make sure this new file is only readable by yourself. After all, it contains your key as well!

chmod go-r userkey+cert.pcks12

Import pcks12 certificate + keys in Thunderbird
Go to Thunderbirds "Certificate Manager". Import the pcks12 file.

For correct usage, the CA that signed your certificate should be known in Thunderbird. You can import the PEM file. Since most CA's publish their certificate in PEM format, this should be relatively straightforward.