This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Trying to set up encrypted mails but I'm confused about certificates and keys

  • 5 odgovori
  • 1 ima ovaj problem
  • 3 views
  • Posljednji odgovor poslao Zenos

more options

Hello all, My first foray into encrypted emails and I'm already confused! To begin with, I'm trying to exchange mails with one other person, who I believe uses Outlook. So far:

He's sent me his certificate (although I thought I would receive his public key) which is a file called smime.p7m. I don't know what to do with this.

I've successfully followed the instructions at https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages. When I start a new mail, I can either go to the Enigmail menu and switch on encryption / digital signing and it seems fine, or I can go to the dropdown on the S/MIME button and it says "You need to set up one or more personal certificates before you can use this security feature." Are these two different ways of doing the same thing (in which case I'll use the one that works!) or not?

As you can see, I'm getting confused between keys and certificates! If some kind person could take a minute to explain what my next steps are, that would be much appreciated. I couldn't find anything on the Thunderbird support pages, though I know I need to send him my public key.

Thanks in advance. Stuart.

Hello all, My first foray into encrypted emails and I'm already confused! To begin with, I'm trying to exchange mails with one other person, who I believe uses Outlook. So far: He's sent me his certificate (although I thought I would receive his public key) which is a file called smime.p7m. I don't know what to do with this. I've successfully followed the instructions at https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages. When I start a new mail, I can either go to the Enigmail menu and switch on encryption / digital signing and it seems fine, or I can go to the dropdown on the S/MIME button and it says "You need to set up one or more personal certificates before you can use this security feature." Are these two different ways of doing the same thing (in which case I'll use the one that works!) or not? As you can see, I'm getting confused between keys and certificates! If some kind person could take a minute to explain what my next steps are, that would be much appreciated. I couldn't find anything on the Thunderbird support pages, though I know I need to send him my public key. Thanks in advance. Stuart.

All Replies (5)

more options

Stuart, I am not an expert in that area, but I've been reorganizing some of the support articles and offer the following for further reading: https://support.mozilla.org/en-US/kb/configuration-options-security https://support.mozilla.org/en-US/kb/configuring-certificates

If those don't help, come back

more options

Hi Duggabe, Thanks for the reply (and for your work on Mozilla). Unfortunately no, those links didn't really help. If I knew what I was trying to do, they would help me to do it... but I haven't got to that point yet!

If you or anyone else can help further, that would be great.

Thanks. Stuart.

more options

Stuart,

I'm confused too ;)

Mark this as 'not helping'. Then if you don't get another answer soon, you might request that it be 'elevated'.

more options

In case it's useful to someone else... this blog post (http://iqsecur.blogspot.co.uk/2012/06/complete-guide-to-encrypting-and.html) was really useful!

more options

Stuart8, good find, that article.

I found the main disincentive to using the built-in S/MIME capability is that it's not immediately obvious where to get your certificate and keys. Most providers want $$$ for them, which is natural enough if they are actually going to validate you in some way. I did at one time have a Thawte certificate and even enough WOT vouches to be a low-grade WOT Attorney.

Once you have your key, it's a bit of a pfaff to install it into Thunderbird. You'll probably find that S/MIME is the default in business correspondence, since many businesses operate their own mail servers, ftp servers and so on and probably have an arrangement to generate self-issued certificates or to buy them on a commercial basis from a CA.

Enigmail/OpenPGP doesn't require any financial outlay on your part, but is harder to get your keys properly validated since there's not much of a formal WOT nor a reliable central registry. You generate your own keys and it's pretty much all based on mutual trust.

Since the two systems are incompatible, you need to have set up the same as whatever your correspondent is using.

I suspect that you have discovered that it's a two-way process. In order for a correspondent to send you an encrypted message, you must both be using the same system, and he must have your public key to encrypt his message, and you'll need his in order to reply with encryption. So yes, he needs to send you his public key for you to send to him, but what he sends to you needs YOUR public key.

Obviously, signing messages is a useful halfway house. I believe that you sign with your private key, and the recipient will have to download your public key to validate your signature. Whilst a signature doesn't safeguard your privacy, it goes some way to proving that the message came from who it says it came from and that it hasn't been altered in transit. (I really can't understand why banks, lawyers, insurance companies haven't picked up on these encryption and signing schemes. Perhaps they actually prefer all those awful phone calls where you need to struggle to recall supposedly unforgettable names and dates! ;-) )

In practice, I find that if you sign a message to an outfit who don't know what to do with it, their numpty anti-virus system will probably barf on the signature which it thinks is executable code and therefore must be a virus or worm. :-(