Protecting Messages with Digital Signatures


Outlook 2007 supports the use of digital signatures to sign messages and validate their authenticity. For example, you can digitally sign a sensitive message so that the recipient can know with relative certainty that the message came from you and that no one is impersonating you by using your e-mail address. This section of the chapter explains digital certificates and signatures and how to use them in Outlook 2007.

Understanding Digital Certificates and Signatures

A digital certificate is the mechanism that makes digital signatures possible. Depending on its assigned purpose, you can use a digital certificate for a variety of tasks, including the following:

  • Verifying your identity as the sender of an e-mail message

  • Encrypting data communications between computers (between a client and a server, for example)

  • Encrypting e-mail messages to prevent easy interception

  • Signing drivers and executable files to authenticate their origin

A digital certificate binds the identity of the certificate’s owner to a pair of keys, one public and one private. At a minimum, a certificate contains the following information:

  • The owner’s public key

  • The owner’s name or alias

  • A certificate expiration date

  • A certificate serial number

  • The name of the certificate issuer

  • The digital signature of the issuer

The certificate can also include other identifying information, such as the owner’s e-mail address, postal address, country, or gender.

The two keys are the aspect of the certificate that enables authentication and encryption. The private key resides on your computer and is a large unique number. The certificate contains the public key, which you must give to recipients to whom you want to send authenticated or encrypted messages.

Think of it as having a “read content key” and a “create content key”: one key (the private key) lets you create encrypted content, and the other key (the public key) lets others read the content encrypted with the first key.

Outlook 2007 uses slightly different methods for authenticating messages with digital signatures and for encrypting messages, as you’ll see later in the chapter. Before you begin either task, however, you must first obtain a certificate.
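As an added illustration of the certificate fields and the two-key mechanism described above (this is example code, not code from the book or from Outlook), the following Python models a toy issuer-signed certificate and the checks a recipient's mail client performs on a signed message: is the issuer trusted, is the issuer's signature over the certificate valid, has the certificate expired, and does the sender's signature match the message content. The RSA keys use small fixed primes, and the CA name, addresses and dates are constructed for the example; real mail clients use full-size keys and standard certificate formats.

```python
import hashlib

# Toy textbook RSA with small fixed primes: enough to make the certificate logic runnable offline.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # public key (n, e), private key (n, d)

def digest(data, n):
    # Hash-then-sign: reduce the SHA-256 digest below the modulus (toy shortcut, not a real padding scheme).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)  # only the holder of the private key can produce this

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)  # anyone holding the public key can check it

def cert_bytes(cert):
    # Canonical encoding of the fields the issuer signs (everything except the issuer's own signature).
    return "\n".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "issuer_sig").encode()

def check_signed_message(cert, message, sig, trusted_issuers, today):
    """Mirror the checks a mail client makes before reporting a signed message as authentic."""
    issuer_pub = trusted_issuers.get(cert["issuer"])
    if issuer_pub is None:
        return False, "issuer not trusted"
    if not verify(issuer_pub, cert_bytes(cert), cert["issuer_sig"]):
        return False, "certificate signature invalid"
    if today > cert["not_after"]:  # ISO dates compare correctly as strings
        return False, "certificate expired"
    if not verify(cert["public_key"], message, sig):
        return False, "message signature invalid"
    return True, "signed by " + cert["owner"]

# Constructed keys and certificate: a toy issuing CA and a user (the certificate owner).
ca_pub, ca_priv = make_keypair(1000003, 999983)
user_pub, user_priv = make_keypair(1000033, 1000037)
cert = {"owner": "alice@example.com", "public_key": user_pub, "serial": 1001,
        "not_after": "2008-12-31", "issuer": "Example Toy CA"}
cert["issuer_sig"] = sign(ca_priv, cert_bytes(cert))  # the issuer's digital signature
TRUSTED = {"Example Toy CA": ca_pub}  # the recipient's list of trusted issuers

if __name__ == "__main__":
    msg = b"Please approve the wire transfer."
    sig = sign(user_priv, msg)
    print(check_signed_message(cert, msg, sig, TRUSTED, "2008-06-01"))
    print(check_signed_message(cert, msg + b" Today.", sig, TRUSTED, "2008-06-01"))  # altered content
    print(check_signed_message(cert, msg, sig, TRUSTED, "2009-01-01"))  # past not_after
```

Changing any signed field of the certificate (for example the owner) invalidates the issuer's signature, which is why a recipient can trust the public key it carries.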

Obtaining a Digital Certificate

Digital certificates are issued by certificate authorities (CAs). In most cases, you obtain your e-mail certificate from a public CA such as VeriSign or Thawte. However, systems based on Windows servers running Certificate Services can function as CAs, providing certificates to clients who request them. Check with your system administrator to determine whether your enterprise includes a CA. If it doesn’t, you need to obtain your certificate from a public CA, usually at a minimal cost. Certificates are typically good for one year and must be renewed at the end of that period.

If you need to obtain your certificate from a public CA, point your Web browser to the CA Web site, such as www.verisign.com or www.thawte.com. Follow the instructions provided by the site to obtain a certificate for signing and encrypting your e-mail (see Figure 24–5, for example). The certificate might not be issued immediately; instead, the CA might send you an e-mail message containing a URL that links to a page where you can retrieve the certificate. When you connect to that page, the CA installs the certificate on your system.

Figure 24–5: You can use the Web to request a digital certificate from a public CA.

Note 

Alternatively, in Tools, Trust Center, click E-Mail Security, and then click Get A Digital ID to display a page from the Microsoft Web site that includes links to several certificate authorities. Select a vendor under Available Digital IDs (such as VeriSign) and click the link to its Web site to obtain a certificate.

If you’re obtaining a certificate from a CA on your network, the method you use depends on whether the network includes an enterprise CA or a stand-alone CA.

If you’re using Windows Vista as a domain client on a network with an enterprise CA, follow these steps to request a certificate:

  1. Select the Windows button; in the Start Search box, type MMC. Click OK.

  2. In the Microsoft Management Console (MMC), choose File, Add/Remove Snap-In.

  3. In the Add Standalone Snap-In dialog box, select Certificates, and then click Add.

  4. In the Certificates Snap-In dialog box, select My User Account, and then click Finish.

  5. Click OK to return to the MMC.

  6. Expand the Certificates - Current User branch.

  7. Expand the Personal branch, right-click Certificates, and choose All Tasks, Request New Certificate. You can also right-click the Personal branch and choose All Tasks, Request New Certificate.

  8. Follow the prompts provided by the Certificate Request Wizard and the enterprise CA to request your certificate. The certificate should install automatically.

To request a certificate from a stand-alone CA on your network (or if your computer is part of a workgroup), point your Web browser to http://<server>/certsrv, where <server> is the name or IP address of the CA. The CA provides a Web page with a form that you must fill out to request the certificate (see Figure 24–6). Follow the CA prompts to request and obtain the certificate. The site includes a link that you can click to install the certificate.

Figure 24–6: A Windows-based CA presents a Web form that you can use to request a certificate.

Copying a Certificate to Another Computer

You can copy your certificate from one computer to another, which means that you can use it on more than one system. The process is simple: you first export (back up) your certificate to a file, and then import the certificate into the other system. The following sections explain how to export and import certificates.

Note 

As you use the Certificate Import Wizard and the Certificate Export Wizard (discussed in the following sections), you might discover that they don’t precisely match the descriptions presented here. Their appearance and operation might vary slightly, depending on the operating system you’re running and the version of Microsoft Internet Explorer you’re using.

Backing Up Your Certificate

Whether you obtained your certificate from a public CA or from a CA on your network, you should back it up in case your system suffers a drive failure or if the certificate is lost or corrupted. You also should have a backup of the certificate so that you can export it to any other computers you use on a regular basis, such as a notebook computer or your home computer. In short, you need the certificate on every computer from which you plan to digitally sign or encrypt messages. To back up your certificate, you can use Outlook 2007, Internet Explorer, or the Certificates console (available in Microsoft Windows 2000, Microsoft Windows XP, and Windows Vista). Each method offers the same capabilities; you can use any one of the three.

Follow these steps to use Outlook 2007 to back up your certificate to a file:

  1. In Outlook 2007, choose Tools, Trust Center, and then click the E-Mail Security page.

  2. Click Import/Export to display the Import/Export Digital ID dialog box, shown in Figure 24–7.

    Figure 24–7: You can export certificates in the Import/Export Digital ID dialog box.

  3. Select the Export Your Digital ID To A File option. Click Select, choose the certificate to be exported, and click OK.

  4. Click Browse and specify the path and file name for the certificate file.

  5. Optionally, you can enter and confirm a password (using a password is a good idea because you are also exporting your private key).

  6. If you plan to use the certificate on a system with Internet Explorer 4, select the Microsoft Internet Explorer 4.0 Compatible (Low-Security) check box. If you use Internet Explorer 5 or later, clear this check box.

  7. If you want to remove this Digital ID from this computer, select the check box next to Delete Digital ID From System.

  8. Click OK to export the file. The Exporting Your Private Exchange Key dialog box is displayed. Click OK to complete the export process.

If you want to use either Internet Explorer or the Certificates console to back up a certificate, use the Certificate Export Wizard, as follows:

  1. If you’re using Internet Explorer, begin by choosing Tools, Internet Options. Click the Content tab, and then click Certificates. In the Certificates dialog box, shown in Figure 24–8, select the certificate you want to back up and click Export to start the wizard. If you’re using the Certificates console, begin by opening the console and expanding Certificates - Current User/Personal/Certificates. Right-click the certificate to export, and then choose All Tasks, Export to start the wizard.

    Figure 24–8: You can use the Certificates dialog box to export a certificate.

  2. In the Certificate Export Wizard, click Next.

  3. On the wizard page shown in Figure 24–9, select Yes, Export The Private Key; then click Next.

    Figure 24–9: This wizard enables you to export the private key.

  4. Select Personal Information Exchange; if other options are selected, clear them unless needed. (If you need to include all certificates in the certification path, delete the private key after a successful export, or export all extended properties, select the corresponding option.) Click Next.

  5. Specify and confirm a password to protect the private key and click Next.

  6. Specify a path and file name for the certificate and click Next.

  7. Review your selections and click Finish.

Troubleshooting

You can’t export the private key.

To use a certificate on a different computer, you must be able to export the private key. If the option to export the private key is unavailable when you run the Certificate Export Wizard, it means that the private key is marked as not exportable. Exportability is an option you choose when you request the certificate. If you request a certificate through a local CA, you must select the Advanced Request option to request a certificate with an exportable private key. If you imported the certificate from a file, you might not have selected the option to make the private key exportable during the import. If you still have the original certificate file, you can import it again, this time selecting the option that will enable you to export the private key.

Installing Your Certificate from a Backup

You can install (or reinstall) a certificate from a backup copy of the certificate file by using Outlook 2007, Internet Explorer, or the Certificates console. You must import the certificate to your computer from the backup file.

The following procedure assumes that you’re installing the certificate using Outlook 2007:

  1. In Outlook 2007, choose Tools, Trust Center, and then click the E-Mail Security page.

  2. Click Import/Export to display the Import/Export Digital ID dialog box, shown earlier in Figure 24–7.

  3. In the Import Existing Digital ID From File section, click Browse to locate the file containing the backup of the certificate.

  4. In the Password box, type the password associated with the certificate file.

  5. In the Digital ID Name box, type a name by which you want the certificate to be shown. Typically, you’ll enter your name, mailbox name, or e-mail address, but you can enter anything you want.

  6. Click OK to import the certificate.

You can also import a certificate to your computer from a backup file using either Internet Explorer or the Certificates console, as explained here:

  1. If you’re using Internet Explorer, begin by choosing Tools, Internet Options. Click the Content tab, click Certificates, and then click Import to start the Certificate Import Wizard. If you’re using the Certificates console, begin by opening the console. Right-click Certificates - Current User/Personal, and then click All Tasks, Import to start the wizard.

  2. In the Certificate Import Wizard, click Next.

  3. Browse and select the file to import, and then click Open. (If you don’t see your certificate file, check the type of certificates shown in the Open dialog box by clicking the drop-down list to the right of the file name field.) After your certificate is selected in the File To Import dialog box, click Next.

  4. If the certificate was stored with a password, you are prompted to enter the password. Provide the associated password and click Next.

  5. Select the Automatically Select The Certificate Store Based On The Type Of Certificate option and click Next.

  6. Click Finish.


2007 Microsoft Office System Inside Out
ISBN: 0735623244
Year: 2007
Pages: 299