This website uses cookies:
• from Cloudflare to identify trusted web traffic and protect this website. [__cfduid][read more]
• from Google Analytics to generate statistical data on how visitors uses this website (with IP anonymization). [_ga][read more]
• from Google AdSense (third party vendors, including Google) to deliver ads based on user prior visits to this website or other websites. [NID][read more]
Do you accept personalized website ads? AdSense cookies will be enabled/disabled based on your decision. You can change your mind at any time by accesing the ePrivacy button located at the bottom of every page. Enjoy your visit!

Free email digital signing and encryption

In one of my previous articles, I told you about the importance of digital email signatures, but not the way it can be accomplished.

There are few providers that can provide you free digital certificates to sign and encrypt your email communication, some of them even without requiring you to create an account.

For this cause (email digital signature and encryption), my provider of choice is StartCom ( with their StartSSL certificates.

timeline You may also be interested in: Thunderbird, how to use the free secure email certificate from Comodo for email ..., a new, five minutes method for email signing and encryption.
Designed by Freepik
I have chosen StartCom because of their long term certificates validity and the possibility to create certificates (websites/email/code) in a professional way, using own CSR (certificate signing request).
You should have a linux shell at your fingers (but in this days, you have linux shell even in Windows, precisely in Windows 10 is Bash, an Ubuntu distro natively integrated)

Step 1: Sign in or create an account on StartCom/StartSSL website:

Use your real email address for that, email confirmation is required.

Step 2: Go to Certificates Wizard tab and click on Email S/MIME certificate red link (latest column)

- your email should appear as valid,  use it in the "Email" field
- submit your own CSR;
The CSR generation it's easy, they also provide the shell command for it, and even a Windows tool :), but let's stay with our Linux shell for now :).

Step 2.1 - the CSR generation

I recommend to create a work folder, and to issue all commands from within this folder.

mkdir smime && cd smime
Replace "webmaster" with yourname
openssl req -newkey rsa:2048 -keyout webmaster.key -out webmaster.csr

You will be asked for few things
- a PEM pass phrase, use a strong one
- other self explanatory questions, like country codes, you can skip them if you want (press enter), the only required ones are the email address and pass phrases/challenge password
After that, you will have two new files into work folder: a csr and a key; copy/paste the csr file content into the StartSSL form (the "Please paste CSR")
Press the submit button and a zip file will be available for download (the certificate and the intermediate certificate: 1_Intermediate.crt and 2_youremail.crt) This file is also available in Toolbox->Certificate List.
Extract content of the zip into your working folder.

Step 3: Since for email signing and encryption we need a p12 or pfx version, it's time to do so

openssl pkcs12 -export  -inkey webmaster.key -in 2_youremail.crt -certfile 1_Intermediate.crt -out webmaster.pfx

You will have a fresh pfx certificate ready to be used in your desktop email client.

As a bonus, i'll show you how to use it in Thunderbird Email Client, my preferred one since de 1.0 version of it.

Go to your email account Settings->Security
Select View Certificates and then Import
Browse and select your fresh generated pfx/p12 file, provide the unlock password, the import is done, press OK
Now, you can select certificates for Digital Signing and Encryption, just select the latest one you have added.


Share this post on your favorite networks.
© Copyright 2017 | Just another information technology blog - All Rights Reserved