There are a few providers that offer free digital certificates to sign and encrypt your email communication, some of them even without requiring you to create an account.
For this purpose (email digital signature and encryption), my provider of choice is StartCom (https://www.startcomca.com/) with their StartSSL certificates.
You should have a Linux shell at your fingertips (these days you have a Linux shell even in Windows: Windows 10 has Bash, a natively integrated Ubuntu distro).
Step 1: Sign in or create an account on the StartCom/StartSSL website: https://www.startcomca.com/
Use your real email address for that; email confirmation is required.
Step 2: Go to the Certificates Wizard tab and click on the red Email S/MIME certificate link (last column)
- your email should appear as valid, use it in the "Email" field
- submit your own CSR;
CSR generation is easy; they also provide the shell command for it, and even a Windows tool :), but let's stay with our Linux shell for now :).
Step 2.1 - the CSR generation
I recommend creating a work folder and issuing all commands from within it.
mkdir smime && cd smime
openssl req -newkey rsa:2048 -keyout webmaster.key -out webmaster.csr
You will be asked for a few things:
- a PEM pass phrase, use a strong one
- other self-explanatory questions, like country codes; you can skip them if you want (press Enter), the only required ones are the email address and pass phrases/challenge password
After that, you will have two new files in the work folder: a csr and a key. Copy and paste the content of the csr file into the StartSSL form (the "Please paste CSR" field).
Press the submit button and a zip file will be available for download (the certificate and the intermediate certificate: 1_Intermediate.crt and 2_youremail.crt). This file is also available in Toolbox->Certificate List.
Extract content of the zip into your working folder.
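Before packaging, it is worth confirming that the issued certificate really belongs to the private key generated in Step 2.1. The following check is an added example, not part of the original post: the function names pubkey_fp, same_keypair and demo and the KEYPASS environment variable are assumptions, and the demo self-signs a throwaway CSR in place of the CA's reply.

```shell
#!/bin/sh
# SHA-256 fingerprint of the public key in a private key, CSR or certificate.
# $1 = key|csr|crt, $2 = file, $3 = openssl pass phrase source (key only), e.g. env:KEYPASS
pubkey_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -passin "$3" -pubout) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *)   return 2 ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if key, CSR and issued certificate all carry the same public key.
# $1 = key file, $2 = CSR file, $3 = certificate file, $4 = pass phrase source
# In the work folder: same_keypair webmaster.key webmaster.csr 2_youremail.crt env:KEYPASS
same_keypair() {
    k=$(pubkey_fp key "$1" "$4") || return 2
    r=$(pubkey_fp csr "$2") || return 2
    c=$(pubkey_fp crt "$3") || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed demo: throwaway key and CSR, self-signed in place of the CA's reply,
# plus an unrelated certificate that must be rejected. Prints "match mismatch".
demo() {
    d=$(mktemp -d) || return 1
    KEYPASS='constructed-demo-passphrase'; export KEYPASS
    subj='/CN=demo/emailAddress=webmaster@example.com'
    openssl req -newkey rsa:2048 -keyout "$d/webmaster.key" -out "$d/webmaster.csr" \
        -subj "$subj" -passout env:KEYPASS 2>/dev/null
    openssl x509 -req -in "$d/webmaster.csr" -signkey "$d/webmaster.key" \
        -passin env:KEYPASS -days 1 -out "$d/2_youremail.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -keyout "$d/other.key" -out "$d/other.crt" \
        -subj "$subj" -passout env:KEYPASS -days 1 2>/dev/null
    res=""
    for crt in 2_youremail.crt other.crt; do
        if same_keypair "$d/webmaster.key" "$d/webmaster.csr" "$d/$crt" env:KEYPASS
        then res="$res match"; else res="$res mismatch"; fi
    done
    rm -rf "$d"
    echo "${res# }"
}
```

Passing the pass phrase through env:KEYPASS keeps it out of the process list, which a pass: argument on the command line would not.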
Step 3: Since email signing and encryption need a p12 or pfx version of the certificate, it's time to create one:
openssl pkcs12 -export -inkey webmaster.key -in 2_youremail.crt -certfile 1_Intermediate.crt -out webmaster.pfx
You will have a fresh pfx certificate ready to be used in your desktop email client.
As a bonus, I'll show you how to use it in the Thunderbird Email Client, my preferred one since its 1.0 version.
Go to your email account Settings->Security
Select View Certificates and then Import
Browse and select your freshly generated pfx/p12 file and provide the unlock password; once the import is done, press OK
Now, you can select certificates for Digital Signing and Encryption, just select the latest one you have added.