Sign

This sample acts as a starting point and uses a generic certificate to sign outgoing messages. It is useful because it gets you up and running in less than five minutes, and it gives you a feeling for S/MIME and the way it works. Once the setup is complete, all messages from youremail@yourdomain.com to someone@hotmail.com are signed. Because the generic certificate ships with the toolkit and is shared by everyone who downloads it, a signature made with it proves nothing about the sender; it is for getting started only. The next step would be to use your own certificate rather than the generic certificate.

download TLS/SSL Toolkit
extract CACert.pem into the CERT directory
extract sample@mydomain.com.pem into the CERT\PRIV directory
select Options->S/MIME->Sign and create a new record
Sign and encrypt using a user certificate

This sample is based on a traditional S/MIME configuration, where the certificate is stored in Windows on the local machine and Outlook uses the certificate to sign the message. The disadvantage of such a configuration is that an S/MIME message can't be checked by a traditional spam or virus blocker. Furthermore, handling roaming users is a nightmare, because the certificates are scattered across the users' machines. To overcome these limitations, XWall or CryptoFilter provide central handling of certificates and, beyond that, automatic certificate exchange with little or no user intervention.

The sample assumes XWall or CryptoFilter at Site A using e-mail addresses of @domainA.com and a second XWall or CryptoFilter at Site B using e-mail addresses of @domainB.com.

Once the setup on both sites is complete, the automatic certificate exchange must be triggered. The simplest way is for one site to start sending a message to the other site, which XWall will sign. The XWall at the receiving site then extracts the public key from the signed message and stores it in the CERT\PUB directory. The reply to this message is then encrypted using the key that was previously extracted, and the replying site's own public key is enclosed. At the end, both keys have been exchanged and from then on every message is encrypted.

On Site A:
enable Options->S/MIME->Options->Collect the public certificate of the sender
copy all user certificates into the CERT\PUB directory (the name of the certificate file is the e-mail address with a .pem extension, e.g. user@domainA.com.pem)
select Options->S/MIME->Sign and create a new record
select Options->S/MIME->Verify and create a new record
select Options->S/MIME->Encrypt and create a new record
select Options->S/MIME->Decrypt and create a new record

On Site B:
enable Options->S/MIME->Options->Collect the public certificate of the sender
copy all user certificates into the CERT\PUB directory (the name of the certificate file is the e-mail address with a .pem extension, e.g. user@domainB.com.pem)
select Options->S/MIME->Sign and create a new record
select Options->S/MIME->Verify and create a new record
select Options->S/MIME->Encrypt and create a new record
select Options->S/MIME->Decrypt and create a new record
Sign and encrypt using a company certificate

This sample uses a single company certificate to sign and decrypt messages. It assumes XWall or CryptoFilter at Site A using e-mail addresses of @domainA.com and a second XWall or CryptoFilter at Site B using e-mail addresses of @domainB.com. There is one certificate for each site: the private key files are named cert-priv-DomainA.pem and cert-priv-DomainB.pem, and the public key files are named cert-pub-DomainA.pem and cert-pub-DomainB.pem. The private key file is a secret and never leaves the site, but the public key file must be sent to the other site; since whoever controls the public key file the other site installs controls which key it encrypts to, confirm over a second channel (for example by comparing the certificate fingerprint by phone) that the file arrived unaltered. Once the setup on both sites is complete, all messages between the sites are immediately encrypted.

Note: For testing you can use the sample@mydomain.com.pem certificate from TLS/SSL Toolkit on both sites. Once the setup is working, you can then change the sample certificate to a real certificate.

On Site A:
copy cert-priv-DomainA.pem into the CERT\PRIV directory
copy cert-pub-DomainB.pem into the CERT\PUB directory
select Options->S/MIME->Sign and create a new record
select Options->S/MIME->Verify and create a new record
select Options->S/MIME->Encrypt and create a new record
select Options->S/MIME->Decrypt and create a new record

On Site B:
copy cert-priv-DomainB.pem into the CERT\PRIV directory
copy cert-pub-DomainA.pem into the CERT\PUB directory
select Options->S/MIME->Encrypt and create a new record
select Options->S/MIME->Decrypt and create a new record
select Options->S/MIME->Encrypt and create a new record
select Options->S/MIME->Decrypt and create a new record
Install a certificate

The program expects the certificate in PEM format. PEM is Base64-encoded text, so you can open it with a text editor. The file extension is .pem. Your own certificates are private certificates and must contain a private key section in the .pem file; they are stored in the CERT\PRIV directory. Your recipients' certificates are public certificates and are stored in the CERT\PUB directory.
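The following Python script is an added example, not code from XWall, CryptoFilter or the TLS/SSL Toolkit. It implements the two rules just stated as a pre-flight check before a file is dropped into CERT\PRIV or CERT\PUB (well-formed Base64 sections, a CERTIFICATE section present, a private key section only for your own certificates), and it also models the "Collect the public certificate of the sender" step from the user-certificate sample above, using that sample's file-name convention (the sender's e-mail address plus .pem). The function names and the lower-casing of the file name are this example's own choices, and the PEM bodies it feeds itself are constructed, not real certificates or keys.

```python
import base64
import re
from pathlib import Path

# Added example, not XWall/CryptoFilter code: a pre-flight check for PEM files
# before they are dropped into CERT\PRIV or CERT\PUB, plus a model of the
# "Collect the public certificate of the sender" step. All function names are
# this example's own.

# A PEM section: "-----BEGIN label-----", Base64 body lines, "-----END label-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Labels that mark a private key section (your own certificate must have one).
PRIVATE_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}


def pem_sections(text: str) -> list:
    """Return the labels of all PEM sections in text, in order.

    Each body must be valid Base64; a corrupt section raises ValueError,
    because the program could not load such a file anyway."""
    labels = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"section {label!r} is not valid Base64: {exc}") from exc
        labels.append(label)
    return labels


def classify_pem(text: str) -> str:
    """'PRIV' when the file carries a private key section (one of your own
    certificates), 'PUB' when it carries only certificates (a recipient's)."""
    labels = pem_sections(text)
    if "CERTIFICATE" not in labels:
        raise ValueError("no CERTIFICATE section: not a usable certificate file")
    return "PRIV" if any(label in PRIVATE_LABELS for label in labels) else "PUB"


def public_cert_filename(email: str) -> str:
    """File name under CERT\\PUB: the e-mail address plus .pem, e.g.
    user@domainA.com.pem. Lower-casing is this example's choice; Windows file
    names are case-insensitive, so it only normalizes lookups."""
    email = email.strip().lower()
    if not re.fullmatch(r"[^@\s/\\]+@[^@\s/\\]+\.[^@\s/\\]+", email):
        raise ValueError(f"not a plain e-mail address: {email!r}")
    return email + ".pem"


def store_collected_certificate(pub_dir: Path, sender: str, pem_text: str) -> Path:
    """Model of collecting the sender's public certificate into CERT\\PUB.

    Refuses anything that is not a pure public certificate, so a private key
    can never end up in the public directory by accident."""
    if classify_pem(pem_text) != "PUB":
        raise ValueError("refusing to store a private key section in CERT\\PUB")
    pub_dir.mkdir(parents=True, exist_ok=True)
    target = pub_dir / public_cert_filename(sender)
    target.write_text(pem_text)
    return target


def _constructed_section(label: str, payload: bytes) -> str:
    """Build a PEM-shaped section around a constructed payload (not real DER)."""
    body = base64.b64encode(payload).decode("ascii")
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed sample inputs: the Base64 bodies are not real certificates or keys.
SAMPLE_PUBLIC = _constructed_section(
    "CERTIFICATE", b"constructed public certificate for user@domainB.com")
SAMPLE_PRIVATE = SAMPLE_PUBLIC + _constructed_section(
    "PRIVATE KEY", b"constructed private key; it never leaves the site")
SAMPLE_CORRUPT = "-----BEGIN CERTIFICATE-----\nnot*base64!\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import tempfile

    print(classify_pem(SAMPLE_PUBLIC), classify_pem(SAMPLE_PRIVATE))  # PUB PRIV
    with tempfile.TemporaryDirectory() as tmp:
        stored = store_collected_certificate(Path(tmp) / "PUB", "User@DomainB.com", SAMPLE_PUBLIC)
        print(stored.name)  # user@domainb.com.pem
```

Run it with a real file by reading the file into classify_pem: a result of PRIV means the file belongs in CERT\PRIV, PUB means CERT\PUB, and a ValueError means the file would not load (no certificate section, or a section whose Base64 is damaged, which is the usual symptom after a file has been mailed or pasted through a tool that rewrapped it). The store step deliberately fails closed on a private key section, since a key that lands in CERT\PUB would be sent to the other site by the automatic exchange.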
Convert a certificate

When you obtain a certificate from an authority, they may send you a .p12 or .pfx file, which you need to convert to a .pem file. Extract PKCS12_to_PEM.bat and OpenSSL.exe from TLS/SSL Toolkit into a directory of your choice. Run PKCS12_to_PEM.bat with the name of your .p12 or .pfx file, and a tlscert.pem file will be created.

Sample: PKCS12_to_PEM mycert.pfx

Or you can use the online converter at https://www.sslshopper.com/ssl-converter.html. Keep in mind that a .p12 or .pfx file contains your private key, so uploading it to a web site discloses that key to the site's operator; the local batch file keeps the key on your machine.

Sometimes when you obtain a certificate from an authority, they install the certificate directly into the Windows certificate store. To export the certificate to a .pfx file, start an MMC and select Add / Remove Snap-In -> Add -> Certificates -> My user account. In the snap-in select Certificates - Current User -> Personal, where you will find the certificate. Right-click it and select All Tasks -> Export; in the wizard choose to export the private key, because only then can it write a .pfx file.
How to get a Certificate

Certificates usable for S/MIME are available from: