Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)


By Digi-Sign
Created Feb 19 2008 - 13:29

Digi-Mail™ Secure Email


Digi-Mail™ Support

This is the main Digi-Mail™ Support page and provides all the main support pages you require to configure, own, deploy, manage and maintain your Digi-Mail™ Certificates and the systems that use them.

You can browse this Support Directory or you can view the Digi-Mail™ KnowledgeBase [1] that contains specific Questions & Answers [Q&A] (this is free today but will be a 'Subscription Only' service soon).



You can return 'Up' to the main Support section of the entire site or continue browsing by using the links below. And remember, to get the most extensive help file access and/or to contribute, Login [2] or Register [3].

Issuing Digi-Mail™

Issuing Digi-Mail™ Certificates to End Users

The Digi-CA™ [4] Certificate Authority [CA] system (that issues the Digi-Mail™ end user certificates) can issue thousands of certificates every hour. This 'endless' capacity means that getting Digi-Mail™ certificates to the end users can occur as quickly as your environment demands.

Allow 30+ Minutes

How the Digi-Mail™ certificates are issued is set by the 'Enrolment Policy [5]'. The options within the Enrolment Policy are designed to be very flexible. They can be customised to meet almost any requirement with many different settings and combinations. The three basic options are:


  • Manual

    • Inviting and approving requiring manual input from the Administrator

  • Automated

    • Inviting and approving are completely automated

  • Combination

    • Inviting and approving may require some manual input from the Administrator

Overview of the Issuing Process

Issuing the Digi-Mail™ certificates is either a one- or two-stage process. Either the user receives an email inviting them to apply for their certificate, or they are referred from an existing online site/system to the Certificate Application form.

However the user is prompted to get their certificate, in the first stage, the Digi-CA™ Inviting 'action' requires the end user 'reaction' (completing an application form). In the second stage, the Digi-CA™ Approving 'action' requires the end user 'reaction' (activating the certificate) and this completes the process. It is best understood as follows:


  • Inviting each end user to complete the online enrolment form

    • Completing the enrolment form by the end user

  • Approving each correctly completed enrolment and issuing the approval notice

    • Activating the certificate by the end user

Sample Issuing Process

As stated, because the Enrolment Policy is very flexible, there are many different ways to invite and approve end user certificates. The following is a sample issuing process only. You may wish to include other options, as required.


Stage One 'Digi-CA™ Action' - Inviting Digi-Mail™ Certificate Applications

Using the Digi-CA™ RA Management Console interface, the Administrator uploads a .CSV batch file inviting [6] as many users as required.




Review the other available invitation [6] options.




Stage One 'User Reaction' - Completing Enrolment Form

The Digi-CA™ system sends an email to each end user with a unique link to the Digi-Mail™ certificate enrolment form. Using the link provided in the email, the end user then completes the Digi-Mail™ certificate enrolment form.

Note: this is the default Digi-Mail™ End Entity Certificate Enrolment Form. This form uses basic HTML programming that can be altered [7] to match your specific design requirements.




See other sample enrolment [7] forms.



Stage Two 'Digi-CA™ Action' - Approving Enrolment Applications

Once the end user completes all the fields and submits the enrolment form to the Digi-CA™ system, the Administrator is notified. The Administrator then approves [5] each end user application using the Digi-Mail™ Certificate Authorization Panel.




Depending on the Enrolment Policy [5] this stage may be automated.




Stage Two 'User Reaction' - Activating the Digi-Mail™ Certificate

Assuming the Administrator approves the application, the Digi-CA™ system sends a new email to the end user advising them that their application has been approved. Using the link provided in the email, the end user then activates [8] the Digi-Mail™ certificate and this completes the issuing process.




See other sample certificate activation [8] forms.

Sample Enrolment Forms

Examples of how the Digi-Mail™ enrolment forms can be customised

The Digi-Mail™ End Entity Digital Certificate Enrolment Form uses basic HTML programming that can be altered to match your specific design requirements. Below are some samples of customised enrolment pages:





Note: In addition to changing the 'look and feel' of the enrolment page, you will notice that the fields required on the form can be altered according to the specific Enrolment Policy [5] set by the organisation.




Once the enrolment form is completed and submitted by the end user, the Enrolment Policy enforces how the application is handled by the Digi-CA™ system. Learn more about the Enrolment Policy [5] options or browse the other pages below.

Issuing Options

Descriptions of the Digi-Mail™ invitation options

Digi-Mail™ certificates are issued according to the Enrolment Policy. The first stage is the Inviting stage that is controlled by the End Entity Account Manager interface in Digi-CA™. There are three options:

  • Single manual invitation

    • Inviting each end user one-at-a-time





  • Batch manual invitation

    • Inviting multiple end users in a single batch upload





  • Automated invitation

    • Inviting multiple end users automatically





Once the invitation is issued, the end user must complete the enrolment form. View customised enrolment [7] forms or browse the other pages below.

Enrolment Policy

Descriptions of the Digi-Mail™ invitation options

The Enrolment Policy for Digi-Mail™ controls the entire certificate issuing process. The Enrolment Policy is set by the Certificate Policy [CP] for the Digi-CA™. This is a specialist subject and requires experience with Certificate Authority [CA] systems and Public Key Infrastructure [PKI]. Keeping this complex topic simple, there are three basic options for Enrolment Policy:

  • Manual

    • Inviting and approving requires manual inputs from the Administrator





  • Automated

    • Inviting and approving are completely automated. If the Enrolment Policy is to completely automate the approval process, it will be based on rules. Enrolment Policy Rules are also too complex a topic to explain here; however, here are some simple examples where certificate requests are approved based on:

      • a specific domain being used in the enrolment form

      • a specific phone number being used in the enrolment form

      • a specific PIN number being used in the enrolment form


  • Combination

    • Inviting and approving may require some manual input from the Administrator. Again in this instance, part of the process (and most likely the approval) will be automated and will be based on rules similar to those above.


Once the application is approved, the end user activates their Digi-Mail™ certificate using the End Entity Digital Certificate Collection form. View customised activation [8] forms or browse the other pages below.
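The domain, phone number and PIN rules above, worked through as an added example (this is not Digi-Sign's Digi-CA™ code): a small Python decision function that evaluates a submitted enrolment form against the configured rules and maps the result onto the Manual, Automated and Combination modes. The policy structure, field names, hold/reject outcomes and sample values are assumptions made for illustration; an enabled rule is taken to be one the policy has configured with a value.

```python
"""Rule-based Enrolment Policy decision (added example, not Digi-Sign code).

Assumptions (not on the page): the policy lists approved email domains and
phone numbers plus one shared enrolment PIN; a rule is enabled when it has
a value; 'hold' means the Administrator approves it in the Authorization
Panel, 'reject' means a fully automated policy turns it down.
"""
from dataclasses import dataclass
import hmac
import re
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class EnrolmentPolicy:
    mode: str                                       # "manual", "automated" or "combination"
    approved_domains: FrozenSet[str] = frozenset()  # lower-case, e.g. {"example.com"}
    approved_phones: FrozenSet[str] = frozenset()   # digits only (see normalise_phone)
    pin: Optional[str] = None                       # shared enrolment PIN, if used


@dataclass(frozen=True)
class Application:
    """Fields taken from the submitted enrolment form (constructed sample data)."""
    email: str
    phone: str
    pin: str


def normalise_phone(raw: str) -> str:
    """Keep digits only so '+44 1234 567890' and '441234567890' compare equal."""
    return re.sub(r"\D", "", raw)


def email_domain(email: str) -> Optional[str]:
    """Lower-cased domain part of a plain local@domain address, or None when the
    address is malformed (no '@', empty parts, embedded whitespace)."""
    email = email.strip()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or any(c.isspace() for c in email):
        return None
    return domain.lower().rstrip(".")


def enabled_rules(policy: EnrolmentPolicy) -> List[str]:
    rules = []
    if policy.approved_domains:
        rules.append("domain")
    if policy.approved_phones:
        rules.append("phone")
    if policy.pin is not None:
        rules.append("pin")
    return rules


def matched_rules(policy: EnrolmentPolicy, app: Application) -> List[str]:
    matched = []
    domain = email_domain(app.email)
    if domain is not None and domain in policy.approved_domains:
        matched.append("domain")
    if normalise_phone(app.phone) in policy.approved_phones:
        matched.append("phone")
    # constant-time compare so the PIN check does not leak how many characters matched
    if policy.pin is not None and hmac.compare_digest(policy.pin.encode(), app.pin.encode()):
        matched.append("pin")
    return matched


def decide(policy: EnrolmentPolicy, app: Application) -> Tuple[str, List[str]]:
    """Map the rule outcome onto the three policy modes described on the page:
       manual      -> always 'hold' for the Administrator
       automated   -> 'approve' only if every enabled rule matches, else 'reject'
       combination -> 'approve' if every enabled rule matches, else 'hold'
    Returns (decision, names of the rules that matched)."""
    matched = matched_rules(policy, app)
    enabled = enabled_rules(policy)
    all_match = bool(enabled) and set(matched) == set(enabled)  # no rules: fail closed
    if policy.mode == "manual":
        return "hold", matched
    if policy.mode == "automated":
        return ("approve" if all_match else "reject"), matched
    if policy.mode == "combination":
        return ("approve" if all_match else "hold"), matched
    raise ValueError(f"unknown Enrolment Policy mode: {policy.mode!r}")


if __name__ == "__main__":
    policy = EnrolmentPolicy(mode="combination", approved_domains=frozenset({"example.com"}),
                             approved_phones=frozenset({"441234567890"}), pin="4821")
    for app in (Application("alice@Example.com", "+44 1234 567890", "4821"),
                Application("bob@example.org", "+44 1234 567890", "4821"),
                Application("carol@example.com", "+44 1234 567890", "0000")):
        print(app.email, decide(policy, app))
```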

Sample Activation Forms


Outlook (PC)

Installing and Using your Secure Email Certificate with Outlook(PC)


  • Assigning your Certificate to your email account:

    • 1. Open Outlook
      2. Select Tools from menu
      3. Select Options from drop down menu
      4. In dialog box that appears select Security tab

      IMAGE



      5. Enter a name for your security setting into the Security Settings Name box
      6. Ensure S/MIME is selected on the Secure Message Format box

      IMAGE



      7. Check the Default Security Setting for this Secure Message Format
      8. In Certificates and Algorithms section click the Choose button in the Signing Certificate section
      9. Select your Secure Email Certificate from the Select Certificate dialog box
      10. Outlook should automatically choose the same Secure Email Certificate as your Signing Certificate for the Encryption Certificate. If not, click the Choose button in the Encryption Certificate section and select your Secure Email Certificate from the Select Certificate dialog box
      11. Ensure Send These Certificates with Signed Messages is selected
      12. Click OK to return to Options dialog box
      13. Click OK to return to Outlook


  • Following these steps will display digital sign and encrypt buttons on your New Message toolbar:
    • 1. Click New Message button
      2. Select Tools from menu
      3. Select Customize from drop down menu
      4. Select the Commands tab
      5. Select the Standard from the Categories listings
      6. Scroll down the Commands list on the right to locate Encrypt Message Contents and Attachments. Click on the entry.
      7. Using your mouse, drag the highlighted Encrypt Message Contents and Attachments listing onto your Toolbar. We recommend placing it next to the Send button.
      8. Repeat the steps 6 & 7 to also add the Digitally Sign Message listing.
      9. Click Close to return to composing your message


  • Signing an Email:
  • Signing an email ensures the recipient knows the email has come from you and informs him / her if it has been tampered with since being signed.

      1. Compose your email and attach files as usual

      2. Click Sign button

      IMAGE



      3. Click Send button

    The recipient of your email must have a copy of your Certificate in order to verify your signed email is legitimate. Ensure you have completed Step 11 in the Assigning your Certificate to your email account section above.

  • Encrypting an Email:
  • Encrypting an email ensures that only the recipient may view the email content and any attachments. Note: in order to encrypt an email for the recipient you must have the recipient's digital certificate, and their digital certificate must be assigned to the relevant entry in your address book.

      1. Compose your email and attach files as usual
      2. Ensure the recipient has a Digital Certificate [9] and you have assigned the Certificate to their entry in your Outlook contacts area
      3. Click Encrypt button
      IMAGE



      4. Click Send button


Outlook Express 5 & 6 (PC)

Secure Email Certificate with Outlook Express 5 & 6 (PC)

  • Assigning your Certificate to your email account:
    • 1. Open Outlook Express
      2. Select Tools from menu
      3. Select Accounts from drop down menu
      4. In dialog box that appears select Mail then select your relevant email account
      5. Click Properties
      6. Click the Security tab
      7. Click Select Signing Cert. From the popup Certificate store box locate and select your Secure Email Certificate.
      8. Click Select Encryption Cert. From the popup Certificate store box locate and select your Secure Email Certificate.
      9. Click OK to return to Outlook Express
  • Signing an Email:
  • Signing an email ensures the recipient knows the email has come from you and informs him / her if it has been tampered with since being signed.

      1. Compose your email and attach files as usual
      2. Click Sign button
      3. Click Send button

    The recipient of your email must have a copy of your Certificate in order to verify your signed email is legitimate. The easiest way of ensuring this is to automatically attach your Certificate to every outgoing email:

      1. Select Options from Tools menu
      2. Select Security
      3. Click Advanced button
      4. Check (place a tick in) Include my Digital ID when sending signed messages
  • Encrypting an Email:
  • Encrypting an email ensures that only the recipient may view the email content and any attachments. Note: in order to encrypt an email for the recipient you must have the recipient's digital certificate, and their digital certificate must be assigned to the relevant entry in your address book.

      1. Compose your email and attach files as usual
      2. Ensure the recipient has a Digital Certificate [9] and you have assigned the Certificate to their entry in your OE address book
      3. Click Encrypt
      4. Click Send button
  • Adding someone else's Certificate to your address book:
    • 1. Select Options from Tools menu
      2. Select Security
      3. Click Advanced button
      4. Check (place a tick in) Add Senders Certificates to my address book

    All incoming signed emails will add the Sender's Certificate to your address book.

Netscape

Netscape E-Mail Certificate Installation

Firstly, you will need to collect the email certificate from our system using Internet Explorer.

  • Then export it to a file using the following method:


    • 1. Select Tools, Internet Options, Content, Certificates
      2. Select the required certificate and click Export
      3. Go through the wizard and remember to select 'Yes, export Private Key'
      4. Remember to tick 'Include all certificates in the certificate path'.
      5. When the wizard finishes you will have a pfx file
      6. Copy this file to the machine running Netscape
      7. Start Netscape and select Edit, Preferences
      8. Open Privacy and Security
      9. Locate Certificates
      10. Select Manage Certificates
      11. Select Import
      12. The default is PKCS12 Files, which is the format of the pfx file
      13. Select the file exported earlier
      14. Enter a Master Password; this can be anything of your choice
      15. Next, enter the password for the pfx file that you used during the export
      16. The certificate should then be imported


  • To use the certificate in Netscape, specify which signing and encryption certificates to use with a particular account, beginning from the Mail window:


    • 1. Open the Edit menu and choose Mail & Newsgroups Account Settings.
      2. Click Security under the name of the mail account whose security settings you want to configure.
      3. Under Digital Signing, click Select. (You may be asked to provide your Master Password before you can proceed further.) A dialog box appears that allows you to select from among your available signing certificates.
      4. Choose the signing certificate you want to use, and then click OK.
      5. Follow the same steps under Encryption: click the Select button, select the encryption certificate you want to use, and click OK.


Lotus Notes 5

Getting a Digi-ID™ [10]

The first step in using S/MIME is to get a digital certificate or digital identification. A digital identification is a public/private key pair, a name, and a certificate that attests to the validity of the public key for this name. At Digi-Sign we refer to this complete package as a Digi-ID™.

For security reasons, you must follow the online instructions carefully. Do exactly as instructed and ensure all operations are carried out from the same computer for each user.

Using S/MIME with Domino

Domino R5 handles MIME (and therefore S/MIME) message content natively. There is nothing you have to do to enable S/MIME messages to pass through a Domino server.

Using S/MIME with general e-mail clients

If you are using all-Microsoft software and acquire a Digi-ID™ on that computer, your private key and public key certificate are automatically installed correctly. They become integrated with Internet Explorer and Outlook/Outlook Express and are automatically saved to the Microsoft Certificate Store. After acquiring the Digi-ID™, you can easily see it:

    1. In Windows, click the Start menu and choose Settings - Control Panel.
    2. Open Internet Options and click the Content tab.
    3. Click the Certificates button to see the list.

To use your Digi-ID™, just press the buttons for Sign (authenticate), or Encrypt (secret), or both, when composing an e-mail message. When you receive a signed message, you will see a symbol indicating this, near where the paperclip appears for attachments.

If you are using Netscape Messenger, Groupwise, or other e-mail software, the details for installing and using the Digi-ID™ may vary, but the general principles are the same. Visit Digi-Sign Support and look for the instructions Digi-ID™ / Digi-Mail™ Help.

Lotus Notes 5 (part II)

Getting a Digi-ID™ [10]

Using S/MIME with Notes

For these instructions, I assume you already have installed a Digi-ID™ [10] on a Windows computer using Internet Explorer and want to use that Digi-ID™ with Lotus Notes on the same computer.

There are four general steps:

    1. Export the Digi-ID™ from Windows.
    2. Import the Digi-ID™ to your Notes ID file.
    3. Make sure this certificate will be used for Internet mail from Notes.
    4. Use the Digi-ID™ as you send and receive e-mail from Notes.

This is simpler than it sounds, since the first three steps only have to be done once.

If your situation is different (exporting on a non-Windows computer, for example), the basic idea is still the same.

  • To export the Digi-ID™ from Windows:

    • 1. In Windows, click the Start menu and choose Settings - Control Panel.
      2. Open Internet Options and click the Content tab.
      3. Click the Certificates button and select the certificate (Digi-ID™) you want to export to Notes.

      IMAGE

      4. Click the Export button.
      5. Click the Next button in the export wizard.
      6. Select Yes to export the private key.
      7. Select PKCS #12 as the export file format. Also select "Include all certificates" and "Enable strong protection" on this page.
      8. Click the Next button and enter a password for the export file that will be created. Choose a good password, since the export file will contain your private key.
      9. Enter a file name for the export file in the File name text field when requested. Something like c:\temp\mycert works fine. The .PFX extension will be added automatically.
      10. Click the Next button and then confirm your choices by clicking the Finish button.
      11. Click OK if you see a warning that your private key is being used.

  • To import the Digi-ID™ to your Notes ID file:

    • 1. In Notes, choose File - Tools - User ID.
      2. Enter your password when requested and click OK.
      3. Go to the More Options panel of the User ID dialog box.
      4. Click the Import Internet Certificates button.
      5. In the Specify File Containing the Internet Certificates dialog box, browse to the file you exported above, select it, and click Open.
      6. You will be asked for the password to the file. This is the password you chose above.
      7. You will see a list of several certificates that are contained in the exported Digi-ID™ file. Click Accept All.


Lotus Notes 5 (part III)

Getting a Digi-ID™ [10]

To make sure this certificate will be used for Internet mail from Notes:

    1. Choose File - Tools - User ID.
    2. Go to the Certificates panel of the User ID dialog box.
    3. Scroll down in the Certificates Issued By list until you see the new certificates you just imported.
    4. Select your public key certificate (not the certificate authority certificates). When you select the right certificate, your e-mail address will appear in the Certificates Issued To list.
    5. Make sure that the "This is your default signing certificate" checkbox is selected.
    6. Click OK.

To use the Digi-ID™ [10] as you send and receive e-mail from Notes:

    1. When composing an e-mail message, click the Delivery Options action button to open the Delivery Options dialog box.
    2. On the Basics tab, select Sign (to authenticate the message) or Encrypt (to make the message secret), or both.
    3. Click OK.

Keep in mind that to send an encrypted e-mail to someone who is not using Notes mail, you must have that person's public key certificate in your Domino Directory. The certificate, if present, is visible on the Certificates tab of the recipient's Person document under Internet Certificates. To get more detail about a particular certificate in a Person document:

    1. Open the Person document in edit mode.
    2. Click the Examine Internet Certificates action button.
    3. Select the certificate you are interested in from the list of certificates in the Examine Internet Certificates dialog box. Details about the selected certificate will appear in the lower part of the dialog box.

If you want to send an encrypted message to someone using S/MIME and their Internet certificate is in their Person document in a Domino Directory to which you have access, no special steps are required. If you want to send an encrypted message to someone and you do not have their Internet certificate, ask that person to send you a signed e-mail message.

When you open the signed message, you will be prompted to cross certify. If you wish to establish trust with the certificate authority that issued their certificate in one simple step (in addition to trusting the user's certificate), you may select it from the Subject name list box. Confirmation that the message was signed will appear in the status bar. Then choose Tools - Add Sender to Address Book from the menu. The default action (on the Advanced tab) is to "Include x.509 certificates when encountered." When a Contact document is added to your personal address book, the sender's public key will be available to you and you will be able to encrypt messages to him or her.

Lotus Notes 6

Getting a Digi-ID™ [10]

The first step in using S/MIME is to get a digital certificate or digital identification. A digital identification is a public/private key pair, a name, and a certificate that attests to the validity of the public key for this name. At Digi-Sign we refer to this complete package as a Digi-ID™.

For security reasons, you must follow the online instructions carefully. Do exactly as instructed and ensure all operations are carried out from the same computer for each user.

Using S/MIME with Domino

Domino R6 handles MIME (and therefore S/MIME) message content natively. There is nothing you have to do to enable S/MIME messages to pass through a Domino server.

Using S/MIME with general e-mail clients

If you are using all-Microsoft software and acquire a Digi-ID™ on that computer, your private key and public key certificate are automatically installed correctly. They become integrated with Internet Explorer and Outlook/Outlook Express and are automatically saved to the Microsoft Certificate Store. After acquiring the Digi-ID™, you can easily see it:

    1. In Windows, click the Start menu and choose Settings - Control Panel.
    2. Open Internet Options and click the Content tab.
    3. Click the Certificates button to see the list.

To use your Digi-ID™, just press the buttons for Sign (authenticate), or Encrypt (secret), or both, when composing an e-mail message. When you receive a signed message, you will see a symbol indicating this, near where the paperclip appears for attachments.

If you are using Netscape Messenger, Groupwise, or other e-mail software, the details for installing and using the Digi-ID™ may vary, but the general principles are the same. Visit Digi-Sign Support and look for the instructions Digi-ID™ / Digi-Mail™ Help.

Using S/MIME with Notes

For these instructions, I assume you already have installed a Digi-ID™ on a Windows computer using Internet Explorer and want to use that Digi-ID™ with Lotus Notes on the same computer. There are four general steps:

    1. Export the Digi-ID™ from Windows.
    2. Import the Digi-ID™ to your Notes ID file.
    3. Make sure this certificate will be used for Internet mail from Notes.
    4. Use the Digi-ID™ as you send and receive e-mail from Notes.

This is simpler than it sounds, since the first three steps only have to be done once.

If your situation is different (exporting on a non-Windows computer, for example), the basic idea is still the same.

To import the Digi-ID™ to your Notes ID file:

If you have an Internet certificate that you have stored in a browser, such as Netscape, and you want to use that certificate in the Notes browser, you need to import the Internet certificate into your User ID.

Lotus Notes 6 (part II)

You cannot import invalid Internet certificates or incomplete certificate chains.

    1. Export the Internet certificate from the browser it is stored in, and save it to a directory that you can pick it up from later. If you have the ability to choose the export format, you should choose PKCS #12 format, which includes your Internet private key and any supporting Internet certificates in the certificate chain if available. You will not succeed at importing certificates into your User ID if the export does not include your Internet private key.

    2. Choose File - Security - User Security.
    Macintosh OS X users: Notes - Security - User Security.

    3. Click Your Identity - Your Certificates.

    4. Click Get Certificates - Import Internet Certificates on the right side of the dialog box.

    5. Select the file containing the Internet certificate that you just exported from the browser in the "Specify File Containing the Internet Certificates" dialog box, and then click Open.

    6. If prompted, select the format of the Internet certificate you are importing, and then click Continue. By default, Notes should select the correct format for you.

    7. If there is a password you set for the file, enter the password.

    8. To accept the import, click the "Accept All" button in the "Import Internet Certificates" dialog box.

    9. Check that your Internet certificates were imported into your User ID by choosing File - Security - User Security (Macintosh OS X users: Notes - Security - User Security), click Your Identity - Your Certificates, and then select "Your Internet Certificates" from the drop-down list.

    10. (Recommended) Make a backup copy of your User ID after you successfully import an Internet certificate (unless you are a roaming user with the specific configuration that does not require a backup User ID).

NOTE: Once you import the Internet certificate into your User ID, you may need to create a cross certificate if you do not already trust the Internet certificate.


Source URL: http://www2.digi-sign.com/support/digi-mail

Links:
[1] http://www2.digi-sign.com/en/support/knowledgebase/digi-mail
[2] http://www2.digi-sign.com/user/login
[3] http://www2.digi-sign.com/user/register
[4] http://www2.digi-sign.com/digi-ca
[5] http://www2.digi-sign.com/digi-mail/distribute/policy
[6] http://www2.digi-sign.com/digi-mail/distribute/invite
[7] http://www2.digi-sign.com/digi-mail/distribute/enrol
[8] http://www2.digi-sign.com/digi-mail/distribute/activate
[9] http://www2.digi-sign.com/digital+certificate
[10] http://www2.digi-sign.com/digi-id