[Skip navigation links]

S/MIME Certificates

I am having trouble setting up two factor authentication using a S/MIME personal certificate.

See the guide the AusCERT CSM RAO Administrator Quick Start Guide (QSG), version 1.05. Guidelines about how to set up two factor authentication are particularly relevant, page 18 - 20. It is important to note that if you are setting up two factor authentication for another person via the CSM, they must send you their personal certificate first. The best way to do this is to ask them to send you a digitally signed email with their certificate. When you receive it; open the certificate and check that it has been imported into your computer's certificate store. If not, then you may need to manually import it.

I am using Chrome and am having trouble setting up two factor authentication using a S/MIME personal certificate.

This is a known issue to do with using Chrome. This problem affects Chrome on all platforms and is due to Google's removal of custom file type handling, meaning installation of the generated certificate through Chrome is not supported. For this reason, Chrome is no longer supported for client side key generation. This will affect any end-user certificate templates that use client-side key generation and also AdminIDs. There is no other option other than avoiding the use of Chrome.

When I send a digitally signed email with an attachment, the digital signature breaks for recipients of the email (but not the sender of the email).

This is likely to be a problem with the MS Exchange Server in your organisation. See: http://support.microsoft.com/kb/949703 . To correct this you will need to ask that the server be updated.

How do I send an encrypted email using my S/MIME certificate?

The public key within a person's S/MIME certificate is used to encrypt a message. The person's private key (which only they have access to) is used to decrypt the message. Hence, to send an encrypted email, all parties in the communication need to have their own personal (S/MIME certificate) so you can encrypt the message separately to each party (including yourself).
You will need to check that you have successfully imported all certificates for all recipients of the email before you attempt to send an encrypted email to them.
If you are using MS Outlook, check that the person is a saved contact. If not, create one. Then check if there is a certificate associated with this identity. If not, then you will need to manually import and associate the certificate with that identity. The easiest way to do this is to ask them to send you a digitally signed email with their S/MIME certificate; which you can then manually import and associate with the contact. Once this is done you will be able to select "encrypt" from the "option" tab before you send an email to them.

How do I digitally sign an email using my S/MIME certificate?

Also, if you are using multiple identities from your Outlook account, make sure you select the correct identity (email address) associated with the certificate you wish to use, otherwise you won't be able to send a signed message.

How do I check if a digital signature is valid?