S/MIME is an IETF open standard (currently specified in RFC 8551, “Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification,” April 2019). It is based on S/MIME personal digital certificates created by a trusted Public Key Infrastructure (PKI). Each participant must obtain a unique S/MIME Certificate that identifies themselves. That cert must be trusted by all other parties that they will be communicating with. S/MIME allows adding a digital signature (for message integrity and detection of tampering) and/or a digital envelope (for privacy) to any Internet email message. These messages can be delivered in various ways, including over SMTP via existing email servers. The messages pass transparently through these servers. Secure messages are created on the sending node and opened on the receiving node. This provides true end-to-end privacy and sender-to-recipient authentication.
For a TLS Client Certificate, the X.509 Enhanced Usage field must have the Client Authentication flag set (as opposed to the Server Authentication flag in a TLS Server Certificate). In an S/MIME Certificate, the Enhanced Usage field must have the Email Security flag set.
For an S/MIME Certificate, the X.509 Subject Alternative Name field must contain an RFC822 name which is the user’s email address, for example, RFC822Name = [email protected]. There is no need for any Subject Alternative Name field in a TLS Client Certificate, but the presence of one does not interfere with its use for TLS SCA.
It is possible to create a single certificate that will work for both TLS SCA and S/MIME by setting both Enhanced Usage flags and the Subject Alternative Name. I call that a “dual use” or “dual purpose” certificate.
Normally for S/MIME secure email, you would want for each user to obtain a “public hierarchy” S/MIME Certificate. A public hierarchy digital certificate is one that chains up to a Trusted Root Certificate that has been approved by WebTrust and is automatically installed in all leading operating systems. Such certificates are issued by a public Certification Authority, such as DigiCert, GlobalSign, Entrust, or Sectigo (formerly Comodo).
However, for use within a closed group (e.g., in-company secure email), you can use “private hierarchy” S/MIME Certificates (either issued by a public CA or an in-house CA, like Microsoft Active Directory Certificate Services ). Private hierarchy digital certificates chain up to a Root Certificate that must somehow be installed in all relying nodes, since it is not installed automatically in all leading operating systems. Once that Root Cert is installed in a computer’s Certificate Store, the private hierarchy certificate works just like a public hierarchy certificate on that computer. The Root Certificate can be deployed in all nodes in an organization in various ways. With Microsoft Active Directory Certificate Services, the Root Certificate is deployed automatically to all nodes that are members of the Microsoft Domain involved.
Issuing S/MIME Digital Certificates with Microsoft AD CS
We will now configure Microsoft Active Directory Certificate Services to issue S/MIME Client Certificates that can be used to deploy S/MIME secure email. For S/MIME secure email, each user must obtain a unique S/MIME Certificate that identifies them. In an S/MIME Certificate, the Subject Distinguished Name field identifies a particular person in the world, as opposed to some server node name. An S/MIME Certificate can be used from any node – it is not tied to a node name as a server certificate is. Note that to use S/MIME secure email, each user must have access to their own private key on every node that they will be using to sign outgoing emails or receiving incoming encrypted emails. In addition, when sending an S/MIME encrypted email, the sender needs access to the current S/MIME Certificate for all recipients of that message. This can be accomplished via a shared address book (e.g., in Active Directory) that contains the S/MIME Certificate for all users. It helps if that shared address book is built automatically as S/MIME Certificates are issued by the CA.
Note that while only one TLS Server Certificate is needed regardless of how many people use that secure server, with S/MIME secure email, every user must be issued a unique S/MIME Certificate that identifies that user. There are several vendors that provide automated systems for providing large numbers of users with S/MIME Certificates, including building a shared address book in AD, and even optional private key escrow. Sixscape Communications provides such a system.
You can export your key material (S/MIME Certificate and private key) in PKCS #12 format and import it on another node (e.g., use your work key material from home or from any other computer). It is possible to import your key material into a hardware token (USB or smart card). If the key material is created inside the token from the start, there is no way to back up the key material (the private key can never be exported from the hardware token). You can move the token (containing the key material) to another computer, but it can only be used from one computer at a time. Alternatively, you can obtain the key material in PKCS #12 form, back it up, and then import the PKCS #12 file into a hardware token (or any number of hardware tokens). This allows you to restore your S/MIME Certificate and create a new hardware token from the PKCS #12 file in the event the original hardware token is lost.
If you are only going to use your key material for digital signatures, there is no need to back up your key material, so it is acceptable to create the key pair and certificate inside a hardware token (a new one with a different key pair can easily be created and used if the current key material is lost). If you are going to use your key material for encryption, then you should back up the key material. In that case, it is not recommended to create the key material and certificate directly inside a hardware token. If the private key is lost, all files encrypted by the corresponding digital certificate are unrecoverable.
We will create a new certificate template for S/MIME Certificates that has only the Email Security flag set and the user’s RFC822 Name (email address) in the Subject Alternative Name.
CN | CommonName | User’s full name (e.g., Lawrence Hughes) |
---|---|---|
E | EmailAddress | User’s email address (e.g., [email protected]) |
O | Organization | User’s organization (e.g., PKIEdu Inc.) |
OU | Organization unit | User’s department (e.g., IT) |
L | Locality | User’s city (e.g., Frisco) |
ST | State | User’s state or province (e.g., Texas) |
C | Country | User’s country (e.g., US) |
There are numerous other fields possible in a Subject Distinguished Name, but each item included must be validated by the Registration Authority before the certificate is issued by the Certification Authority. With public CAs, the more fields in your SubjectDN, the more the CA charges for the cert, because most of their cost is in verification of your identity. With AD CS, this verification is done by your PKI administrator.
Enhanced Usage flags – Instead of Client Authentication flag, set the Email Security flag.
Subject Alternative Name – Must contain the user’s email address as an RFC822 Name.
Subject Distinguished Name – As with TLS Client Certificate, it specifies a person or device. This can have any of the fields listed earlier (CN, E, O, OU, L, ST, or C).
Create Template for S/MIME Certificate
On the VM running your subordinate CA (in my case, intca.us.hughes.org), in Server Manager, click Tools/Certification Authority. This will start certsrv.
Click the General tab.
Set the Template display name to S/MIME Certificate. This will change the Template name to S/MIMECertificate.
Set the Validity period to one year.
Select Publish certificate in Active Directory.
Select the Subject Name tab.
Select Build from this Active Directory information.
Select Subject name format as Fully distinguished name.
Select Include e-mail name in subject name.
Under Include this information in alternate subject name, select E-mail name and User principal name.
Select the Extensions tab.
Only Secure Email is required. Click Edit.
You can now dismiss the Certificate Templates Console (X in upper-right corner).
Prepare for Issuing S/MIME Certificates
Select S/MIME Certificate by clicking it, and then click OK. This will enable your new S/MIME Certificate Template to issue certificates.
Now right-click Certificate Templates and select Manage.
Find S/MIME Certificate in the list of templates. Right-click it and select Properties.
Select the Security tab.
Select who you want to be able to enroll S/MIME Certificates (e.g., Authenticated Users), and select Read and Enroll. Click Apply.
Click OK.
Request and Obtain an S/MIME Certificate Using mmc.exe
The next step is to use mmc.exe to request an S/MIME Certificate for Administrator (the currently logged in user).
Start mmc.exe by selecting Start/Run and entering mmc.exe.
Click OK. Certificates. Expand Personal. Expand Certificates.
Before requesting an S/MIME Cert for Administrator, make sure there is an email account for that user (e.g., administrator@hughesnet.org). I host the email for hughesnet.org at Rackspace, so I just added a new user there. Alternatively, you could create an S/MIME Cert for any existing email account.
Right-click the middle pane, and select All Tasks/Request New Certificate.
Click Enroll.
Congratulations, you have just issued an S/MIME Certificate for the current user (Administrator). Click Finish.
It was issued to Administrator.
It was issued (signed) by PKIEdu Int CA.
The ValidFrom date is the date of issue (when I issued this cert).
The ValidTo date is one year from then.
You have a private key that corresponds to this certificate.
Now select the Details tab.
Under CRL Distribution Point, you should see an LDAP URL pointing to your AD server.
This is exactly what you need for an S/MIME Certificate.
The new certificate chains up to the PKI Int CA Intermediate Cert. The PKI Int CA Intermediate Cert chains up to the PKIEdu Root CA Root Cert, which is trusted. This is a three-level hierarchy.
Congratulations! You have just issued an S/MIME Certificate for Administrator.
Test Your New S/MIME Certificate
To test this, you must have Outlook installed on any node in your domain, with an account for [email protected] (or whatever your domain is). In my case, this account is hosted at Rackspace, as an IMAP account. Verify you can send an email to yourself.
If you are not doing this on your Subordinate CA server, you can export the cert and copy it to the node where you have Outlook installed. Alternatively, you can request another S/MIME Cert on the node where Outlook is installed. One way or another, the S/MIME Cert must be on the node where you are running Outlook.
Now configure that account to use S/MIME. This is a bit complicated.
Click Trust Center at lower left. In the right pane, click Trust Center Settings.
In the left pane, click Email Security.
Under Encrypted email, click the Settings button.
Change the hash algorithm to SHA256 (SHA1 was deprecated some time ago). Your S/MIME Cert for Administrator was selected (being the only one found).
Create a Digitally Signed Email
Create a new email (top left corner) to [email protected] (to your account).
Click the Sign option and send the message.
The signature is valid. The message is from [email protected] and was signed by [email protected].
This message was signed by [email protected] on 11/21/2021.
Send a Digitally Enveloped Message
You can see that it captured the certificate from the signed message in our Outlook contacts.
Click Save and Close.
The administrator contact we created is now there. Click the To button at the bottom to use it as the recipient.
Click OK.
Send the message. If the send fails, it didn’t find the recipient’s certificate.
Note the new message in the reading pane has both the padlock (encrypted) and seal (signed).
There are now both Encryption and Signature layers.
The message was encrypted using AES256, for [email protected].
The message was signed by the sender, using RSA/SHA256.
You can see the signer’s certificate via View Details as before.
As you can see, we have created a valid S/MIME Certificate using Active Directory Certificate Services and sent both signed and encrypted emails using it.