
Questions and answers

2388
Installing digital certificates for secure email (for Windows PCs and Outlook)


If you want to install a digital certificate on an Apple Mac rather than a Windows PC, please see FAQ 2537.

In order to share secure, confidential or encrypted email with another person, your computer needs to have digital certificates installed. This is a standard known as S/MIME. You can either purchase certificates to last for as long as you need them, or you can obtain free certificates which last for one year. The following instructions describe the use of free certificates, obtained from Comodo.

When you apply for a certificate, a key pair consisting of a public key and a private key is installed on your computer, via your web browser. You can find out more about these on Wikipedia. Remember that the certificates can only be used on the computer on which they're installed; they cannot be used with your email account when accessed from another computer unless you make a backup copy and import them to the other computer.

We recommend - if you use Microsoft Windows - that you use Internet Explorer as your browser for this, because it installs the key pair in the Windows Registry.  Firefox uses its own keystore and this will not be accessible to other applications.

We recommend also that you make a backup copy of your certificate once it has been installed.  The file that holds the backup can then be used to import the certificate to another computer or to the same computer if the certificate is lost either by a system upgrade or mishap.

The instructions below use Internet Explorer and Outlook as the basis for installing, backing up and using digital certificates.  Always use the same browser for requesting and installing the certificate, otherwise you will very likely encounter an error.

Contents

  1. Using Internet Explorer to apply for a certificate from Comodo
  2. Using Outlook to download the certificate
  3. Using Internet Explorer to install the certificate
  4. Using Outlook to exchange certificates with others
  5. Making a backup copy of the certificate
  6. Installing a certificate from a backup copy
  7. Checking for expired certificates

Using Internet Explorer to apply for a certificate from Comodo

Note that you can use other certificate providers if you prefer, but we are using Comodo as our example.

  1. Go to the Comodo Free Secure Email Certificate website:
    http://www.comodo.com/home/email-security/free-email-certificate.php
  2. Click on the Free Email Certificate button.
  3. Enter your details (First name, Last name and Email Address). Take extra care entering your email address because the certificate keys will be emailed to the specified address, and no verification takes place.
  4. Select your Country (select United Kingdom if it's to be used in the UK).
  5. Enter a revocation password, which is a password you must use if you wish to revoke (cancel) the certificate, for example if you no longer need it or if you suspect that it has been compromised or fallen into someone else’s hands. Use a new password: do not use the password of your email account:

    Comodo certificate application

  6. We recommend that you deselect the Opt In option box if you don't want to receive Comodo newsletters.
  7. Click the I ACCEPT box at the bottom of the page to accept the terms of the subscriber agreement.
  8. Click Next.
  9. On Windows 7 computers you may see a warning saying "This web site is attempting to perform a digital certificate operation on your behalf" and asking "Do you want to allow this operation?" Click Yes.
  10. It's possible that you may be told to click the I ACCEPT box again.  If this happens, check and change your email address in the box on the form if it has changed.

This causes the public and private keys to be created. The page should say “Application is successful!”, and that it has emailed the keys to your specified email address.

Using Outlook to download the certificate

  1. You should eventually (may take a few minutes) see an email from ‘Certificate Customer Services’ titled ‘Your certificate is ready for collection’.  Double click the email to open it:



  2. Depending on the way you have set Outlook to display emails, it may show you a red ‘Click & Install Comodo Email Certificate’ button to click, but should also provide a website address (URL)  beginning with https://secure.comodo.com/products which you could copy and paste into Internet Explorer to open the certificate collection website (this is underlined in red in the illustration below).
    The email also provides a Collection Password (also underlined in red but blanked-out in our example below) which you should also copy and enter in the appropriate box on the website, together with your email address as used to request a certificate:



  3. It now collects the signed public key to install in your computer’s keystore.  You may see a similar warning to that described in step 9 of the previous section. Click Yes to confirm you want the certificate installed.
    The Comodo webpage will go blank at first, but a few seconds later should indicate that the certificate has been successfully collected:

    Comodo certificate collection success

    If an error occurs, the following warning may be shown, with the likely causes:

    Comodo certificate collection error

Using Internet Explorer to install the certificate

  1. Open the Tools menu. On later versions of IE, the Tools menu is accessible by clicking on the cogwheel symbol:

    IE9 Tools menu

    Then select Internet Options from the menu.

  2. Click the Content tab and then click the Certificates button:



  3. In the Personal panel, double-click on your email address:



  4. You'll see confirmation of the certificate:



  5. Click OK, then click Close, then click OK again.

Your public and private keys have now been installed in your computer's Registry.

Now you need to exchange certificates with the individuals with whom you will be exchanging confidential email.

Using Outlook to exchange certificates with others

This section provides instructions for Outlook 2010.

  1. Click the File menu and select Options.
  2. Click on Trust Center in the list on the left.
  3. Click the Trust Center Settings button.
  4. Click on Email Security in the list on the left.
  5. Click the Settings… button:



    This brings up another dialogue box showing the installed settings:



  6. Click OK repeatedly until the dialogue boxes have closed.
  7. Start a new test email to your intended correspondent.
  8. Click the Options tab.
  9. Click the More Options dialogue box launcher as shown below:
    Outlook 2010 More Options
  10. Click the Security Settings button:

    Outlook Security Settings button

  11. Click to select the Add digital signature to this message option box:



  12. Click OK, then click Close.
  13. Click the Digitally Sign Message button, which is labelled Sign in the Permission panel under the Options tab:

        Outlook 2010 Sign button
         
  14. Enter some appropriate text in the message window and send the message.  This message sends your public key to the recipient.

    The recipient needs to send you a similarly signed reply which sends their public key to you.  When you read their message you may be shown a dialogue box asking if you trust their message, whereupon you should click Yes.

  15. When you have exchanged your public keys, you should now be able to exchange encrypted emails with your colleague.   After starting a new message, follow these steps:
  16. Follow steps 8 to 12 above, but in step 11, do not select the Add digital signature option box this time, but instead select the Encrypt message contents and attachments option.
  17. Then complete and send your message.

Making a backup copy of the certificate

A backup copy not only provides the means to reinstall a certificate, but will also allow you to install the same certificate on another computer.

  1. In Internet Explorer, choose Internet Options from the Tools menu.
  2. Click the Content tab.
  3. Click the Certificates button.
  4. Click to select your certificate, shown in the list box.
  5. Click the Export button.
  6. In the Certificate Export Wizard, click Next.
  7. Select the Yes, export the private key option, then click Next.
  8. Click to select Personal Information Exchange, but make sure none of the option boxes under it are selected.  Then click Next.
  9. Enter a password (and again to confirm).  Make sure this password is unique to this service - don't use one you're already using elsewhere.  Make a note of the password in a secure place (or just make sure you remember it!). Then click Next.
  10. Click Browse to navigate to a suitable location (we recommend your network or Documents (N:) drive) and enter a suitable file name for the backup.  Then click Save.
  11. Click Next.
  12. The wizard will show a summary of what will be done.  Click Finish.
  13. You may need to click OK once or twice to close the wizard when it asks you to confirm.
  14. Click Close and then click OK to close the Options window.

Make a copy of the backup file to some portable medium such as a USB memory stick to make it easier to transfer to another computer.
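The same backup can be scripted and then checked, which the wizard does not do for you. The PowerShell below is an added example, not part of the original FAQ: it exports the certificate with its private key and then re-opens the file to confirm the key really is in it. It assumes Windows 8 or later (Export-PfxCertificate is not available on Windows 7); `$Address` and `$BackupPath` are placeholder values.

```powershell
# Added example, not from the original page. Needs Windows 8 / Server 2012 or later.
# $Address and $BackupPath are placeholders: replace them with your own values.
$Address    = 'you@example.org'
$BackupPath = Join-Path $env:USERPROFILE 'Documents\smime-backup.pfx'

# Newest certificate in the Personal store that names this address and has a private key.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName,
            $false) -eq $Address
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $Address" }

# Ask for the backup password without echoing it or writing it into the script.
$password = Read-Host -AsSecureString 'Backup password (unique to this file)'

# Export certificate plus private key. EndEntityCertOnly matches the wizard step where
# none of the option boxes under Personal Information Exchange are selected.
# This fails if the private key was not marked exportable when it was created.
Export-PfxCertificate -Cert $cert -FilePath $BackupPath -Password $password `
    -ChainOption EndEntityCertOnly | Out-Null

# Re-open the file with the same password. No certificate store is modified.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $BackupPath, $password

# A usable backup has the same thumbprint as the installed certificate
# and HasPrivateKey = True; without the private key it cannot decrypt mail.
[pscustomobject]@{
    File          = $BackupPath
    Thumbprint    = $check.Thumbprint
    MatchesStore  = ($check.Thumbprint -eq $cert.Thumbprint)
    HasPrivateKey = $check.HasPrivateKey
    Expires       = $check.NotAfter
}
```

If the password is wrong or the file is damaged, the `New-Object` line throws instead of returning a certificate, which is the point of running the check before you rely on the backup.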

Installing a certificate from a backup copy

If you want to re-install the certificate on the same computer (for example if it was removed) or on to another computer so as to share the same certificate, follow these steps:

  1. In Internet Explorer, choose Internet Options from the Tools menu.
  2. Click the Content tab.
  3. Click the Certificates button.
  4. Click the Import button.
  5. In the Certificate Import Wizard, click Next.
  6. Use the Browse... button to locate, select and open the backup file you created in the previous section.  You will need to select Personal Information Exchange from the list of file types alongside the File name: box.
  7. Click Next.
  8. Enter the password you used when you created the backup copy, then click Next.
  9. Select the Place all certificates in the following store option and ensure that Personal is shown in the Certificate Store box.
  10. Click Finish.
  11. Click OK, then Close, then OK again to close the Internet Options dialogue.

Checking for expired certificates

If you installed a free certificate, it will expire after one year.  This is easy to forget (tip: add a reminder for a year hence in your Outlook calendar), so you may one day notice an error message from Outlook when you try to reply to a digitally-signed email.  The error message may look like this:

Outlook 2010 Invalid Certificate error

You can send an unencrypted reply to the message, as a temporary measure, like this:

  1. Click the Change Security Settings... button on the error dialogue box as shown above.
  2. The Add digital signature to this message box will be ticked, so click on the option box to clear it:

    Digital signature check box

  3. Click OK to send the message without a digital signature.

You can check for the expiration date of the certificate in Internet Explorer, like this:

  1. In IE, open the Tools menu and select Internet Options. On later versions of IE, the Tools menu is accessible by clicking on the cogwheel symbol:

    IE9 Tools menu


  2. Click the Content tab and then click the Certificates button.
  3. In the Certificates panel you will see the expiration date of the certificate:

    IE Certificates expiry date
  4. If your certificate has expired, you'll need to install a new one, starting from the first section of this article.
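The expiry check above can also be done from PowerShell, which helps when more than one certificate is installed. This is an added example, not part of the original FAQ: the function name `Get-SmimeCertificateStatus` and the 30-day warning threshold are assumptions, and it lists only certificates whose Enhanced Key Usage includes Secure Email.

```powershell
# Added example, not from the original page.
# Lists Secure Email certificates in the current user's Personal store with days remaining.
function Get-SmimeCertificateStatus {
    param(
        [int]$WarnDays = 30   # assumed threshold for "Expiring soon"
    )
    $secureEmailOid = '1.3.6.1.5.5.7.3.4'   # Enhanced Key Usage: Secure Email
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
    $now = Get-Date

    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_

        # Keep only certificates that list Secure Email among their key usages.
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        if (-not $eku) { return }
        $isEmail = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $secureEmailOid }
        if (-not $isEmail) { return }

        # Whole days until NotAfter; negative once the certificate has expired.
        $days = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $status = if ($cert.NotBefore -gt $now) { 'Not yet valid' }
                  elseif ($days -lt 0)          { 'EXPIRED' }
                  elseif ($days -le $WarnDays)  { 'Expiring soon' }
                  else                          { 'OK' }

        [pscustomobject]@{
            Address       = $cert.GetNameInfo($nameType::EmailName, $false)
            Issuer        = $cert.GetNameInfo($nameType::SimpleName, $true)
            Expires       = $cert.NotAfter
            DaysLeft      = $days
            HasPrivateKey = $cert.HasPrivateKey
            Status        = $status
        }
    } | Sort-Object Expires
}

Get-SmimeCertificateStatus -WarnDays 30 | Format-Table -AutoSize
```

An expired certificate that still shows `HasPrivateKey` as True is worth keeping in the store or in a backup, because mail that was encrypted to it can only be read with that private key.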


Categories

This is question number 2388, which appears in the following categories:

Created by Andy Clews on 1 November 2011 and last updated by Richard Byrom-Colburn on 23 September 2016