PrivaSphere Gateway Certificate Authority (GW CA)

Send and receive secure emails with your email program through restricting firewalls using SMIME gateway functionalities.

PrivaSphere Secure Messaging supports sending SMIME encrypted emails to recipients over the PrivaSphere Secure Messaging Platform. The recipient does not need to be a registered PrivaSphere user. This can be useful if the sender is behind a corporate firewall and is not allowed to use the SMTP protocol and/or cannot configure a second email account in his email client.

Be aware that this breaks the relationship privacy! This means that it is visible from outside who sends emails to whom. The content is still encrypted and safe.

Prerequisites

To use the PrivaSphere Gateway CA, the following prerequisites are necessary:

1. Registered PrivaSphere user: as sender it is necessary to be a fully registered PrivaSphere Secure Messaging user with an email address and a valid password.
2. The sender needs a valid SMIME key pair (private and public key). It can be a commercial one or a self-signed one. The public key must be uploaded to the PrivaSphere Secure Messaging profile.
3. An email client which is able to encrypt and decrypt emails using SMIME is needed. This can be Microsoft Outlook, Mozilla Thunderbird or others.

[Figure: Process of sending a secure email using the GW CA (Sender, Firewall, ev. MUC, Recipient; steps ❶ to ❹a, ❹b, ❹c)]

Page -1-
Principle

1. The sender requests a certificate for the recipient on the PrivaSphere Secure Messaging Platform.
2. The PrivaSphere Secure Messaging Platform generates and delivers an SMIME public key for the recipient.
3. The sender sends an SMIME encrypted and signed email to the PrivaSphere Secure Messaging Platform for delivery to the recipient.
4. The recipient gets the secure email depending on his personal settings:
   a. New recipient: browser based with notification mail and Message Unlock Code (MUC). Existing recipient using the web interface: browser based with password (and ev. MUC).
   b. Via secure POP to the mail client.
   c. Encrypted with his deposited public key (SMIME) or delivered via domain (if applicable).

Step by step instruction for Microsoft Outlook 2002/2003/XP

1. The sender needs to be a fully registered PrivaSphere user.
2. The sender has to upload his public key into the PrivaSphere profile:
   Log in to PrivaSphere Secure Messaging.
   Go to Edit Profile and press go.
   Go to Receive in Mail Program.
   Upload your public key.
   Press Open and then press Update Account.
   Your public key is uploaded now. You will get a first SMIME encrypted email for testing.
3. Go to the page Help on the PrivaSphere Secure Messaging Platform:
   Go to Receive in your mail program with your public key (SMIME).
   Go to How the Gateway CA works.
4. To validate the gateway certificates, install the PrivaSphere GW root certificate first. Press Get gateway certificates for your recipients here. Click on Download Gateway-CA Root Certificate and install it in your mail program.
   The root certificate of the PrivaSphere Gateway is now successfully installed.
5. Request the GW CA certificate (SMIME) of the recipient:
   a. Directly as *.crt file: fill in the recipient's email address and press Save Certificate of recipient. Save the downloaded certificate for further use.
   b. Directly as MS Outlook contact file: fill in the recipient's email address and press Save as recipients contact. Save the downloaded file, open it and press Save and Close to use it in MS Outlook.
   c. Via email: fill in the recipient's email address and press Send Gateway-Certificate via email to you. You will get an email signed with the gateway certificate of the respective recipient. Save the sender's address as a contact for MS Outlook.
   The GW certificate is stored in the contact (by pressing Save and Close).
6. Send an email to the recipient. Write a new email and send it encrypted and signed to the email address which has the format:
   john_at_doe.org@gw.privasphere.com
   Be aware that the email must be signed with the same key deposited in your profile. Send this email.
7. Transmit the Message Unlock Code (MUC) to the recipient if necessary.
8. The recipient gets the notification mail and can access the message with the Message Unlock Code (MUC).

For the Mozilla Thunderbird email client

Start with steps 1 to 3.

4. Import the root certificate into the Mozilla Thunderbird root store. To validate the gateway certificates, install the PrivaSphere GW root certificate first. Press Get gateway certificates for your recipients here. Click on Download Gateway-CA Root Certificate and save it on your computer. Open Mozilla Thunderbird, go to Extras > Settings > Privacy > Certificates,
   open Certificate Authorities, press Import and choose the saved root certificate,
   trust this certificate, and you will have the root certificate in your Mozilla Thunderbird root store.
5. Get the user certificate:
   a. Directly as *.crt file: fill in the recipient's email address and press Save Certificate of recipient. Save the downloaded certificate for further use. Import the certificate into your Mozilla Thunderbird certificate store: go to Certificates > Certificates of Others and import the user certificate,
   and you will find the user certificate in your store.
   b. Sending out of Mozilla Thunderbird: to send an email via the Gateway CA to a recipient, just use the email address in the format name_at_company.com@gw.privasphere.com and enable signing and encryption.
6. Via email: fill in the recipient's email address and press Send Gateway-Certificate via email to you. You will get an email signed with the gateway certificate of the respective recipient. The certificate (*.crt) is attached as a zip file. Save this zip file, extract the certificate, save it and import it into the Mozilla Thunderbird certificate store (Certificates of Others) as shown under 5 a).
For the Lotus Notes mail client (V 6.5)

Start with steps 1 to 3.

4. Import your own SMIME certificate into the Lotus Notes certificate store. You must have your SMIME certificate (public and private key) as a *.p12 or *.pfx file. Open Lotus Notes, go to File > Security > User Security > Your Certificates, choose Import Internet Certificates and open your certificate file.
   Select the format (PKCS 12 encoded), enter your password (if the *.pfx file is password protected) and accept the import.
   Now you can see your certificate in the store.
5. Get the recipient's certificate via email:
   Fill in the recipient's email address and press Send Gateway-Certificate via email to you. You will get an email signed with the gateway certificate of the respective recipient.
6. Open the received email and accept the certificate (cross certify). Add the sender to your contacts.
   Include the X.509 certificate.
7. Send a secure email to the recipient using the Gateway CA. Write an email to the saved contact (address format is: name_at_company.com@gw.privasphere.com) and mark Sign and Encrypt in the Delivery Options. Send the email as usual.

Other Operating Systems / Mail Clients

For advanced users, for operating systems other than Windows and for email clients other than MS Outlook, you can get the certificate as a text file. To do so, press Next in Browser.
Save this file as *.crt. This is the public key of the respective user.

Sending your Gateway Certificate to another user of PrivaSphere Secure Messaging

With the function Senden Ihr Gateway-Zertifikat via email an Absender (send your gateway certificate via email to the sender) you are able to send an email to the recipient signed with your Gateway-Certificate and with your gateway email address as sender's address. The recipient must be a registered PrivaSphere user and must have uploaded his SMIME public key into his profile. Then he will be able to send you SMIME encrypted and signed emails over the PrivaSphere Secure Messaging Platform out of his email client without using an SMTP connection to PrivaSphere.
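The gateway address format used identically in the Outlook, Thunderbird and Lotus Notes steps above (john_at_doe.org@gw.privasphere.com), together with the rule that the mail must be encrypted, signed and sent from the address registered in the PrivaSphere profile, can be turned into a small pre-send check. The following Python is an added example written for this page; it is not PrivaSphere's own code or API. The forward mapping is the one shown in the manual; the reverse mapping (splitting at the last `_at_`), the assumption that a message leaving the client is S/MIME enveloped-data (application/pkcs7-mime with smime-type=enveloped-data, as in RFC 8551), and the two sample messages are all constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser

# Gateway domain as given in the manual (john_at_doe.org@gw.privasphere.com).
GATEWAY_DOMAIN = "gw.privasphere.com"

# Minimal address shape check: one '@', non-empty local part, dotted host name.
_ADDR_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def to_gateway_address(recipient: str) -> str:
    """Rewrite a plain recipient address into its gateway form.

    'john@doe.org' -> 'john_at_doe.org@gw.privasphere.com'
    An address already in gateway form is returned unchanged.
    """
    recipient = recipient.strip()
    if not _ADDR_RE.match(recipient):
        raise ValueError(f"not a valid email address: {recipient!r}")
    local, domain = recipient.rsplit("@", 1)
    domain = domain.lower()  # host names are case-insensitive
    if domain == GATEWAY_DOMAIN:
        return f"{local}@{domain}"
    return f"{local}_at_{domain}@{GATEWAY_DOMAIN}"


def from_gateway_address(gateway_addr: str) -> str:
    """Recover the real recipient from a gateway address.

    Assumption (not stated in the manual): the original local part may itself
    contain '_at_', so we split at the LAST occurrence. Host names cannot
    contain underscores, so that split is unambiguous.
    """
    local, domain = gateway_addr.strip().rsplit("@", 1)
    if domain.lower() != GATEWAY_DOMAIN:
        raise ValueError(f"not a gateway address: {gateway_addr!r}")
    if "_at_" not in local:
        raise ValueError(f"gateway local part lacks '_at_': {local!r}")
    real_local, real_domain = local.rsplit("_at_", 1)
    return f"{real_local}@{real_domain}"


def check_outgoing(raw: bytes, registered_sender: str) -> list[str]:
    """Pre-send checks for a message meant for the gateway.

    Returns a list of problems (empty list means OK):
      * every To: address must be in gateway form,
      * From: must be the sender's registered PrivaSphere address (the
        manual requires the mail to be signed with the key deposited in
        that profile),
      * the body must be an S/MIME enveloped-data part, i.e. encrypted.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    problems = []
    for addr in str(msg.get("To", "")).split(","):
        addr = addr.strip()
        if not addr:
            continue
        try:
            from_gateway_address(addr)
        except ValueError:
            problems.append(f"To: {addr} is not a gateway address")
    sender = str(msg.get("From", "")).strip().lower()
    if sender != registered_sender.strip().lower():
        problems.append(f"From: {sender!r} is not the registered address")
    ctype = msg.get_content_type()
    smime_type = msg.get_param("smime-type", header="Content-Type")
    if ctype != "application/pkcs7-mime" or smime_type != "enveloped-data":
        problems.append("body is not S/MIME enveloped-data (not encrypted)")
    return problems


# Constructed sample: headers as a mail client hands the message to SMTP
# after S/MIME encryption (the base64 payload is a placeholder, not real CMS).
SAMPLE_OK = (
    b"From: alice@example.com\r\n"
    b"To: john_at_doe.org@gw.privasphere.com\r\n"
    b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data;"
    b' name="smime.p7m"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"MIAGCSqGSIb3DQEHA6CAMIACAQAxAA==\r\n"
)

# Constructed counter-example: plain text sent to the recipient's real address.
# The gateway never sees it and nothing is encrypted.
SAMPLE_BAD = (
    b"From: alice@example.com\r\n"
    b"To: john@doe.org\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
)

if __name__ == "__main__":
    print(to_gateway_address("john@doe.org"))
    print(check_outgoing(SAMPLE_OK, "alice@example.com"))   # []
    print(check_outgoing(SAMPLE_BAD, "alice@example.com"))  # two problems
```

The check only inspects addressing and the outer MIME type; it does not verify the signature or the recipient certificate chain, which remains the mail client's job against the installed Gateway-CA root certificate.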