WELLS FARGO AUTHENTICATION SERVICES DATED: MAY 2003
TABLE OF CONTENTS GENERAL INFORMATION... 1 INSTALLING THE WELLS FARGO ROOT CERTIFICATE CHAIN.. 2 INSTALLING THE CERTIFICATES INTO IE... 3 SETTING UP THE SECURITY PROFILE IN OUTLOOK... 15 USING THE CERTIFICATES IN OUTLOOK MAIL... 20 SENDING ENCRYPTED EMAIL... 25 BACKING-UP DIGITAL CERTIFICATES... 28 RESTORING YOUR DIGITAL CERTIFICATE... 31 STORING PUBLIC ENCRYPTION KEYS... 34 SENDING SIGNED / ENCRYPTED MAIL USING OUTLOOK... 34 READING AN ENCRYPTED MESSAGE... 38 CUSTOMIZING OUTLOOK FOR SINGLE-CLICK SIGN AND ENCRYPT... 39 MESSAGES / SYMBOLS... 41 5/22/2003 Page: ii
General Information Purpose of Using Encryption Use encryption to secure email whenever you send confidential data across the Internet. Public key encryption ensures that only the intended recipient can open and read the email message and that it cannot be intercepted or tampered with by someone else. Requesting the Service Use of digital certificates issued out of the Wells Fargo PKI requires a sponsor within Wells Fargo to submit a request for a certificate on your behalf. Speak with your account representative about acquiring a digital certificate for yourself or others in your organization if using secure email to protect confidential data in transit could facilitate your business dealings with Wells Fargo. 5/22/2003 Page: 1
Installing the Wells Fargo Root Certificate Chain To trust certificates issued out of the Wells Fargo PKI, including your own, you must install the Wells Fargo root certificate chain. To do this, link to http://www.wellsfargo.com/cps. 1. Click on the appropriate button for you browser type. IE users will see the following screen: 1. Click on Yes. The Wells Fargo root certificate will now appear in your trusted root store. 5/22/2003 Page: 2
Installing the Certificates into IE The following steps are general instructions for users and may not exactly apply to your situation. In all cases, adjust the specific instruction to your situation. Use your passphrase to open the.p12 file you received from the Wells Fargo PKI. Save the certificate files to a local drive do not change their names. 1. Navigate to your personal drive (here, the H:/ drive is used) in the Save in: field 2. Do not change the name or file type in the File name: and Save as type: fields 3. Click on the Save button 4. Repeat for both files, the Signing and the Encryption certificate 5/22/2003 Page: 3
Importing the certificates The two files you just saved are located in your personal drive where you saved them in this example, the drive used is H:/. The next process is to import the certificates into your browser, where the Outlook email client can use them. 1. Using Windows Explorer, navigate to your personal drive. 2. Open the Signing certificate first by double clicking on it. The Certificate Import Wizard will begin automatically. 1. Click on the Next > button. 5/22/2003 Page: 4
The File name: field will automatically be populated. 1. Click on the Next > button 1. Enter the passphrase that you previously entered when requesting the PKI certificates. The same passphrase is used throughout the installation process. 2. Select the Enable strong private key protection field 3. Select the Mark the private key as exportable field 4. Click on Next > 5/22/2003 Page: 5
1. Select Automatically select the certificate store based on the type of certificate field 2. Click on Next > 1. Click on the Finish button 5/22/2003 Page: 6
1. Click on Set Security Level 0. Select the security level a. Selecting High will offer the greatest protection. It will require you to create a password to access your certificate that only you will know and which you will have to remember to use your digital certificates. Every time you access your certificate, you will be required to input the password that you created. i. Recommended for high risk transactions, and ii. High-risk workstations. b. If you select Medium, you will not be required to create a password, or to input the password every time you use the certificate. The system will tell you when the private key of the key pair is being accessed, and you will be required to approve that use, but there will not be any password or strong security attached with the use of the certificate. Medium users can skip the next screen, and the screen after that, the security level will be set to Medium. i. Recommended for lower risk transactions, and ii. Secured workstations (nobody uses it but the certificate owner). 1. Click on Next > 5/22/2003 Page: 7
1. In the Password for: field, enter your first name (space) sig, (as shown in example above) 2. Create a new password in the Password: field 3. Re-enter the new password in the Confirm: field 4. Click on Finish 1. Click on OK 5/22/2003 Page: 8
Once complete, you will see the successful window. 1. Click on OK. Now you must import the encryption file, using the same screens. 1. Using Windows Explorer, navigate to your personal drive. 2. Open the Encryption certificate by double clicking on it. 3. Click on the Next > button 5/22/2003 Page: 9
1. Click on the Next > button 1. Enter the same, (one and only) password you originally obtained to access the PKI system, (not the password you just made up in recent steps). 2. Select Enable strong private key protection 3. Select Mark the private key as exportable 4. Click on Next > 5/22/2003 Page: 10
1. Select Automatically select the certificate store based on the type of certificate 2. Click on the Next > button 1. Click on the Finish button 5/22/2003 Page: 11
1. Click on Set Security Level 1. Select the security level a. Selecting High will offer the greatest protection. It will require you to create a password to access your certificate that only you will know and which you will have to remember to use your digital certificates. Every time you access your certificate, you will be required to input the password that you created. i. Recommended for high risk transactions, and ii. High-risk workstations. b. If you select Medium, you will not be required to create a password, or to input the password every time you use the certificate. The system will tell you when the private key of the key pair is being accessed, and you will be required to approve that use, but there will not be any password or strong security attached with the use of the certificate. Medium users can skip the next screen, and the screen after that, the security level will be set to Medium. i. Recommended for lower risk transactions, and ii. Secured workstations (nobody uses it but the certificate owner). 5/22/2003 Page: 12
2. Click on Next > 1. In the Password for: field, enter your first name (space) enc (as shown in example above) 2. Enter the same new password as created for the signature certificate steps in the Password: field 3. Re-enter the same password in the Confirm: field 4. Click on the Finish button 1. Click on the OK button 5/22/2003 Page: 13
You will see the successful window. 1. Click on OK 5/22/2003 Page: 14
Setting up the Security Profile in Outlook 1. On the main menu in Outlook 2000, click on Tools 2. Click on Options 1. Click on the Security tab 5/22/2003 Page: 15
1. Click on the Settings button 1. Click on the New button 5/22/2003 Page: 16
1. Enter your name in the Security Settings Name: field 2. Click on the Choose button in the middle of the screen 1. Highlight the signing certificate, titled Signing Key 2. Click on OK. 5/22/2003 Page: 17
Click on the Choose button on the lower portion of the screen 1. Highlight the encryption certificate. 2. Click on the OK button. 5/22/2003 Page: 18
1. Click on OK 5/22/2003 Page: 19
Using the Certificates in Outlook Mail In order to send or receive secure email messages, you must exchange certificates. The first step is to email your signature certificate to the person you want to communicate with via secure email. 1. In Outlook, create a new email message 2. Click on the Options button 5/22/2003 Page: 20
1. Click in the Add digital signature to outgoing message field 2. Click on Close Do not select this option Now you must enter the new password you created when downloading the certificates. You should have only used one password. 1. For those with the security level set to High, enter your password in the first field. If you selected High security, do NOT click in the Remember password field. By doing so the system would never ask you for your password again. This would defeat the purpose of using encrypted emails, which require both the sender and receiver to enter their passwords. 2. Click on OK 5/22/2003 Page: 21
Send the email message. You will see a red and yellow certificate symbol on any emails that are sent using certificate keys, as noted in the first email on the screen above. When you open the email, you will see the same red and yellow certificate symbol on the right side of the email message, in the shaded area. 5/22/2003 Page: 22
The other party must also have secure email certificates on their side. Have the person send you an email message with their digital signature certificate attached. When received, add the person to your contacts as follows. 1. Open the email message 2. Right click on the senders name, in the shaded area 3. Select Add to Contacts Enter any data about your new Contact that you need to have beyond the information automatically captured name and email address, and the certificate. 5/22/2003 Page: 23
1. Click on the Certificates tab 2. Click on the Properties button to view their certificate information 1. Click on OK 2. Click on Save and Close near the top left of the screen. 5/22/2003 Page: 24
Once both sides have saved the other person to their contacts, you will be able to exchange signed and/or encrypted emails. Sending Encrypted Email Encrypted email may be sent once signature keys are exchanged. From a New Message Window, click on the To button. Select the recipient from your Contacts List. 1. In Outlook, create a new email message 2. Click on the Options button 5/22/2003 Page: 25
1. Click in the Encrypt message contents and attachments field 2. Click on Close Do not select this option Now you must enter the new password you created when downloading the certificates. You should have only used one password. 1. For those who have set the security level to High, enter your password in the first field. 5/22/2003 Page: 26
Do not click in the Remember password field. By doing so the system would never ask you for your password again. This would defeat the purpose of using encrypted emails, which require both the sender and receiver to enter their passwords. 2. Click on OK 3. Send the encrypted email. You will see a blue certificate on any emails sent to you indicating they are encrypted. All new messages sent encrypted will have the blue lock symbol as displayed above in the circled area. 5/22/2003 Page: 27
Backing-Up Digital Certificates It s important that you make a back-up copy of your signing and encryption certificates for emergency use. These steps will take you through the certificate export process. 1. From the Outlook Main menu select Tools 2. Click on Options 3. Click on the Security tab 4. Click on Import/Export 5/22/2003 Page: 28
The Import/Export Security Information and Digital ID dialog box will be displayed. 1. Click on the Export your Exchange or S/MIME Security Information 2. Click on the Select button. 3. The Certificate Store will be displayed; highlight the digital certificate to export 4. Click OK. 5/22/2003 Page: 29
After selecting the certificate to back up, you will be returned to the Import/Export Security Information dialog box. The Digital ID box will be filled in with the certificate s Friendly Name. Enter an export file name for the certificate 1. Enter your certificate passphrase. Do NOT select Delete Security Information Digital ID from the system. 2. Click OK. 5/22/2003 Page: 30
Restoring Your Digital Certificate Complete the following steps to restore your digital certificate. 1. From the Outlook Main menu select Tools 2. Click on Options 3. Click on the Security tab 4. Click on Import/Export Digital ID 5/22/2003 Page: 31
The Import/Export Security Information and Digital ID dialog box will be displayed. 1. Click on Import existing Digital ID from a file option 2. Click on the Browse button 1. Select the security file to import 2. Click Open 5/22/2003 Page: 32
The Import/Export Security Information and Digital ID dialog box will be displayed. 1. Enter the password for the file and a Friendly Name for the certificate. 2. Click Ok. Your certificate will be imported into the Certificate Store 5/22/2003 Page: 33
Storing Public Encryption Keys Until public key certificates are available through a publicly accessible directory, store public keys locally. In Microsoft, that means saving to Contacts, and it may mean addressing encrypted mail to persons for whom you have the certificates through Contacts. Sending Signed / Encrypted Mail using Outlook Signing and/or encrypting mail messages in Outlook can be set at a global level or for each message as desired by the user. Each time a message is sent, Outlook will sign the message with the private key of the certificate owner s signing certificate and send the public key of certificate owner s encryption key. The steps are outlined below. Note: Selecting Signing at a global level will require the certificate owner to enter their password each time they send a signed message. Note: Wells Fargo has many different configurations of Internet Explorer and Outlook in place. Not all Outlook configurations can accept signed email. In most case users with IE 5.5 and Outlook 98 and higher can accept signed messages. If you will be sending a signed message to an internal recipient you for the first time, you may want to follow up and determine if they could successfully open the signed message. If not, an upgrade may be required. Global Signing 1. From the Main Outlook screen select Tools/Options/Security. 2. Click Add digital signature to outgoing messages box. 5/22/2003 Page: 34
3. Click OK to accept the changes. Global Encryption 1. From the Main Outlook screen select Tools/Options/Security. 2. To encrypt all outgoing messages select the Encrypt contents and attachments for outgoing messages box. 3. Click OK to accept the changes. 5/22/2003 Page: 35
Signing a Single Message 1. From a message screen, click the Options button. 2. In the Message Options screen select Add digital signature to outgoing message. 3. Click on Close. 5/22/2003 Page: 36
Encrypting a Single Message 1. From a message screen, click the To click the Options button. 2. In the Message Options screen select Encrypt message contents and attachments 3. Click on Close. 5/22/2003 Page: 37
Reading an Encrypted Message When you receive a message that is encrypted with your public key, only your private key can decrypt the message. When an attempt is made to open the message, Outlook will prompt for your password. The message will be decrypted and displayed. When you close the message it will return to its encrypted state. 1. Enter your password in the space provided. 2. Click OK. 5/22/2003 Page: 38
Customizing Outlook for Single-Click Sign and Encrypt To setup native Outlook for single-click sign and/or encrypt control: 1. Open a new email message 2. Select Tools on the menu bar 3. Click on Customize 1. Click on the Command tab 2. Highlight Standard in the Categories: box 3. Scroll down and find the following 2 choices in the Commands: box Encrypt Message Contents Digitally Sign Message 4. Highlight these choices and drag and drop these icons to your message toolbar 5. Click on Close 5/22/2003 Page: 39
Now you can digitally sign and/or encrypt by clicking a single button. 5/22/2003 Page: 40
Messages / Symbols Non-Secure Recipients The system cannot find the recipient s public key to encrypt the message. Remedy: If you do not have the recipient s public key, ask the recipient to send you a signed message, store their key in your local Contacts List, the try re-sending the message. If you have the recipient s public key, then address the message from your Contacts List. Secure Message Icons When you receive a secure message either signed and/or encrypted, Outlook with display a sealed envelope with a blue lock. Blue Pen The message was sent using Exchange Server security. Red Certificate The message was sent using S/MIME and has an invalid certificate or a certificate with an unknown verification source. The message was sent using S/MIME and includes a digital ID that is clear signed. To include a digital ID, follow these steps: 1. On the Tools menu, click Options. 2. On the Security tab, click Add digital signature to outgoing messages, and Send clear text signed message. 5/22/2003 Page: 41
Blue Lock The message was sent using S/MIME and the digital ID was not sent using clear text. Send clear text signed message is not selected. The digital ID was sent encrypted. The message is sent using S/MIME and is encrypted. These icons will be displayed within the secure message. The lock indicates an encrypted message. The ribbon indicates the message is signed. Encryption Algorithm Message Double-click on an encryption icon from within a message will display a message identifying the encryption algorithm 5/22/2003 Page: 42
Certificate Clicking on Encryption Certificate or Signing Certificate button will display the digital certificate. You can view the detail, certificate path or trust by clicking on the appropriate tabs. 5/22/2003 Page: 43
Digital Signature Validation Message Out of Memory or System Resources Outlook is unable to open a signed message, or you have aborted a signing operation. Key Not Found Outlook was unable to locate your private key to decrypt. Your key may have been deleted or lost. 5/22/2003 Page: 44
Password Mismatch You entered your password incorrectly. 5/22/2003 Page: 45