

Signing and encrypting e-mails in Outlook Guidance for administrators

RIA EID Guidances https://www.ria.ee Page 0/17

SIGNING AND/OR ENCRYPTING E-MAILS WITH OFFICE OUTLOOK 2016 USING SK CERTIFICATES

Document information

Date of creation:  21.01.2019
Receivers:         RIA
Author:            Urmas Vanem, OctoX
Version:           19.01

Version information

Date         Version   Changes/Notices
21.01.2019   19.01/1   Public version, based on 18.12 software


Introduction

Microsoft Office Outlook 2016 has a number of requirements for performing digital operations on e-mails, and not all of them are fulfilled by default. To support digital e-mail signing with SK certificates in Windows environments, the following changes must be made to the computer configuration:

1. Add the intermediate certificate to the intermediate certificates store;

2. Allow certificates whose e-mail address differs from the mailbox address to sign e-mails.

And of course, the ID card software must be installed on the computer! You also need to be a local administrator on the computer to make changes to the system configuration!

After all requirements are fulfilled you can send digitally signed and/or encrypted e-mails using SK smart card certificates!

Note. This document describes what to do with Office 2016. The configuration is also supported in older versions of Office and in Office 365, but it may need minor changes for other versions.


Making required changes

Adding intermediate certificates

Download and save the root [1] and intermediate certificates [2] to the folder c:\temp:

1. EE-GovCA2018 as EE-GovCA2018.cer

2. EE Certification Centre Root CA as EECCRCA.cer

3. EstEID-SK 2011 as EstEID-SK2011.cer

4. EstEID-SK 2015 as EstEID-SK2015.cer

5. ESTEID2018 as ESTEID2018.cer

Single user/computer

Root CA certificates

Method 1 – adding certificates from command prompt

From an administrative command prompt run the command: “certutil -f -addstore Root c:\temp\EE-GovCA2018.cer”:

Picture 1 - adding root certificate to store!

Repeat the step for the “EE Certification Centre Root” certificate: “certutil -f -addstore Root c:\temp\EECCRCA.cer”.

You can check that the certificates are present in the root store by running the command “certutil -viewstore Root”.

Intermediate CA certificates

Method 1 – adding certificates from command prompt

From an administrative command prompt run the command: “certutil -f -addstore CA c:\temp\EstEID-SK2011.cer”:

Picture 2 - adding intermediate certificate to store!

[1] Usually the root certificate „EE Certification Centre Root“ is already published automatically in most cases, but we add it to be sure. [2] You need to add only one intermediate certificate, the one that issued your personal certificate. But there is nothing wrong with supporting all currently active intermediate certificates in the corresponding store!


Repeat the step for the “EstEID-SK 2015” certificate: “certutil -f -addstore CA c:\temp\EstEID-SK2015.cer”.

Repeat the step for the ESTEID2018 certificate: “certutil -f -addstore CA c:\temp\ESTEID2018.cer”.

You can check that the certificates are present in the intermediate store by running the command “certutil -viewstore CA”.
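The certutil steps above can be scripted so that the same configuration is applied identically on every workstation and the result is checked by thumbprint rather than by eye. The following PowerShell script is an added example, not part of the RIA guide; it assumes the five .cer files were saved to C:\temp under the file names listed above and that it is run from an elevated PowerShell session.

```powershell
# Added example (not from the RIA guide): import the SK root and intermediate
# certificates into the Local Machine stores and confirm they are present.
# Assumes the .cer files were saved to C:\temp with the names the guide uses.
# Run from an elevated (administrator) PowerShell session.

$certDir = 'C:\temp'

# File name -> target store, matching the guide: root certificates go to Root,
# intermediates (the issuers of the personal certificates) go to CA.
$certificates = @(
    @{ File = 'EE-GovCA2018.cer';  Store = 'Root' },
    @{ File = 'EECCRCA.cer';       Store = 'Root' },
    @{ File = 'EstEID-SK2011.cer'; Store = 'CA'   },
    @{ File = 'EstEID-SK2015.cer'; Store = 'CA'   },
    @{ File = 'ESTEID2018.cer';    Store = 'CA'   }
)

foreach ($entry in $certificates) {
    $path = Join-Path $certDir $entry.File
    if (-not (Test-Path $path)) {
        Write-Warning "Missing file: $path (download it first)"
        continue
    }

    # Read the certificate so we can check by thumbprint instead of by file name.
    # Before trusting a ROOT certificate, compare this thumbprint with the value
    # published by the issuer on a trusted channel; a wrong root means every
    # certificate chaining to it would be trusted.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    $storePath = "Cert:\LocalMachine\$($entry.Store)"
    Write-Host ("{0}: thumbprint {1}" -f $entry.File, $cert.Thumbprint)

    $existing = Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($existing) {
        Write-Host "Already present in $($storePath): $($cert.Subject)"
        continue
    }

    # Import-Certificate (PKI module) is the PowerShell equivalent of
    # 'certutil -f -addstore <store> <file>'.
    Import-Certificate -FilePath $path -CertStoreLocation $storePath | Out-Null
    Write-Host "Imported into $($storePath): $($cert.Subject)"
}

# Verification, the non-interactive counterpart of 'certutil -viewstore Root'
# and 'certutil -viewstore CA': list what is now in each store.
foreach ($store in 'Root', 'CA') {
    Write-Host "`nContents of Cert:\LocalMachine\$store matching the SK/EE issuers:"
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -match 'SK|EE Certification|EE-GovCA|ESTEID' } |
        Select-Object Thumbprint, Subject, NotAfter |
        Format-Table -AutoSize
}
```

The script is idempotent: a certificate already present in the target store is reported and skipped, so it can be re-run after adding a new intermediate to the list.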

Method 2 – adding certificates using GUI

Open the downloaded certificates and install them to the intermediate certificates store. Here is an example based on the “EstEID-SK 2015” certificate:

1. Open the certificate and select Install Certificate:

Picture 3 - select install certificate

2. Select the store location; if possible, prefer Local Machine:


Picture 4 - store selection

3. Click Yes on the User Account Control dialog:

Picture 5 - allow change

4. Select the Intermediate Certification Authorities store and click Next:


Picture 6 - selecting intermediate authorities store

5. Click Finish to confirm import:


Picture 7 - completing procedure

6. You’ll get confirmation that everything is fine; click OK:

Picture 8 - import succeeded!

To verify the configuration, open your SK certificate and check that the full chain is built:


Picture 9 - full chain is built and certificate is OK!

Repeat the step for all other certificates. Root CA certificates are added to the store “Trusted Root Certification Authorities”.

Domain environment

In a domain environment, you can distribute the root and intermediate certificates through group policy!
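The "full chain is built" check in Picture 9 can also be done without the GUI, which is useful when rolling the configuration out to many machines. The following PowerShell script is an added example, not part of the RIA guide; it assumes the ID card software has registered the card's certificates in the Current User personal store (Cert:\CurrentUser\My) and that the issuer names match the SK intermediates listed earlier.

```powershell
# Added example (not from the RIA guide): build the certificate chain for the
# ID card certificate(s) and report exactly which link is missing or untrusted.
# This is the same check as opening the certificate and looking at the
# "Certification Path" tab.

# Pick certificates issued by one of the SK intermediates; adjust the pattern
# if your certificates come from another issuer.
$personal = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match 'ESTEID|EstEID-SK' }

if (-not $personal) {
    Write-Warning 'No SK-issued certificate found in Cert:\CurrentUser\My. Is the card inserted and the ID card software installed?'
    return
}

foreach ($cert in $personal) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation online, as Outlook does when validating a signature;
    # use NoCheck for an offline test of store configuration only.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $ok = $chain.Build($cert)

    Write-Host "`nCertificate: $($cert.Subject)"
    Write-Host "Chain built successfully: $ok"

    # Print each element from the leaf up to the root, so a missing
    # intermediate or an untrusted root is visible at a glance.
    $i = 0
    foreach ($element in $chain.ChainElements) {
        Write-Host ("  [{0}] {1}" -f $i, $element.Certificate.Subject)
        foreach ($status in $element.ChainElementStatus) {
            Write-Host ("      status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
        }
        $i++
    }

    if (-not $ok) {
        # Overall chain status: PartialChain means an intermediate certificate is
        # missing from the CA store, UntrustedRoot means the root is not in the
        # Trusted Root Certification Authorities store.
        $chain.ChainStatus | ForEach-Object {
            Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
        }
    }
    $chain.Reset()
}
```

A chain that ends in the expected root with no status entries on any element corresponds to the "full chain is built and certificate is OK" state shown in Picture 9.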

Allowing different e-mail address in certificate

Single user/computer

To support a different e-mail address in the certificate we need to add a registry value to our configuration.

Method 1 – using command prompt

From an administrative command prompt run “Reg add HKCU\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security /v supressnamechecks /t REG_DWORD /d 1”:

Picture 10 - add registry key and value


You can check that the registry key and value exist by running the command „Reg query HKCU\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security /v supressnamechecks“.
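The same registry change, written as a PowerShell script that creates the policy key if it is missing and reads the value back afterwards. This is an added example, not part of the RIA guide; the key path and value name are exactly those used by the reg add command above.

```powershell
# Added example (not from the RIA guide): set the Outlook 2016 policy value the
# guide adds with 'reg add', then read it back. Equivalent to:
#   reg add HKCU\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security /v supressnamechecks /t REG_DWORD /d 1
# The value name keeps the spelling Outlook expects ("supressnamechecks").

$keyPath   = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security'
$valueName = 'supressnamechecks'

# The Policies\...\security key usually does not exist on a machine that has
# no Office policies applied; New-Item -Force creates the whole path.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# DWORD 1 = do not require the e-mail address in the certificate to match
# the address of the sending mailbox.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Verification, equivalent to 'reg query ... /v supressnamechecks'.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($current -eq 1) {
    Write-Host "$valueName is set to 1 under $keyPath"
} else {
    Write-Warning "$valueName has an unexpected value: $current"
}
```

Because the value lives under HKCU, it applies to the current Windows user only; for every user of a shared machine the group policy method in the "Domain environment" section is the better fit. Note what the setting relaxes: Outlook still validates the signature and the certificate chain, but it no longer requires the e-mail address in the certificate to match the sender address, so recipients should rely on the signer's name in the certificate rather than on the From line.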

Method 2 – importing registry file

An alternative way is to copy the following text (and the text only, please) into Notepad and save the file as SuppDiffEMail.REG. This can be useful if you want to share the configuration easily with others.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security]

"supressnamechecks"=dword:00000001

Run the .reg file and click Yes on the User Account Control dialog:

Picture 11 - standard dialog

In the next dialog window, confirm that you want to continue and click Yes:

Picture 12 - yes, you are sure

Now you’re notified that the information was added to the registry:


Picture 13 - confirmation

Domain environment

In a domain environment, you can use the Office 2016 user policy “Policies/Administrative Templates/Microsoft Outlook 2016/Security/Cryptography/Do not check e-mail address against address of certificates being used”:

Picture 14 - configuring systems with group policy


Sending digitally signed e-mails

Setting signing configuration

Open Outlook and select Options from the File menu!

In the Options window select Trust Center, click Trust Center Settings and select Email Security:

Picture 15 - trust center, email security

Click Settings, select Choose (for the signing certificate) and select your ID card authentication certificate, set the other options as shown in the following figure and click OK!


Picture 16 - selecting signing certificate and setting other options

If necessary, insert the ID card into the reader.

The Certificates and Algorithms fields are now filled. You must also give your settings a name! Click OK!

In the Trust Center / Email Security window you can configure the system to add digital signatures to your e-mails automatically, if you like:


Picture 17 - can change default configuration

Click OK twice to return to Outlook.

Your signing configuration is ready now!

Sending signed e-mail

Open Outlook and select New mail.

Prepare your e-mail as usual, then select the Options tab and select Sign!:

Picture 18 - mark sign for digital signature!

Click Send!

Outlook will ask for the PIN to sign the e-mail. Enter the PIN and click OK!


Picture 19 - asking PIN to get access to private key

The recipient will get a digitally signed e-mail:


You can see that:

- the e-mail is signed!
- the digital signature is valid and trusted!
- the details of the signature!
- the signature information!
- …and you can also open the certificate for further verification!


Encrypting e-mails

E-mail encryption allows you to encrypt e-mail content with the recipient’s public key. As a result, the only person in the world who can open the encrypted e-mail is the person who has the private key to decrypt it. In our case, we use SK certificates on smart cards, where the public keys are public information and the private key always stays on the smart card (ID or similar card)! So, to decrypt an e-mail (and view its content) encrypted with an SK public key, the recipient needs the private key (accessible with PIN 1) on the ID card!

To send an encrypted e-mail to a recipient, the recipient must be in your Outlook contacts and the ID card certificate (public key) must be associated with this contact! To add the certificate, open Outlook Contacts, select Certificates and click Import. Browse to the contact's certificate file and import it!

Picture 20 - adding certificate to contact

How to get the recipient's certificate:

- ask the recipient for their SK authentication certificate, or
- import it from the SK LDAP (you need the personal identification number for that), or
- ask the recipient for a signed e-mail (where the certificate is attached).

Now you can use the encryption option when sending e-mail to the contact!
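The property the section relies on, that a message encrypted to a public certificate can be opened only where the matching private key is, can be demonstrated locally with PowerShell's CMS cmdlets, which produce the same enveloped-data format that S/MIME e-mail uses. The following script is an added example, not part of the RIA guide; it uses a constructed self-signed test certificate (no SK certificate or ID card is involved) and deletes it at the end.

```powershell
# Added example (not from the RIA guide): show with a constructed test
# certificate that encrypting needs only the recipient's public certificate
# (.cer file) while decrypting needs the private key. Real SK certificates are
# not touched; the test certificate is self-signed and removed at the end.

# 1. Recipient side: create an encryption certificate with a private key.
#    (On an ID card this key pair lives on the card; the private key never leaves it.)
$recipient = New-SelfSignedCertificate -Subject 'CN=Test Recipient (constructed)' `
    -Type DocumentEncryptionCert -KeyUsage KeyEncipherment, DataEncipherment `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddDays(1)

# 2. The recipient hands out only the public part as a .cer file.
#    This is the file you would import into the Outlook contact.
$publicCer = Join-Path $env:TEMP 'test-recipient.cer'
Export-Certificate -Cert $recipient -FilePath $publicCer | Out-Null

# 3. Sender side: encrypt a message using nothing but the .cer file.
$plaintext = 'Constructed test message: meeting at 10:00.'
$cms = Protect-CmsMessage -To $publicCer -Content $plaintext
Write-Host "Encrypted message (CMS, Base64):`n$cms`n"

# 4. Decryption works while the private key is available in the user's store.
$decrypted = Unprotect-CmsMessage -Content $cms
Write-Host "Decrypted with private key: $decrypted"

# 5. Remove the private key and try again: decryption must now fail, which is
#    the situation of anyone who holds only the public certificate.
Remove-Item -Path "Cert:\CurrentUser\My\$($recipient.Thumbprint)" -DeleteKey
try {
    Unprotect-CmsMessage -Content $cms | Out-Null
    Write-Warning 'Unexpected: decrypted without the private key'
} catch {
    Write-Host "Without the private key decryption fails: $($_.Exception.Message)"
}
Remove-Item $publicCer -ErrorAction SilentlyContinue
```

With an ID card the step 5 situation is the normal one for everybody except the card holder: the private key never exists on any PC, so the e-mail can be opened only with the card and PIN 1, as the next section shows.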


Picture 21 - sending encrypted e-mail

Note. You can also add a signature to the e-mail in addition to encryption if you like!

The recipient will now get your e-mail and she or he needs the ID card and PIN to open it:

Picture 22 - decrypting e-mail with PIN (private key)


After entering the PIN, the recipient decrypts the e-mail and can see its content!