Saturday, 2 May 2015

Email Encryption using S/MIME in Evolution Email Client

Consider the following scenario: Batul sends an email to Shabbir. When Batul adds a digital signature, she signs the email with her private key, and Shabbir verifies it with Batul's public key.

But when Batul sends an encrypted mail to Shabbir, she encrypts it with Shabbir's public key, and Shabbir decrypts it with his private key.

Encryption by itself is not sufficient: the contents of the message are secret, but there is no guarantee that the mail came from Batul. Batul has to add a digital signature to prove that she sent the message and that it was not altered in transit.

In this tutorial, we create a local CA on Batul's machine. This local CA issues S/MIME certificates for the users Batul and Shabbir.

We will then add Batul's and Shabbir's certificates, along with the CA certificate, to their email clients. Then we will send encrypted mail.

Batul's Machine: On Batul's machine, perform the following steps.

1) Install package
[batul@server3 ~]$ sudo yum -y install openssl

2) Create an S/MIME certificate for Batul's email address, as follows:
    2.1) Create the local CA. The CA certificate file '/etc/pki/CA/cacert.pem' will be added to Batul's and Shabbir's email clients.
[root@server3 ~]# /etc/pki/tls/misc/CA -newca

    2.2) Create public-private key pair
[root@server3 ~]# openssl genrsa -out batul.key

    2.3) Create a certificate signing request (CSR) for Batul's email address.
[root@server3 ~]# openssl req -new -key batul.key -out batul.csr
Country Name (2 letter code) [XX]:in
State or Province Name (full name) []:maharashtra
Locality Name (eg, city) [Default City]:mumbai
Organization Name (eg, company) [Default Company Ltd]:my company ltd
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:batul@mycompany.com
Email Address []:batul@mycompany.com

    2.4) Sign the Certificate.
[root@server3 ~]# openssl ca -in batul.csr  -out batul.crt

    2.5) Create a pkcs12 file. The pkcs12 file combines the certificate and the key file into one file.
[root@server3 ~]# openssl pkcs12 -export -inkey batul.key  -in batul.crt -out batul.pkcs12
Enter Export Password:
Verifying - Enter Export Password:

Batul's certificate files: batul.pkcs12, batul.crt


3) Create an S/MIME certificate for Shabbir's email address, as follows:
    3.1) Create public-private key pair
[root@server3 ~]# openssl genrsa -out shabbir.key

    3.2) Create a certificate signing request (CSR) for Shabbir's email address.
[root@server3 ~]# openssl req -new -key shabbir.key -out shabbir.csr
Country Name (2 letter code) [XX]:in
State or Province Name (full name) []:maharashtra
Locality Name (eg, city) [Default City]:mumbai
Organization Name (eg, company) [Default Company Ltd]:my company ltd
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:shabbir@mycompany.com
Email Address []:shabbir@mycompany.com

    3.3) Sign the Certificate.
[root@server3 ~]# openssl ca -in shabbir.csr  -out shabbir.crt

    3.4) Create a pkcs12 file. The pkcs12 file combines the certificate and the key file into one file.
[root@server3 ~]# openssl pkcs12 -export -inkey shabbir.key  -in shabbir.crt -out shabbir.pkcs12
Enter Export Password:
Verifying - Enter Export Password:


Shabbir's certificate files: shabbir.pkcs12, shabbir.crt
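The following script is an added example, not part of the original post. It reproduces steps 2 and 3 non-interactively and then exercises the resulting certificates the way the introduction describes (sign with the sender's private key, encrypt to the recipient's certificate). It swaps the post's "openssl ca" for "openssl x509 -req -CA" so no CA directory layout is needed, and the CA name, export password and message body are constructed values.

```shell
#!/bin/sh
# Added example (not from the post): non-interactive CA + S/MIME certificate
# issuance, then a sign/verify and encrypt/decrypt round trip with openssl smime.
# "openssl x509 -req -CA" stands in for the post's "openssl ca" so that no
# index.txt/serial files are required. Names and passwords are constructed.
set -eu

# Issue an S/MIME certificate for email $1, signed by the CA kept in directory $2.
issue_smime_cert() {
  email=$1; dir=$2; name=${email%%@*}
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "/CN=$email/emailAddress=$email" \
      -out "$dir/$name.csr"
  # Mail clients expect the address in subjectAltName plus the emailProtection
  # extended key usage; a stock "openssl ca" config does not add these.
  printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\n' "$email" \
      > "$dir/$name.ext"
  printf 'keyUsage=digitalSignature,keyEncipherment\n' >> "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/cacert.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 365 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  # Key + certificate bundle for the "Your Certificates" import in Evolution.
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
      -passout pass:changeit -out "$dir/$name.pkcs12"
}

# Create the CA, issue both user certificates, then sign/verify and
# encrypt/decrypt a constructed message exactly as the mail clients would.
smime_roundtrip() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -days 365 \
      -subj "/CN=Local Mail CA" -out "$dir/cacert.pem" 2>/dev/null
  issue_smime_cert batul@mycompany.com "$dir"
  # In practice each user generates their own key pair so the CA operator never
  # holds another user's private key; both are made here only for the demo.
  issue_smime_cert shabbir@mycompany.com "$dir"
  printf 'meeting at 10\n' > "$dir/msg.txt"          # constructed message body
  # Batul signs with her private key; anyone holding cacert.pem can verify it.
  openssl smime -sign -in "$dir/msg.txt" -signer "$dir/batul.crt" \
      -inkey "$dir/batul.key" -out "$dir/msg.signed"
  openssl smime -verify -in "$dir/msg.signed" -CAfile "$dir/cacert.pem" \
      -out "$dir/verified.txt" 2>/dev/null
  # Batul encrypts to Shabbir's certificate; only Shabbir's private key decrypts.
  openssl smime -encrypt -aes256 -in "$dir/msg.txt" -out "$dir/msg.enc" "$dir/shabbir.crt"
  openssl smime -decrypt -in "$dir/msg.enc" -recip "$dir/shabbir.crt" \
      -inkey "$dir/shabbir.key" -out "$dir/decrypted.txt"
}

WORK=$(mktemp -d)
smime_roundtrip "$WORK"
grep -q 'meeting at 10' "$WORK/decrypted.txt" && echo "round trip OK in $WORK"
```

With OpenSSL 3 an older NSS-based Evolution may refuse the default PKCS#12 encryption; adding -legacy to the pkcs12 -export line produces a bundle it accepts.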


4) Add Batul's email certificate, Shabbir's email certificate and the CA certificate in the Evolution email client
    Click Applications, click Office, click Evolution.
    In the Evolution main menu, click Edit, click Preferences.

    In the left tab, click Certificates.
    In the Your Certificates tab, click the Import button and select the file batul.pkcs12 (created above).

    In the Contact Certificates tab, click the Import button and select the file shabbir.crt.

    In the Authorities tab, click the Import button and select the CA certificate file cacert.pem. In the 'Certificate Authority Trust' window, select "Trust this CA to identify email users".

    In the left tab, click Mail Accounts.
    Select the account name batul@mycompany.com and click Edit.
    In the left tab, click Security.
    In the Secure MIME section, select Batul's certificate as the Signing Certificate and Batul's certificate as the Encryption Certificate.
    Click OK.

5) Give the following files to Batul's friend Shabbir, to configure in his email client:
    Shabbir's pkcs12 certificate file: shabbir.pkcs12
    Batul's certificate file: batul.crt
    CA certificate file: cacert.pem


Shabbir's Machine: On Shabbir's machine, perform the following steps.

1) Add Shabbir's pkcs12 certificate, Batul's certificate and the CA certificate in the Evolution email client
    Click Applications, click Office, click Evolution.
    In the Evolution main menu, click Edit, click Preferences.

    In the left tab, click Certificates.
    In the Your Certificates tab, click the Import button and select the file shabbir.pkcs12.

    In the Contact Certificates tab, click the Import button and select the file batul.crt.

    In the Authorities tab, click the Import button and select the CA certificate file cacert.pem. In the 'Certificate Authority Trust' window, select "Trust this CA to identify email users".

    In the left tab, click Mail Accounts.
    Select the account name shabbir@mycompany.com and click Edit.
    In the left tab, click Security.
    In the Secure MIME section, select Shabbir's certificate as the Signing Certificate and Shabbir's certificate as the Encryption Certificate.
    Click OK.

2) Send encrypted mail to Batul.
    On the Evolution main screen, click New to compose a new mail message.
    In the Compose Message menu, click Options, then click S/MIME Encrypt.
    Enter Batul's email address and the other email details, and click Send to send the message.

    The encrypted message has been sent. Batul's email client will decrypt the mail using her private key.

3) To sign the message, click S/MIME Sign in the Options menu of the Compose Message window.
