encryption - S/MIME email Public Certificate?

2014-04-06
  • Guest154845123

    Is there a way to create a public certificate for a S/MIME email certificate?

    I would like to share the public key on my website so people can send me encrypted emails. However I can only find "tutorials" where I need to send someone a signed mail first so their mail program can obtain the key. But I want to share my public key over HTTP so people don't have to ask for a signed mail in order to send an encrypted one. It is common to share public PGP keys, is S/MIME different in this aspect?

    I have a S/MIME cert set up in Thunderbird but it can only export the whole (private) key.
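Added example, not part of the original question or of Thunderbird: one way to get a public-only certificate file out of the PKCS#12 (.p12) backup that Thunderbird exports, using PowerShell and the .NET X509Certificate2 class. The file paths are assumptions; the script loads the .p12 with an ephemeral key set (so the private key is not persisted anywhere), writes only the DER-encoded certificate, and re-reads the output to confirm it carries no private key before it is published.

```powershell
# Added example (not from the original post). Assumed paths: adjust as needed.
param(
    [string]$PfxPath = "$HOME\smime-backup.p12",  # assumed: Thunderbird's PKCS#12 export
    [string]$OutPath = "$HOME\smime-public.cer"   # DER certificate to publish on the web site
)

$pw = Read-Host -Prompt "PKCS#12 password" -AsSecureString

# EphemeralKeySet (.NET Framework 4.7.2+ / .NET Core) keeps the private key in memory only,
# instead of creating a key container in the user's profile while we read the file.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pw, $flags)

# X509ContentType.Cert exports the certificate alone (identity + public key); the private key
# is never part of this encoding, which is what makes the file safe to publish.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutPath, $der)

# Sanity check before publishing: the written file must not contain a private key.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutPath)
if ($public.HasPrivateKey) {
    throw "Exported file unexpectedly carries a private key; do not publish it"
}
"Public certificate written to $OutPath"
"  Subject    : $($public.Subject)"
"  Thumbprint : $($public.Thumbprint)"
"  Valid until: $($public.NotAfter)"
```

A correspondent who downloads the .cer can attach it to your entry in their address book (Outlook and Thunderbird both accept a bare certificate this way) and then send encrypted mail without first receiving a signed message; publishing the thumbprint next to the file gives them something to compare against out of band.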


    Related Question

    email - Store personal certificates encrypted in Windows?
  • David Nordvall

    I recently got myself an email S/MIME signing/encrypting certificate. I installed this on my Windows machine, which, obviously, required me to enter the password I used to encrypt the certificate, and fired up Outlook to test it. Sure enough, I was able to send a signed email. What bothered me, however, was that I was never prompted to enter any password. I assume this means that, when I installed my certificate, Windows decrypted the certificate and the private key and stored it somewhere, either in clear text or encrypted using some other key, implicitly tied to my user account.

    Personally, for security reasons I would like to have to enter a password each time I would like to use my certificate. Is it possible to get this kind of behaviour in Windows, either out of the box or using some third-party add-on?


  • Related Answers
  • grawity

    Your certificate was imported into the Windows certificate store, where it is kept encrypted with a key tied to your Windows account (which is in turn encrypted with your Windows login password).

    You can use certmgr.msc to manage certificates (look under Personal).

    Personal certificates can be protected in several ways. In XP, both options are only presented when importing from a PKCS#12 file. You will have to remove and re-import the certificate/key in order to change them.

    Certificate Import Wizard

    • Non-exportable: When importing the certificate, disable "Mark this key as exportable". This way, programs can still use the certificate to sign and decrypt, but they cannot access the private key itself.

    • Strong protection: When importing the certificate, check "Enable strong private key protection". After completing the import, you will be asked to choose a CryptoAPI security level.

      Security level

      • Medium – Windows will ask for confirmation every time the key is used.

      • High – you can enter a protection password, which Windows will ask for whenever the key is used.

      (At least in Windows XP, there is a slight bug: You must choose "High" in order to change the "description" field from the default CryptoAPI Private Key. This has no effect on actual security, however.)
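Added example, not grawity's code: the "non-exportable" option from the answer above done from PowerShell instead of the import wizard, followed by a check that the stored key really cannot be extracted. `Import-PfxCertificate` (PKI module, Windows 8 / Server 2012 and later) marks the key exportable only when `-Exportable` is given, so leaving that switch out is the scripted equivalent of unchecking "Mark this key as exportable". The file path is an assumption.

```powershell
# Added example (not from the original answer). Assumed path: adjust as needed.
$PfxPath = "$HOME\smime.pfx"
$pw = Read-Host -Prompt "PFX password" -AsSecureString

# No -Exportable switch: programs can still sign and decrypt with the key,
# but the key material itself cannot be pulled back out of the store.
$imported = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation Cert:\CurrentUser\My `
                                  -Password $pw

# Look the certificate up again in the Personal store (what certmgr.msc shows under "Personal").
$stored = Get-ChildItem Cert:\CurrentUser\My |
          Where-Object { $_.Thumbprint -eq $imported.Thumbprint }

"Imported   : $($stored.Subject)"
"Thumbprint : $($stored.Thumbprint)"
"Has key    : $($stored.HasPrivateKey)"

# Verification: an export that includes the private key must fail for a non-exportable key.
try {
    $null = $stored.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pw)
    Write-Warning "Private key is exportable; remove it (certmgr.msc) and re-import without -Exportable"
} catch [System.Security.Cryptography.CryptographicException] {
    "Private key is non-exportable (PFX export failed as expected)"
}
```

The second option from the answer, "Enable strong private key protection" (the per-use confirmation or password prompt), is not exposed by `Import-PfxCertificate`; for that setting you still go through the Certificate Import Wizard in certmgr.msc as described above.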