
Prerequisites for S/MIME encryption

Introduction

The Email connector allows you to use S/MIME to sign or sign and encrypt an email before you send it using the Send Email activity, as well as to read emails that have been signed and/or encrypted this way using the Read Email activity, but in both scenarios you need to have an S/MIME certificate. In addition, a "certificate authority", or CA, is needed to sign your certificate, but you can be your own CA. This page teaches you how to do that.

Certificates are based on public-key cryptography. Therefore, the public key of the intended email recipient is required in order to encrypt an email to them. Conversely, for you to receive an encrypted email, the sender needs your public key.

This page describes the creation of a personal public/private key pair. While you must provide your public key to someone in order to receive an encrypted email from them, your private key should be kept only by you.

Step-by-step instructions

Although other tools can also be used, the instructions provided in this page will rely on OpenSSL. If you are using Windows, be sure to run your command prompt as an administrator.

Step 1: Create an OpenSSL configuration file

If your OpenSSL distribution already includes a default configuration file containing the necessary extensions, this step is not necessary. When you execute the openssl.exe file (from the directory where OpenSSL is installed), a message will warn you if there isn't a configuration file in place.

If your distribution does not have a default configuration file, create a file named smime.cnf containing the following configuration:

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[v3_ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer

[smime]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = email:copy

Next, set the OPENSSL_CONF environment variable to the full path of the new configuration file. In a terminal, enter the command for your platform, replacing the path with the location where you saved smime.cnf:

Windows (Command Prompt):
set OPENSSL_CONF=c:/openssl/smime.cnf

Linux or macOS:
export OPENSSL_CONF=/path/to/smime.cnf

Step 2: Generate an RSA private key for the certificate authority

To generate an RSA private key for the new certificate authority, open a terminal and run one of the following commands (they are equivalent). The options specify the aes256 cipher for encrypting the key, a key size of 4096 bits, and ca.key as the output file:

openssl genrsa -aes256 -out ca.key 4096
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out ca.key

You will be prompted to create a passphrase for this key. Retain this passphrase for use in Step 3.

Step 3: Create a self-signed certificate for the certificate authority

Open a terminal. The example below creates a certificate valid for 10 years (3650 days) using the private key created in Step 2. The -x509 option specifies that it is a self-signed certificate, and -out writes the certificate to a file named ca.crt:

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -extensions v3_ca

Note

If your OpenSSL distribution already has a proper configuration file, meaning you've skipped Step 1 above, you should remove the -extensions v3_ca from this command.

You will see a series of prompts. Follow them, using the passphrase from Step 2. After that, the certificate authority will have been created.

Step 4: Generate a private key for the personal email certificate

Next, create a new private key. This one is for your personal certificate rather than for the certificate authority. The example below is for someone named Jane Doe with the email address jane_doe@example.com and uses RSA; run either of the following commands (they are equivalent):

openssl genrsa -aes256 -out smime_jane_doe.key 4096
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out smime_jane_doe.key

When prompted, enter a passphrase different from the one you used when you created the certificate authority private key in Step 2. Retain this passphrase for use in Step 5.

Note

You don't necessarily need to use RSA to create a private key. Other available cryptographic algorithms like ECC can also be used.

Step 5: Create the certificate signing request

Create the certificate signing request by running the following command:

openssl req -new -key smime_jane_doe.key -out smime_jane_doe.csr

When prompted, enter the passphrase you used to create the private key in Step 4. Note that when you are prompted to provide a Common Name, don't provide the same one you did in the prompts at the end of Step 3.

Step 6: Sign the certificate using the certificate authority

Create the personal certificate: the configuration file created in Step 1 supplies the necessary extensions, and the certificate authority created in Step 3 signs the new personal certificate.

Run the following command (increment set_serial with each signing request):

openssl x509 -req -days 3650 -in smime_jane_doe.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime_jane_doe.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extfile c:\openssl\smime.cnf -extensions smime
openssl x509 -req -days 3650 -in smime_jane_doe.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime_jane_doe.crt -sha256

When prompted, enter the passphrase for the certificate authority private key from Step 2.

Note

If your OpenSSL distribution already has a proper configuration file, meaning you've skipped Step 1 above, remove the last two arguments from the command shown in this step. Make sure that the extensions listed exist in your default configuration file before doing so.

Step 7: Generate a private key file

Run the following command to generate a PKCS#12 archive (smime_jane_doe.p12) containing the personal private key from Step 4 and the certificate from Step 6 (a .pfx file is the same PKCS#12 format under a different extension):

openssl pkcs12 -export -in smime_jane_doe.crt -inkey smime_jane_doe.key -out smime_jane_doe.p12

When prompted, enter the passphrase associated with your personal private key created in Step 4. Create another passphrase which will be used when importing the .p12 file into an email client. Retain this second passphrase, as you will be asked to provide it when enabling S/MIME encryption in either the Read Email or Send Email activities.

Warning

Do not share your private key with anyone. In order to send you an encrypted email, a sender needs to know your public key, but your private key should be kept only by you.

Step 8: Move the file to an agent path

Now that you have a certificate, packed into the .p12 file created in Step 7, move that file to an agent-visible path (for instance, the Resources folder), and import the certificate into the default truststore (see Add certificates to learn how to do that).

Note

When importing the certificate to the default truststore, retain the alias you use to identify it, as you will be asked to provide it when enabling S/MIME encryption in either the Read Email or Send Email activities.

Next steps

Now that your self-signed S/MIME certificate has been created, it can be used to sign or sign and encrypt your emails, as well as to read emails that were signed or encrypted this way. By providing your public key to a sender, you can receive encrypted emails from them. Once a recipient provides you with their public key, you can send them an encrypted email as well.