Prerequisites for S/MIME encryption
Introduction
The Email connector lets you use S/MIME (Secure/Multipurpose Internet Mail Extensions) to sign or sign and encrypt an email before sending it with the Send Email activity. You can also read signed and/or encrypted emails using the Read Email activity.
S/MIME certificates use public-key encryption. To encrypt an email, you need the recipient's public key. To receive an encrypted email, the sender needs your public key.
This page explains how to create a personal public/private key pair. You must share your public key with others to receive encrypted emails, but keep your private key secure.
Important
If you're using a cloud provider, like Microsoft 365 Outlook with an Exchange Online account, you need an S/MIME certificate from a trusted certificate authority (CA), such as Let's Encrypt. Self-signed certificates won't work with cloud providers.
While the process to configure S/MIME should be similar for other providers, Jitterbit has validated S/MIME only with Microsoft Outlook.
Step-by-step instructions
These instructions use OpenSSL, though other tools can also create certificates. If using Windows, run your command prompt as administrator.
Step 1: Create an OpenSSL configuration file
Skip this step if your OpenSSL distribution already includes a default configuration file with the necessary extensions. When you run the openssl.exe file (from the OpenSSL installation directory), you'll see a warning if no configuration file exists.
If needed, create a file named smime.cnf with this configuration:
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[v3_ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
[smime]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = email:copy
Next, set the OPENSSL_CONF environment variable to the path of this configuration file. In a terminal, enter the command for your platform (the Linux path below is a placeholder; use the path where you saved smime.cnf):
Windows:
set OPENSSL_CONF=c:/openssl/smime.cnf
Linux or macOS:
export OPENSSL_CONF=/path/to/smime.cnf
Step 2: Generate an RSA private key for the certificate authority
Run the command for your platform to generate an RSA private key for the certificate authority:
Windows:
openssl genrsa -aes256 -out ca.key 4096
Linux or macOS:
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out ca.key
In both examples, the options specify that the key is 4096 bits long, is encrypted with the aes256 cipher, and is written to a file named ca.key.
You will be prompted to create a passphrase for this key. Retain this passphrase for use in Step 3.
Step 3: Create a self-signed certificate for the certificate authority
Run this command (the same on Windows, Linux, and macOS) to create a self-signed certificate:
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -extensions v3_ca
The example above specifies that the generated certificate is valid for 10 years and uses the private key created in Step 2. The -x509 option specifies that it's a self-signed certificate. The command writes the certificate to a file named ca.crt.
Note
If your OpenSSL distribution already has a proper configuration file (you skipped Step 1), remove the -extensions v3_ca parameter from this command.
Follow the prompts, entering the passphrase from Step 2. This creates your certificate authority.
Step 4: Generate a private key for the personal email certificate
Run the command for your platform to create a new private key for your personal certificate:
Windows:
openssl genrsa -aes256 -out personal.key 4096
Linux or macOS:
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out personal.key
Enter a new passphrase (different from the one in Step 2). Retain this passphrase for Step 5.
Note
You can use cryptographic algorithms other than RSA, such as ECC.
Step 5: Create the certificate signing request
Run this command (the same on Windows, Linux, and macOS) to create the certificate signing request:
openssl req -new -key personal.key -out personal.csr
Enter the passphrase you created in Step 4. When prompted for a "Common Name," use a different name than you used in Step 3 (a certificate whose subject matches its issuer's name is treated as self-signed).
Step 6: Sign the certificate using the certificate authority
Run the command for your platform to sign the certificate (using the configuration file from Step 1, so that the smime extensions are added to the issued certificate; the Linux path below is a placeholder for wherever you saved smime.cnf):
Windows:
openssl x509 -req -days 3650 -in personal.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out personal.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extfile c:\openssl\smime.cnf -extensions smime
Linux or macOS:
openssl x509 -req -days 3650 -in personal.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out personal.crt -sha256 -extfile /path/to/smime.cnf -extensions smime
When prompted, enter the passphrase for the certificate authority private key from Step 2.
Note
If your OpenSSL distribution already has a proper configuration file (you skipped Step 1), remove the -extfile and -extensions arguments from the command. Make sure the required extensions exist in your default configuration file.
Step 7: Create a PKCS#12 archive file
Run the command for your platform to generate a PKCS#12 archive containing your private key and certificate:
Windows:
openssl pkcs12 -export -in personal.crt -inkey personal.key -out personal.p12
Linux or macOS:
openssl pkcs12 -inkey personal.key -in personal.crt -export -out personal.pfx
When prompted, enter the passphrase associated with your personal private key created in Step 4. Create another passphrase, which will be used when importing the .p12 file into an email client. Retain this second passphrase, as you need it when enabling S/MIME encryption in either the Read Email or Send Email activities.
Warning
Never share your private key with anyone. Others need your public key to send you encrypted emails, but only you should have your private key.
Step 8: Import the certificate to an agent path
Move the .p12 or .pfx file created in Step 7 to an agent-visible path (for example, the Resources folder). Then import the certificate to the Java default truststore (see Add certificates for instructions).
Note
When importing the certificate to the default truststore, retain the alias you use to identify it, as you will need it when enabling S/MIME encryption in either the Read Email or Send Email activities.
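Steps 1 through 7 above, scripted non-interactively and followed by the checks a mail client applies to the result (chain, extended key usage, subject alternative name, PKCS#12 readability). This is an added example, not Jitterbit's or OpenSSL's own code; the passphrases, names, email address and scratch directory are constructed, and the keys are 2048 bits here only to keep the run short.

```shell
# Added example: Steps 1-7 of the page, automated; all passphrases/names/paths are constructed.
set -eu
make_smime_pair() (
  dir="$1"; mkdir -p "$dir"; cd "$dir"
  # Step 1: configuration with the [v3_ca] and [smime] sections from the page
  cat > smime.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
[smime]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = email:copy
EOF
  # Steps 2-3: passphrase-protected CA key (2048 bits for speed; the page uses 4096) and self-signed CA cert
  openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pass pass:capass -out ca.key
  openssl req -new -x509 -days 3650 -key ca.key -passin pass:capass -config smime.cnf \
    -extensions v3_ca -subj "/CN=Example Mail CA" -out ca.crt
  # Steps 4-5: personal key and CSR; the subject must differ from the CA's
  openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pass pass:keypass -out personal.key
  openssl req -new -key personal.key -passin pass:keypass -config smime.cnf \
    -subj "/CN=Alice Example/emailAddress=alice@example.com" -out personal.csr
  # Step 6: the CA signs the CSR, applying the [smime] extensions (CA:FALSE, EKU, SAN)
  openssl x509 -req -days 3650 -in personal.csr -CA ca.crt -CAkey ca.key -passin pass:capass \
    -set_serial 1 -sha256 -extfile smime.cnf -extensions smime -out personal.crt
  # Step 7: bundle the private key and certificate into a PKCS#12 file with its own passphrase
  openssl pkcs12 -export -in personal.crt -inkey personal.key -passin pass:keypass \
    -passout pass:p12pass -out personal.p12
)
# Checks: chain verifies against the CA, EKU is E-mail Protection, SAN has the address, .p12 opens
check_smime_cert() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/personal.crt" >/dev/null || return 1
  text=$(openssl x509 -in "$dir/personal.crt" -noout -text)
  echo "$text" | grep -q 'E-mail Protection' || return 1
  echo "$text" | grep -q 'email:alice@example.com' || return 1
  openssl pkcs12 -in "$dir/personal.p12" -passin pass:p12pass -nokeys | grep -q 'BEGIN CERTIFICATE'
}
out="${1:-$(mktemp -d)}"
make_smime_pair "$out" && check_smime_cert "$out" && echo "S/MIME certificate in $out verified"
```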
Next steps
Now that your self-signed S/MIME certificate has been created, it can be used to sign or sign and encrypt your emails, and to read emails that were signed or encrypted. By providing your public key to a sender, you can receive encrypted emails from them. Once a recipient provides you with their public key, you can send them an encrypted email as well.