Digital Signatures for Email

Digital signatures can be attached to your outgoing email messages as proof that they came from you and not from a spammer or phisher. They also assure that the message was not altered in transit. Additionally, they can be used to encrypt messages, but that requires that both parties have certificates and that they have shared each other's public keys, so that should only be done for people who you know and for whom you have done the necessary steps.

When you send a signed email message, the recipient will see an envelope with a red wax seal on it, or a red ribbon, depending on the email client (Outlook or Thunderbird). Similarly, you will see one of those symbols when you view a signed email from another person, usually with the headings (From, Subject, To, etc.).

The digital signature you receive in the following steps can also be used to sign documents, but they have to be formatted for that. Instructions are forthcoming.

Applying for a Digital Certificate

The first step is to apply for a digital certificate. Here is the process:

Submitting a Digital Certificate Request

  1. Go to the following link: https://email.buffalo.edu/cgi-bin/ClientCert.pl. Clicking on this link will require you to enter your UB credentials before it goes to the form to apply for a certificate.
  2. In the "Certificate lifetime" box, click the "2 years" button.
  3. Click the "Submit" button.

Obtaining Your Digital Certificate

Within a day, you will receive an email message with a link - visit that page If you do not receive the email please check your Junk Email folder. On that page you will find:

The PIN code:The password used when importing the certificate into an email client.
The Passphrase:Used when you access InCommon's web portal to make changes to your certificate

Click the "Submit" button and your certificate will be emailed to you. Do not delay between entering your PIN and password and submitting the form, or you may run into issues as the site will time out.

The email attachment will be a file with a name in the format "ubitname_buffalo_edu.p12".

SAVE THE PIN CODE, PASSPHRASE, AND ATTACHMENT IN A SAFE PLACE! You will need them again.

Configuring Signed Emails in Microsoft Outlook on a Microsoft Windows PC

Importing Your Certificate File into Windows

You need to import your certificate into Microsoft Windows before you can use it in Microsoft Outlook.

  1. Browse to the folder where you saved the "*.p12" file from the previous section.
  2. Right click on the "*.p12" file and select "Install PFX" from the options.
  3. From the "Certificate Import Wizard", choose the following options:
    1. On the "Store Location" screen, select "Current User" and click Next.
    2. On the "File to Import" screen, verify that the file name/location listed is correct and click Next.
    3. On the "Private key protection" screen, make the following changes:
      1. For your "Password", enter the PIN that you set earlier.
      2. Check the box entitled "Mark this key as exportable".
      3. Leave all of the other options as defaults and click Next.
    4. On the "Certificate Store" screen, keep the default "Automatically select" action and click Next.
    5. On the "Completing" screen, verify the options and click Finish.
  4. When prompted that "The Import was successful", click OK to finish the import process.

Configuring Microsoft Outlook

  1. Open Microsoft Outlook.
  2. Click the "File" tab and select "Options" from the choices in the left pane.
  3. In the left pane of the "Outlook Options" window, click on "Trust Center".
  4. In the right pane of the "Trust Center" menu, click on the "Trust Center Settings" button.
  5. In the left pane of the "Trust Center" window, click on "Email Security".
  6. In the right pane of the "Email Security" menu, complete the following steps:
    • Under the "Encrypted email" heading:
      1. Check the box entitled "Add digital signature to outgoing messages".
      2. Do NOT uncheck "Send clear text signed message when sending signed messages" (necessary so that people without digital signature capabilities can still read your messages).
      3. To the right of "Default Setting:", click the "Settings" button.
      4. In the "Change Security Settings" window, verify that your certificate is selected under "Security Settings Name" (will be named something like "My S/MIME Settings (ubitname@buffalo.edu)") and click OK (this will close this window).
      5. Change the drop-down menu option to the right of "Default Setting:" to the certificate from the previous step (if not listed).
    • Under the "Digital IDs (Certificates)" heading, click the "Publish to GAL" button to add your public certificate in the Global Address List (GAL) so that other people can send you encrypted messages.
  7. Click OK to close the "Trust Center" window and the "Outlook Options" window.
  8. Send a test email to yourself. The header bar for the incoming message should have a picture of a red ribbon. If you click on it, it should say "Digital Signature Valid".

Configuring Signed Emails in Outlook or Entourage on a Macintosh

Importing Your Certificate File into the Mac Keychain

You need to import your certificate into Keychain before you can use it in Outlook or Entourage on your Macintosh.

Directions can be found on this page: https://knowledge.digicert.com/solution/SO5181.html.

Configuring Outlook or Entourage on a Macintosh

Directions can be found on this page: https://knowledge.digicert.com/solution/SO6722.html.

Configuring Signed Emails in Mozilla Thunderbird (Microsoft Windows, Apple macOS, or Linux)

  1. From the "Tools" menu (Windows or macOS) or the "Edit" menu (Linux), launch "Account Settings".
  2. Click on the account settings for your UB Exchange email account.
  3. In the lower right corner, click "Manage Identities...".
  4. Edit your default identity.
  5. Click on the "End-To-End Encryption" tab.
  6. Click on "Manage S/MIME Certificates".
  7. Click the "Your Certificates" tab.
  8. Import the certificate file you received from InCommon. Click "OK" when done.
  9. Under "Personal certificate for digital signing", click "Select...".
  10. Choose the certificate you just entered.
  11. Answer "Yes" if you want this certificate to also be used for encryption (you probably do).
  12. Check the box "Sign unencrypted messages".
  13. Unless you know that everyone you send email to also has a certificate, you should not require encryption. Leave the default set to "Disable encryption for new messages" for now.
  14. Click "OK", "Close", and "OK" to back out of the dialog boxes.

Now, try sending an email to yourself. The header bar for the incoming message should have a picture of an envelope with a red wax seal on it. If you click on it, it should say "Message is Signed". That's it!

Signing Emails in the Outlook Web App (Exchowa)

Signing emails in the Outlook Web App (OWA), often referred to as "Exchowa", requires not only an ActiveX control on a Windows system but also a web browser that understands how to use it. Chrome, Firefox and Safari are not supported at this time and we have been unable to get it to work with Microsoft Edge so the only option is Microsoft Internet Explorer in Windows. You can still read messages that are signed by others but will NOT be able to sign messages yourself or read encrypted messages without this option.

Stop here if you're NOT using Internet Explorer on a Windows system.

Follow the instructions in the section "Importing Your Certificate File into Windows", shown above, to import the certificate file you obtained in the first section.

To install the "S/MIME" ActiveX control, send yourself a signed message from another client and open it in the web app. You will get a message that says: 

S/MIME isn't supported in this view. To view this message in a new window, click here.

Click, and another window will open. You will see the message plus this at the top: 

This message has a digital signature, but it wasn't verified because the S/MIME control
isn't installed. To install S/MIME, click here.

Click, and download "owasmime.msi". Close IE if you have it open, run the MSI file, and start IE. You should then be able to use the "S/MIME" features. Go back to the message you viewed earlier and it should now say the digital signature is valid and trusted.

Now that you've done that, you can set up your certificate. Click on the gear icon in the top right and select "S/MIME" settings. Click the box next to "Add a digital signature to all messages I send".

Send yourself a test message to verify it's working properly.