From: Floyd Resler on
This is kind of both on and off topic. I need to send encrypted email. I have found code to do this but I'm not sure which certificate file to use. Can I use our server's signed certificate we use for Apache? Does anyone know of a clear, step-by-step tutorial?

Thanks!
Floyd

From: Nathan Rixham on
Floyd Resler wrote:
> I need to send encrypted email. Can I use our server's signed certificate we use for Apache?

Yes, you can use the server's certificate; you can use any X.509
certificate you like. However, I'd recommend checking out startssl.org,
who will give you a free S/MIME certificate.

Note:
Each certificate has codes embedded which state what you can use
said certificate for. Although it's technically possible to use almost
any certificate for anything, it's best to use one which has the correct
flags set.

Best,

Nathan
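The "codes embedded" Nathan refers to are the keyUsage and extendedKeyUsage (EKU) extensions. The script below is an added example and not code from the thread: it constructs three self-signed test certificates with openssl (an Apache-style one with EKU serverAuth, a mail one with EKU emailProtection, and one with neither extension) and asks `openssl x509 -purpose` whether each would be accepted as an S/MIME encryption certificate. The names, subjects and temp directory are assumptions for the demo, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the keyUsage / extendedKeyUsage
# "codes" out of X.509 certificates and asks OpenSSL whether each would be
# accepted as an S/MIME encryption certificate. The three certificates are
# constructed here; names and the temp directory are assumptions.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME [EXT ...]: self-signed RSA certificate $WORK/NAME.pem with
# the given -addext values (e.g. "extendedKeyUsage=serverAuth").
# Needs OpenSSL 1.1.1+ for -addext.
make_cert() {
    name="$1"; shift
    exts=""
    for e in "$@"; do exts="$exts -addext $e"; done
    # $exts is word-split on purpose; the values contain no whitespace
    # shellcheck disable=SC2086
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$name/emailAddress=$name@example.invalid" \
        -keyout "$WORK/$name-key.pem" -out "$WORK/$name.pem" $exts 2>/dev/null
}

# eku CERT: the extendedKeyUsage value as OpenSSL prints it, or nothing if
# the certificate carries no such extension.
eku() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;s/^[[:space:]]*//;p;}'
}

# smime_encrypt_ok CERT: true if OpenSSL's purpose check accepts CERT as an
# S/MIME *encryption* certificate, i.e. any EKU present includes
# emailProtection and any keyUsage present includes keyEncipherment.
smime_encrypt_ok() {
    openssl x509 -in "$1" -noout -purpose | grep -qx 'S/MIME encryption : Yes'
}

# A typical Apache/TLS certificate: EKU restricted to serverAuth.
make_cert www   "keyUsage=digitalSignature,keyEncipherment" "extendedKeyUsage=serverAuth"
# A certificate issued for mail: EKU emailProtection.
make_cert alice "keyUsage=digitalSignature,keyEncipherment" "extendedKeyUsage=emailProtection"
# No usage extensions at all: nothing restricts it, which is the
# "technically possible to use almost any certificate" case.
make_cert bare

for c in www alice bare; do
    e="$(eku "$WORK/$c.pem")"
    if smime_encrypt_ok "$WORK/$c.pem"; then v="usable"; else v="NOT usable"; fi
    printf '%-6s EKU: %-32s S/MIME encryption: %s\n' "$c" "${e:-none}" "$v"
done
```

The `www` certificate is rejected only because its EKU says serverAuth and nothing else; the `bare` one passes because there is nothing to reject, which is exactly why a certificate with the right flags is preferable: a mail client that honours EKU will refuse the web server's certificate, while a certificate with no flags at all is silently accepted for everything.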
From: "Erik L. Arneson" on
On Thu, 16 Sep 2010, Nathan Rixham wrote:
> Floyd Resler wrote:
>> I need to send encrypted email. Can I use our server's signed certificate we use for Apache?
>
> Yes you can use the servers certificate, you can use any x509
> certificate you like - however, I'd recommend checking out
> startssl.org who will give you a free smime certificate.

But that is probably just for *signing* the email. If you'd like to
encrypt email, you will need a public key or shared secret from the
email recipient.

--
Erik Arneson <dybbuk(a)LNouv.com>
GPG Key ID : 1024D/62DA1D25 BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
Office : +1.541.291.9776 Skype : callto://pymander
http://www.leisurenouveau.com/

From: Floyd Resler on

On Sep 21, 2010, at 1:00 AM, Erik L. Arneson wrote:

> On Thu, 16 Sep 2010, Nathan Rixham wrote:
>> Floyd Resler wrote:
>>> I need to send encrypted email. Can I use our server's signed certificate we use for Apache?
>>
>> Yes you can use the servers certificate, you can use any x509
>> certificate you like - however, I'd recommend checking out
>> startssl.org who will give you a free smime certificate.
>
> But that is probably just for *signing* the email. If you'd like to
> encrypt email, you will need a public key or shared secret from the
> email recipient.

I got it all figured out. The part I was missing was combining the certificate with the key and giving it to the end-user to install on their system. I was able to use the Web server's certificate for the encryption. The interesting thing is that the client wants ALL passwords sent via encrypted email. Of course, they need the P12 file installed in order to view the email and that requires a password to install it. So, obviously, I can't send that password encrypted. So, my solution is to provide a Web page that the user gets to by an emailed link that has a unique identifier and the user must enter a piece of personal information for verification (in this case, ZIP code). Once verified, they are shown the password on the page. That's the only way I can think of to do it. Is that a good solution or does someone have a better way?

Thanks!
Floyd


From: "Erik L. Arneson" on
On Tue, 21 Sep 2010, Floyd Resler wrote:
> I got it all figured out. The part I was missing was combining the
> certificate with the key and giving it to the end-user to install on
> their system. I was able to use the Web server's certificate for the
> encryption. The interesting thing is that the client wants ALL
> passwords sent via encrypted email. Of course, they need the P12 file
> installed in order to view the email and that requires a password to
> install it.

Wait, you didn't send the webserver's certificate to the user, did you?
That's a bad idea. The email recipient should have her own certificate,
which has both a private and a public part.

The webserver's certificate (presumably the one you have signed by the
CA), especially the private key, needs to be kept *private*, and not
sent all over the place. Using the same private/public key pair on both
endpoints defeats the purpose of PKI. You would be better off using
plain old symmetric encryption.

> So, obviously, I can't send that password encrypted. So, my solution
> is to provide a Web page that the user gets to by an emailed link that
> has a unique identifier and the user must enter a piece of personal
> information for verification (in this case, ZIP code). Once verified,
> they are shown the password on the page. That's the only way I can
> think of to do it. Is that a good solution or does someone have a
> better way?

I'm sure there are some good products out there to handle this.
Personally, for email encryption I always prefer the OpenPGP family of
tools (including GnuPG and commercial PGP). End-users can install PGP
on their systems, generate public keys, and then send them to the
webserver. No passwords need to be handed out---they will come up with
their own passphrases when they generate their public/private key pairs.

--
Erik Arneson <dybbuk(a)LNouv.com>
GPG Key ID : 1024D/62DA1D25 BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
Office : +1.541.291.9776 Skype : callto://pymander
http://www.leisurenouveau.com/
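The flow Erik describes in both replies (the recipient needs her own key pair, and the web server's private key never leaves the server), with the P12 step from Floyd's post done on the recipient's machine so that no install password has to be mailed, as an added example that is not code from the thread. It uses openssl's S/MIME commands rather than PHP: Alice generates her own key and certificate and bundles them into a PKCS#12 file with a passphrase she picked; only her certificate is copied to the sender; the sender encrypts a constructed message to it; decryption is then tried with Alice's key and with an unrelated web-server key. Directory layout, names, passphrase and message text are assumptions for the demo, and the self-signed certificate stands in for one a CA would issue from Alice's CSR.

```shell
#!/bin/sh
# Added example (not from the thread). Each party has its own key pair: the
# recipient's private key never leaves her machine, the web server's private
# key never leaves the server, and only the recipient's certificate (public
# part) travels to the sender. Names, paths and the message are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/recipient" "$WORK/sender" "$WORK/webserver"

# gen_keypair DIR NAME EKU: private key DIR/NAME-key.pem and a self-signed
# certificate DIR/NAME-cert.pem carrying the given extendedKeyUsage.
# Self-signed stands in for a CA-issued certificate; with a CA, NAME would
# send a CSR and the private key would still never leave DIR.
gen_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "extendedKeyUsage=$3" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -keyout "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null
}

# encrypt_to CERT IN OUT: S/MIME-encrypt IN so that only the holder of the
# private key matching CERT can read it.
encrypt_to() {
    openssl smime -encrypt -binary -aes256 -in "$2" -out "$3" "$1"
}

# decrypt_with CERT KEY IN OUT: decrypt IN as the holder of CERT/KEY.
# Fails (non-zero) when CERT is not among the message's recipients.
decrypt_with() {
    openssl smime -decrypt -in "$3" -out "$4" -recip "$1" -inkey "$2" 2>/dev/null
}

# recovered_message: what the recipient read back.
recovered_message() { cat "$WORK/recipient/message.txt"; }

# 1. Recipient: own key pair, plus the PKCS#12 bundle from Floyd's post,
#    built locally with a passphrase the recipient chose. Nothing is mailed.
gen_keypair "$WORK/recipient" alice emailProtection
openssl pkcs12 -export -in "$WORK/recipient/alice-cert.pem" \
    -inkey "$WORK/recipient/alice-key.pem" \
    -out "$WORK/recipient/alice.p12" -passout pass:chosen-by-alice

# 2. Web server: its own TLS key pair, unrelated to mail, stays put.
gen_keypair "$WORK/webserver" www serverAuth

# 3. Only the recipient's certificate is given to the sender.
cp "$WORK/recipient/alice-cert.pem" "$WORK/sender/"

# 4. Sender encrypts a (constructed) message to that certificate.
printf 'Your new password is: correct-horse-battery-staple\n' > "$WORK/sender/message.txt"
encrypt_to "$WORK/sender/alice-cert.pem" "$WORK/sender/message.txt" "$WORK/sender/message.p7m"

# 5. The recipient's key opens it; the web server's does not.
decrypt_with "$WORK/recipient/alice-cert.pem" "$WORK/recipient/alice-key.pem" \
    "$WORK/sender/message.p7m" "$WORK/recipient/message.txt"
echo "recipient read: $(recovered_message)"
if decrypt_with "$WORK/webserver/www-cert.pem" "$WORK/webserver/www-key.pem" \
    "$WORK/sender/message.p7m" "$WORK/webserver/leak.txt"; then
    echo "BUG: web server key decrypted the mail"; exit 1
else
    echo "web server key cannot decrypt it (expected)"
fi
```

The sender's side never sees a private key or a password: it holds only `alice-cert.pem`, which is safe to publish. Had the web server's key pair been handed to every recipient instead, step 5 would succeed for anyone holding that P12, and the protection would reduce to the P12 install password, which is the very thing Floyd found he could not deliver securely.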