Welcome to the Office Mac Help Site About | Blog | Links | Glossary | Feedback | Downloads | Help

Using Digital Signatures

(Getting started with S/MIME)

This is an archived page. Many links are no longer active.

Step One: Read the Guide-takes you step-by-step through the process of getting S/MIME setup and working correctly in Entourage

Step Two: For more in-depth information:

  1. Learn about -Digital Signatures | Encryption
  2. Beginner's resources to cryptography what certificates are, what are they used for, how encryption and decryption work, etc.), and links to more in-depth information on cryptographic technologies.

Step Three: Setup S/MIME in Entourage

  1. Creating a Digital ID Requesting a Public Certificate | Exporting your new digital ID from other apps (if necessary) | Obtain Thawte Certificate using Safari | Obtain Thawte Certificate using Mozilla browser on a Mac
  2. Importing your new digital ID Into your personal keychain
  3. Set up Accounts Configure Entourage to use digital ID
  4. Distribute your certificate
  5. Obtain other people's public certificates
  6. For each contact, import the root certificate that signed their certificate (if necessary)

Step Four: Send Messages

  1. Send digitally signed messages
  2. Send encrypted messages
  3. Troubleshoot problems


This guide aims to take you step-by-step through the process of getting S/MIME setup and working correctly in Entourage. We start with a broad overview of what S/MIME is and how it works, and then move into the specifics of getting things configured properly for your own system. Since S/MIME can be confusing for people new to the concepts, this guide was written with the idea that more information is better than less. If you're already familiar with any of the concepts detailed here, you're encouraged to skip around to other sections you may find more useful. Though not required to understand this document, it's recommended you have at least a very basic understanding of public key encryption.

What is S/MIME and why do I need it?

Generally speaking, S/MIME is composed of a set of protocols based on X.509 digital certificates that simply allows people to send digitally signed, encrypted, or digitally signed+encrypted messages to others. Simple enough, but what does this mean, exactly?

How does S/MIME work, in general?

It helps to see an overall picture of the S/MIME process in action before actually trying to use it. The following is a quick rundown of the S/MIME process as you'll see in most clients. Specific Entourage/Apple terminology is used in this section to make things clearer, but the concepts and procedures would apply just about the same on any other S/MIME compliant client/platform.

To use S/MIME, you first need two digital IDs one for digitally signing messages, and one for encrypting messages. (The term digital ID is used in this document to refer to your private key plus the corresponding public-key certificate.) You obtain these IDs from a certifying authority such as Thawte, Verisign, or your company. In general, you will find these two IDs combined as one digital ID that is authorized for both signing and for encrypting. This simplifies things a little, however you should keep in mind that it is possible, and not uncommon, for people to have different certificates for signing and encrypting.

After you receive your ID from the CA, you import it into your personal keychain using the MS Cert Manager app in the Office folder. Then whenever you setup an email account in Entourage, you have the option of associating a particular certificate/digital ID with it (the choices are pulled from all those stored in your personal keychain). You choose one identity for encrypting messages and one for signing (again, these are often combined into the same certificate, so in this case, you just choose the same identity for both).

The actual 'security' process works as follows: you send someone a digitally signed message, making sure to "include your certificate" (this is an option in the Account preferences -> Security tab of all accounts, and should be checked by default). Notice that there's nothing you need from a person in order to send them a signed message...with digital signatures, you can randomly initiate communication with anyone you want, just like with any other email. When the recipient receives your signed email, they will now have a copy of your encryption certificate. They simply need to view the security details of the message, and click to "Add you to Contacts". Once this is done, they have associated your encryption certificate with your contact info in their address book, meaning they can now send you encrypted messages whenever they want. Sending signed messages is a common way of distributing one's certificates.

You, however, can NOT send them encrypted messages until you get a copy of THEIR encryption certificate as well. Unlike digital signatures, with encryption, you cannot randomly initiate communication. You must first have a copy of their encryption certificate and associate it with their contact information in your address book. Therefore, they should first send you a digitally signed message and choose to "include their certificate" with that message. When you receive their message, view the security details of the message, and click on "Add to Contacts." Entourage will then store the associated encryption certificate with the rest of their email and contact info. Now you can both send each other encrypted messages whenever you want.

Note that it is not strictly necessary to send a digitally signed message in order to distribute ones certificate. Entourage also supports certificate retrieval through LDAP, and direct import of a certificate into your address book (should you receive it as an email attachment, from a web site, or through some other means). More information on these ways can be found below.

How do I setup S/MIME in Entourage?

Setting up your email client to use S/MIME is not difficult, however it can be confusing and cause many errors if not done correctly. Hopefully this document will guide you step-by-step through the process of requesting your own personal certificate, installing your certificate, distributing your certificate to others, importing other people's certificates into your address book, and finally, using your certificates to send and read secured messages sent by and to you. The process basically breaks down to these steps (steps listed in green may be optional depending on your situation):

  1. Get a digital ID for yourself (this is your private key plus your public key certificate)
  2. Import the root certificate(s) that signed your certificate (only necessary if you got your certificate from a non-standard certificate authority)
  3. Setup your email account(s) to use your new digital ID
  4. Distribute your certificate so others can send you encrypted messages (several ways this can be achieved, including LDAP or sending them a digitally signed message)
  5. Obtain other people's public certificates (also several ways this can be achieved, including LDAP or having them send you a digitally signed message)
  6. For each contact, import the root certificate that signed their certificate (only necessary if your contact got their certificate from a non-standard certificate authority)