Microsoft Outlook and e-mail safety

22. February 2023
Signing + Encryption of e-mails with certificates

Author: Kevin Krammer

Version 2.1 / 3rd of February 2023
http://www.globaltrust.eu/static/outlook-anleitung-en.pdf

1 Basics

1.1 Goals of this document

This tutorial is optimized for the installation and use of certificates with Microsoft Outlook 2016 for signing
and encryption of e-mails:

→ 2 Short version installation of the certificate Outlook 2016

→ 3 Set up the certificate (E-Mail Security) in OUTLOOK 2016

→ 4 Use GLOBALTRUST certificates in Outlook 2016

 

Additional Information:

  • Set up the GLOBALTRUST LDAP server ldap.globaltrust.eu (→ 5 Use GLOBALTRUST LDAP-Server
    ldap.globaltrust.eu)
  • Setting up an Outlook 2016 account if the login name and email address of the mail server are different (→
    6 Set up Outlook 2016 – E-Mail-Account)
  • Troubleshooting Outlook 2016 (→ 7 Troubleshooting Outlook 2016)
  • Information about the older Outlook versions (→ 8 Previous Outlook Version)

Hint:
This guide was created for Microsoft Windows. This guide has not been tested for Outlook on Mac OS. The
screenshots used are to be understood as symbol images and may be different from your specific installation due
to language variants, patch versions and other special features.

The e-mail addresses and personal designations used can vary between the different screenshots.

1.2 Definitions and shortcuts

CA (Certificate Authority)
Certificate authorized to issue other certificates. A distinction is made between top certificates (RootCAs) and
intermediate certificates (SubCAs). In order for an end customer certificate to be recognized as genuine, the
certificate chain between a RootCA and the end customer certificate must be closed.

eIDAS-regulation
EU legal framework that regulates the use of certificates within the EU. GLOBALTRUST is an eIDAS-compliant
provider (https://webgate.ec.europa.eu/tl-browser/#/tl/AT/4)

LDAP
Public certificate directory service

PKCS#12-File
The file containing the user certificate, the private key and all necessary CA certificates, mostly with the
extension .p12 or .pfx

Ribbon
Menu bar in Microsoft Office products from version 2007

1.3 Changelog

1.3.1 V1.1 Original version

Editorial deadline: 21. May 2015

1.3.2 V2.0 Version for Outlook 2016

Major changes

– Documentation of Outlook 2016

– Installation of the LDAP-Server

– Information about certificate troubleshooting

Editorial deadline: 3. March 2020

1.3.3 Version 2.1 Microsoft security administration supplement

Major changes

– Description of the “Trusted Publishers” settings

Editorial deadline: 3rd of February 2023

2 Short version installation of the certificate Outlook 2016

This summary is intended for users who already have experience with installing and using certificates and only
covers the essential steps (without explanation).

Install certificate:

  • Download the PKCS#12 file from GLOBALTRUST and install it in the Windows certificate manager with a
    double-click
  • In the Outlook options select the settings for the trust center
  • Under „E-Mail-Safety“ at „Encrypted E-Mail-Messages“ choose “Settings…”
  • Select signature and encryption certificate, and switch the hash algorithm to “SHA256”.

Sign/Encrypt:

  • Create a new message.
  • Show options ribbon
  • Press the Sign or Encrypt button → Send
  • A certificate from the recipient is required to encrypt a message. (→ 4.3 Send e-mail encrypted)

3 Set up the certificate (E-Mail Security) in OUTLOOK 2016

This documentation requires an existing Outlook 2016 account with exactly the email address that is entered in
the certificate.

If you do not yet have an Outlook account, please contact your workstation or computer supervisor. For users of
mail accounts that are not managed by Microsoft or Google, the section → 6 Set up Outlook 2016 –
E-Mail-Account (p39) provides an installation guide (using the example of the GLOBALTRUST mail server).

Hint!
This section describes how to set up a software certificate. If you are using certificates on a smart card or
token, please contact GLOBALTRUST.

3.1 Obtaining the PKCS#12-file

Depending on the agreement with GLOBALTRUST and its partners, there are different methods of delivering the
PKCS12 file.

The most common method is to download the PKCS12 file from the GLOBALTRUST website (see the GLOBALTRUST documents
provided for the link).

Required data for the download:

  • Reference number (18 digits): will be sent by post or email
  • Activation password: was assigned by the customer when ordering (alphanumeric characters are allowed, no
    special characters)
  • a key password freely assigned by the customer: this password protects the PKCS12 file during transport and is
    required for installation in the certificate management

Download the PKCS12 file by double-clicking on the “pfx-format (PKCS#12-format)” link

The PKCS12 file must be stored in a suitable location for later installation in Outlook. All other download
options can be ignored in the case of Microsoft Outlook.

3.2 Installation PKCS#12-file in Outlook 2016

Open Outlook 2016 → File→

Settings →

Trust Center →

Settings for the Trust Center… →

E-Mail-Safety →

Import digital IDs (certificates)

Import/Export… →

Import file: the saved PKCS12 file is to be entered here

Password: the password that was assigned when downloading the PKCS12 file is to be entered here

Screen 8: Import menu for the PKCS12 file

OK →

Information dialog for the safety settings

Security level →

A medium security level is recommended, but “high” can also be selected for internal reasons. If you
are unsure, contact your IT manager.

Continue →

Finish →

OK →

 

The settings for the e-mail account must be configured so that the certificate can actually be used.

Trust Center → E-Mail-Account → Settings… →

  • Name of the security setting: Different certificates can be selected for each e-mail account. It is recommended
    to designate the name of the security setting with the assigned e-mail address.
  • Signature certificate: the desired one from the certificate store is to be selected; if only one is entered,
    only this can be selected
  • Hash algorithm: at least SHA256 must be entered (can only be entered after the signature certificate has been
    selected)
  • Encryption certificate: is usually identical to the signature certificate
  • Encryption algorithm: the proposed algorithm can be retained

 

Display by the signature certificate: → Choose… →

Depending on the number installed, either one certificate is displayed or the first certificate + the possibility
to choose different ones with options

select a suitable security certificate → OK →

OK →

optional configuration options

  • Request S/MIME confirmation: if this option is selected, the recipient will be asked for each email sent
    whether they should receive a verification confirmation
  • Add digital signature to outgoing messages: if this option is selected, EVERY e-mail will be signed by default,
    the annoying selection in individual cases is no longer necessary
  • Encrypt content and attachments for outgoing messages: if this option is selected, EVERY email will be
    encrypted by default. This option only makes sense if you have also entered the certificate of most e-mail
    recipients in the Outlook address book or can retrieve it using LDAP (→ 4.3.2 Case 2: Find recipients in
    LDAP-Server).

 

OK → OK finish →

Outlook is now configured to sign and encrypt emails.

4 Use GLOBALTRUST certificates in Outlook 2016

4.1 Send mail signed

Open Outlook 2016 →

New e-mail → type message as usual →

Screen 18: Outlook send e-mail

Options → choose sign →

(can also be preset → see optional configuration options)


Screen 19: Outlook 2016 Options menu

Send →


Screen 20: Confirmation of using the certificate

Allow →

Hint!
If sending of the e-mail fails, see → 7 Troubleshooting Outlook 2016

4.2 Check signed mail

Depending on the settings of the sender (→ look at optional configuration options, p14) this message could
show up:


Screen 21: S/MIME confirmation request

If the “Yes” option is selected, the sender will receive a notification of this type


Screen 22: Message based on S/MIME confirmation

Otherwise, the only difference between a signed e-mail and an unsigned one is this symbol

If a warning sign appears instead of the seal symbol, see → 7 Troubleshooting Outlook 2016


Screen 23: signed message (The signature symbol has been resized)

Hint!

The following section describes the various messages from Outlook about the certificate. As a rule, no detailed
check is required, but the recipient of a signed message can find out details about the validity of a signature
in this way.

Checking the sender

Double-click on the signature symbol →


Screen 24: Signature check I

Details… →


Screen 25: Signature check II

If “Signator” is chosen, you can read more advanced signature information

Signator → Show details → Tab “General” →


Screen 26: Signature check III

Tab “Details” →


Screen 27: Signature check IV

Details for the certificate

in the tab “General” → Show certificate… → Tab “General” →


Screen 28: Signature check V

Tab “Details” → Choose “Applicant” → indicates the person for whom the certificate
was issued

GLOBALTRUST takes the responsibility that the identity of this person is carefully checked


Screen 29: Signature check VI

 

Details on identity verification can be found in the following documents:

An overview of the GLOBALTRUST policy and the CAs used can be found at:

Tab “Certification path” →


Screen 30: Signature check VII

GLOBALTRUST uses 3 root certificates (RootCAs):

  • GLOBALTRUST 2006 (usually only as GLOBALTRUST) was designated and issued under the friendly name “Austrian
    Society for Data Protection GLOBALTRUST”
  • GLOBALTRUST 2015 with the Friendly Name “GLOBALTRUST 2015”
  • GLOBALTRUST 2020 with the Friendly Name “GLOBALTRUST 2020” (active since May 2020)

All GLOBALTRUST RootCAs comply with the requirements of the European eIDAS regulation.

Tab “Trust” →


Screen 31: Signature check VIII

Here the recipient has the option of “overwriting” the automatically suggested trust status of Outlook
2016. This can be useful if a certificate is displayed as untrustworthy although it is trustworthy according to
an individual check by the recipient or if a certificate is displayed as trustworthy even though the recipient
does not trust the sender (→ Section 7.1 Error messages and warnings)

Meaning of the settings:

  • Inherit Trust from Issuer (Basic): Outlook has found a complete chain of trust and therefore trusts the
    certificate
  • Explicitly Trust this Certificate: the user trusts the certificate, regardless of the result of the Outlook
    check
  • Explicitly Don’t Trust this Certificate: the user does NOT trust the certificate, regardless of the check
    result from Outlook

Trust certification authority… →


Screen 32: Signature check IX

show certification authority… →


Screen 33: Signature check X

 

4.3 Send encrypted e-mail

Possibilities of encrypting messages

  • Case 1: the intended recipient has sent a signed e-mail
  • Case 2: there is no communication with the recipient yet, but he is entered in the LDAP directory of a
    certification provider

4.3.1 Case 1: The intended recipient has sent a signed e-mail

In this case, the easiest way is to transfer the intended recipient to your own Outlook address book. The
signature certificate is also automatically adopted. This is used to encrypt the message.

Open signed e-mail → Right-click on sender →


Screen 34: signed e-mail

Add to Outlook contacts →


Screen 35: Overview of contact details of an e-mail recipient

Save →

(Optionally, the intended Outlook contact fields can be added)


Screen 36: Overview of contact details of an e-mail recipient II

Close (X) →

Then continue as with → Section 4.3.2 Case 2: Find recipients in LDAP-Server (p26), but with the difference that “Contacts (this computer only)” must be selected for the address book.

4.3.2 Case 2: Find recipients in LDAP-Server

 

 

Mails can be sent encrypted to recipients without prior communication if the recipient has a publicly viewable
certificate (requires → Section 5 Use GLOBALTRUST LDAP-Server ldap.globaltrust.eu p31)


Screen 37: Outlook 2016 main page

New e-mail → Open address book →

 


Screen 38: Outlook address book

in the field “address book” you have to choose the desired LDAP server!

If a search is frequently made in an LDAP server, then this should be ranked first → Section 5.3 Optional
customization of the Outlook address book (p37)

Advanced search →


Screen 39: search e-mail recipient

Enter the recipient you are looking for → OK →


Screen 40: List of the found recipients

pick desired recipient → Double click → OK →

type message as usual


Screen 41: write an e-mail

Options → choose encrypt (can also be preset → optional configuration options, p14)

 


Screen 42: Mail with the option own signature + encrypt with recipient’s key

Send →

Depending on the mail program, the message is automatically or not automatically decrypted by the authorized
recipient. Outlook 2016 decrypts automatically.


Screen 43: Message at the receiver

Details for encryption

Lock symbol → Double click → show details→


Screen 44: Detailed information about the encryption

Error message if encrypted information comes to the wrong recipient→

 


Screen 45: Outlook 2016 error message when trying to open an encrypted message intended for someone else

5 Use GLOBALTRUST LDAP-Server ldap.globaltrust.eu

With the help of the GLOBALTRUST LDAP server, the certificates of other e-mail users can also be downloaded.

5.1 Set up LDAP-Server ldap.globaltrust.eu

Hint!
This LDAP configuration is optimized for the GLOBALTRUST LDAP server. Only certificates and mail addresses issued
by GLOBALTRUST can be searched here. It may be necessary to install additional LDAP servers.

File →


Screen 46: Show account details

Account settings →


Screen 47: show account settings

Address books → New→


Screen 48: Address book selection

Internet directory service (LDAP) → Continue →


Screen 49: Standard configuration LDAP-Directory service

Enter GLOBALTRUST LDAP-Server: ldap.globaltrust.eu

More settings… → Tab “Connection” →


Screen 50: Connection options LDAP Server

type in port: 389 (= the IP port number)

change to the tab “Search” →


Screen 51: Search options LDAP Server

OK → Continue →

In order for the LDAP search to be activated, Outlook must be restarted


Screen 52: Restart Information Outlook

5.2 People search using LDAP-Server ldap.globaltrust.eu


Screen 53: Outlook main page

Hint!
The search in the Outlook main menu does not work for LDAP!

Open address book →


Screen 54: Address book

Best LDAP search results using advanced search

open link “Advanced search”→


Screen 55: LDAP-search mask

enter the person you are looking for in “Display name” → choose “contains”→ OK →

Search results:


Screen 56: List of addresses found (including certificates) in the LDAP server

Transfer e-mail address to local address book: Double-click on desired address→


Screen 57: Adoption of LDAP entry in the local address book

OK →
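
The same directory search can be scripted to inspect the certificate the LDAP server returns for a recipient before it is used for encryption. This is an added example, not part of the original GLOBALTRUST guide. Server, port 389 and the search base `c=at` are the values given in this guide; the function names and the attribute names `cn` and `userCertificate` are assumptions about the directory schema.

```powershell
# Added example (not from the original guide). Find-RecipientCertificate and
# ConvertTo-LdapFilterValue are hypothetical names; the attribute names cn and
# userCertificate;binary are assumptions about the directory schema.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    param([string] $Value)
    # Escape the RFC 4515 special characters so that the search term cannot
    # change the structure of the filter. The backslash must be replaced first.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').
           Replace(')', '\29').Replace("`0", '\00')
}

function Find-RecipientCertificate {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $Server     = 'ldap.globaltrust.eu',
        [int]    $Port       = 389,
        [string] $SearchBase = 'c=at'
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $Port
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = New-TimeSpan -Seconds 15

    try {
        $conn.Bind()

        # Equivalent of "Display name" + "contains" in the Outlook search mask.
        $filter = '(cn=*{0}*)' -f (ConvertTo-LdapFilterValue $DisplayName)
        $attrs  = [string[]]@('userCertificate;binary')
        $req    = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
                      $SearchBase, $filter, 'Subtree', $attrs
        $resp   = $conn.SendRequest($req)

        foreach ($entry in $resp.Entries) {
            # Servers differ in how they spell the returned attribute name.
            $name = $entry.Attributes.AttributeNames |
                    Where-Object { $_ -like 'usercertificate*' } |
                    Select-Object -First 1
            if (-not $name) { continue }

            foreach ($raw in $entry.Attributes[$name].GetValues([byte[]])) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)

                # This script does not use TLS on port 389, so the transport
                # proves nothing about the certificate. Trust comes from chain
                # validation and from comparing the thumbprint with the
                # recipient over another channel.
                [pscustomobject]@{
                    Entry      = $entry.DistinguishedName
                    Mail       = $cert.GetNameInfo('EmailName', $false)
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    ChainValid = $cert.Verify()
                }
            }
        }
    }
    finally {
        $conn.Dispose()
    }
}

# Example call (constructed search term):
# Find-RecipientCertificate -DisplayName 'Mustermann' | Format-List
```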

5.3 Optional customization of the Outlook address book

If an LDAP search is performed frequently, then the LDAP server should be pre-ranked (optional):

→ Extras → Settings… →


Screen 58: Address book


Screen 59: Define the order of the address search

6 Set up Outlook 2016 – E-Mail-Account

This section is optimized for the initial setup of an email account of a mail server where the login data on the
server is different from the email address.

If you use the mail server from Microsoft, Google, etc., refer to their installation guides.

Outlook 2016 offers two different products:

→ 6.1 Outlook 2016 “Standard”

→ 6.2 Outlook 2016 “Professional”

Depending on the Outlook product used, there are different installation procedures for your account. If you are
unsure which Outlook version you are using, contact your IT manager.

6.1 Outlook 2016 “Standard”

Start Outlook 2016 →


Screen 60: Entry screen Outlook 2016

Continue → START with the option “Use Outlook without an account”[1]


Screen 61: Set up Outlook without an account I

Continue → Choose the option “Use Outlook without an account” →


Screen 62: Set up Outlook without an account II

Finish →


Screen 63: Outlook 2016 main page

File →


Screen 64: Overview of Account information

Add account →


Screen 65: Set up an e-mail account

Choose “manual configuration or additional server types”
→ Continue →

 


Screen 66: Choose the e-mail server type

choose “POP or IMAP” →

Enter account settings according to the account with the e-mail provider (This information is made available to
you by the e-mail provider, usually an Internet service provider, a telecom provider or the IT department.)

Screen 67: Standard settings for your e-mail account

→ More options

→ Tab “General” (optional)

Screen 68: Internet e-mail settings in general

Tab “Outgoing mail server” →

Hint:

  • In order to prevent misuse as a relay and spam mail server, most SMTP servers only allow use by registered
    users (such as the e-monitoring.at mail server).
  • As a rule, the login data for incoming and outgoing servers are identical (such as with the mail server of
    e-monitoring.at).
  • As a rule, “The outgoing mail server (SMTP) requires authentication” must be selected.


Screen 69: Configuration of the SMTP-Server

Tab “Advanced” (optional) →

  • The port of the incoming mail server with IMAP is usually 143 (otherwise you have to contact your IT supervisor)
  • The port of the outgoing mail server is usually 25 for SMTP (otherwise you have to contact your IT supervisor)
  • You should set the server timeout higher than usual if you have a slow internet connection.

 


Screen 70: Advanced internet e-mail settings

OK → Continue →

Outlook then performs a mail server check. If it is OK:


Screen 71: Successful connection test to the mail server

Close →


Screen 72: Ending of adding account

→ Finish → afterwards the new account will be shown


Screen 73: The new account

6.2 Outlook 2016 “Professional”

The “Professional” version does not provide a direct option to set up an account with a different name;
you have to take the “detour” via the Control Panel instead.

Access the Control Panel via Windows search (e.g. Windows key on the keyboard)


Screen 74: Windows 10 system overview

“User accounts” →


Screen 75: Selection of user accounts

Mail (Microsoft Outlook 2016) (Version 32-bit or 64-bit) →


Screen 76: Overview of e-mail accounts

Add… →


Screen 77: Create a new account

OK →


Screen 78: Set up an e-mail account

The next steps are identical to section 6.1 Outlook 2016 “Standard”, starting from Choose “manual configuration or
additional server types” → (p42).

7 Troubleshooting Outlook 2016

GLOBALTRUST certificates are mature products and are recognized as legally valid throughout the EU. Nevertheless,
it can happen that incomprehensible messages appear when they are used in Outlook. Some (a few) of these messages
can be found in this section.

7.1 Error messages and warnings

7.1.1 Obviously missing the certificate

This error message will show up:


Screen 79: Outlook message about missing certificate

OK →


Screen 80: Warning invalid certificate

  • Make sure you have performed the installation steps correctly → Section 3 Set up the certificate (E-Mail
    Security) in OUTLOOK 2016 (p5)

If the error persists, it may be due to one of these points (list not exhaustive):

  • Your certificate has already expired (check certificate → Section 7.2.1 Check the duration of
    certificate)
  • Your certificate has been revoked (check revocation list → Section 7.2.2 Check revocation status)
  • There is an error in the certificate chain (e.g. the CAs were deleted by mistake or firewall settings in the
    company prevent Windows from automatically updating your certificate store) → Contact your IT manager

7.1.2 Certificate is not accepted by Microsoft for email signature

In principle, all GLOBALTRUST certificates contain an identifier for the signature (including the e-mail
signature). However, Microsoft products use their own security management to determine which certificate types are
permitted for which signature forms. For the e-mail signature, the signature flag “SMIME signature” or
“e-mail signature” must therefore be enabled.

This activation has been agreed upon with Microsoft for all GLOBALTRUST root certificates. However, it can happen that
in local installations, this activation (a) has been deactivated or (b) does not work as expected.

Messages similar to the following may appear:


Screen 81: Error message about the missing S/MIME feature

In this case, the Microsoft certificate management must be checked and corrected if necessary.

Call up the Microsoft certificate management using Internet Explorer → Extras → Internet options →

(alternative: using the control panel → Internet options →)


Screen 82: Microsoft certificate management

STEP 1: Check the root certificates in the certificate

Tab Contents→ Certificates → Trustworthy Root certificate authorities →


Screen 83: Microsoft certificate manager II

The root certificates from GLOBALTRUST must be entered here and at least “Secure e-mail” must be
displayed as “Intended purpose of the certificate”.

STEP 1a: Import Root certificate (only when you have missing certificates)

If the root certificate is missing, it can be installed later. Download locations for the root certificates:

Import… → Continue → Search… →


Screen 84: Import a root certificate

choose “Trusted Root Certification Authorities” → Continue →


Screen 85: Import a root certificate II

Continue → the import is done

 

STEP 2: CHECK ROOT CERTIFICATES IN TRUSTED PUBLISHERS

In addition to the general certificate management, Microsoft offers another certificate management for Office
products. All root certificates intended for applications that have not been automatically activated by
Microsoft should be entered here.

Tab Contents→ Contents → trusted publishers →


Screen 86: Microsoft certificate manager III

In the present case, the GLOBALTRUST 2020 certificate was released for all conceivable signature applications.

Hint!

This is only a Windows-specific release. The release only allows the use of a certificate if a specific property
is actually entered in the certificate.

The import of missing certificates works the same as in the case → STEP 1a: Import Root certificate (only
when you have missing certificates)

STEP 3: Check settings in Outlook Trust Center

Open Outlook 2016 → File→


Screen 87: Open Outlook 2016 file overview

Options →


Screen 88: Options overview

Trust Center →


Screen 89: Trust Center overview

Settings for the Trust Center… →


Screen 90: Trust Center overview II

Trusted publisher →


Screen 91: Trusted publisher overview

All root certificates that were entered in the previous step appear here →

Recommendation
GLOBALTRUST strongly recommends adding GLOBALTRUST root certificates to the list of trusted publishers. This
avoids future errors or unwanted Microsoft policy changes.

7.1.3 Incorrect certificate chain in an incoming e-mail

The following warning appears instead of the seal symbol:


Screen 92: Warning in a signed e-mail


Screen 93: Warning in a signed e-mail II


Screen 94: Warning in a signed e-mail III

The description of the signer contains the entry “The certificate used to create this signature is on a
valid certificate revocation list.” (Check revocation list → Section 7.2.2 Check revocation status,
p63)

7.2 Remediation steps

Usually, the GLOBALTRUST certificates are automatically and correctly recognized by Windows and all
Windows-enabled programs, and the runtime, revocation status and certificate chain are also correctly retrieved.

However, the following steps allow you to manually check whether Windows is correctly configured on your computer
and shows correct results.

7.2.1 Check the duration of the certificate

→ Control panel


Screen 95: Control panel overview

→ Network and internet


Screen 96: Network and internet overview

→ Internet options


Screen 97: Internet options overview

→ Contents → Certificates → Own Certificates


Screen 98: Own certificates overview

Choose the desired certificate with double click


Screen 99: Certificate basic information

The period of validity is shown under “Valid from”.

Hint!
At this point, it cannot be recognized whether the certificate has been revoked. A revocation does not change
the validity period in the certificate!

7.2.2 Check the revocation status

Certificate call identical to →Section 7.2.1 Check duration of certificate (p60)

Instead of the “General” tab, select the “Details” tab → Choose the entry “Block
List Distribution Points”


Screen 100: Details of the certificate block list distribution points

Mark the shown URL and copy it using the [Ctrl]-C key combination → enter it in any browser


Screen 101: Open the block list


Screen 102: Download the block list

→ Choose “Open with” → OK


Screen 103: General certificate block list

→ the tab “Block list” shows all blocked certificates from this CA


Screen 104: Certificate block list

7.2.3 Check certificate chain

Certificate call identical to → Section 7.2.1 Check duration of certificate (p60)

Instead of the tab “General” you have to choose the tab “Certification path”


Screen 105: Certification path

The certification path is OK if it has a closed chain with no warnings up to the RootCA.
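
The manual checks from 7.2.1 to 7.2.3, together with the “Secure e-mail” purpose check from 7.1.2, can also be run from PowerShell against the personal certificate store. This is an added example, not part of the original GLOBALTRUST guide; the function name is hypothetical and the e-mail address in the sample call is a placeholder.

```powershell
# Added example (not from the original guide). Test-SmimeCertificate is a
# hypothetical function name; pass the e-mail address from your certificate.
function Test-SmimeCertificate {
    param(
        [Parameter(Mandatory)] [string] $MailAddress
    )

    $secureEmailOid = '1.3.6.1.5.5.7.3.4'   # enhanced key usage "Secure Email"
    $crlDpOid       = '2.5.29.31'           # CRL distribution points extension

    # "Own certificates" in the dialogs above is the CurrentUser\My store.
    $certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.GetNameInfo('EmailName', $false) -eq $MailAddress
    }

    foreach ($cert in $certs) {
        $now = Get-Date

        # 7.2.1: validity period. A revoked certificate still passes this test.
        $inPeriod = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

        # 7.2.2: where Windows fetches the revocation list from
        # (the "Block List Distribution Points" entry on the Details tab).
        $crlExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $crlDpOid }
        $crlText = if ($crlExt) { $crlExt.Format($false) } else { '(none)' }

        # 7.1.2, 7.2.2 and 7.2.3: build the chain up to the RootCA, require
        # that it is valid for Secure Email, and check revocation online.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
        $usage = New-Object System.Security.Cryptography.Oid -ArgumentList $secureEmailOid
        [void]$chain.ChainPolicy.ApplicationPolicy.Add($usage)

        $chainOk  = $chain.Build($cert)
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $path     = @($chain.ChainElements | ForEach-Object {
                        $_.Certificate.GetNameInfo('SimpleName', $false)
                    })

        [pscustomobject]@{
            Subject               = $cert.Subject
            Thumbprint            = $cert.Thumbprint
            NotBefore             = $cert.NotBefore
            NotAfter              = $cert.NotAfter
            InValidityPeriod      = $inPeriod
            CrlDistributionPoints = $crlText
            ChainValid            = $chainOk
            # Typical values: Revoked, NotTimeValid, PartialChain,
            # UntrustedRoot, NotValidForUsage, RevocationStatusUnknown
            ChainProblems         = $problems -join ', '
            CertificationPath     = $path -join ' <- '
        }
    }
}

# Example call (placeholder address):
# Test-SmimeCertificate -MailAddress 'user@example.com' | Format-List
```

An empty result means that no certificate with a private key and this e-mail address is installed, which corresponds to the situation in 7.1.1.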

8 Previous Outlook Versions

This section contains documentation notes on earlier Outlook versions. It is no longer maintained and may
therefore differ in details from existing installations.

8.1 Outlook 2013 – Install and use certificates

8.1.1 Install certificate

8.1.1.1 Install certificates in Windows

In order to be able to use the e-mail signature in Outlook 2013, the personal certificate (PKCS12 file) must
first be installed in the certificate storage in Windows.

The installation of the personal certificate varies depending on the Windows version but always uses the
“Internet options” input window:


Screen 106: Internet options

→ Contents → Certificates


Screen 107: Certificate manage

→ Own certificates → Import


Screen 108: Import assistant

→ Continue


Screen 109: Import assistant II

Selection of the appropriate PKCS12 file with the personal certificate


Screen 110: Import assistant III

The password with which the PKCS12 file is secured must be specified.


Screen 111: Import assistant IV

We recommend: “Select certificate store automatically” – the personal certificate and all CA
certificates are stored in the correct Windows certificate store.


Screen 112: Import assistant V

→ Finish

8.1.1.2 Outlook 2013 Menu


Screen 113: Menu Outlook 2013

Choose “File” on the main page.

→ Choose Settings


Screen 114: Choose settings

Choose “Settings” in the left bar

→ Trust Center Settings


Screen 115: Trust Center settings

Choose „Trust Center“

Choose “Settings for the Trust Center” on the right side of the window

→E-mail encryption settings


Screen 116: E-mail encryption settings

First, choose “e-mail safety”

Choose automatic signing of e-mails on the right side of the window

Choose „Settings…“ → Safety settings


Screen 117: Safety settings

Click on the „Select…“ button to add a new signature certificate

→ Choose certificate


Screen 118: Choose certificate

From the list of certificates (only one is available in the example), select the required one and press “OK” and return to the main Outlook page. → Done

8.1.2 Create and send a signed e-mail

→ Create a new e-mail


Screen 119: Create a new e-mail

After opening a new window to compose an email as usual, select the “OPTIONS” ribbon

In the middle of the ribbon are the “Encrypt” and “Sign” buttons.

→ Sign e-mail


Screen 120: Sign e-mail

If the “Sign” button has a blue background, there is nothing further to do. The e-mail can be composed and sent as usual. If the button does not have a blue background, just click on it once and sign the e-mail. → Done

8.1.3 Encrypt e-mails

In order to be able to encrypt an e-mail, the recipient’s certificate is required in any case.

There are two ways to use this, both of which are described below.

– Method 1: Answer a signed e-mail (see → Section 8.1.3.1 Method I – Recognize signature and answer)

– Method 2: Manually add a certificate to one of your contacts. To do this, the certificate in the form of a file (file extension .cer) must be exchanged with the relevant contact in advance and be available on the computer.
(see → Section 8.1.3.2 Method II – Open contacts)

8.1.3.1 Method I – Recognize signature and answer


Screen 121: Recognize signature and answer

If this icon is visible in a received email, it has been signed by the sender. In order to encrypt the reply e-mail, it is sufficient to reply as usual.

Choose the “answer” button.

→ Answer in a different window


Screen 122: Answer in a different window

In order to be able to encrypt the message, a separate window for composing e-mails is required. To open it select “Undock”.

→ Encrypt e-mail


Screen 123: Encrypt e-mail

Choose the „OPTION“ Ribbon

In the middle of the ribbon are the “Encrypt” and “Sign” buttons. Select the “Encrypt” button so that it is highlighted in blue. Now compose and send the e-mail as usual. It will now be transmitted in encrypted form.
→ Done

8.1.3.2 Method II – Open contacts


Screen 124: Open contacts

Open the address book and double-click the desired contact

→ Contacts window


Screen 125: Contacts window

Choose “Show” in the “CONTACT” Ribbon.

Choose “certificates” in the small window that appears

→ Certificate window


Screen 126: Certificate window

Choose “Import”

→ Choose certificate


Screen 127: Choose the certificate

Navigate to the folder in which the certificate is located (file extension .cer), select it and click on “Open”.

→ Check certificate


Screen 128: Check the certificate

With a double-click on the entry, the details of the certificate can be called up and it can be checked again whether the correct certificate was selected. Then close the contact and address book and compose a new email.

→ Encrypt e-mail


Screen 129: Encrypt e-mail

Choose “OPTIONS” Ribbon

In the middle of the ribbon are the “Encrypt” and “Sign” buttons. Select the “Encrypt” button so that it has a blue background. Now, as usual, compose and send the e-mail. It is now transmitted in encrypted form.→ Done

8.1.4 Set up LDAP Server

GLOBALTRUST provides its customers with an LDAP directory. All certificates issued by GLOBALTRUST can be found in this directory. This makes it possible to send encrypted emails to anyone with a GLOBALTRUST certificate. It is also possible to integrate this directory into the Microsoft Outlook address book.

8.1.4.1 Short version

Installation of the LDAP directory:

  • You must go into the account settings and click the “New…” button to add a new address book.
  • Choose “Internet directory service” in the installation wizard.
  • Set “ldap.globaltrust.eu” as the server name and set “c=at” as the search default under “More options…”.
  • Finish wizard and restart Outlook → Done

Use the LDAP directory:

  • Open the address book and select “ldap.globaltrust.eu” from the drop-down menu under “Other address books”.
  • Enter the search term in “Display name” in the advanced search and select the “Contains” radio button in the “Search criteria”.
  • In the list of found certificates, select the one you are looking for and add it to the contacts. Send encrypted messages as usual → Done

8.1.4.2 Installation of the LDAP directory

→ Start Outlook → FILE


Screen 130: Outlook

Choose “FILE” in the main window of Microsoft Outlook 2013.

→ Open Account settings


Screen 131: Open Account settings

Choose “Account settings” and, once the dropdown menu appears, click on “Account settings…”.

→ Add new address book


Screen 132: Open Account settings

Switch to the “Address books” tab in the new window.

Click on “New…” to add a new address book.

→ Choose the LDAP directory


Screen 133: Choose LDAP directory service

Choose “Internet directory service (LDAP)”.

Click on “Continue”.

→ Fill in Server details


Screen 134: Enter server data

Set “ldap.globaltrust.eu” as the server name.

Click on “More settings…”.

→ Confirm message


Screen 135: Confirm message

Click the “OK” button to continue.

→ Fill in additional server data

 


Screen 136: Fill in additional Server data

Change to the “Search” tab.

In the “Search base” category, enter “c=at” under “User-defined”.

Click on “OK” to continue.

→ Continue installation


Screen 137: Continue installation

Click on “Continue”.

→ Finish installation


Screen 138: Finish installation

Click on “Finish” to end the installation.

→ Account settings


Screen 139: Account settings

There is now a new entry for the LDAP directory in the list of address books.

Click on “close” and restart Microsoft Outlook 2013 to finish the installation. → Done

8.1.5 Use the LDAP directory

→ Open the address book


Screen 140: Open the address book

Click on the “address book” button on the main page.

→ Choose the LDAP address book.


Screen 141: Choose the LDAP address book

In the dropdown menu “more address books” choose the address book “ldap.globaltrust.eu”.

Click on “Advanced search”.

→ Advanced search


Screen 142: Advanced search

Fill in the name of the desired person in the field “Display name”.

Choose “Contains” in the category “Search criteria”.

Click on “OK” to start the search. Afterwards, a list of the entries found will appear → Done

8.2 Outlook 2007/2010 – Install and use certificates

8.2.1 Install certificates


Screen 143: PKCS12-file on the desktop

To install the PKCS#12 certificate file, it is sufficient to double-click on the file. The certificate import assistant should then start and guide you through the installation.


Screen 144: Certificate import assistant

Now click “Continue” twice until you reach the following window:


Screen 145: Certificate import assistant II

Here you have to enter the key password/download password that you specified when downloading your certificate on the A-CERT website.

If you do not need a mass signature, you can select “Enable high security for the private key.”

You can skip all other windows in the certificate import wizard with “Next >”. At the end, there is a short confirmation “The import process was successful“.

8.2.2 Configure Outlook – Open Trust Center

Now you can start Microsoft Outlook 2007 and open the Trust Center. You can find the Trust Center under the menu item Extras.

(In Microsoft Outlook 2010 you will find this window under the Office button → Options → Security Center → Settings of the Security Center.)

Menu → Extras → Trust Center


Screen 146: Trust Center I

Choose e-mail security settings

There, please select the sub-item “E-Mail Security” on the left-hand side.


Screen 147: Trust Center II

We recommend selecting the “Add a digital signature to outgoing messages” option so that all of your outgoing emails are signed.

Optionally, you can also select “Encrypt content and attachments for outgoing messages” so that all your outgoing emails are encrypted (if possible).

Choose signature certificate

If you now select “Settings…”, you will come to a new window in which you can select the certificate for the signature of your e-mails.


Screen 148: Fill in security settings

Now you can click the “Select…” button under “Signature Certificate” to get an overview of your installed certificates.


Screen 149: Choose the certificate

The certificate that you have installed must be selected here. The selected certificate will now be used to sign and encrypt your emails.

Choose encryption for the certificate (optional)

If you want to use a different certificate to encrypt your e-mails, you must select this separately.

To do this, click on the lower “Select…” button next to the “Encryption Certificate” field and select another certificate.

8.2.3 Sign and/or encrypt e-mails.

To sign or encrypt an e-mail that you are writing, select the icon with the sealed letter (to sign) and/or the icon with the lock in front of the letter (to encrypt).


Screen 150: Write an e-mail and sign

You can find the two icons in the ribbon under Message Options.

In order to be able to send someone an encrypted email, you need their certificate. To save the certificate of a contact person, a signed e-mail from this person is sufficient. After right-clicking on the e-mail, you can select the option “Add to Outlook contacts”.

You can then send encrypted e-mails to this person.


Screen 151: Add e-mail address to the contacts.

To get an overview of the certificates that Outlook can use to encrypt an email, open the “Contact” tab and select the icon for certificates, which you can find in the “Show” sub-item.


Screen 152: Outlook contact list overview

Check signed and/or encrypted e-mails

If you see the following icon, the email has been signed. If you also see a lock next to it, the e-mail has also been encrypted.


Screen 153: Test e-mail


[1] By “account”, Microsoft refers to an account located at Microsoft (Hotmail, live, outlook.com, …); these are usually not very suitable for professional users.