Information Security Office

Digital Certificates


What are they?

Digital certificates serve two purposes. They act as virtual fingerprints that authenticate the identity of a person or thing, and they are used to encrypt information so that only the recipient holding the correct digital ID can read it. The certificate itself is simply a collection of information to which a digital signature is attached.

A digital signature is a piece of data sent with an encoded message to uniquely identify the sender and to verify that the message has not been altered since it was sent. A digital signature is as legally binding as a handwritten signature.

Encryption certificates are used to encrypt data so that only the recipient can decrypt it.  Note: You cannot encrypt email to someone who does not have a valid digital ID nor can you encrypt email to someone whose certificate you do not have access to.

In the future, certificates may be used for a number of things, including accessing restricted pages at other universities (such as their library checkout pages), identifying yourself to vendors so you can purchase items for university use or authenticating documents (such as grant applications) for the government.

Why do you want digital IDs?

E-mail is not private or secure. However, it does make it easy to communicate information rapidly to a number of people. Texas state law (Texas Business Code, Chapter 48), the Texas Administrative Code (1 TAC 202), and The University of Texas at Dallas Information Security policy state that confidential and sensitive information must be kept secure. If the information you want to communicate contains confidential or personally identifiable information, you legally cannot send it in e-mail without using digital certificates and encryption.

Digital Certificates at UT Dallas

Digital certificates must be issued by a trusted entity known as a Certificate Authority (CA). UT System is the CA for all UT components, and the UT Dallas Security department is the CA for UT Dallas.

Before a digital ID is generated, you will be required to provide your NetID and password. This is authenticated against the UT Dallas Lightweight Directory Access Protocol (LDAP) server and provides the required proof of identity before your certificates are issued.

UT Dallas has moved from issuing everyone a single certificate to issuing dual certificates. One certificate is for signing and the other is for encrypting. If you lose the signing certificate, the old one will be revoked and you will have to enroll for a new one. The encryption certificate is escrowed in a manner that allows it to be recovered in the event it is lost. Recovery requires a coordinated effort of both CAs and VeriSign.

You can get digital signing and encryption certificates for use in Internet Explorer and Microsoft Outlook. You can also get digital signing and encryption certificates for Mac and Unix systems using Firefox or Netscape (Please Note: Safari is unsupported and does not work!). Internet Explorer and Microsoft Outlook are the preferred method, however, because certificates are issued, installed into Internet Explorer and Outlook, and published to the global address list (GAL) with very little action on your part. After the first time you send an encrypted message, icons for digitally signing and encrypting individual e-mails will be placed on the Outlook toolbar. Furthermore, when you want to send encrypted email, Outlook will search the GAL for the recipient's certificate and use it automatically if found.

Other email clients do not have the ability to access the GAL or the LDAP server to obtain someone's certificate, so you have to obtain the recipient's certificate some other way before you can send them encrypted email. The easiest way to do this is to have them send you a signed email message. Your mail client will automatically extract their encryption certificate and store it locally so that you can send them encrypted email in the future.

What do you need before you request a Digital ID with Microsoft Outlook?

At UT Dallas, we use VeriSign digital certificates, called Digital IDs. 

To use a VeriSign Digital ID to sign and encrypt e-mail easily at UT Dallas using Outlook and Exchange, you must have an account on the Campus/Exchange server, be using Outlook for e-mail and have the following software on your PC:

  • Windows Vista, XP or 2000
  • Internet Explorer 5.50 or above with 128-bit encryption strength or above*
  • Office 2007, Office 2003, Office XP or above

* All of the security patches for Internet Explorer relating to digital certificates and encryption must be applied before you can successfully apply for a digital certificate.

If you are not sure you have the above items, call the UT Dallas Help desk at ext. 2911.  They can help you make the determination and schedule any upgrades that are necessary.

Digital Certificates are also available for use in Netscape and Firefox in UNIX or Mac environments.

If you are not using Microsoft Outlook and the Exchange server or you are using a Mac or Unix-based operating system, you can still use digital certificates, but you will have to perform several steps to make use of them.  First you must apply for the certificates using your browser of choice.  Then you must export the certificates from the browser and import them into the email client that you use.  The email client must be S/MIME compliant, meaning it has the capability to digitally sign and/or encrypt email.  (Most modern clients have this capability.)

You should always back up your digital IDs as soon as you get them! You do this by exporting them from your web browser or your email client to a location that is routinely backed up (such as your home directory). Please note: a simple copy and paste of your certificates will not work. You must use the export/import feature of your web browser or email client. If your hard drive crashes, you can restore your IDs from the backups. Note: you will be unable to decrypt any encrypted email if you have lost your certificates. DO NOT delete your old certificates from your browser or email client. They can still be used to read "old" encrypted email.

You can easily obtain the VeriSign digital IDs of anyone you want to send encrypted email to by going to the VeriSign database and searching for them using their email address. Be sure to select the option that is appropriate for your web browser. (VeriSign has promised to add Firefox in the future.)

As mentioned earlier, the easiest way to obtain someone's certificate is to ask them to send you a signed email message.  That message will include their public encryption key, and your mail client should either automatically add it to the Other People store or prompt you to add it.  (Check the help files for your mail client to verify this.)
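The signing, tamper-detection, certificate-extraction and encryption steps described on this page, as an added shell example using the OpenSSL command-line tool (this is not UT Dallas or VeriSign tooling). It assumes openssl is installed, and it uses a constructed self-signed certificate and made-up names in place of a CA-issued Digital ID.

```shell
#!/bin/sh
# Added demo, not UT Dallas tooling: the S/MIME workflow the page describes,
# run locally with OpenSSL. A self-signed certificate stands in for a
# CA-issued Digital ID; every name and address below is constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# 1. A Digital ID for the sender (assumption: self-signed here, CA-issued in practice).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout alice.key -out alice.crt \
  -subj "/CN=Alice Example/emailAddress=alice@example.edu" 2>/dev/null

printf 'Subject: grant figures\n\nPlease review the attached figures.\n' > msg.txt

# 2. Sign. The output carries the message, the signature, and Alice's certificate.
openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key -out signed.eml

# 3. Alter one word "in transit" (constructed tampering for the demo).
sed 's/attached figures/revised figures/' signed.eml > tampered.eml

# Verify a signed message against a trust anchor; exit status 0 = intact and trusted.
verify_signed() {
  openssl smime -verify -in "$1" -CAfile alice.crt -out /dev/null 2>/dev/null
}

# 4. What a mail client does with a signed message: keep the sender's certificate.
extract_signer_cert() {
  openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -out "$2"
}

sha256_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 5. With the stored certificate the recipient can encrypt a reply to Alice that
#    only alice.key can open. Returns 0 when the round trip reproduces msg.txt.
encrypt_decrypt_roundtrip() {
  openssl smime -encrypt -aes256 -in msg.txt -out enc.eml "$1"
  openssl smime -decrypt -in enc.eml -recip alice.crt -inkey alice.key -out dec.txt
  [ "$(tr -d '\r' < dec.txt)" = "$(cat msg.txt)" ]
}

verify_signed signed.eml   && echo "signed.eml: signature verifies"
verify_signed tampered.eml || echo "tampered.eml: verification fails, as expected"
extract_signer_cert signed.eml signer.crt
[ "$(sha256_fingerprint signer.crt)" = "$(sha256_fingerprint alice.crt)" ] && echo "extracted certificate matches Alice's Digital ID"
encrypt_decrypt_roundtrip signer.crt && echo "encrypted reply decrypts only with alice.key"
```

The same checks apply to a real Digital ID: replace alice.crt as the trust anchor with the issuing CA chain, and the verify step then tells you both that the message is intact and that the signer's certificate chains to a CA you trust.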
