Getting Started:Before you start the process to set up your digital certificates, you will need the following information about your computer:
- What operating system is on your computer (ex.- Windows XP, Windows 7, Mac, ect.)?
- What email client, or program, are you using (ex.- Outlook 2007, Outlook 2010, Thunderbird, etc.)?
- Click the Start button.
- Click on the Control Panel.
- Either click on the System icon in the Control Panel OR click on the System and Security link and then the System link.
- Open your email program.
- Click on the Help menu.
- Click on the About option. It is usually the last option on the Help menu.
Setting Up Digital Certificates:There are three processes required to set up digital certificates on your computer. You must complete all three of them for your certificates to work properly.
Step 1: Enroll for Digital Certificate, please follow the instructions below.
Step 2: Install Your Digital Certificate into Your Operating System. We have included instructions for several different operating systems. Follow ONLY the instructions for the operating system on your computer. If you do not know what operating system is on your computer, please follow the instructions above.
Step 3: Publish Your Digital Certificate to the Global Address List (GAL). We have included instructions for several different email clients or programs. Follow ONLY the instructions for the email client you use. If you do not know what email client you use, please follow the instructions above.
- Apply Enroll
- Windows XP- How to Install Your Digital Certificate and Publish to the GAL
- Windows Vista- How to Install Your Digital Certificate and Publish to the GAL
- Windows 7- How to Install Your Digital Certificate and Publish to the GAL
- How to Video (Install)
- How to use your Digital ID to sign and encrypt e-mail using Outlook
- How to backup or install on another computer using Internet Explorer
- How to verify I have a current valid certificate
- How to Install Digital ID on a Mac
- How to Install Digital ID into Outlook on a Mac
- How to Install Digital ID into Thunderbird on a Mac
- How to Publish InCommon digital certificates to the Global Address List (GAL) for non-Windows PCs
- How to use your Digital ID to sign and encrypt e-mail using Mac Mail
- How to use your Digital ID to sign and encrypt e-mail using Outlook on a Mac
- How to use your Digital ID to sign and encrypt e-mail using Thunderbird on a Mac
What are they?
Digital certificates serve two purposes. They are, in effect virtual fingerprints that authenticate the identity of a person or thing absolutely, positively. They are also used to encrypt information so that only the recipient with the correct digital ID can read it. The certificate itself is simply a collection of information to which a digital signature is attached.
Signing certificates allow you to add a digital signature to your email. These certificates help the recipient of your mail verify that you are the person who sent the mail.
A digital signature is a piece of data that is sent with an encoded message to uniquely identify the sender and to verify that the message has not been altered since it was sent. A digital signature is as legally binding as a handwritten signature.
Encryption certificates allow you to encrypt your messages. NOTE: Both you AND your recipient must have valid, current encryption certificates. You will not be able to send encrypted messages to anyone who does not already have a valid encryption certificate, even if your encryption certificate is valid. If a person has a valid certificate but you do not have access to it, you will not be able to send them an encrypted email message.
Why do you want digital certificates?
E-mail is not private or secure. However, it does make it easy to communicate information rapidly to a number of people. Texas state law , Texas Administrative Code (1 TAC 202), and The University of Texas at Dallas Information Security policy, state that confidential and sensitive information must be kept secure. If the information that you want to communicate contains confidential or personally identifiable information, legally you can not send it in e-mail without using digital certificates and encryption.
Digital Certificates at UT Dallas
Digital certificates must be issued by a trusted entity known as a Certificate Authority (CA). UT System is the CA for all UT components, and UT Dallas Information Security department is the CA for UT Dallas.
Before a digital id will be generated, you will be required to provide your NetID and password. This is authenticated against UT Dallas Lightweight Directory Access Protocol (LDAP), and provides the required proof of identity before your certificates are issued.
UT Dallas has moved from everyone having dual certificates to a single certificate. The certificate contains both the signing and encrypting certificates. If you lose the certificate, the old one will be revoked and you will have to enroll for a new one. The encryption certificate will be escrowed in a manner that allows it to be recovered in the event it is lost. Recovery requires a coordinated effort of both of the CA's and InCommon to recover the certificate. The recovery of the revoked cert will allow you to read previously encrypted email.
You can get digital signing and encryption certificates for use in Internet Explorer and Microsoft Outlook. You can also get digital signing and encryption certificates for Mac and Unix systems using Firefox or Safari. Internet Explorer and Microsoft Outlook are the preferred method, however, because certificates are issued and installed into Internet Explorer and Outlook and published to the global address list (GAL) with very little action on your part. Icons will be placed on the Outlook toolbar for digitally signing and encrypting individual e-mails after the first time you send an encrypted message. Furthermore, when you want to send encrypted email, Outlook will search the GAL for the recipient's certificate and use it automatically if found.
Other email clients don't have that ability to access the GAL or the LDAP server to obtain someone's certificate, so you have to obtain the recipient's certificate some other way before you can send them encrypted email. The easiest way to do this is to have them send you a signed email message. Your mail client will automatically extract their encryption certificate and store it locally so that you can send them encrypted email in the future.
What do you need before you request a Digital ID with Microsoft Outlook?
At UT Dallas, we use InCommon digital certificates, called digital certificates.
To use an InCommon Digital ID to sign and encrypt e-mail easily at UT Dallas using Outlook and Exchange, you must have an account on the Campus/Exchange server, be using Outlook for e-mail and have the following software on your PC:
- Windows 7, Vista, XP or 2000
- Internet Explorer 5.50 or above with 128-bit encryption strength or above*
- Office 2010, Office 2007, Office 2003, Office XP or above
* All of the security patches for Internet Explorer must be applied before you can successfully apply for a digital certificate.
If you are not sure you have the above items, call the UT Dallas Help desk at ext. 2911. They can help you make the determination and schedule any upgrades that are necessary.
Digital Certificates are also available for use in Safari and Firefox in UNIX or Mac environments.
If you are not using Microsoft Outlook and the Exchange server or you are using a Mac or Unix-based operating system, you can still use digital certificates, but you will have to perform several steps to make use of them. First you must apply for the certificates using your browser of choice. Then you must export the certificates from the browser and import them into the email client that you use. The email client must be S/MIME compliant, meaning it has the capability to digitally sign and/or encrypt email. (Most modern clients have this capability.)
When you apply for your InCommon digital certificate, you must save it to proceed with the installation process. Be sure that you have saved the certificate in a secure location, for example on the H; drive. To backup up your digital certificates export from your web browser or your email client to a location that will be routinely backed up (such as your home directory). Please note: A simple copy and paste of your certificates will not work. You must use the export/import feature of your web browser or email client. If your hard drive crashes, you can restore your IDs from the backups. Note: You will be unable to decrypt any encrypted email if you've lost your certificates. DO NOT delete your old certificates from your browser or email client. They can still be used to read "old" encrypted email.
As mentioned earlier, the easiest way to obtain someone's certificate is to ask them to send you a signed email message. That message will include their public encryption key, and your mail client should either automatically add it to the Other People store or prompt you to add it. (Check the help files for your mail client to verify this.)