Using your Grid CERT to sign or encrypt Emails
Apart from allowing you to access the Grid, an SSL Client Certificate is imported into the Web browser from which you requested your Grid certificate. This certificate could be used to digtially sign or encrypt Email. For the second, you will need te certificate from the correspondign partner in order to encrypt Emails. To make use of it, folow the below guidance.- first export your certificate from your Web browser. This is explain on the how to Export your key pair for use by Globus grid-proxy-init page. In summary:
- Find in your browser certificate management interface an 'export' or 'backup' option. THis interface varies from browser to browser and from Email client to Email client. We have checked only in Thudenrbird as an Email client and inventoried possible location for browser-based tools.
- Internet Explorer: "Tools -> Internet Options -> Content"
- Netscape Communicator as a "Security" vutton on the top bar menu
- Mozilla: "Edit -> Prefercences -> Privacy and Security -> Certificates"
- The file usually end-up withe xtension .p12 or .pfx.
ATTENTION: Although the backup/export process will ask you for a "backup password" (and further encrypt your CERT), please guard this file carefully. Store it OFF your computer or remove the file once you are done with this process. - After exporting your certificate from your Web browser, you will need to re-import it into your Mail client. Let's assume it is Thuderbird for simplicity.
- FIRST:
Verify you have the DOEGrids Certificate Authority already imported in your Mail client and/or upload them.
Note that the DOEGrid Certificate Authority is a subordinate CA of the ESnet CA ; therefore the ESnet CA root certificate should also be present. To check this - Go to "Tools -> Options -> Privacy -> Security -> View Cretificate"
- Click on the "Authorities" tab
- You should see both "DOEGrids CA 1" and "ESnet Root CA 1" under an "Esnet" tree as illustrated in this first picture
- Be certain the "DOEGrids CA 1" is allowed to allow mail users. To do this, select the cert, click Edit. A window as illustrated in the next picture should appear. Both This certificate can indentify Web sites and This certificate can identify mail users should be checked.
- If you DO NOT SEE those certificate authorities, you will need to import them.
- Do so by downloading the doe-certs.zip attached at the bottom of this document, unzip . Two files should be there
- Load them using the "Tools -> Options -> Privacy -> Security -> View Cretificate -> Aurthorities -> Import" button.
- A similar window as displayed above will appear and you will need to check box at least This certificate can identify mail users.
- Now, import your certificate.
- Use the "Tools -> Options -> Privacy -> Security -> View Cretificate -> Your Certificate" menu and click "Import"
- A file browser will appear, select the file you have exported from your browser. It will ask you for a password. You will need to use the smae password you used during the export phase from your Web Browser.
- Click OK
- Your are set to go ...
Usage note:
- If you want a remote partner to send you encrypted messages, you MUST send first a digitally signed Email so your certificate public part could be imported into his/her Email client Certificate Manager under "Other People's". When done for the first time, THuderbird will ask you to set a certificate as default certificate ; the interface and selection is straight forwardso we will not detail the steps ...
- If you want to send an encrypted message to a remote partner, you MUST have his public part imported into your Email client and then select the "Encrypt This Message" option in the Security drop down menu of Thunderbird.
- Whenever a certificate expires, DO NOT remove from you Certificate Manager. If so, you will no longer be able to read / decrypt old encrypted Emails.