Encrypt emails (digital signature)
Please be aware...
- that it might not be possible to read encrypted emails on personal devices (i.e. devices owned by you, not by College);
- that you may also receive a warning when receiving emails with a digital signature.
To send digitally signed or encrypted emails, you need to obtain and install a personal certificate.
You must read and understand this warning before using a certificate to encrypt your email or files.
If you use a certificate, it is your responsibility to ensure that you have taken adequate measures to safeguard your private key. Full instructions on backing up your private key and certificate on a Windows machine are available below.
If you have any doubts regarding the use of a certificate to encrypt your email, contact the ICT Security team via the ICT Service Desk.
Obtain a personal certificate
As a member of College you are entitled to a certificate that is used to prove your identity to other College members.
To request your certificate you must enrol with the Imperial College London Intermediate Certificate Authority. (You need to be connected to the College network to access this site, either from a College computer or via remote access.) By enrolling, you indicate that you have read and understood the warning above.
Get a personal certificate
1. Connect to https://icca2.ic.ac.uk in Internet Explorer and log in with your College username and password when prompted.
2. Click Request a certificate.
3. Select User Certificate.
4. Allow the certificate operation.
5. Click Submit and allow the certificate operation again.
6. Click Install this certificate.
Once you have completed the wizard, your certificate is ready to use.
The certificates provided by Imperial should work with any S/MIME-enabled client.
If you experience issues when using your personal certificate, contact the ICT Service Desk.
Set up a personal certificate on your account
Microsoft Outlook 2007
- Open Microsoft Outlook 2007.
- Click the Tools menu and choose Trust.
- Click the Email Security option.
- Select Publish to GAL* in the new window. This places your certificate in the Global Address List and allows others to send you encrypted emails.
- Click OK.
Your certificate is now ready to use.
*If you receive an error message when you click Publish to GAL, close and reopen Outlook and repeat this step.
Microsoft Outlook 2010/2013
1. Open Microsoft Outlook 2010/2013.
2. Click on the File menu and choose Options.
3. Select the Trust Center and choose Trust Center Settings.
4. Choose the Email Security option.
5. Click the Settings button which will open a new window.
6. Select the Choose button next to Signing Certificate in the Certificates and Algorithms section.
7. Choose the certificate in your name that says Issued by Imperial College London Intermediate Certificate Authority. This is the certificate that you enrolled for earlier.
8. Highlight the certificate and click OK.
9. Click the Choose button next to Encryption Certificate and choose the same certificate as you did in the step above. This means that you use the same certificate for both signing and encrypting emails.
10. Click OK on the Change Security Settings window.
Your certificate is ready for use.
Outlook web access
You can use your personal certificate to digitally sign and encrypt emails when using Outlook web access.
This only works with Internet Explorer.
1. Login to OWA.
2. Select Options.
3. Choose See All Options.
4. Select Settings.
5. Download and install the S/MIME control software.
Microsoft Office 365
1. Go to http://www.imperial.ac.uk/office365.
2. Sign in and start to compose a new email.
3. Under the ... button choose Show message options...
4. Choose whether to encrypt or sign your message by ticking either the Encrypt this message (S/MIME) box or the Digitally sign this message (S/MIME) box. If you choose to encrypt, your recipients must also have obtained personal certificates, otherwise they will not be able to read the email. Signing your message adds your digital signature to prove that it originated from you and has not been tampered with in transit.
5. Click OK. A message will appear stating that you need to install the S/MIME Control.
6. Click the link to install and then click Run to download the application. Once it has been successfully installed, click OK.
7. Sign out and then sign back in to your email to send encrypted or signed mail.
If you are using the full desktop version of Outlook provided with Microsoft Office 365, you can also send signed or encrypted email by opening a new message, clicking the Options tab and clicking either Encrypt or Sign in the Permission section.
Send encrypted/signed emails and back up your key
Sending encrypted or signed emails
If you have not already set up a certificate, you will need to do so before you can proceed (see above).
To send encrypted or signed emails, follow these steps.
- Login to OWA or open Microsoft Outlook.
- Open a New message.
- Select the Options tab on the toolbar.
- Click either the message with a padlock button or the message with a rosette button (the buttons are together) in the toolbar.
The padlocked message is for sending encrypted emails and the rosette button is for signing emails.
Choosing the padlock means that you wish the message to be sent in an encrypted format. The recipient must already have a personal certificate installed and published to the Global Address List, otherwise Outlook will not allow you to send him or her the encrypted email.
If you sign an email with a digital signature, it proves that the email can only have come from you (non-repudiation), as you are the only one who holds the private key that belongs to your certificate.
Backing up your certificate and private key
As with all public key infrastructures, your certificate has an associated private key, which means that only you can decrypt email sent to you using your certificate and only you can sign emails using your certificate. Nobody else, including us, will ever see your private key, as it is held securely on your local machine.
However, this does mean that you are responsible for keeping your private key safe. If it is lost, nobody else has a copy to give to you.
You can back up your key on any Windows machine.
Using the snap-in
Your certificate is held in a store on your machine. To access the certificate store, follow these steps:
- Click the Start button in your Windows desktop toolbar and select Run...
- Enter certmgr.msc and press OK.
- Click on Personal and then click on Certificates. You should now see a list of your personal certificates on the right hand side.
- Click on the certificate that was issued by Imperial College London.
- Right-click it and select All Tasks and then Export.
- Click Next in the Wizard to begin the export process.
- Select Yes, export the private key and click Next.
- Select Personal Information Exchange - PKCS #12 (.PFX) and ensure that Include all certificates in the certificate path if possible is the only option ticked.
- Click Next to continue. If you are exporting the certificate for use on another College-owned Windows machine, you can protect it by Group or Username(s); ensure that your username is the only one in the list. Alternatively, if you are exporting the certificate for use on a personal machine or a machine running a different operating system (OS X or Linux), protect the certificate with a password.
- If you are using the password method, enter a strong password to protect your private key backup. This ensures that even if somebody obtains a copy of your backup file, they will not be able to use your certificate to decrypt email or sign emails on your behalf.
- Confirm your password and click Next.
- Enter a path to save your backup file to. You need to save the file somewhere other than your local machine, e.g. your Home directory or H: drive.
- Click Next, then click Finish to end the Wizard.
You have successfully backed up your private key and certificate.
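The same backup, scripted in PowerShell, as an added example that is not from this page or from College ICT. It assumes the built-in PKI module (Export-PfxCertificate, Get-PfxData) is available, that the issuer name matches the one shown in the Outlook setup steps above, and that H: is your Home drive.

```powershell
# Added example: back up the College-issued S/MIME certificate and its private key
# from the current user's certificate store, then verify the backup file.
# Assumed: issuer name as shown on the page, H: is the Home drive,
# PKI module cmdlets available (Windows 8 / Server 2012 and later).

$issuerMatch = '*Imperial College London Intermediate Certificate Authority*'
$backupPath  = 'H:\smime-backup.pfx'   # somewhere other than the local disk

# 1. Find the certificate the College issued that still carries a private key;
#    if several exist (renewals), take the one that expires last.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like $issuerMatch -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No College-issued certificate with a private key was found in the Personal store.'
}

# 2. Ask for the backup password at run time rather than storing it in the script.
$password = Read-Host -Prompt 'Password to protect the backup' -AsSecureString

# 3. Export as PKCS #12 with the certificate chain included, protected by the password.
#    (For another College-owned machine the page's alternative is account protection:
#     replace -Password with -ProtectTo 'DOMAIN\username'.)
Export-PfxCertificate -Cert $cert -FilePath $backupPath `
    -Password $password -ChainOption BuildChain | Out-Null

# 4. Verify the backup: it must open with the password, contain the private key,
#    and hold the same certificate (thumbprint) as the store copy.
$pfx      = Get-PfxData -FilePath $backupPath -Password $password
$restored = $pfx.EndEntityCertificates | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $restored -or -not $restored.HasPrivateKey) {
    throw 'Backup verification failed: private key missing or thumbprint mismatch.'
}
Write-Host "Backed up $($cert.Subject) (expires $($cert.NotAfter)) to $backupPath"
```

Keep the .pfx file and its password apart: anyone holding both can decrypt your mail and sign as you, which is exactly what the password step in the wizard protects against.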