To send digitally signed or encrypted emails, you need to obtain and install a personal certificate.

Warning

You must read and understand this warning before using a certificate to encrypt your email or files.

If you use a certificate, it is your responsibility to ensure that you have taken adequate measures to safeguard your private key. Full instructions on backing up your private key and certificate on a Windows machine are available below.

If you have any doubts regarding the use of a certificate to encrypt your email, contact the ICT Security team via the ICT Service Desk.

Obtain a personal certificate

As a member of College you are entitled to a certificate that is used to prove your identity to other College members.

To request your certificate you must enrol by following the instructions below. You will need to be connected to the College network to access this site, either from a College computer or via remote access. By enrolling, you indicate that you have read and understood the warning above.

How to obtain a personal certificate (Windows)

1. In Internet Explorer, go to Settings > Internet options > Security > Local intranet zone. Select sites > Advanced and add the URL https://icca4.ic.ac.uk to your intranet sites.

2. Open Internet Explorer and go to https://icca4.ic.ac.uk.

3. Click Request a certificate.

4. Select User Certificate.

5. Allow the certificate operation by pressing Yes.

6. Click Submit and allow the certificate operation again by pressing Yes.

7. Click Install this certificate.

8. Once you have completed the wizard, your certificate is ready to use.

How to obtain a personal certificate (Mac)

Generate a CSR in macOS Keychain Access

Open Keychain Access.

Open the Keychain Access application, located at /Applications/Utilities/Keychain Access.app

Open Certificate Assistant.

Select Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority… from the menu. 

Enter email address.

In the Certificate Assistant window that opens, enter your email address in the User Email Address field. Leave the Common Name as it is. Leave the CA Email Address field blank. Check the Saved to disk radio button and click ‘Continue’, then click ‘Save’, then ‘Show in Finder’.

This will show the CSR on your desktop (or wherever you saved it).

Right-click (control + click) and select ‘Open With’ and ‘Other’, then select ‘TextEdit’.

Click Open and highlight and copy the whole CSR (including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----) so you’re ready for the next steps.
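
Before pasting the request into the web form, it is worth confirming that the copy is complete and contains only the request. The following is an added example, not part of the original instructions: a shell check using the openssl command-line tool, where the file names and the address a.user@example.org are constructed for illustration.

```bash
#!/bin/sh
# Added example, not College-provided tooling. Paths and the sample
# address are constructed; requires the openssl command-line tool.

# check_csr FILE EMAIL: succeed only if FILE is a complete, self-consistent
# CSR that names EMAIL and carries no private key material.
check_csr() {
    csr=$1; email=$2
    # Both armour lines must survive the copy, five dashes on each side.
    grep -qx -e '-----BEGIN CERTIFICATE REQUEST-----' "$csr" ||
        { echo "BEGIN line missing or damaged"; return 1; }
    grep -qx -e '-----END CERTIFICATE REQUEST-----' "$csr" ||
        { echo "END line missing or damaged"; return 1; }
    # The private key stays in the keychain; it must never be in this file.
    if grep -q 'PRIVATE KEY' "$csr"; then
        echo "file contains a private key, do not submit it"; return 1
    fi
    # -verify checks the request's self-signature, which shows it was made
    # by the holder of the matching private key and was not altered since.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "self-signature check failed"; return 1; }
    # The subject should carry the address typed into Certificate Assistant.
    openssl req -in "$csr" -noout -subject | grep -qiF -e "$email" ||
        { echo "$email not found in request"; return 1; }
    echo "CSR looks complete for $email"
}

# Constructed sample: a throwaway key and request for a made-up address.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/sample.key" \
        -out "$1/sample.csr" \
        -subj "/emailAddress=a.user@example.org/CN=A User" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_sample_csr "$tmp" && check_csr "$tmp/sample.csr" a.user@example.org
```

To check a real request, call check_csr with the path of the saved CSR file and the email address you entered.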

Obtaining your personal certificate

1. Go to https://icca4.ic.ac.uk/certsrv in your Firefox or Chrome browser.

2. Click Request a certificate.

3. Click advanced certificate request.

4. Paste your Certificate Signing Request (CSR) in the saved request box, select 'User 2 Year' from the Certificate Template drop-down and press submit.

5. The certificate will be available to download by clicking Download Certificate.

6. Once you have completed the wizard, your certificate is ready to use.

The certificates provided by Imperial should work with any S/MIME-enabled client. Please be aware that digital signing of emails is not possible with Firefox as it disables S/MIME by default.

Support

If you experience issues when using your personal certificate, contact the ICT Service Desk.

Set up a personal certificate on your account

Microsoft Office 365

1. Go to http://www.imperial.ac.uk/office365.

2. Sign in and start to compose a new email.

3. Under the ... button choose Show message options...

4. Choose whether to encrypt or sign your message by ticking either the Encrypt this message (S/MIME) box or the Digitally sign this message (S/MIME) box. If you choose to encrypt, your recipients must also have obtained personal certificates, otherwise they will not be able to read the email. Signing your message adds your digital signature to prove that it originated from you and has not been tampered with in transit.

5. Click OK. A message will appear stating that you need to install the S/MIME Control.

6. Click the link to install and then click Run to download the application. Once it has been successfully installed, click OK.

7. Sign out and then sign back in to the email to send encrypted or signed mail.

If you are using the full desktop version of Outlook provided with Microsoft Office 365, you can also send signed or encrypted email by opening a new message, clicking the Options tab and clicking either Encrypt or Sign in the Permission section.

Thunderbird

  1. Open Thunderbird.
  2. Use the keyboard shortcut Alt + E to open Account Settings.
  3. Select Security.
  4. Select Manage Certificates.
  5. Select Your Certificates and click on Import.
  6. Browse to the certificate you exported from Firefox.
  7. Complete the import by entering your login credentials.
  8. You will have to restart Thunderbird for it to recognise the certificate.

Note: The email address you configure in Thunderbird will need to match the name of your certificate.

Send encrypted/signed emails and back up your key

Sending encrypted or signed emails

If you have not already set up a certificate, you will need to do so before you can proceed (see above).

To send encrypted or signed emails, follow these steps.

  1. Log in to OWA or open Microsoft Outlook.
  2. Open a New message.
  3. Select the Options tab on the toolbar.
  4. Click either the message with a padlock button or the message with a rosette button (the buttons are together) in the toolbar.

The padlocked message is for sending encrypted emails and the rosette button is for signing emails.

Encrypting emails

This option means that you wish the message to be sent in an encrypted format. The recipient must already have a personal certificate installed and published to the Global Address List, otherwise Outlook will not allow you to send him or her the encrypted email.

Signing emails

If you sign an email with a digital signature, it proves that the email can only have come from yourself (non-repudiation), as you are the only one with your certificate.

Backing up your certificate and private key

As with all public key infrastructures, your certificate has an associated private key, which means that only you can decrypt email sent to you using your certificate and only you can sign emails using your certificate. Nobody else, including us, will ever see your private key, as it is held securely on your local machine.

However, this does mean that you are responsible for keeping your private key safe. If it is lost, nobody else has a copy to give to you.

You can back up your key on any Windows machine.

Using the snap-in

Your certificate is held in a store on your machine. To access the certificate store, follow these steps:

  1. Click the Start button in your Windows desktop toolbar and select Run...
  2. Enter certmgr.msc and press OK.
  3. Click on Personal and then click on Certificates. You should now see a list of your personal certificates on the right-hand side.
  4. Click on the certificate that was issued by Imperial College London.
  5. Right click the screen and select All Tasks and then Export.
  6. Click Next in the Wizard to begin the export process.
  7. Select Yes, export the private key and click Next.
  8. Select Personal Information Exchange - PKCS #12(.PFX) and ensure that Include all certificates in the certificate path if possible is the only option ticked.
  9. Click Next to continue. If you are exporting the certificates for use on another College-owned Windows machine, you can protect it by Group or Username(s) - ensure that your username is the only one in the list. Alternatively, if you are exporting the certificates for use on a personal machine or a machine running a different operating system (OS X or Linux), protect the certificate with a password.
  10. If you are using the password method, enter a password to protect your private key backup. This ensures that even if somebody obtains a copy of your backup file, they will not be able to use your certificate to decrypt email or sign emails on your behalf.
  11. Confirm your password and click Next.
  12. Enter a path to save your backup file to. You need to save the file somewhere other than on your local machine e.g. your Home directory or H: drive.
  13. Click Next, then click Finish to end the Wizard.

You have successfully backed up your private key and certificate.

Backing up your certificate and private key using Linux

As with all public key infrastructures, your certificate has an associated private key, which means that only you can decrypt emails sent to you using your certificate and only you can sign emails using your certificate. Nobody else, including us, will ever see your private key, as it is held securely on your local machine.

However, this does mean that you are responsible for keeping your private key safe. If it is lost, nobody else has a copy to give to you.

You can back up your key on Linux by following these steps:

  1. Open Firefox.
  2. Go to Preferences (Alt + E).
  3. In Preferences, search for Certificates.
  4. Click on View Certificates.
  5. Click on the Your Certificates tab.
  6. Find the certificate with your username and click Backup.
  7. Choose a location and enter a password (this is used to protect the private key).
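
A backup is only useful if it can be restored. The check below is an added example, not part of the original instructions: it applies to a password-protected .pfx or .p12 file from either the Windows export or the Firefox backup described above, and uses the openssl command-line tool with constructed file names and a constructed password.

```bash
#!/bin/sh
# Added example, not College-provided tooling. File names and the password
# are constructed; requires the openssl command-line tool.

# verify_backup FILE PASSWORD: succeed only if the PKCS #12 file opens with
# PASSWORD, holds a private key, and that key matches the certificate in it.
verify_backup() {
    p12=$1
    # Pass the password through the environment, not the argument list,
    # so it does not show up in the process table.
    cert=$(P12_PASS=$2 openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -nokeys -clcerts 2>/dev/null) ||
        { echo "cannot open backup with this password"; return 1; }
    # The decrypted key is held in a shell variable only, never written out.
    key=$(P12_PASS=$2 openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null)
    case $key in
        *"PRIVATE KEY"*) ;;
        *) echo "backup holds no private key"; return 1 ;;
    esac
    # Derive the public key from each half; they must be identical.
    from_key=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    from_cert=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ] ||
        { echo "private key does not match certificate"; return 1; }
    echo "backup restores cleanly"
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
}

# Constructed sample: self-signed certificate exported to a .p12 file.
make_sample_backup() {   # $1 = directory, $2 = password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/k.pem" \
        -out "$1/c.pem" -subj "/CN=A User" >/dev/null 2>&1 &&
    P12_PASS=$2 openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" \
        -out "$1/backup.p12" -passout env:P12_PASS
}

tmp=$(mktemp -d)
make_sample_backup "$tmp" 'constructed-passphrase' &&
    verify_backup "$tmp/backup.p12" 'constructed-passphrase'
rm -f "$tmp/k.pem"   # the unencrypted working copy of the key must not linger
```

A backup protected by Group or Username(s) instead of a password cannot be opened this way.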