How to get and start using an S/MIME certificate with CSR

Oct 6, 2020 | Jindřich Zechmeister

You can now obtain personal S/MIME certificates using a CSR, and Internet Explorer is no longer needed to obtain them. This article explains the reasons for the change and the new procedure for obtaining a personal S/MIME certificate. Do not worry, it is even easier than before!

The end of Internet Explorer also means the end of the "pick up" in the browser

Issuing personal S/MIME certificates was relatively convenient as long as browsers allowed the certificate to be retrieved from the web. If you did your "pick up" with a Microsoft browser or Chrome, the certificate was generated and stored directly in the Windows certificate store. Other programs such as Outlook then "saw" it, and it was simply a matter of selecting the certificate for signing.

The exceptions are Firefox and Thunderbird, which use their own certificate store and do not use the Windows certificate store (each program even has its own store, which is quite annoying). Although there was once the option to retrieve the certificate in Firefox, it is no longer possible.

A big change for the worse was the end of support for the so-called CryptoAPI in browsers. Simply put, they lost this feature and with it the possibility of retrieving the certificate. The only browser that still supported it was Internet Explorer. However, a lot of people (understandably) confuse Internet Explorer with Edge, which does not have this feature either. This created confusion, which had an adverse effect on the usability of this procedure and on the user experience.

Therefore, Internet Explorer remained the last option for retrieving the S/MIME certificate. However, after announcing the end of its support (there was also speculation that it would be removed from Windows), Microsoft no longer recommends using it at all. Whether it is removed from the system or not, the browser is definitely dead. Therefore, we have already decided to issue S/MIME certificates using a CSR (as is done for TLS certificates).

How to create CSR and get a certificate

The best option for creating the CSR is to generate it directly in the order detail. That is the fastest and easiest way. Of course, you can also create the CSR yourself, but the data must match the data in the order. For your own CSR, use OpenSSL (the package is part of most *nix systems) or the XCA graphical tool.

If you use the order detail, the entire operation is easy, you can be sure that the CSR is OK, and you hold the private key for the certificate. You will need it after issuance to create the PFX and to use the certificate; therefore, it is absolutely essential that you save the private key carefully (the browser will offer you this option after generating the CSR).

The CSR is then saved in the order, we request the certificate, and you confirm the issuance of the S/MIME certificate. The email for this confirmation, the so-called approver, will be sent to the e-mail address specified in the S/MIME certificate order. The email and address fields are always included in the certificate, even if you do not want to use them to sign emails. Click on the link sent by DigiCert and you will see a confirmation on their website.

S/MIME approver for certificate issuance.

After the certificate is issued, which occurs immediately after the approver verification, download the PFX in the order detail (if you also receive a certificate from DigiCert, ignore the message). Just enter the previously saved private key in the text box and choose the password you will use for the PFX. The downloaded PFX file is protected by this password. It contains, in addition to the certificate, the mentioned private key and CA certificate; keep this file as a backup in case you lose the certificate or in case you reinstall your computer.
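The two OpenSSL steps described above (creating your own CSR whose name and e-mail match the order, and later packaging the issued certificate, the CA certificate and the saved private key into a password-protected PFX), as an added example; this is not SSLmarket's or DigiCert's code, and it assumes `openssl` is on the PATH. The name "Alice Example" and the e-mail used in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example (not SSLmarket's own code): the OpenSSL route for an S/MIME
# order. Step 1 makes the key + CSR whose name and e-mail must match the order;
# step 2 packages the issued certificate, its CA certificate and the saved
# private key into a password-protected PFX. Assumes openssl on PATH.
set -eu

# make_csr DIR NAME EMAIL: private key + CSR. The e-mail goes into both the
# subject (emailAddress) and the SAN, where modern mail clients look for it.
make_csr() {
  dir=$1; name=$2; email=$3
  cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $name
emailAddress = $email
[ext]
subjectAltName = email:$email
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/smime.key" 2>/dev/null
  openssl req -new -key "$dir/smime.key" -config "$dir/req.cnf" \
    -out "$dir/smime.csr"
}

# csr_email CSR: print the emailAddress from the CSR subject, so you can check
# it matches the order before submitting (handles both OpenSSL subject styles).
csr_email() {
  openssl req -in "$1" -noout -subject |
    sed -n 's/.*emailAddress *= *\([^,/ ]*\).*/\1/p'
}

# make_pfx DIR CERT CA PASSWORD: what the order detail builds for you, done
# locally: leaf certificate + CA certificate + the saved private key.
make_pfx() {
  dir=$1; cert=$2; ca=$3; pass=$4
  openssl pkcs12 -export -inkey "$dir/smime.key" -in "$cert" \
    -certfile "$ca" -passout "pass:$pass" -out "$dir/smime.pfx"
}

# pfx_has_key PFX PASSWORD: check the backup opens with the password and
# actually carries the private key (returns 0 if so).
pfx_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}
```

Keep the resulting smime.key and smime.pfx out of shared folders and mailboxes; the PFX is only as safe as its password.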

Commissioning of the signing certificate

The personal S/MIME certificate is most often used for electronic signatures and is used in programs such as Outlook or Thunderbird. Let us see how to set up a certificate and start using it.

The basis is to have a PFX file that contains everything you need. If you want to import a PFX certificate into a Windows computer so that other programs can use it, simply open the PFX file. When double-clicked, the certificate import wizard starts, and you only need to complete it with the default settings.

Do not be fooled by the fact that "nothing happens" after completing the wizard. The certificate is now stored in the Windows store and Outlook will see it.

In Outlook, you now just select this certificate as the default for signing. You can find this dialog under File -> Options, then Security Centre -> Security Centre Settings, and finally the Email Security dialog. Selecting a signing certificate is simple: the system offers you a list of the certificates present in the system store, and you select the one from DigiCert.

S/MIME certificate settings in Outlook.

After adjusting this setting, just click the Sign button in the new message (in the Options menu) and the message will be signed with this certificate from the PFX file.

Importing a certificate into Thunderbird is similar; you will find the instructions in the article Import S/MIME Certificate to Clients and Settings.

Not sure what to do? Contact our support team

If you need help using S/MIME certificates, do not hesitate to contact our support. The SSLmarket help covers all aspects of using S/MIME certificates in illustrated instructions, so we recommend that you also look at our website.