Where I currently work, we are using smart cards to secure Active Directory accounts with elevated privileges. That's a great way to do two-factor authentication because smart cards are integrated into AD natively. To force an account to use a smart card, you only have to tick one checkbox on the user account.
In order to be able to digitally sign and encrypt your e-mails, you have to first take the following steps:
- Import the certificate on your smart card into the IE Store
- Configure Outlook to use the certificate
- Start signing/encrypting your e-mail
Sounds simple enough. Let’s get into the details of how we do all of that.
The first step is to import the digital certificate that is on the smart card into what is sometimes called the IE store. Since I use Gemalto's GemSafe drivers, it is fairly easy.
- I first go to the Certificates section of the Toolbox and click on my certificate.
- This enables the Export… button. Click on it to go to the export screen.
- Select Export to IE store and make sure that you select Personal as the certificate store.
- Click the Export button.
This puts a copy of the certificate (private and public keys) into your personal store for your use. You can verify that the certificate was imported properly by opening Internet Explorer and clicking Tools | Internet Options | Content | Certificates. Your certificate should be listed in the Personal tab. Click on the certificate; this fills in the Certificate intended purposes section at the bottom of the dialog box. If Secure Email is not one of the intended purposes, you will not be able to use this certificate to sign your e-mails.
Now the last thing to do is to configure Outlook to use that certificate.
- In Outlook (I'm using Outlook 2003), click on Tools | Options… | Security tab | Settings… button in the Encrypted e-mail section.
- Here we need to choose our signing certificate and encryption certificate. Click on the Choose… button and select the same certificate in both cases.
- Your Hash Algorithm should be SHA1 because it is stronger than the old MD5.
- Your Encryption Algorithm probably defaults to 3DES, which is the strongest algorithm available.
- Make sure that the checkbox for the Send these certificates with signed messages option is checked. This will then allow your recipient to import your certificate (with your public key only) into their store. This way they will be able to encrypt e-mails to you and only you will be able to decrypt them.
And there you go. The next time you write an e-mail, simply click on the Options… button and then the Security Settings… button to open the dialog box that will allow you to digitally sign and encrypt your e-mail. Make sure that your smart card is inserted. When you click on the Send button, you will be asked to enter your PIN before your e-mail is signed and encrypted in order to confirm your identity.
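The same check the IE Certificates dialog gives you in step one (is the certificate in the Personal store, does it carry the Secure Email purpose, and does its private key still live on the card) can be done from PowerShell. This is an added example, not part of the original post or of Gemalto's tooling; it assumes Windows PowerShell 3.0 or later on the workstation with the card inserted, and the `Test-SmimeCertificate` function name is mine.

```powershell
# Added example (not from the original post): inspect the current user's Personal
# store and report, per certificate, the facts that decide whether Outlook can
# use it for S/MIME. Assumes Windows PowerShell 3.0+ and the Cert: drive.
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # Extended Key Usage OID shown as "Secure Email"

function Test-SmimeCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Extension 2.5.29.37 is Extended Key Usage; .NET hands it back as the typed
    # X509EnhancedKeyUsageExtension, so the EKU OIDs can be read directly.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Where the private key lives. For a legacy CSP such as GemSafe, HardwareDevice
    # is $true when the key stays on the card; reading this may ask for the card.
    $provider = $null
    $onCard   = $null
    if ($Cert.HasPrivateKey) {
        try {
            $info     = $Cert.PrivateKey.CspKeyContainerInfo
            $provider = $info.ProviderName
            $onCard   = $info.HardwareDevice
        } catch {
            $provider = 'unreadable (CNG key or card not present)'
        }
    }

    [pscustomobject]@{
        Subject     = $Cert.Subject
        # Outlook matches this address against the sending account's address.
        Email       = $Cert.GetNameInfo('EmailName', $false)
        NotAfter    = $Cert.NotAfter
        SecureEmail = ($ekus -contains $SecureEmailOid)   # the "intended purpose" check
        HasPrivKey  = $Cert.HasPrivateKey
        Provider    = $provider
        KeyOnCard   = $onCard
        Thumbprint  = $Cert.Thumbprint
    }
}

# Cert:\CurrentUser\My is the "Personal" tab of the IE Certificates dialog.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmimeCertificate -Cert $_ } |
    Format-List
```

A certificate that shows SecureEmail = False here is the same one the IE dialog would list without the Secure Email purpose, so Outlook will refuse it for signing.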
I hope this was helpful to you. Let me know if you have any questions.