Using digital signatures in emails

Implementing digital signatures in Exchange/Outlook environment is not a very complex. However, it requires that you understand how this technology work, and also must have some infrastructure background implemented.
Digital signatures actually protect the content integrity. They don’t provide any protection in a meaning that content of the message can’t be intercepted and read by someone else. However, if the content is altered during transport, digital signature will alert you on this.

When an author digitally signs a document or a message, the operating system on his machine creates a message digest which ranges from between a 128-bit and to a 256-bit number. It is generated by running the entire message through a hash algorithm. This number then is then encrypted by using the author’s private key, and then it is added to the end of the document or message.

When the document or message reaches the recipient, it will go through same hash algorithm as when it was digitally signed. Also, the recipient uses the author’s public key to decrypt the digest that is added to the message. After it is decrypted, it is compared to the digest that the recipient has generated. If they are the same, the document or the message was not altered during transport. Also, if the recipient is able to decrypt the digest by using the author’s public key, this means that the digest was encrypted by using author’s private key, and that confirms the author’s identity. At the end, the recipient also verifies the certificate that was used to prove author’s identity. During this check, the validity period, CRL, subject name, and certificate chain trust also are verified. Make sure that certificates that you use for digital signatures have valid CDP and AIA locations defined.

To implement digital signatures in internal communications, you just need to issue certificates based on the User template. This certificate template is present by default on each Windows Server CA. Of course, you can also use a custom template for this, or you can use smart card certificates for digital signature. This is actually pretty common if smart card infrastructure is deployed. You must issue certificates to all users that who use digital signatures, as authors (don’t need to have one just to read digitally signed message). You can issue the certificate without any user intervention if you use autoenrollment. Also, users must use an application that supports content signing. The digital signatures are ready to be used after the certificate is issued and configured in the application. Certificate for digital signature will be mostly automatically configured in Outlook, so the end user will not need to perform any configuration. If you want to use digital signature in OWA, you will need to install latest S/MIME controls. For mobile platforms and digital signatures, things are not so simple. At the moment, most mobile platforms do not support functionality of digital signature in an email (although ActiveSync does support it on protocol level).

However, if you want to send digitally signed content outside of your organization, you can experience CA trust issues. In this scenario, a recipient is not in the same domain as the author, so it does not trust a the CA that issued a the certificate for the digital signature. Although this kind of digital signature will still be valid from the aspect of content protection perspective, an application being used will probably generate a warning on the recipient side.

If you have a need to send digitally signed content to recipients outside of your organization, I recommended that you buy certificates from a public, globally trusted, CA.

Author: ddamir

Damir Dizdarevic is a b.sc.math and IT professional. He works as a manager of MS CPLS Learning Center in Logosoft Sarajevo, and as a lecturer and author of MOC courses. Occasionally, he also works as a system designer for complex enterprise environments. He is a founding member and president of Bosnian Microsoft Community. He has been working with Microsoft platforms for the last 17 years and he is particularly specialized in Windows Server, Exchange Server, mobility and virtualization. Microsoft awarded him with the Most Valuable Professional – MVP status for his outstanding contribution in sharing knowledge about Microsoft Server products, large number of lectures he delivered, and for his high technical competence. Damir owns several technical certificates (MCSE, MCTS, MCITP, and MCT) for Windows Server 2012, 2008 R2, Exchange Server 2010, Security and Hyper-V. He is regular presenter on conferences in ex-Yu region. On Microsoft Sinergija conference, for previous 7 years, each time he was graded as one of top three speakers. On a Bosnian MS conference, he is the best speaker for last two years. He is also a regular and highly graded presenter on other Microsoft conferences in region such as NT Conference (Slovenia), Microsoft Vizija (Macedonia), Microsoft Windays (Croatia), MS Technet, Mobility Day, KulenDayz etc. Damir is one of very few trainers in Europe who works as an author and reviewer of official MOC courses. In previous year, he was authoring courses 20417 (Upgrading Skills to Windows Server 2012), 20414 (Implementing an Advanced Server Infrastructure), 20412( Configuring Advanced Windows Server 2012 Services) and 20410 (Installing and Configuring Windows Server 2012). Also, he was authoring System Center 2012 courses and currently he is working on Exchange Server 2013 and Windows Server 2012 R2 courses. In addition, he has been working for 16 years now as one of the editors of BiH IT magazine INFO, where he published more than 300 technical articles, and he is also writing for the famous Windows ITPro Magazine (some of his work can be found at: http://windowsitpro.com/author/damir-dizdarevic).

3 thoughts on “Using digital signatures in emails”

  1. Yep :). It might be hard to decide which certificate to use with which email account. Outlook configures certificate on user basis not on account.

  2. I would like digital signatures for all of my users email that work for external users too. Can I buy a single certificate for my organization, such as a wild card certificate or something similar? Or do I need to purchase a separate certificate for every user?

    Thanks!

Leave a Reply

Your email address will not be published.