You follow email security best practices, and you're skeptical of messages from unknown senders. Your computers actively run a firewall, antivirus, and malware scanner. But is there anything else you can do to ensure the integrity of your communications? Yes.
Digitally signing and, to a greater degree, encrypting email messages serve as excellent protections to your digital communications. Digital signing ensures that messages received are from trusted individuals.
Requirements for securing your email
- Apple computer running OS X 10.9+
- Personal Certificate (either self-signed or third-party from a CA)
- Email account configured in Apple Mail
Now let's move on to the creation of the certificates for use with Mail.app, which will act as our digital fingerprint to prove who we are when sending email.
Creating personal certificates
1. If a third-party certificate from a CA exists, feel free to use that one; however, if you do not have a certificate, you can use your Mac to create a self-signed certificate by launching Keychain Access.app from Applications | Utilities.
2. Select Keychain Access menu | Certificate Assistant | Create A Certificate (Figure A).
3. The Certificate Assistant wizard will appear to guide you through the creation of the certificate. Enter a name for the certificate and select Self Signed Root as the identity type. Also, select S/MIME (Email) as the Certificate Type from the drop-down list, and then click the Create button (Figure B).
4. When creating a self-signed certificate instead of using one issued by a CA, the self-signed certificate will be recognized only by the system it is created on until the certificate is installed as a trusted certificate on another device. A CA overcomes this by being the authorization server that manages certificates in use by all users and devices. Click Continue to proceed with creating a self-signed certificate (Figure C).
5. Once the certificate is successfully created, it will automatically be added to the Keychain Access for future use (Figure D and Figure E).
6. Ensure that the certificate is configured with the proper trust rights by double-clicking it in the Keychain and verifying that Use System Defaults is the setting under Trust (Figure F).
Note: One certificate must be created for each email address you intend to secure with digital signing. Repeat steps 2-5 until all email accounts have their unique certificate.
The layered approach to security
When thinking about security, many security administrators refer to it as layers. Similar to that of a cake, security is not a one- or two-step process that will stop anything from occurring, such as a breach.
The layered approach is in place to provide multiple and varied takes to minimize security issues if and when they happen. Digital signing is just one small, yet important piece of the overall puzzle to ensure that a user's identity is verifiable. If not, then any communication coming from that source could be compromised and may have been tampered with somewhere along the chain.
Have you implemented digital signing for emails? If so, how has it benefitted your organization? Let us know in the comments.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.