Publishing your X.509 certificate

How to put your S/MIME certificate on to your website

One of the issues faced by people using S/MIME (in particular those used to PGP) is getting their public key, that is their certificate, to other people. In PGP you simply export your public key to a text file and bung it on a web page. Others come along, download it, and install it into PGP. Simple. So how do we do it with S/MIME or, more correctly, with your X.509 certificate?

Extracting the X.509 certificate

The first problem is extracting your certificate into a format that can be used by others. You don't want to give away your private key, just the public part.

Internet Explorer

Incredibly, this is easy in IE :-)

  • Go to the menu option Tools then Internet Options.
  • Select the Content tabgroup, and click on the Certificates button.
  • Highlight the cert you want to export from your personal list, then click the button Export...
  • Within the Export Wizard choose No to the private key option, then choose Base-64 encoded X.509.
  • Microsoft call this a CER file, but it is also PEM format (not that you need to worry about this).
  • Choose your filename, and go for it.
You should end up with a file that looks loosely like this:-

-----BEGIN CERTIFICATE-----
OIoinwoeifnowiec98ycojknIUhcwoueUBCEIUbiwevoiwnef
-----END CERTIFICATE-----

There will actually be quite a few more lines between the BEGIN and END lines within your file.

That's the file to put on to your web server, see MIME type below.

Mozilla derivatives

It is relatively straightforward with Firefox/Thunderbird etc. these days, but still sort of hidden away. For such a great browser, this is a disappointing point in its functionality. If you're using Firefox and Thunderbird, then you will probably need to get your certificate using Firefox, then export it (backup) as a PKCS#12 file. This file can then be imported into Thunderbird, where you can then secure your emails.

  • Go to Tools then Options...
  • Select Advanced from the icons along the top.
  • Select Encryption from the list of tabs.
  • Select the View Certificates button.
  • From the Certificate Manager that pops up, ensure that the Your Certificates tab is selected.
  • Click on the certificate that you want to export.
  • Click the View button.
  • In the Certificate Viewer that pops up, click on the Details tab.
  • In the bottom left, there is an Export... button. This is finally the button you need. Pick a filename and the job is done. You will have a PEM file as above for IE.

Publishing on a web site

It is simple enough to upload the file to your web site of choice and then create a link to it, but not all web servers will correctly set the MIME type for it. If you have a nice ISP, they may already have this set up in their server so that it recognises a file extension of .PEM or .CER, although they probably do not.

You could ask them to do so, or you could ask them what file extension they have registered for this MIME type, but either way the correct MIME type for this file is application/x-x509-email-cert.

If you don't have any control over this aspect of the web server, but you do have access to cgi-bin, you could knock up a script that sets the correct MIME type. Same goes for servlets or JSPs.
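One way to write such a cgi-bin script, as an added example rather than code from the original page: it sends the MIME type given above and refuses to serve the file if it holds anything other than certificate blocks, so a mistaken export that includes the private key is never published. The path mycert.pem and the function names are assumptions.

```python
#!/usr/bin/env python3
# Added example: CGI script that serves an exported certificate with the
# MIME type named above, and refuses anything that is not certificate-only.
import base64
import re
import sys

CERT_PATH = "mycert.pem"   # assumption: where the exported file lives
MIME_TYPE = "application/x-x509-email-cert"

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def public_pem(pem_text):
    """Return re-encoded CERTIFICATE blocks; raise ValueError on anything else."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("file contains a private key")
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM block found")
    out = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            raise ValueError("unexpected PEM block: " + label)
        # validate=True rejects stray characters; binascii.Error is a ValueError
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):   # a certificate is a DER SEQUENCE
            raise ValueError("block is not DER")
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out += ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    return "\n".join(out) + "\n"

def build_response(pem_text):
    """Build the CGI response (headers + body) as bytes."""
    try:
        body = public_pem(pem_text).encode("ascii")
        status, ctype = "200 OK", MIME_TYPE
    except ValueError as exc:
        print("cert.cgi:", exc, file=sys.stderr)   # goes to the server error log
        body = b"certificate unavailable\n"
        status, ctype = "500 Internal Server Error", "text/plain"
    head = "Status: %s\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n" % (
        status, ctype, len(body))
    return head.encode("ascii") + body

if __name__ == "__main__":
    with open(CERT_PATH, encoding="latin-1") as fh:
        sys.stdout.buffer.write(build_response(fh.read()))
```

Only the re-encoded certificate blocks are sent, so any stray text in the file around them never reaches the client.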

If all else fails, then the user can download the file to local disc and import it manually. Email clients should allow you to import such files as other people's certificates.



Copyright © 1995-2010 Dave Roberts