Help for Alpine - S/MIME
S/MIME is a standard technology for e-mail which allows you to communicate with other people privately, allows verification that the message received from the sender is the message that was actually written, and gives you assurance that your message will not be modified after you send it, so that the recipient reads what you actually intended to send.
If you have heard that you should never send by e-mail what you would not write in a postcard, S/MIME is the equivalent of putting your message in a box, under a key, which only you and the recipient of the message have, and sending the box with your message to the intended recipient.
The basis of encrypting a message is the use of certificates (also called keys) that allow a person to verify that they are who they claim to be. These are the equivalent of a government-issued ID that shows who you are. Certificates contain information about your name, location and other personal information used to identify you. Information in these certificates is used to encrypt or decrypt a message and to verify its authenticity (that it was sent by the person that claims to have sent it). In public key cryptography, users that receive your encrypted messages need a piece of your certificate (called the public key) to verify that a message was sent by you and to send you encrypted messages. Users need the other part of the certificate (called the private key) to decrypt messages sent to them and to sign messages that they send.
If your version of Alpine is compiled with S/MIME support, then you can configure some of the variables using the Alpine interface. From the main screen press S (for setup) and M (for S/Mime). You will be taken to a screen where you can configure a number of options and variables. The following are the variables that can be configured
Before you can send encrypted and/or signed messages, you must be able to prove that you are who you claim to be. After all, the system is based on the trust that when you send a signed message, it was actually you who signed the message, and no one else can do that.
In order to prove that you are who you claim to be, you must be in possession of a certificate. This certificate is just a file. Just like your government gives you an ID card so that you can prove who you are, someone must be willing to say that you are who you claim to be. In this case, there are many certificate authorities that can help you prove your online identity. Many of them offer free certificates, and a search on the internet will find many of them. Some universities offer free certificates for their students and staff, or maybe your company can give you one.
For purposes of S/MIME, the level of certification is very low. A certificate for S/MIME certifies the validity of your e-mail address. It does not certify who you are in person, just that the e-mail address is yours. Most certificates contain information such as the country, state, company name, etc. While this information is included in certificates, for purposes of S/MIME you do not need to prove that this data is true, only that the e-mail address is yours.
The main idea about certification is that others can check that you are who you claim to be, and the certificate is your proof. This means you want others to be able to see your ID (certificate) at the moment they need it, but you do not want them to have full control of it, so that they cannot use it to impersonate you. This is done by creating two certificates, one private (yours) and one public (for everyone else to see). It goes without saying that your private certificate should not be shared with anyone else. The private certificate is the one that you use to sign messages, while the public certificate is used by others to check the signature of messages sent from your e-mail address (and hence, when validated, it is proof that the message was sent by you). In addition, a public certificate can be used by other people to send encrypted messages to you, so that others cannot read them.
You can share your public key with other correspondents by sending them a signed message. When you receive a signed message from a sender, Alpine imports the certificate needed to verify that sender's signature and to encrypt messages to that sender. So by sending a signed message, you are sharing the key needed to encrypt messages to you and to verify that you are the sender of that message.
To install a certificate authority's certificate (here in the file CompanyCertificate.pem) for all users of the system, copy it into the system certificate directory and make it readable by everyone. This requires root privileges:
cp CompanyCertificate.pem /etc/ssl/certs
cd /etc/ssl/certs
chmod 644 CompanyCertificate.pem
Now you need to compute the hash of the certificate. To do this, execute the command
openssl x509 -hash -noout -in CompanyCertificate.pem
This command prints the certificate's subject-name hash, eight hexadecimal characters such as b24ac8f4. OpenSSL looks up certificate authorities by this hash, so with this information execute the following command
ln -s CompanyCertificate.pem b24ac8f4.0
Now the certificate is installed for all users of the system.
To install the same certificate only for yourself, copy it into the ca/ directory of your Alpine S/MIME configuration instead (no root privileges needed):
cp CompanyCertificate.pem ~/.alpine-smime/ca/CompanyCertificate.crt
Notice that the name of the file is not relevant, only its extension. It could be an e-mail address, a company name, or a silly name like MashedPotatoes.crt, really, anything you want, as long as it ends in .crt.
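Both installation routes above, the system-wide copy with its hashed-name symlink and the per-user copy into ~/.alpine-smime/ca, as a shell script. This is an added example, not part of the Alpine help page; the function names, the optional directory arguments and the collision check on the HASH.0 link are this example's own additions.

```sh
#!/bin/sh
# Added example, not from the Alpine help page: install a CA certificate
# system-wide (OpenSSL hashed-name symlink) or per-user (~/.alpine-smime/ca).
set -eu

# Subject-name hash OpenSSL uses to find a CA file: 8 hex characters, e.g. b24ac8f4.
ca_hash() {
    openssl x509 -hash -noout -in "$1"
}

# install_system_ca CERT.pem [DIR] [HASH]
# Copies CERT into DIR (default /etc/ssl/certs; needs root), makes it world-readable
# and creates the HASH.0 symlink. HASH is computed with ca_hash unless passed in.
install_system_ca() {
    cert=$1; dir=${2:-/etc/ssl/certs}; hash=${3:-}
    base=$(basename "$cert")
    [ -n "$hash" ] || hash=$(ca_hash "$cert")
    # Two CAs with the same subject hash would fight over HASH.0; refuse to clobber.
    if [ -L "$dir/$hash.0" ] && [ "$(readlink "$dir/$hash.0")" != "$base" ]; then
        echo "$dir/$hash.0 already points to another certificate" >&2
        return 1
    fi
    cp "$cert" "$dir/$base"
    chmod 644 "$dir/$base"
    ln -sf "$base" "$dir/$hash.0"
}

# install_user_ca CERT [ALPINE_DIR]
# Copies CERT into ALPINE_DIR/ca (default ~/.alpine-smime/ca). Alpine only cares
# about the .crt extension, so whatever the source is called, the copy ends in .crt.
# Prints the path of the installed copy.
install_user_ca() {
    cert=$1; cadir=${2:-$HOME/.alpine-smime}/ca
    mkdir -p "$cadir"
    name=$(basename "$cert")
    case $name in
        *.crt) ;;
        *.pem|*.cer) name=${name%.*}.crt ;;
        *) name=$name.crt ;;
    esac
    cp "$cert" "$cadir/$name"
    echo "$cadir/$name"
}
```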
Starting in version 2.20, one can use the S/MIME configuration screen to manage certificates, that is, to import, delete and trust certificates from other users. These can be stored in containers or in directories.
In the case of public certificates, commands to import, delete, undelete and expunge certificates are available. While in the list of available certificates, placing the cursor on an individual certificate and pressing RETURN gives you information on that certificate. The last line of this text tells you whether the certificate is valid. If the certificate is self-signed and you wish to trust it, the T (Trust) command will be available to you.
The situation is very similar for the Private Key management screen. In this screen a key is listed if there is a public certificate with the same name.
Finally, in the Certificate Authorities management screen, certificates that are trusted by the user are listed. Commands to import, delete, undelete, and expunge certificates are available.
Any changes made in these screens take effect immediately in the same session of Alpine, so it is not necessary to restart Alpine once changes to the list of certificates are made.
I used to follow a three-step process to create a self-signed certificate, but Andreas Schamanek reported that there was an even simpler one-line command that accomplished the same purpose. The directions come from a post on stackoverflow.com. In order to create a self-signed certificate, use the command
openssl req -x509 -newkey rsa:2048 -keyout your_email@address.com.key -out your_email@address.com.crt -days 1095
OpenSSL will ask for a passphrase to protect the private key and for the subject fields of the certificate; enter your e-mail address when asked for it. Now you can install your certificates:
cp your_email@address.com.key ~/.alpine-smime/private
cp your_email@address.com.crt ~/.alpine-smime/public
cp your_email@address.com.crt ~/.alpine-smime/ca
To trust a self-signed certificate that you received from a correspondent, copy it from the public/ directory, where Alpine stored it when the signed message arrived, to the ca/ directory:
cp ~/.alpine-smime/public/person_i_trust@address.com.crt ~/.alpine-smime/ca
Please note that this will install the certificate, but Alpine must be restarted so that it reads the certificate from the ca/ directory and sees that you trust it now. Do not forget that certificates in the ca/ directory must have the .crt extension.
Starting in version 2.20, you can use the certificate management screen to trust self-signed certificates. From the screen that lists the certificates that are available, place the cursor on the certificate that you wish to trust, press RETURN to confirm that this certificate is self-signed, and finally press T to trust that certificate.
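The self-signed identity procedure above (create the key pair, install it under private/, public/ and ca/) and the manual trust step for a correspondent's certificate, as a shell script. This is an added example, not part of the Alpine help page: the function names are this example's own, the certificate is created non-interactively with -subj and -nodes (drop -nodes to be prompted for a passphrase as the page's command does), and a check that the key really belongs to the certificate is added before anything is installed.

```sh
#!/bin/sh
# Added example, not part of the Alpine help page: create a self-signed S/MIME
# certificate non-interactively, check that key and certificate belong together,
# and install them where Alpine looks for them (ALPINE_DIR defaults to ~/.alpine-smime).
set -eu

# smime_pair_matches KEY CRT: succeed only if KEY's public half is the one in CRT.
smime_pair_matches() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# smime_selfsign EMAIL [ALPINE_DIR] [DAYS]
# Key and certificate are named after the address, which is how Alpine finds them.
# The key is written unencrypted (-nodes); remove that flag to get a passphrase prompt.
smime_selfsign() {
    email=$1; dir=${2:-$HOME/.alpine-smime}; days=${3:-1095}
    mkdir -p "$dir/private" "$dir/public" "$dir/ca"
    chmod 700 "$dir/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$email/emailAddress=$email" \
        -keyout "$dir/private/$email.key" -out "$dir/public/$email.crt" 2>/dev/null
    chmod 600 "$dir/private/$email.key"
    # Refuse to go on if the generated pair is inconsistent (should never happen,
    # but it is the same check you want before importing a pair from elsewhere).
    smime_pair_matches "$dir/private/$email.key" "$dir/public/$email.crt" || {
        echo "key and certificate for $email do not match" >&2; return 1; }
    # Trusting your own certificate lets Alpine verify your own signed messages.
    cp "$dir/public/$email.crt" "$dir/ca/$email.crt"
}

# smime_trust EMAIL [ALPINE_DIR]
# Trust a correspondent's self-signed certificate that Alpine already stored in
# public/ after a signed message: copy it to ca/, keeping the .crt extension.
smime_trust() {
    email=$1; dir=${2:-$HOME/.alpine-smime}
    [ -f "$dir/public/$email.crt" ] || {
        echo "no certificate for $email in $dir/public" >&2; return 1; }
    mkdir -p "$dir/ca"
    cp "$dir/public/$email.crt" "$dir/ca/$email.crt"
}
```

Alpine reads the ca/ directory at startup, so after smime_trust restart Alpine (or, from version 2.20, use the certificate management screen instead).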