Using S/MIME in Evolution

S/MIME is a method to send signed and/or encrypted messages through E-mail.
It's relatively easy to set up in Evolution:

Step 1: Create an SSL key and certificate

The first thing to do is create a private key for yourself and generate a CSR (certificate signing request) from it.


openssl req -out myname.csr -pubkey -new -keyout myname.key


Fill in some details about where you are and who you are. When asked for a password, enter one ;) It encrypts the private key file. If someone steals your private key, they can impersonate you, and that's not what you want to use S/MIME for.

Now send the myname.csr file to someone who can sign it (a certificate authority). You'll get a myname.crt file back. (Look elsewhere for information on how to create your own CA and sign it yourself.)

Evolution expects a PKCS12 file, which is a file format that holds both the private key and the certificate. You can create it as follows:


openssl pkcs12 -export -inkey myname.key -in myname.crt -out myname.pkcs12
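
A pre-flight check for this step, as an added example that is not part of the original page: it confirms that myname.key and myname.crt carry the same public key and that the certificate verifies against the CA for S/MIME signing before writing myname.pkcs12. The test CA, the subject, the ca.crt/ca.key file names and the passphrase variables KEY_PASS and P12_PASS are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page). myname.* file names follow the
# page; the CA, subject and passphrases are constructed throwaway values.

# Succeeds only if private key $1 and certificate $2 hold the same public key.
# The key passphrase is read from $KEY_PASS so it never appears in argv.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if certificate $2 chains to CA certificate $1 and is
# acceptable for S/MIME signing.
cert_ok_for_smime() {
    openssl verify -purpose smimesign -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run both checks, then build the PKCS#12 file. Usage: bundle DIR
bundle() {
    key_matches_cert "$1/myname.key" "$1/myname.crt" || return 1
    cert_ok_for_smime "$1/ca.crt" "$1/myname.crt" || return 1
    openssl pkcs12 -export -inkey "$1/myname.key" -in "$1/myname.crt" \
        -passin env:KEY_PASS -passout env:P12_PASS -out "$1/myname.pkcs12"
}

# Constructed sample input: a one-day test CA and a user certificate in DIR.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -passout env:KEY_PASS \
        -subj "/CN=My Name/emailAddress=myname@example.org" \
        -keyout "$1/myname.key" -out "$1/myname.csr" 2>/dev/null
    openssl x509 -req -in "$1/myname.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/myname.crt" 2>/dev/null
}

export KEY_PASS=constructed-key-pass P12_PASS=constructed-p12-pass
umask 077                      # keep key material private to this user
work=$(mktemp -d)
make_sample "$work"
if bundle "$work"; then echo "myname.pkcs12 written"; else echo "checks failed"; fi
```

With real files, drop `make_sample`, put the CA certificate next to your key and certificate as ca.crt, and set the two passphrase variables in the environment before calling `bundle`.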


Now the stage is set. Enter Evolution.

Step 2: Import it into Evolution

Edit -> Preferences
Click the Certificates tab, then the "Your Certificates" tab and then "Import"
Find the myname.pkcs12 file you just created and click "OK".
You'll be asked for the password of the certificate, and another password to protect your keystore.

If you are using a self-signed certificate (like me), you need to import your CA certificate as well.

To do that, you first need to find your CA certificate ;) Poke the person who signed your certificate in the ribs and ask him for this certificate.
Next, go to Edit -> Preferences -> Certificates -> Authorities
Click on "Import", select the CA certificate file and click OK.

Evolution will ask you about trust settings. We want to use these certificates for E-mail, so that's the second option "Trust this CA to identify email users".
Of course, this only applies to us when we receive mails that were signed or encrypted by someone else. But it's important when you want to test by sending mail to yourself.

Certificates are locked and loaded. Now it's time to use them.

Step 3: Enable the S/MIME signing and/or encrypting

Go to Edit -> Preferences -> Mail Accounts, select your account and click "Edit".
Find the "Security" tab and the "Secure MIME (S/MIME)" section under it.

You can either sign mails, encrypt them, or do both. I sign and encrypt them by default. (Encrypting mails will only make sense if you have the public key of the recipient.)

Don't forget to set "Also encrypt to self when sending encrypted mail" if you want to try this out by sending mail to yourself.

Now if only Amazon and other phished internet services started using this...