Mail Signing & Encryption

You can sign and/or encrypt your e-mail using your TU Delft mail account. This is done with S/MIME, for which you will need to obtain a certificate. Certificates for TU Delft are handed out by GÉANT; request one using the following instructions:

  1. go to https://edu.nl/sectigo-sso
  2. Find Your Institution: Delft University of Technology
  3. Certificate Profile: GÉANT e-mail signing and encryption
  4. Terms: 365 Days
  5. Enrollment Method: Key Generation
  6. Key Type: RSA - 2048
  7. Password:
  8. Key Protection Algorithm: Secure AES256-SHA256

Save and store your encrypted certificate file certs.p12 for future use. Note that you can only decrypt your own encrypted mail with the certificate with which you previously encrypted it. If you lose this certificate, there is no way of retrieving the original message!

In the instructions below you will find how to configure your e-mail client to be able to sign & encrypt your e-mail. It is assumed that the e-mail client is already set up for retrieving and sending with your TU Delft e-mail account.

macOS

Apple Mail allows for signing & encryption with S/MIME. Alas, the default GÉANT certificate for e-mail is not usable on the Mac because of a problem with the support of OpenSSL in recent versions of macOS (see https://discussions.apple.com/thread/254729870?sortBy=best).

The following instructions present a workaround for this problem using the command line:

  1. recreate the certs.p12 with a fix via the command line (Terminal)

    Note: if you’re using the HomeBrew version of openssl, add the option -legacy to the last openssl command below (openssl pkcs12 -export)

    cd ~/Downloads # or to the location where you stored the certs.p12 file
    openssl pkcs12 -in certs.p12 -nocerts -nodes -out privatekey.pem # retrieve private key (written unencrypted because of -nodes)
    openssl pkcs12 -in certs.p12 -clcerts -nokeys -out mycert.pem # retrieve certificate
    openssl pkcs12 -in certs.p12 -cacerts -nokeys -out cacerts.pem # retrieve CA certificates
    openssl rsa -in privatekey.pem -outform PEM -out newprivatekey.pem # convert private key format
    openssl pkcs12 -export -out newcerts.p12 -inkey newprivatekey.pem -in mycert.pem -certfile cacerts.pem # repackage everything, remember the password you set here
    rm privatekey.pem mycert.pem cacerts.pem newprivatekey.pem # remove the intermediate files, including the unencrypted private key
    
  2. open Keychain Access

  3. on the left sidebar select Default Keychains→login
  4. from the menu select File→Import Items…
  5. select newcerts.p12 and enter the password you set when creating this file (openssl pkcs12 -export)
  6. go to tab My Certificates
  7. select your new certificate
  8. right-click and select New Identity Preference…
  9. fill in your TU Delft e-mail address in Location or Email Address and click Add
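
A check you can run on newcerts.p12 (or certs.p12) before the rm step and the Keychain import, as an added example that is not part of the original instructions: it confirms that the bundle opens with your password, contains the private key matching the certificate, has not expired and names your e-mail address. The function names, the P12_PASS environment variable and the sample address are assumptions of this example.

```shell
# Added example: sanity-check a PKCS#12 bundle before importing it.
# The bundle password is read from the environment variable P12_PASS (an
# assumption of this example) so it never appears in the process list.

# p12_check FILE EMAIL: returns 0 when FILE holds a certificate and its matching
# private key, the certificate has not expired and it names EMAIL.
p12_check() {
    p12=$1 want=$2
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null) ||
        { echo "cannot read $p12 (wrong password?)" >&2; return 1; }
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    # The private key only travels through a pipe; it is never written to disk.
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key missing or not matching the certificate" >&2; return 1
    fi
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -email | grep -qixF "$want" ||
        { echo "certificate is not issued for $want" >&2; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
}

# make_sample_p12 FILE EMAIL: builds a constructed, self-signed test bundle
# (not a GÉANT certificate) so the check can be tried offline.
make_sample_p12() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Sample/emailAddress=$2" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
        openssl pkcs12 -export -out "$1" -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
            -passout env:P12_PASS
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Demo on constructed data
export P12_PASS='constructed-sample-password'
demo=$(mktemp -d)
make_sample_p12 "$demo/sample.p12" 'sample.user@example.org' &&
    p12_check "$demo/sample.p12" 'sample.user@example.org'
rm -rf "$demo"
```

If the bundle was exported with -legacy, OpenSSL 3 also needs -legacy on the two openssl pkcs12 commands inside p12_check to read it.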

To use this certificate in Apple Mail follow these instructions:

  1. open Apple Mail
  2. from the menu select Mail→Settings…
  3. on the left sidebar select the TU Delft mail server (Exchange)
  4. go to tab Server Settings
  5. click Advanced Exchange Settings
  6. choose your certificate in the dropdown menu for TLS Certificate and click OK

You can now sign and/or encrypt e-mail in Apple Mail.

Linux

The program Evolution allows for easy installation and usage of the certificate. Follow these instructions:

  1. open Evolution
  2. from the menu select Edit→Preferences
  3. install certificate
    1. on the left sidebar select Certificates
    2. go to tab Your Certificates
    3. on the right side click Import
    4. select certs.p12 and enter the password you chose on the GÉANT website when creating this file
  4. set up the mail account to use the certificate
    1. on the left sidebar select Mail Accounts
    2. select your TU Delft account (Type ews)
    3. on the right side click Edit
    4. on the left sidebar select Security
    5. click Select after Secure MIME (S/MIME)→Signing certificate
    6. choose your installed certificate from the dropdown menu for Certificate and identify your latest certificate by checking the Expires: value! Click OK
    7. click Select after Secure MIME (S/MIME)→Encryption certificate
    8. choose your installed certificate from the dropdown menu for Certificate and identify your latest certificate by checking the Expires: value! Click OK
    9. decide on how to use signing and encryption by ticking the appropriate options

You can now sign and/or encrypt e-mail in Evolution.