Secure your e-mails by digitally signing and encrypting the communication with our e-mail certificates, also known as personal ID certificates. The Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol ensures message integrity so that email senders and recipients can verify that the content they share is legitimate and trusted. Email Certificates are supported by all major e-mail applications, including Microsoft Outlook, Exchange, popular mobile operating systems, etc.
EMAIL DIGITAL SIGNING AND ENCRYPTING
How are S/MIME certificates used?
S/MIME e-mail certificates improve the security profile of your e-mail communication in three ways:
- Authenticates the sender - Each S/MIME e-mail certificate contains the sender's authenticated e-mail address. In this way, recipients can confirm that requests for information, transfers or other actions really come from authorized parties.
- Encrypts the email content and attachments - E-mail clients can encrypt and decrypt e-mail content (including attachments) if certificates are present. This prevents malicious software from intercepting e-mail communication during transmission and reading its contents.
- Ensures message integrity - If a signed e-mail or its attachments are changed in any way, the validation fails and the user is warned by the e-mail client.
Which validation levels are available for S/MIME certificates?
The growing requirement for secure and confidential email delivery is the topic of almost every company today. Giving the customer the certainty of your identity is a key success factor in online business. S/MIME certificates take this into account and allow you to digitally sign and encrypt emails and their attachments with all common email clients and programs. The EPKI Manager gives you secure access to your web-based console, which allows you to administrate S/MIME Email Certificates for employees and partners in a simple way.
S/MIME class 1 (Personal)
Class 1 certificates validate that the email address exists. These certificates are therefore ideal for private use.
S/MIME Class 2 (Personal PRO & Enterprise)
For class 2 certificates, it is checked that the email address exists, that the company owns the domain, and that the company is registered as such in a commercial register. Class 2 certificates also include the company name, making them more trustworthy than Class 1 certificates.
Email certificates enable encrypted emails and allow recipients to verify the sender's true email address. These certificates protect your online identity from being used in email spoofing attacks and prevent unwanted third parties from reading the content of your email. With the Personal Secure E-Mail Certificate you can digitally sign e-mail messages as well as encrypt them under the usual conditions.
Validation only via email address
With the Personal PRO S/MIME e-mail certificate, you can digitally sign and encrypt messages like any other e-mail certificate. In addition to simple validation using your email address, we also carry out additional person validation using an official document. As a result, the certificate is recognized as a class 2 mail certificate. The certificate is particularly suitable for individuals or for micro-entrepreneurs who value digital identity and security.
Validation via email address and identity card / official document
Enterprise Secure E-Mail Certificates guarantee a higher validity of the digital certificates due to the extended person and company validation. In addition to the personal validation (first and last name of the employee), the entire company address of your company / organization is also validated and entered in the certificate. This offers the highest possible protection and is therefore issued as a class 2 certificate and in accordance with the requirements of the GDPR.
Validation via email address, company database and personal validation
FAQ on S/MIME
S/MIME encryption - do I need that at all?
Under the Data Protection Act in the EU, all companies that provide personalized data must ensure secure transmission. It is therefore essential that law firms, hospitals, insurance companies as well as small businesses use S/MIME and encrypt their e-mail communication.
How does S/MIME help with fulfilling GDPR / DSGVO?
DSGVO penalty fee
Encrypted email considerably reduces the risk of data breaches for companies. In case of a data breach, the company can reduce its penalties by demonstrating that appropriate security measures, such as S/MIME, have been implemented to prevent data theft. The GDPR dictates that penalties of up to four percent of the worldwide annual turnover or EUR 20 million are imposed for loss, alteration or unauthorized disclosure of data.
Leading technology solution
Secorio is a leading provider of digital identities with public-key technology. These identities are for a variety of uses in enterprise applications, such as mobile applications, device authentication in wireless networks, for encryption and digital signing of emails using S/MIME standards.
Earlier S/MIME solutions were sometimes costly to implement, with the result that employees could not routinely encrypt all emails. To solve this challenge, Secorio's technology partner has developed the industry's first X.509 Zero Touch Certificate management system. This system automatically provides each user with a digital identity.
How can I use S/MIME as a college/student?
But why should you use S/MIME certificates as a student or university? Already starting from EUR 1.08 per month (with a 3-year term) you can strengthen the security of your e-mail communication with our Personal Secure E-Mail Certificate and you no longer have to fear misuse of your identity.
By signing and encrypting emails with S/MIME, you as a lecturer can communicate with students via an encrypted connection. In addition, the physical dispatch of grades and study letters will be a thing of the past.
As Registration Authority, we offer you the opportunity to run your own EPKI management solution. This means you can act independently of us and issue certificates for your employees, lecturers and also for your students.
Students can purchase a 30-day, free S/MIME via the following link: free S/MIME certificate
How do doctors and hospitals use S/MIME Email encryption?
Why should we encrypt our e-mails?
Encrypted emails: do not give readers a chance
The situation is different with encrypted emails: they cannot be read by any attacker at a reasonable cost. Thanks to public key encryption, these emails are only assigned to a specific recipient. This means that only the recipient of an e-mail can open and read the e-mail. To read the e-mail a certificate is required, which in turn is located on the computer of the recipient. This allows the message to be decrypted and read.
Digital sign with your signature
One last question remains: How does the recipient of your e-mail know that a particular public key actually belongs to you? This is listed in the S/MIME e-mail certificate. At least the e-mail address is listed in the certificate. For businesses, we recommend that you use the Enterprise Secure E-mail Certificate, as this validates the company and the full address. Who checks this information? We work closely with CA Sectigo and check your certificate in a 2-step process. This will ensure that you can use your certificate for Extended Signature/Electronic Signature.
For doctors, medical practices and therapists, we recommend our Enterprise Secure E-Mail Certificate, which meets the highest safety requirements.
How can law firms and trustees cost-effectively implement email encryption with their clients?
Simply sending all the information and documents by e-mail - that's what the company has become accustomed to. Many are unaware that strangers are able to read or even modify the e-mails. Especially when sending trusted data caution is required.
With S/MIME (Secure/Multipurpose Internet Mail Extensions) e-mail certificates, you, as a lawyer/attorney, can keep your e-mail communication with your clients confidential. With little effort you can establish a secure connection, without sacrificing the usual comfort when sending e-mails.
How does S/MIME encryption work with your clients?
With our S/MIME certificates, your emails are encrypted or decrypted using a public and a private key and the corresponding Mail Gateway software. However, this requires that the sender and receiver have used the same standard (S/MIME) and have exchanged their public key. The exchange takes place after the first signed message.
No problem - our support team is at your disposal and can support you during the ordering and installation process. Our installation guide will help you integrate your certificates in your usual email environment and guide you step by step. You do not need additional software to use our certificates, and you can integrate an S/MIME certificate into any popular e-mail program - even on your smartphone.
For lawyers and law firms, we recommend our Enterprise Secure E-Mail Certificate, which was designed according to the highest requirements of the CA/B. This will keep you and your clients safe from the misuse of your digital identity.
You have questions or you are not sure which is the right certificate for you? Our support team is available by phone on +41 41 514 31 33, on live chat or by email at firstname.lastname@example.org.
How do I fulfill the E-Mail encryption as public utilities/companies from the energy industry?
As a partner and registrar of the CA Sectigo, Secorio offers inexpensive and trusted mail certificates. Already from EUR 1 per month, private customers can build encrypted communication through our solution. For companies and public utilities, however, we recommend using the more extended and qualified signatures.
Thanks to the long-standing cooperation with Sectigo, we offer all municipal utilities and electricity, gas and water suppliers, our free EPKI managed solution for managing our certificates. Each certificate, which is issued via the EPKI Manager, automatically contains the extended signing, as the certificate contains the company name and address as well as the employee's e-mail address and first and last name.
As a municipal utility, you can set a good example. The Data Protection Act recommends encrypted communication for all e-mails containing personal data. With the PKI solution from Secorio, you make the right choice: as an administrator, you independently manage your EPKI solution and can, within a few seconds, apply for new certificates for your employees, which you can also revoke if necessary.
What are the requirements of the Federal Agency/Federal Network Agency?
Many companies currently have to deal with the topic of S/MIME e-mail certificates. We would like to familiarize you with the requirements of the Federal Network Agency.
The Federal Network Agency's goal is to introduce secure communication within Germany and in the EU. There are various ways to encrypt e-mail communication. The most widely used technology worldwide for this is S/MIME certificates. In one document the Federal Network Agency has created a regulation for the secure exchange of EDIFACT transmission files. It contains all regulations for a secure transmission of e-mails. To give you the most important information from its 26 pages in brief, we have summarized the conditions and requirements for the certificates.
Guidelines for the transmission way
Since June 1, 2016, all e-mails in the German energy industry have had to be signed or encrypted. For signing, the regulations listed below apply:
- In terms of 1:1 communication, the data exchange is business-process-independent, i.e. the encryption and signature of the e-mail is uniform for all message types. All transmission files from a sender to a recipient must therefore be encrypted and signed.
- Encrypting and signing of e-mails is only permitted using the S/MIME standard, and at least version 3.2 (IETF RFC 5751, release year 2010) must be used.
- Each market partner must use only one certificate for the email address used (more precisely the associated private key) for the signing. The same private key is used to decrypt the email sent to this email address by the other market partners.
Choosing the right certification authority
For your e-mail certificate to be valid, it must be issued by a trusted Certification Authority (CA). For the CAs, the conditions described in 5.5.1 apply:
- The CA has a callback service that can be used to revoke certificates. For this purpose, it keeps a so-called certificate revocation list (CRL), which is publicly accessible.
Our certificates are cryptographically signed and issued by CA Sectigo (formerly Comodo). All certificates can be revoked by phone on +41 41 514 31 33 or by e-mail at email@example.com.
- The IT security of the CA operation is audited by an audit/certification according to a recognized audit/certification standard. Certification according to BSI TR03145 (Secure Certification Authority operation) is recommended.
Our certificates are validated according to the guidelines of the CA/Browser Forum. Regular examinations are carried out by an external partner (Ernst & Young).
- The registration service, including service outsourced to service providers (registrars), is performed with a high level of security.
Secorio itself is a registration authority of Sectigo. For over 10 years, the two companies have maintained a close and strategic partnership to provide a high level of security. All certificates are checked and validated by at least 2 parties.
Further requirements of EDIFACT
Further requirements can be found in the EDIFACT document. Currently, the requirements for certification bodies are fully complied with - the final implementation will take place in Q4 2019. Therefore, Secorio works closely with other certificate authorities to offer the appropriate certificates.
Requirements for e-mail certificates
The requirements for e-mail certificates are clarified in 5.5.2:
- The e-mail certificate has to be issued by a CA that meets the requirements just mentioned.
All requirements are fully met.
- All certificates issued until 31.12.2017 must be signed with at least the sha-256RSA signature algorithm. Certificates newly issued from 01.01.2018 to 31.12.2018 must be signed using either the RSASSA-PKCS1-v1_5 signature procedure (sha-256RSA or sha-512RSA signature algorithms) or RSASSA-PSS. These certificates can be used up to the maximum certificate validity (maximum 3 years) in the interim model of market communication.
Our S/MIME e-mail certificates contain the signature algorithm sha-256RSA and are issued with a maximum term of 3 years. An RSASSA encryption can optionally be added.
- All S/MIME certificates issued after 01.01.2019 must be signed with RSASSA-PSS.
Sectigo is currently not supporting the RSASSA-PSS algorithm. This is expected to be implemented in Q1 2020. Through our contact to an alternative international supplier, we have the opportunity to issue certificates with higher encryption algorithms.
- For the different uses for "signature" and "encryption", the same key pair is generated so that a so-called combined certificate is issued and used.
You can integrate our certificate into your e-mail client and, when composing e-mails, decide whether you want to sign or encrypt the e-mail. You do not need another certificate for this.
- Certificates must provide advanced electronic signature.
Our S/MIME certificates can be issued as a Class 1 or Class 2 certificate. In particular for companies we recommend the use of our Enterprise Secure Email Certificate, which allows advanced signature.
- The certificate must ensure identification and association with the company/service provider or organization that operates the e-mail address. This means that the field O of the certificate must contain the legal entity that operates the e-mail inbox for the e-mail address for which the certificate was issued, and under which the signed and encrypted e-mails are sent and received.
With our Enterprise Secure Email Certificates, your company will be validated and the existence of your certificate of incorporation will be checked. This ensures that the issued certificate can only be assigned to your company.
Algorithms and key lengths for S/MIME certificates
According to the guidelines under 5.5.3 of the Federal Network Agency, the following algorithms and keys with the specified key lengths must be used:
- Hash function:
  - SHA-256 or SHA-512
  Our certificates are issued with a SHA-256 hash function.
- Signature methods:
  - Since January 1, 2018, only the RSAES-OAEP signature procedure can be used.
  Our RSASSA-PSS certificates fulfill this signature procedure. Certificates from Sectigo currently use the SHA-256 signature method.
- Content encryption:
  - AES-128 CBC or AES-192 CBC
  Our certificates meet the standard of content encryption through advanced technology.
- Key encryption:
  - RSA key length at least 2048 bits
  See the point "Signature methods".
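The certificate rules summarized above from 5.5.2 and 5.5.3 (signature procedure by issuance date, hash function, RSA key length, maximum validity, field O) can be checked mechanically once a certificate's fields have been extracted. The following Python example is added here and is not Secorio's or the Federal Network Agency's code; the `CertFacts` structure, the rule names and the sample certificates are constructed for illustration, and the issuance date is assumed to be the certificate's notBefore date.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

PKCS1_V15 = "RSASSA-PKCS1-v1_5"
PSS = "RSASSA-PSS"
ALLOWED_HASHES = ("SHA-256", "SHA-512")
PSS_ONLY_FROM = date(2019, 1, 1)   # page: certificates issued after 01.01.2019
MAX_VALIDITY_YEARS = 3             # page: maximum certificate validity
MIN_RSA_BITS = 2048                # page: RSA key length at least 2048 bits


@dataclass
class CertFacts:
    """Fields already extracted from an S/MIME certificate (hypothetical structure)."""
    not_before: date   # treated as the issuance date (assumption)
    not_after: date
    sig_scheme: str    # PKCS1_V15 or PSS
    sig_hash: str      # "SHA-256", "SHA-512", ...
    key_type: str      # "RSA", "EC", ...
    key_bits: int
    subject_o: str     # field O of the subject; "" if absent


def add_years(d: date, years: int) -> date:
    """Same calendar day `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def check(cert: CertFacts) -> List[Tuple[str, str]]:
    """Return (rule, message) findings; an empty list means no rule was violated."""
    findings = []
    if cert.sig_hash not in ALLOWED_HASHES:
        findings.append(("hash", f"{cert.sig_hash} is not SHA-256 or SHA-512"))
    if cert.not_before >= PSS_ONLY_FROM:
        # From 2019 on, only RSASSA-PSS is accepted.
        if cert.sig_scheme != PSS:
            findings.append(("signature", "issued from 2019 on: must be RSASSA-PSS"))
    elif cert.sig_scheme not in (PKCS1_V15, PSS):
        findings.append(("signature", f"unsupported scheme {cert.sig_scheme}"))
    if cert.key_type != "RSA" or cert.key_bits < MIN_RSA_BITS:
        findings.append(("key", f"{cert.key_type} {cert.key_bits} bit; need RSA >= 2048"))
    if cert.not_after > add_years(cert.not_before, MAX_VALIDITY_YEARS):
        findings.append(("validity", "validity exceeds 3 years"))
    if not cert.subject_o.strip():
        findings.append(("organization", "field O is empty"))
    return findings


# Constructed sample certificates (not real data).
SAMPLE_2018 = CertFacts(date(2018, 6, 1), date(2021, 6, 1), PKCS1_V15,
                        "SHA-256", "RSA", 2048, "Example Stadtwerke GmbH")
SAMPLE_2019_PKCS1 = CertFacts(date(2019, 3, 1), date(2022, 3, 1), PKCS1_V15,
                              "SHA-256", "RSA", 2048, "Example Stadtwerke GmbH")
SAMPLE_WEAK = CertFacts(date(2019, 3, 1), date(2024, 3, 1), PSS,
                        "SHA-1", "RSA", 1024, "")

if __name__ == "__main__":
    for name, cert in [("2018, PKCS#1 v1.5", SAMPLE_2018),
                       ("2019, PKCS#1 v1.5", SAMPLE_2019_PKCS1),
                       ("2019, weak", SAMPLE_WEAK)]:
        print(name, check(cert) or "no findings")
```

The second sample differs from the first only in its issuance date, which is enough to move it from compliant to non-compliant under the 2019 RSASSA-PSS rule.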
E-mail certificates: recommended actions
Our Enterprise Certificates meet the requirements of the Federal Network Agency and thus offer a high degree of security. Our certificates undergo validation processes according to strict guidelines before they are issued. Our certificates will continue to evolve in the future to continuously meet updated standards and ensure the security of your e-mail communications.
You have questions or are not sure which is the right certificate for you? Our support team will be happy to help you on the phone on +41 41 514 31 33, via live chat or by e-mail at firstname.lastname@example.org.
What are the benefits of email certificates?
S/MIME e-mail certificates enable the sending of encrypted and/or digitally signed e-mails using your current client software - Microsoft® Outlook Express, Microsoft® Outlook®, Microsoft Office 365, Netscape Messenger, or any other S/MIME compliant software.
The certificates are compatible with over 99% of all email clients and gateways. With our certificates, you bind your email identity (email address and, if desired, company name, address, first and last name) to the cryptographic key used to sign and encrypt emails, thus protecting your data from third parties.
FAQ about your order
How does the order & installation process work?
Step 1: Select your certificate and go to shopping cart
Use the "Order now" button to navigate to our certificates and find the S/MIME certificate that suits you. After selecting a certificate by clicking the "Order now" button, choose the term of your desired certificate from the list in the first step. Because of the installation effort and the price structure, we recommend choosing the longest possible term. Once you have decided on a certificate, you can add it to the shopping cart with a single click.
Step 2: Enter your personal contact details & payment
In step 2, enter your personal contact information. If you order an Enterprise S/MIME certificate, the data will be verified by us before the certificate is issued.
In the next step, select the desired payment method and confirm our terms and conditions and your right of withdrawal. By clicking the "Order with obligation to pay" button, you submit your order to us. In doing so, you offer us the conclusion of a purchase contract. Immediately after the purchase, an additional field appears for carrying out the transaction by credit card. The connection is SSL-secured. After successful completion of your order, you will receive an invoice confirmation and instructions on how to technically apply for the certificate.
Step 3: Applying for the certificate
After payment, you will receive an e-mail with instructions for applying for your certificate. Important: Please use the appropriate browser to apply for the certificate (Internet Explorer for Windows / Safari for Apple). Please follow the steps below:
Personal Secure E-Mail Certificate
Please select the ordered validity to avoid a cancellation of your certificate. All settings from Advanced Security Options can be left at their defaults. This is a new account (not the secorio.com account).
Personal PRO E-Mail Certificate
Before we can validate and issue the certificate, we need a copy of your identity card. Please send it to us via the following link with a secure SSL connection: by e-mail to email@example.com or via our submission form: Send Personal ID
Order: All settings after Advanced Security Options can be left at their defaults. This is a new account (not the secorio.com account).
Enterprise Secure E-Mail Certificate
Up to the application process, the procedure for this certificate is identical. After this, extended validations must be carried out and completed by us, which is why the issuance takes more time. A description can be found on Process for applying for an Enterprise Secure E-Mail certificate
Step 4: S/MIME installation
You will receive an e-mail asking you to collect the certificate. Important: Use the same computer (laptop or PC) and the identical browser that you already used for the application. You can then install the certificate according to our installation guide. Do not forget to create a backup afterwards.
-> On Windows, the certificate is not downloaded automatically / the S/MIME certificate installs itself in your browser and must be exported from there.
How do I get my certificate after ordering?
1.) You will receive an email ("Applying for your Corporate Secure Email Certificate") asking you to send a PIN via hyperlink.
IMPORTANT - please use:
Internet Explorer on Windows
Safari on Apple devices
-> the use of other browsers will not lead to success!
When you have submitted the PIN, the private key is generated in the browser. In most cases, the certificate then automatically gets installed in the browser after completion of the next steps.
2.) Obtain the certificate after receiving another email ("Collecting your Corporate Secure Email Certificate") and if the certificate was not installed in Step 2.
IMPORTANT - please use the same computer and browser as in step 2
Internet Explorer on Windows
Safari on Apple devices
3.) Click the Submit & Continue button (see screenshot below) to receive the digital e-mail certificate -> the certificate will be created in the browser and must be exported from there. Therefore you will not find the certificate in the download folder.
I have to organize certificates for my employees - what should I do best?
We would like to offer S/MIME certificates to our customers. Is there a reseller solution?
Administration of EPKI solution for your customer:
You create an EPKI managed solution on behalf of your customers and manage it for them. If required, we will invoice you - so the customer will not get in contact with us and you can invoice your customers directly for your services. Please let us know how you would like to be invoiced.
WebHost Reseller / Ordering URL
Affiliate Reseller/First Partner Program for S/MIME Certificates:
How do I send my S/MIME certificate to someone so that they can send me encrypted e-mails?
After receiving your email certificate, you will need to send your public key to the people you want to exchange encrypted email with. Simply send a digitally signed email, which automatically sends your public key. Recipients then only need to add your email address to their address book (point the cursor to the email address, click on the right mouse button, select option "Add Outlook Contacts"), which automatically saves your public key.
IMPORTANT: Encryption is only possible if both sender and recipient have a valid S/MIME certificate and the public keys have been exchanged in advance.