Secure your e-mails by digitally signing and encrypting the communication with our e-mail certificates, also known as personal ID certificates. The Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol ensures message integrity so that email senders and recipients can verify that the content they share is legitimate and trusted. Email Certificates are supported by all major e-mail applications, including Microsoft Outlook, Exchange, popular mobile operating systems, etc.
EMAIL DIGITAL SIGNING AND ENCRYPTING
How are S/MIME certificates being used?
S/MIME e-mail certificates improve the security profile of your e-mail communication in three ways:
- Authenticates the sender - Each S/MIME e-mail certificate contains the sender's authenticated e-mail address. In this way, recipients can confirm that requests for information, transfers or other actions really comes from authorized parties.
- Encrypts the email content and attachments - E-mail clients can encrypt and decrypt e-mail content (including attachments) if certificates are present. This prevents malicious software from intercepting e-mail communication during transmission and reading its contents.
- Ensures message integrity - If a signed e-mail or its attachments are changed in any way, the validation fails and the user is warned by the e-mail client.
Which validation levels are available for S/MIME certificates?
The growing requirement for secure and confidential email delivery is the topic of almost every company today. Giving the customer the certainty of your identity is a key success factor in online business. S/MIME certificates take this into account and allow you to digitally sign and encrypt emails and their attachments with all common email clients and programs. The EPKI Manager gives you secure access to your web-based console, which allows you to administrate S/MIME Email Certificates for employees and partners in a simple way.
S/MIME class 1 (Personal)
Class 1 certificates validates that the email address exists. These certificates are ideal for both private and professional use.
S/MIME Class 2 (Personal PRO & Enterprise)
For class 2 certificates, it is checked that the email address exists, that the company owns the domain, and that the company is registered as such in a commercial register. Class 2 certificates also include the company name, making them more trustworthy than Class 1 certificates.
Email certificates enable encrypted emails and allow recipients to verify the sender's true email address. These certificates protect your online identity from being used in email spoofing attacks and prevent unwanted third parties from reading the content of your email. With the Personal Secure E-Mail Certificate you can digitally sign e-mail messages as well as encrypt them under the usual conditions.
Important note: S/MIME certificates can only be ordered using Microsoft Edge in Internet Explorer Mode (Windows). All other browsers do not support the key generation required for this process.
Validation via e-mail address.
With the Personal PRO S/MIME e-mail certificate, you can digitally sign and encrypt messages. In addition to simple validation using your email address, we also carry out additional person validation using an official document as well as a selfie you presenting your photo-ID. As a result, the certificate is recognized as a class 2 mail certificate. This certificate is particularly suitable for individuals or for micro-entrepreneurs who value digital identity and security.
Important note: S/MIME certificates can only be ordered using Microsoft Edge in Internet Explorer Mode (Windows). All other browsers do not support the key generation required for this process.
Validation via e-mail address, photo-ID and selfie showing photo-ID.
Enterprise Secure E-Mail Certificates guarantee a higher validity of the digital certificates due to the extended persons and company validation. In addition to the personal validation (first and last name of the employee), the entire company address of your company / organization is also validated and entered in the certificate. This offers the highest possible protection and is therefore issued as a class 2 certificate and in accordance with the requirements of the GDPR.
Important note: S/MIME certificates can only be ordered using Internet-Explorer Mode on Microsoft Edge (Windows). All other browsers do not support the key generation in this process.
Validierung via E-Mail Adresse, Unternehmens-Datenbank, Personalausweis (Photo-ID), Selfie mit Personalausweis sowie telefonischem Verifizierungsanruf über die Hauptnummer.
FAQ on S/MIME
S/MIME encryption - do I need that at all?
Basically, the use of e-mail certificates is recommended when sending confidential content. E-mail certificates enables the sending of signed and encrypted e-mails. With our globally recognized certificates encrypted e-mails can be opened and read by the intended recipient. Digitally signed e-mails give you and the recipient the assurance that the certificates really come from you. This way the recipient has an instrument to check whether the email was changed during the transfer.
Under the Data Protection Act in the EU, all companies that provides personalized data must ensure secure transmission. It is therefore essential that law firms, hospitals, insurance companies as well as small businesses use S/MIME and encrypt their e-mail communication.
How does S/MIME help with fulfilling GDPR / DSGVO?
In 2016, the European Union passed the General Data Protection Regulation (DSGVO). This replaces the 1995 Data Protection Directive with a stricter data protection, and has since become law across the EU. Article 25 of the GDPR demands data protection for all companies "by default" when handling personal data, which implies that e-mails with personal data must be transmitted in a safe and trustworthy way.
DSGVO penalty fee
Encypted email considerably reduces the risk of data breaches for companies. In case of a data breach, the company can reduce their penalties by demonstrating that appropriate security measures have been implemented to prevent data theft, such as S/MIME. The GDPR dictates that penalties for loss, alteration or unauthorized disclosure of data are imposed an amount of up to four percent of the worldwide annual turnover or EUR 20 million.
Leading technology solution
Secorio is a leading provider of digital identities with public-key technology. These identities are for a variety of uses in enterprise applications, such as mobile applications, device authentication in wireless networks, for encryption and digital signing of emails using S/MIME standards.
Earlier S/MIME solutions were sometimes costly to implement, with the result that employess could not routinely encrypt all emails. To solve this challenge, Secorio's technology partner has developed the industry's first X.509 Zero Touch Certificate management system This system automatically provides each user with a digital identity.
How can I use S/MIME as a college/student?
Through the long-standing partnership with Sectigo (formerly Comodo) Secorio offers interesting conditions for S/MIME e-mail certificates for students and universities as well as non-profit organizations. In a time when SPAM, misuse of data and forgery of identities are a reality, we want to offer you an effective measure with our email certificates. As registrar within the Sectigo network, we can validate and issue S/MIME e-mail certificates.
But why should you use S/MIME certificates as a student or university? Already starting from EUR 1.08 per month (with a 3-year term) you can strengthen the security of your e-mail communication with our Personal Secure E-Mail Certificate and you no longer have to fear misuse of your identity.
By signing and encrypting emails with S/MIME, you as a lecturer can communicate with students via an encrypted connection. In addition, the physical dispatch of grades and study letters will be a thing of the past.
As Registration Authority, we offer you the opportunity to run your own EPKI management solution. This means you can act independently of us and issue certificates for your employees, lecturers and also for your students.
Students can purchase a 30-day, free S/MIME via the following link: free S/MIME certificate
How do doctors and hospitals use S/MIME Email encryption?
Patient information is sent to doctors' offices, hospitals and rehabilitation centers every day. For several years it has been said that unencrypted e-mails are comparable to a postcard. Postcards can be read by anyone if you have access to them. Third parties entitled to do so may, without the knowledge of the intended recipient, read along with e-mails and/or change their content.
Why should we encrypt our e-mails?
Unencrypted e-mails are in conflict with the current privacy policy. There may be several reasons why third parties would like to gain access to your e-mails or read the entire e-mail correspondence of your practice. Do you send patient data unencrypted? Since the introduction of the current Data Protection Act, you can be held accountable if data can be read by unauthorized third parties.
Encrypted emails: do not give readers a chance
The situation is different with encrypted emails: they can not be read by any attacker at a reasonable cost. Thanks to the public key encryption, these emails are only assigned to a specific recipient. This means that only the recipient of an e-mail can open and read the e-mail. To read the e-mail a certificate is required, which in turn is located on the computer of the recipient. This allows the message to be decrypted and read.
Digital sign with your signature
One last question remains: How does the recipient of your e-mail know that a particular public key actually belongs to you? This is listed in the S/MIME e-mail certificate. At least the e-mail address is listed in the certificate. For businesses, we recommend that you use the Enterprise Secure E-mail Certificate, as this validates the company and the full address. Who checks this information? We work closely with CA Sectigo and check your certificate in a 2-step process. This will ensure that you can use your certificate for Extended Signature/Electronic Signature.
We recommend doctors/medical practices/ therapists our Enterprise Secure E-Mail Certificate, which meets the highest safety requirements.
How law firms and trustees cost-effectively can implement email encryption with their clients?
Simply sending all the information and documents by e-mail - that's what the company has become accustomed to. Many are unaware that strangers are able to read or even modify the e-mails. Especially when sending trusted data caution is required.
With S/MIME (Secure/Multipurpose Internet Mail Extensions) e-mail certificates, you, as a lawyer/attorney, can keep your e-mail communication with your clients confidential. With little effort you can establish a secure connection, without sacrificing the usual comfort when sending e-mails.
How does S/MIME encryption work with your clients?
With our S/MIME certificates, your emails are encrypted or decrypted using a public and a private key and the corresponding Mail Gateway software. However, this requires that the sender and receiver have used the same standard (S/MIME) and have exchanged their public key. The exchange takes place after the first signed message.
Complicated?
No problem - our support team is at your disposal and can support you during the ordering and installation process. Our installation guide will help you integrate your certificates in your usual email environment and guide you step by step. You do not need additional software to use our certificates, and you can integrate an S/MIME certificate into any popular e-mail program - even on your smartphone.
We recommend for lawyers and law firms our Enterprise Secure E-Mail Certificate, which was designed according to the highest requirements of the CA/B. This will keep you and your clients safe from the misuse of your digital identity.
You have questions or you are not sure which is the right certificate for you? Our support team is available by phone on +41 41 514 31 33, on live chat or by email at info@s-mime.info.
How do I fulfill the E-Mail encryption as public utilities/companies from the energy industry?
Each municipal utility is obligated under the provisions of EDIFACT to offer at least one encrypted communication channel. In addition, it is recommended to assign a certificate to each employee so that the S/MIME standard is continuously introduced in the respective departments.
As a partner and registrar of the CA Sectigo, Secorio offers inexpensive and trusted mail certificates. Already from EUR 1 per month, private customers can build encrypted communication through our solution. For companies and public utilities, however, we recommend to use the more extended and qualified signatures.
Thanks to the long-standing cooperation with Sectigo, we offer all municipal utilities and electricity, gas and water suppliers, our free EPKI managed solution for managing our certificates. Each certificate, which is issued via the EPKI Manager, automatically contains the extended signing, as the certificate contains the company name and address as well as the employee's e-mail address and first and last name.
As a municipal utility, you can set a good example. The Data Protection Act recommends encrypted communication for all e-mails containing personal data. With the PKI solution from Secorio, you make the right choice: As an administrator, you independently manage your EPKI solution and can within a few seconds, apply for new certificates for your employees, which you can also revoke if necessary.
What are the requirements of the Federal Agency/Federal Network Agency?
Many companies currently have to deal with the topic of S/MIME e-mail certificates. We would like to familiarize you with the requirements of the Federal Network Agency.
The Federal Network Agency's goal is to introduce secure communication within Germany and in the EU. There are various ways to encrypt the e-mail communication. The most widely used technology worldwide for this are S/MIME certificates. In one Document the Federal Network Agency has created a regulation for the secure exchange of EDIFACT transmission files. It contains all regulations for a secure transmission of e-mails. In order to get the most important information from 26 pages shortly, we have summarized the conditions and requirements for the certificates.
Guidelines for the transmission way
Already since June 1, 2016, all e-mails in the German energy industry have to be signed or encrypted. For signing, the regulations listed below counts:
- In terms of 1: 1 communication, the data exchange is business-process-independent, ie the encryption and signature of the e-mail is uniform for all message types. All transmission files from a sender to a recipient must therefore be encrypted and signed.
- Encrypting and signing of e-mails is only permitted using the S/MIME standard, and it must be at least version 3.2 (IETF RFC 5751, release year 2010)
that is being used - Each market partner must use only one certificate for the email address used (more precisely the associated private key) for the signing. The same private key is used to decrypt the email sent to this email address by the other market partners.
Choosing the right certification authority
For your e-mail certificate to be valid, it must be issued by a trusted Certification Authority (CA). For the CAs, the conditions described in 5.5.1 apply:
- The CA has a callback service that can be used to revoke certificates. For this purpose, it keeps a so-called certificate revocation list (CRL),
which is publicly accessible.
Our certificates are cryptographed and issued by CA Sectigo (formerly Comodo). All certificates can be revoked by phone on +41 41 514 31 33 or by e-mail info@secorio.com. - The IT security of the CA operation is audited by an audit/certification according to a recognized audit/certification standard. There is a certification according to BSI TR03145, Secure Certification Authority operation recommended.
Secure Certification Authority operation empfohlen.
Our certificates are validated according to the guidelines of the CA / Browser Forum. Regular examinations are carried out by an external partner (Ernst & Young) . - The registration service, including service outsourced to service providers (registrars), is performed with a high level of security.
Secorio itself is a registry authority of Sectigo. For over 10 years, the two companies have maintained a close and strategic partnership to provide a high level of security. All certificates are checked and validated by at least 2 parties.
Further requirements of EDIFACT
Further requirements can be found in the EDIFACT document. Currently, the requirements for certification bodies are fully complied - the final implementation will take place in Q4 2019. Therefore, Secorio works closely with other certificate authorities to offer the appropriate certificates.
Requirements for e-mail certificates
The requirements for e-mail certificates are clarified in 5.5.2:
- The e-mail certificate has to be issued by a CA that meets the requirements just mentioned.
All requirements are fully met. - All certificates issued until 31.12.2017 must be signed with at least sha-256RSA signature algorithm. Certificates newly issued from 01.01.2018 to 31.12.2018 must be signed using either the RSASSA-PKCS1-v1_5 signature procedure (sha-256RSA or sha-512RSA signature algorithms) or RSASSAPSS. These certificates can be used to the maximum certificate validity (maximum 3 years) in the interim model of market communication.
Our S/MIME e-mail certificates contains the signature algorithm sha-256RSA and are issued with a maximum term of 3 years. An RSASSA encryption can optionally be added. - All S/MIME certificates issued after 01.01.2019 must be signed with RSASSA-PSS.
Sectigo is currently not supporting the RSASSA-PSS algorithm. This is expected to be implemented in Q1 2020. Through our contact to an alternative international supplier, we have the opportunity to issue certificates with higher encryption algorithms. - For the different uses for "signature" and "encryption", the same key pair is generated so that a so-called combined certificate is issued and used.
You can integrate our certificate into your e-mail client and, when composing e-mails, decide whether you want to sign or encrypt the e-mail. You do not need another certificate for this. - Certificates must provide advanced electronic signature.
Our S/MIME certificates can be issued as a Class 1 or Class 2 certificate. In particular for companies we recommend the use of our Enterprise Secure Email Certificate, which allows advanced signature. - The certificate must ensure identification and association with the company/service provider or organization that operates the e-mail address. This means that in the field O of the certificate must be the legal entity that operates the e-mail inbox for the e-mail address for which the certificate was issued, and under which the signed and encrypted e-mails are sent and received.
With our Enterprise Secure Email Certificates, your company will be validated and the existence of your certificate of incorporation will be checked. This ensures that the issued certificate can only be assigned to your company.
Algorithms and key lengths for S/MIME certificates
According to the guidelines under 5.5.3 of the Federal Network Agency, the following algorithms and keys with the specified key lengths must be used:
Signature:
- hash function:
- SHA-256 or SHA-512
our certificates are issued with a SHA-256 hash function.
- SHA-256 or SHA-512
- signature methods
- Since January 1, 2018, only the RSAES-OAEP signature procedure can be used.
Our RSASSA-PSS certificates fulfills this signature procedure. Certificates from Sectigo currently use the SHA-256 signature method.
- Since January 1, 2018, only the RSAES-OAEP signature procedure can be used.
encoding
- Content encryption:
- AES-128 CBC or AES-192 CBC
Our certificates meet the standard of content encryption through advanced technology.
- AES-128 CBC or AES-192 CBC
- Key encryption:
- RSA key length at least 2048 bits
see points "Signature method"
- RSA key length at least 2048 bits
E-mail certificates: recommended actions
Our Enterprise Certificates meets the requirements of the Federal Network Agency and thus offer a high degree of security. Our certificates undergo validation processes according to strict guidelines before they are issued. Our certificates will continue to evolve in the future to continuously meet updated standards and ensure the security of your e-mail communications.
You have questions or are not sure which is the right certificate for you? Our support team will be happy to help you on the phone on +41 41 514 31 33, via live chat or by e-mail at info@secorio.com.
What are the benefits of email certificates?
S/MIME e-mail certificates enable the sending of encrypted and/or digitally signed e-mails using your current client software - Microsoft® Outlook Express, Microsoft® Outlook®, Microsoft Office 365, Netscape Messenger, or any other S/MIME compliant software.
The certificates are compatible with over 99% of all email clients and gateways. With our certificates, you bind your email identity (email address and, if desired, company name, address, first and last name) to the cryptographic key used to sign and encrypt emails, thus protecting your data from third parties.
FAQ about your order
I have to organize certificates for my employees - what should I do best?
We, Secorio AG, offer enterprise customers free E-PKI (management solution for SSL & S/MIME certificates) EPKI Manager an für vereinfachte und rasche Zertifikatsbeantragungen. So werden Sie innert wenigen Minuten S/MIME Zertifikate ausstellen und produktiv einsetzen können. In einem ersten Schritt klären wir gemeinsam mit Ihnen den Bedarf an S/MIME E-Mail Zertifikaten, und lassen Ihnen ein passendes Angebot zukommen. Danach wird der EPKI Account aufgesetzt, validiert und aktiviert. Anschliessend können Sie die gewünschten Zertifikate rasch und unabhängig von uns über das S/MIME Verwaltungstool ausstellen. Mindestanzahl Zertifikate für E-PKI Verwaltungslösung: 10 Zertifikate.
We would like to offer S / MIME certificates to our customers? Is there a reseller solution?
There are various ways in which you as an IT service provider can order S/MIME certificates for your customer. Secorio is very flexible in terms of billing and communication - just contact us with your wishes.
Administration of EPKI solution for your customer:
You create an EPKI managed solution on behalf of your customers and manage it for them. If required, we will invoice you - so the customer will not get in contact with us and you can invoice your customers directly for your services. Please let us know how you would like to be invoiced.
WebHost Reseller / Ordering URL
Through our reseller solution you can send an order link directly to your customer. you can authorize the individual orders and thereby have the control and the overview of the individual certificates. We will invoice you based on your needs. You can easily and flexibly issue any S/MIME certificate for your customers.
Affiliate Reseller/First Partner Program for S/MIME Certificates:
Thanks to our affiliate program, you can provide your customers with a link to order any e-mail certificate. As a partner you receive a commission of 25% on all purchases of your customer, which are registered via the tracking code. Send an E-Mail to info@secorio.com to receive more Information about our Affiliate Program.
How do I send my S / MIME certificate to someone so that they can send me crypted e-mails?
After receiving your email certificate, you will need to send your public key to the people you want to exchange encrypted email with. Simply send a digitally signed email, which automatically sends your public key. Recipients then only need to add your email address to their address book (point the cursor to the email address, click on the right mouse button, select option "Add Outlook Contacts"), which automatically saves your public key.
IMPORTANT: Encryption is only possible if both sender and recipient have a valid S/MIME certificate and the public keys have been exchanged in advance.
S/MIME EMAIL CERTIFICATES
OFFER FOR S/MIME
Are you planning to use S / MIME e-mail certificates in your company or do you already have certificates from another provider? We are pleased to send you an individual offer.