SECURE EMAIL USER GUIDE – OUTLOOK 2000
WELLS FARGO AUTHENTICATION SERVICES
DATED: MAY 2003
INSTALLING THE WELLS FARGO ROOT CERTIFICATE CHAIN
INSTALLING THE CERTIFICATES INTO IE
SETTING UP THE SECURITY PROFILE IN OUTLOOK
USING THE CERTIFICATES IN OUTLOOK MAIL
SENDING ENCRYPTED EMAIL
BACKING-UP DIGITAL CERTIFICATES
RESTORING YOUR DIGITAL CERTIFICATE
STORING PUBLIC ENCRYPTION KEYS
SENDING SIGNED / ENCRYPTED MAIL USING OUTLOOK
READING AN ENCRYPTED MESSAGE
CUSTOMIZING OUTLOOK FOR SINGLE-CLICK SIGN AND ENCRYPT
MESSAGES / SYMBOLS
General Information
Purpose of Using Encryption
Use encryption to secure email whenever you send confidential data across the Internet. Public key encryption ensures that only the intended recipient can open and read the email message and that it cannot be intercepted or tampered with by someone else.
Requesting the Service
Use of digital certificates issued out of the Wells Fargo PKI requires a sponsor within Wells Fargo to submit a request for a certificate on your behalf. Speak with your account representative about acquiring a digital certificate for yourself or others in your organization if using secure email to protect confidential data in transit could facilitate your business dealings with Wells Fargo.
Installing the Wells Fargo Root Certificate Chain
1. Click on the appropriate button for your browser type.
IE users will see the following screen:
1. Click on Yes.
The Wells Fargo root certificate will now appear in your trusted root store.
Installing the Certificates into IE
The following steps are general instructions for users and may not exactly apply to your situation.
In all cases, adjust the specific instruction to your situation.
Use your passphrase to open the .p12 file you received from the Wells Fargo PKI. Save the certificate files to a local drive – do not change their names.
1. Navigate to your personal drive (here, the H:/ drive is used) in the Save in: field.
2. Do not change the name or file type in the File name: and Save as type: fields.
3. Click on the Save button.
4. Repeat for both files, the Signing and the Encryption certificate.
1. Using Windows Explorer, navigate to your personal drive.
2. Open the Signing certificate first by double clicking on it.
The Certificate Import Wizard will begin automatically.
1. Click on the Next > button.
The File name: field will automatically be populated.
1. Click on the Next > button
1. Enter the passphrase that you previously entered when requesting the PKI certificates.
The same passphrase is used throughout the installation process.
2. Select the Enable strong private key protection field.
3. Select the Mark the private key as exportable field.
4. Click on Next >.
1. Select the Automatically select the certificate store based on the type of certificate field.
2. Click on Next >.
1. Click on the Finish button
1. Click on Set Security Level
2. Select the security level.
a. Selecting “High” will offer the greatest protection. It will require you to create a password to access your certificate that only you will know and which you will have to remember to use your digital certificates. Every time you access your certificate, you will be required to input the password that you created.
i. Recommended for high-risk transactions, and
ii. High-risk workstations.
b. If you select Medium, you will not be required to create a password or to enter one every time you use the certificate. The system will tell you when the private key of the key pair is being accessed, and you will be required to approve that use, but no password or strong security will be attached to the use of the certificate. Medium users can skip the next two screens; the security level will be set to Medium.
i. Recommended for lower risk transactions, and
ii. Secured workstations (nobody uses it but the certificate owner).
1. In the Password for: field, enter your first name, a space, and sig (as shown in the example above).
2. Create a new password in the Password: field.
3. Re-enter the new password in the Confirm: field.
4. Click on Finish.
1. Click on OK
Once complete, you will see the successful window.
1. Click on OK.
Now you must import the encryption file, using the same screens.
1. Using Windows Explorer, navigate to your personal drive.
2. Open the Encryption certificate by double clicking on it.
3. Click on the Next > button
1. Click on the Next > button
1. Enter the same (one and only) password you originally obtained to access the PKI system, not the password you just created in the previous steps.
2. Select Enable strong private key protection.
3. Select Mark the private key as exportable.
4. Click on Next >.
1. Select Automatically select the certificate store based on the type of certificate.
2. Click on the Next > button.
1. Click on the Finish button
1. Click on Set Security Level…
1. Select the security level
a. Selecting “High” will offer the greatest protection. It will require you to create a password to access your certificate that only you will know and which you will have to remember to use your digital certificates. Every time you access your certificate, you will be required to input the password that you created.
i. Recommended for high-risk transactions, and
ii. High-risk workstations.
b. If you select Medium, you will not be required to create a password or to enter one every time you use the certificate. The system will tell you when the private key of the key pair is being accessed, and you will be required to approve that use, but no password or strong security will be attached to the use of the certificate. Medium users can skip the next two screens; the security level will be set to Medium.
i. Recommended for lower risk transactions, and
ii. Secured workstations (nobody uses it but the certificate owner).
2. Click on Next >
1. In the Password for: field, enter your first name, a space, and enc (as shown in the example above).
2. Enter the same new password you created in the signing certificate steps in the Password: field.
3. Re-enter the same password in the Confirm: field.
4. Click on the Finish button.
1. Click on the OK button
You will see the successful window.
1. Click on OK
Setting up the Security Profile in Outlook
1. On the main menu in Outlook 2000, click on Tools.
2. Click on Options.
1. Click on the Settings… button
1. Click on the New button
1. Enter your name in the Security Settings Name: field.
2. Click on the Choose… button in the middle of the screen.
1. Highlight the “signing” certificate, titled Signing Key.
2. Click on OK.
Click on the Choose… button on the lower portion of the screen
1. Highlight the encryption certificate.
2. Click on the OK button.
1. Click on OK
1. In Outlook, create a new email message.
2. Click on the Options… button.
1. Click in the Add digital signature to outgoing message field.
2. Click on Close.
Do not select this option
Now you must enter the new password you created when downloading the certificates. You should have only used one password.
1. For those with the security level set to High, enter your password in the first field.
If you selected High security, do NOT click in the Remember password field. If you do, the system will never ask for your password again. That would defeat the purpose of using encrypted email, which requires both the sender and the receiver to enter their passwords.
Send the email message. You will see a red and yellow certificate symbol on any emails that are sent using certificate keys, as noted in the first email on the screen above.
When you open the email, you will see the same red and yellow certificate symbol on the right side of the email message, in the shaded area.
The other party must also have secure email certificates on their side. Have the person send you an email message with their digital signature certificate attached. When received, add the person to your contacts as follows.
1. Open the email message
2. Right-click on the sender's name in the shaded area.
3. Select Add to Contacts.
Enter any data about your new Contact that you need to have beyond the information automatically captured – name and email address, and the certificate.
1. Click on the Certificates tab
2. Click on the Properties… button to view their certificate information
1. Click on OK
2. Click on Save and Close near the top left of the screen.
Once both sides have saved the other person to their contacts, you will be able to exchange signed and/or encrypted emails.
Sending Encrypted Email
Encrypted email may be sent once signature keys are exchanged.
From a New Message Window, click on the “To” button. Select the recipient from your Contacts List.
1. In Outlook, create a new email message.
2. Click on the Options… button.
1. Click in the Encrypt message contents and attachments field.
2. Click on Close.
Do not select this option
Now you must enter the new password you created when downloading the certificates. You should have only used one password.
1. For those who have set the security level to High, enter your password in the first field.
Do not click in the Remember password field. If you do, the system will never ask for your password again. That would defeat the purpose of using encrypted email, which requires both the sender and the receiver to enter their passwords.
2. Click on OK
3. Send the encrypted email.
You will see a blue certificate on any emails sent to you indicating they are encrypted.
All new messages sent encrypted will have the blue lock symbol as displayed above in the
Backing-up Digital Certificates
1. From the Outlook Main menu select Tools.
2. Click on Options.
3. Click on the Security tab.
4. Click on Import/Export…
The Import/Export Security Information and Digital ID dialog box will be displayed.
1. Click on Export your Exchange or S/MIME Security Information.
2. Click on the Select button.
3. The Certificate Store will be displayed; highlight the digital certificate to export.
4. Click OK.
1. Enter your certificate passphrase.
Do NOT select “Delete Security Information Digital ID from the system.”
2. Click OK.
Restoring Your Digital Certificate
Complete the following steps to restore your digital certificate.
1. From the Outlook Main menu select Tools.
2. Click on Options.
3. Click on the Security tab
4. Click on Import/Export Digital ID…
1. Click on the Import existing Digital ID from a file option.
2. Click on the Browse… button.
1. Select the security file to import.
2. Click Open.
The Import/Export Security Information and Digital ID dialog box will be displayed.
1. Enter the password for the file and a Friendly Name for the certificate.
2. Click OK.
Your certificate will be imported into the Certificate Store.
to persons for whom you have the certificates through Contacts.
Sending Signed / Encrypted Mail using Outlook
Signing and/or encrypting mail messages in Outlook can be set at a global level or for each message, as the user prefers. Each time a message is sent, Outlook signs it with the private key of the certificate owner’s signing certificate and includes the public key of the certificate owner’s encryption certificate. The steps are outlined below.
Note: Selecting Signing at a global level will require the certificate owner to enter their password each time they send a signed message.
Note: Wells Fargo has many different configurations of Internet Explorer and Outlook in place.
Not all Outlook configurations can accept signed email. In most cases, users with IE 5.5 and Outlook 98 or higher can accept signed messages. If you are sending a signed message to an internal recipient for the first time, you may want to follow up and determine whether they could open the signed message successfully. If not, an upgrade may be required.
Global Signing
1. From the Main Outlook screen select Tools/Options/Security.
2. Click “Add digital signature to outgoing messages” box.
3. Click OK to accept the changes.
Global Encryption
1. From the Main Outlook screen select Tools/Options/Security.
2. To encrypt all outgoing messages select the “Encrypt contents and attachments for outgoing messages” box.
3. Click OK to accept the changes.
Signing a Single Message
1. From a message screen, click the “Options” button.
2. In the Message Options screen select “Add digital signature to outgoing message”.
3. Click on “Close”.
Encrypting a Single Message
1. From a message screen, click the “To…” button to select the recipient, then click the “Options” button.
2. In the Message Options screen select “Encrypt message contents and attachments”
3. Click on “Close”.
1. Enter your password in the space provided.
2. Click OK.
Customizing Outlook for Single-Click Sign and Encrypt
To set up native Outlook for single-click sign and/or encrypt control:
1. Open a new email message.
2. Select Tools on the menu bar.
3. Click on Customize…
1. Click on the Command tab
2. Highlight “Standard” in the Categories: box
3. Scroll down and find the following 2 choices in the Commands: box:
– Encrypt Message Contents
– Digitally Sign Message
4. Highlight these choices and drag and drop these icons onto your message toolbar.
5. Click on Close.
Now you can digitally sign and/or encrypt by clicking a single button.
Messages / Symbols
Non-Secure Recipients
The system cannot find the recipient’s public key to encrypt the message.
Remedy: If you do not have the recipient’s public key, ask the recipient to send you a signed message, store their key in your local Contacts List, then try re-sending the message.
If you have the recipient’s public key, then address the message from your Contacts List.
Secure Message Icons
When you receive a secure message – either signed and/or encrypted – Outlook will display a sealed envelope with a blue lock.
Blue Pen
The message was sent using Exchange Server security.
Red Certificate
• The message was sent using S/MIME and has an invalid certificate or a certificate with an unknown verification source.
• The message was sent using S/MIME and includes a digital ID that is clear signed.
To include a digital ID, follow these steps:
1. On the Tools menu, click Options.
2. On the Security tab, click Add digital signature to outgoing messages, and Send clear text signed message.
The ribbon indicates the message is signed.
Encryption Algorithm Message
Double-clicking on an encryption icon from within a message displays a message identifying the encryption algorithm.
Certificate
Clicking on the “Encryption Certificate” or “Signing Certificate” button displays the digital certificate.
You can view the detail, certificate path or trust by clicking on the appropriate tabs.
Out of Memory or System Resources
Outlook is unable to open a signed message, or you have aborted a signing operation.
Key Not Found
Outlook was unable to locate your private key to decrypt. Your key may have been deleted or lost.
Password Mismatch
You entered your password incorrectly.