Tired of managing certificates? Automate it with ZeroSSL   Learn about ZeroSSL Automation x

Email Certificates (SMIME Certificates)

Email Certificates

Email certificates, also known as SMIME certificates, are digital certificates that can be used to sign and encrypt email messages. When you encrypt an email using an email certificate, only the person that you sent it to can decrypt and read the email.  The recipient can also be sure that the email hasn’t been changed in any way.

Why do I need email certificates?

If you don’t use an email certificate, your emails can be read by anyone, or any server, that is used to pass the emails to the recipient. This can be a lot people. This would be like sending a postcard through the mail so that all of the postal workers and anyone who really wants to can read it. With an email certificate, you are 100% guaranteed to have secure email while it is being transmitted.

Some email servers use a different kind of certificate called a server authentication SSL certificate. This secures all email transmissions from the server to your local computer, but once you send an email to another email account on another email server, it leaves that safe haven and travels to the unprotected lines of the Internet where anyone can read it. An SMIME certificate ensures end-to-end security.

How do I get email certificates?

The process of getting an email certificate is very simple. You simply apply for one from an SSL Certificate Authority and then prove that you own your email address. You’ll typically respond to an email that the certificate provider sends to your address. They will then send you the certificate file that you can install to your email client using the instructions below.

Some email certificates are free for personal use while others cost money. Use the following chart to find an email certificate provider:

Provider

Cost

CA Rating

Trusted By Default?

More Info

SSL.com

$30 for 1 Year

SSL.com Email Certificates

Sectigo

$13 for 1 Year for Basic

Sectigo Email Certificates

DigiCert

$34 for 1 Year

DigiCert Email Certificates

CACert

Free

 

Email and Client Certificates

How do I install an SMIME certificate?

For step-by step instructions on how to order and install an SMIME certificate, see the following tutorials:

How does an SMIME Email Certificate work?

Once you install the SMIME (Secure / Multipurpose Internet Mail Extensions) certificate in your email client, you will send a signed email to people that need to send encrypted emails to you. Your contacts’ email client should automatically download your certificate add it the address book. From then on, your contacts can send you encrypted emails by clicking the “Encrypt” button when creating a new email. Different email clients handle this differently than others so make sure to check the documentation of the email client that you use.

What email clients can I use with an SMIME certificate?

Unfortunately, most webmail clients (OWA, Gmail, Hotmail, Yahoo), do not currently support SMIME certificates, but most desktop email clients, including the following, do support email certificates:

  • Microsoft Outlook
  • Outlook Express
  • Mozilla Thunderbird
  • Apple Mail.app
  • Netscape Messenger
  • Qualcomm Eudora

Problems with Email certificates

  • Not all email clients support SMIME certificates so users may be confused by the smime.p7s attachment on emails.
  • Email certificates aren’t normally considered practical for webmail clients because the private key would need to be kept on the server, preventing end-to-end encryption.
  • Malware can be sent to in an encrypted email without being stopped by a company gateway.
  • The private key of the SMIME certificate could be lost and the messages would not be readable.

Originally posted on Tue Sep 15, 2009

Comments


Bernd Webster(2014-12-13)

S/Mime is also supported by Lotus Notes since Version 7 ;-).

Dean Stefanov(2014-12-13)

Signing an encrypting an e-mail are two separate processes.

The statement "when you sign an email using an email certificate, only the person that you sent it to can decrypt and read the email." is not correct.

If you have a SMIME certificate you can sign your outgoing e-mails. The recipients, will know that the e-mails were send really from you, and that the e-mails were not tampered with. These e-mails are not encrypted, though!

Once the recipient has your public key (an email signed with your digital signature), he can decide to encrypt the e-mails he is sending back to you, with your public key. These emails are encrypted, and can be decrypted only by you (or a person, having your private key).

Regards,

Dean

Johan Fransson Zenzén(2017-01-16)

Startcom are not trusted any more...

SSL Shopper(2017-01-16)

Thanks, Johan. I removed them from the list.

shubhangi suralkar(2017-03-23)

The private key of the SMIME certificate could be lost and the messages would not be readable is any action can we take if pvt key has been lost.?????

SSL Shopper(2018-03-09)

Thanks, Shane. I'll update the wording to be more clear.

D K(2018-09-03)

My Yubkeys (Yubikey 4, Yubikey NEO ) both report my commercially available S/MIME certs exceed the bytes allowed (for example for the Yubikey 4 the limit is 3049 bytes. Yubico sez it "does not keep lists..." so I am stuck as to a source. I can't use self-signed keys. Please is there a brand of commercial cert that allows you to limit the size of the certificate requested?
Thanks for ANY help. d

MrCalvin(2018-09-15)

Symantec and GeoTrust don't provide those email/ s/mime certificate anymore!

Andrew(2019-04-19)

Looks like the free COMODO certificates are now only valid for 1 month!

SSL Shopper(2019-04-20)

Thanks, Andrew. I'll work on updating that.

Andrew(2019-04-20)

I did find one provider still doing 1 year for free for personal use:

https://www.actalis.it/prod...

They appear to be trusted / have well distributed root certs.

Stephen Zurcher(2019-04-29)

Since they are an Italian company it makes sense, but unfortunately I don't read Italian and could only find their Terms and Conditions pdf in Italian. I know folks generally at best skim T&C docs, but for something like encryption/security I think it's probably required reading.

Jake Segundo(2021-04-03)

I got one and it works, one year expiry - but they want your consent first that they can use your email for marketing etc, so they'll probably also sell it. So there's a price you pay anyway, I guess.

gdeff(2019-06-18)

GeoTrust no longer offers My Credential and EPM credential certificates.
https://www.geotrust.com/si...

SSL Shopper(2019-06-18)

Thanks! I'll update the page.

Advertisement • Hide