====== Scenario 3.4: Issue S/MIME Certificate ======
**Category:** [[.:start|Issue Certificates]] \\
**Complexity:** *** (Medium-High) \\
**Prerequisites:** CSR with email address \\
**Estimated Time:** 10-15 minutes
----
===== Description =====
This scenario describes issuing an **S/MIME certificate** for email encryption and signing. S/MIME certificates enable secure email communication through digital signatures and encryption.
**Functions:**
* Email signing (authenticity, integrity)
* Email encryption (confidentiality)
* Sender verification
----
===== Code Example (C#) =====
<code csharp>
using System.IO;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();
var caCert = ctx.LoadCertificate("user-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("user-ca.key.pem", "CaPassword!");
var csr = ctx.LoadCertificateRequest(File.ReadAllText("smime.csr.pem"));

// Issue S/MIME certificate
var smimeCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false, critical: true)
        // Key Usage for signing AND encryption
        .KeyUsage(
            KeyUsageFlags.DigitalSignature |
            KeyUsageFlags.KeyEncipherment |
            KeyUsageFlags.DataEncipherment,
            critical: true
        )
        // Extended Key Usage: Email Protection
        .ExtendedKeyUsage(ExtKeyUsage.EmailProtection)
        // Email address as SAN (REQUIRED for S/MIME!) - must match the address in the CSR
        .SubjectAlternativeName(new[] {
            "email:john.doe@example.com"
        })
        .SubjectKeyIdentifier(csr.PublicKey)
        .AuthorityKeyIdentifier(caCert)
        .Build()
);
smimeCert.ToPemFile("smime.crt.pem");

// PFX for email client import. The PFX must contain the subject's private key, which the
// CA only holds if it generated the key pair on the user's behalf; the key file name and
// password below are placeholders.
var smimeKey = ctx.LoadPrivateKey("smime.key.pem", "KeyPassword!");
var pfx = ctx.ExportToPfx(smimeCert, smimeKey, new[] { caCert }, "Password!");
File.WriteAllBytes("smime.pfx", pfx);
</code>
----
===== S/MIME Certificate Types =====
^ Type ^ Validation ^ Usage ^
| Class 1 | Email control | Personal, free |
| Class 2 | Identity verification | Business |
| Class 3 | Extended verification | Enterprise, Qualified |
----
===== Key Usage Details =====
^ Flag ^ Usage in S/MIME ^
| digitalSignature | Sign email |
| keyEncipherment | Encrypt session key (RSA) |
| dataEncipherment | Encrypt data directly |
| nonRepudiation | Legally binding signature (optional) |
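As an added example (not part of the original scenario code or the WvdS library), the following stand-alone .NET 5+ program verifies that an issued certificate actually carries the profile described above before it is handed to the user: a critical keyUsage including digitalSignature and keyEncipherment, the emailProtection EKU, and an rfc822Name in the SAN that matches the expected mailbox. It reads the smime.crt.pem written by the scenario code (file name and mailbox taken from this page, both overridable via command-line arguments) and uses only System.Security.Cryptography and System.Formats.Asn1.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SmimeProfileCheck
{
    const string EmailProtection = "1.3.6.1.5.5.7.3.4"; // id-kp-emailProtection
    const X509KeyUsageFlags Needed = X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment;
    // Walks the subjectAltName GeneralNames SEQUENCE and yields every rfc822Name ([1] IA5String); other choices are skipped.
    static IEnumerable<string> Rfc822Names(X509Extension san)
    {
        var seq = new AsnReader(san.RawData, AsnEncodingRules.DER).ReadSequence();
        while (seq.HasData)
        {
            var tag = seq.PeekTag();
            if (tag.TagClass == TagClass.ContextSpecific && tag.TagValue == 1)
                yield return seq.ReadCharacterString(UniversalTagNumber.IA5String, tag);
            else
                seq.ReadEncodedValue(); // dNSName, iPAddress, ... are irrelevant for S/MIME
        }
    }

    // Returns the profile violations found; an empty list means the certificate fits the S/MIME profile.
    public static List<string> Check(X509Certificate2 cert, string expectedEmail)
    {
        var problems = new List<string>();
        var ku = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (ku == null || !ku.Critical || (ku.KeyUsages & Needed) != Needed)
            problems.Add("keyUsage must be critical and include digitalSignature + keyEncipherment");
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku == null || !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == EmailProtection))
            problems.Add("extendedKeyUsage lacks emailProtection (1.3.6.1.5.5.7.3.4)");
        var san = cert.Extensions.OfType<X509Extension>().FirstOrDefault(e => e.Oid?.Value == "2.5.29.17");
        if (san == null || !Rfc822Names(san).Contains(expectedEmail, StringComparer.OrdinalIgnoreCase))
            problems.Add($"subjectAltName has no rfc822Name {expectedEmail}");
        return problems;
    }

    static void Main(string[] args)
    {
        // Defaults to the smime.crt.pem and mailbox from the scenario; pass <cert.pem> <email> to override.
        var cert = X509Certificate2.CreateFromPemFile(args.Length > 0 ? args[0] : "smime.crt.pem");
        var problems = Check(cert, args.Length > 1 ? args[1] : "john.doe@example.com");
        Console.WriteLine(problems.Count == 0 ? "S/MIME profile OK" : string.Join(Environment.NewLine, problems));
    }
}
```

A non-empty result means the email client will either refuse the certificate or silently fall back to an unsigned or unencrypted mode, so run this check before exporting the PFX.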
----
===== Outlook / Thunderbird Import =====
1. Double-click PFX file
2. Follow import wizard
3. Enter password
4. "Automatically select store"
5. In Outlook: File -> Options -> Trust Center -> Email Security
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Related** | [[en:int:pqcrypt:szenarien:signaturen:dokument_signieren|8.1 Sign Document]] | Email as document |
| **Related** | [[en:int:pqcrypt:szenarien:verschluesselung:hybrid_encryption|7.1 Hybrid Encryption]] | Email encryption |
| **Prerequisite** | [[en:int:pqcrypt:szenarien:csr:csr_client|2.2 Client CSR]] | CSR with email |
----
<< [[.:codesign_cert|<- 3.3 Code-Signing]] | [[.:start|^ Certificates Overview]] | [[.:wildcard_cert|3.5 Wildcard Certificate ->]] >>
{{tag>scenario certificate smime email encryption signature}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//