Scenario 3.4: Issue S/MIME Certificate

Category: Issue Certificates
Complexity: * (Medium-High)
Prerequisites: CSR with email address
Estimated Time: 10-15 minutes </WRAP>

----

===== Description =====

This scenario describes issuing an S/MIME certificate for email encryption and signing. S/MIME certificates enable secure email communication through digital signatures and encryption.

Functions:
  * Email signing (authenticity, integrity)
  * Email encryption (confidentiality)
  * Sender verification

----

===== Code Example (C#) =====

<code csharp>
using System.IO;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

var caCert = ctx.LoadCertificate("user-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("user-ca.key.pem", "CaPassword!");
var csr = ctx.LoadCertificateRequest(File.ReadAllText("smime.csr.pem"));

// Issue S/MIME certificate
var smimeCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false, critical: true)
        // Key Usage for signing AND encryption
        .KeyUsage(
            KeyUsageFlags.DigitalSignature |
            KeyUsageFlags.KeyEncipherment |
            KeyUsageFlags.DataEncipherment,
            critical: true
        )
        // Extended Key Usage: Email Protection
        .ExtendedKeyUsage(ExtKeyUsage.EmailProtection)
        // Email address as SAN (REQUIRED for S/MIME!)
        .SubjectAlternativeName(new[] { "email:john.doe@example.com" })
        .SubjectKeyIdentifier(csr.PublicKey)
        .AuthorityKeyIdentifier(caCert)
        .Build()
);

smimeCert.ToPemFile("smime.crt.pem");

// PFX for email client import. The PFX must contain the subject's private key,
// which belongs to the CSR owner, not the CA; the key file name and password
// below are assumed, since the original listing left smimeKey undefined.
var smimeKey = ctx.LoadPrivateKey("smime.key.pem", "KeyPassword!");
var pfx = ctx.ExportToPfx(smimeCert, smimeKey, new[] { caCert }, "Password!");
File.WriteAllBytes("smime.pfx", pfx);
</code>

----

===== S/MIME Certificate Types =====

^ Type ^ Validation ^ Usage ^
| Class 1 | Email control | Personal, free |
| Class 2 | Identity verification | Business |
| Class 3 | Extended verification | Enterprise, Qualified |

----

===== Key Usage Details =====

^ Flag ^ Usage in S/MIME ^
| digitalSignature | Sign email |
| keyEncipherment | Encrypt session key (RSA) |
| dataEncipherment | Encrypt data directly |
| nonRepudiation | Legally binding signature (optional) |

----

===== Outlook / Thunderbird Import =====

<code>
1. Double-click PFX file
2. Follow import wizard
3. Enter password
4. "Automatically select store"
5. In Outlook: File → Options → Trust Center → Email Security
</code>

----

===== Related Scenarios =====

^ Relationship ^ Scenario ^ Description ^
| Related | 8.1 Sign Document | Email as document |
| Related | 7.1 Hybrid Encryption | Email encryption |
| Prerequisite | 2.2 Client CSR | CSR with email |

----

« <- 3.3 Code-Signing | ^ Certificates Overview | 3.5 Wildcard Certificate -> »
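Before handing an issued certificate to a mail client, it is worth checking that it actually carries the S/MIME profile described above (CA=false, digitalSignature and keyEncipherment, id-kp-emailProtection, and an rfc822Name SAN for the mailbox). The following checker is an added example and is not part of this page or of the WvdS library; it uses only the .NET base class library (System.Security.Cryptography.X509Certificates and System.Formats.Asn1, .NET 6 or later). The file path and email address come from the command line; the OIDs are the standard ones from RFC 5280.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: verify that a certificate matches the S/MIME profile.
public static class SmimeProfileCheck
{
    private const string EmailProtectionOid = "1.3.6.1.5.5.7.3.4"; // id-kp-emailProtection
    private const string SubjectAltNameOid = "2.5.29.17";          // id-ce-subjectAltName

    // Returns a list of profile violations; empty means the certificate passes.
    public static IReadOnlyList<string> Check(X509Certificate2 cert, string expectedEmail)
    {
        var problems = new List<string>();

        var bc = cert.Extensions.OfType<X509BasicConstraintsExtension>().FirstOrDefault();
        if (bc == null || bc.CertificateAuthority)
            problems.Add("basicConstraints must be present with CA=false");

        var ku = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (ku == null)
            problems.Add("keyUsage extension missing");
        else
        {
            if (!ku.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature))
                problems.Add("keyUsage lacks digitalSignature (needed to sign mail)");
            if (!ku.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment))
                problems.Add("keyUsage lacks keyEncipherment (needed for RSA-encrypted mail)");
        }

        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku == null || !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == EmailProtectionOid))
            problems.Add("extendedKeyUsage lacks id-kp-emailProtection");

        var emails = Rfc822Names(cert).ToList();
        if (!emails.Contains(expectedEmail, StringComparer.OrdinalIgnoreCase))
            problems.Add($"subjectAltName has no rfc822Name for {expectedEmail} (found: {string.Join(", ", emails)})");

        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            problems.Add("certificate is outside its validity period");

        return problems;
    }

    // The BCL exposes DNS and IP SAN entries directly but not rfc822Name ([1] IA5String),
    // so walk the DER-encoded GeneralNames SEQUENCE and pick out the tagged entries.
    public static IEnumerable<string> Rfc822Names(X509Certificate2 cert)
    {
        var san = cert.Extensions[SubjectAltNameOid];
        if (san == null) yield break;

        var rfc822Tag = new Asn1Tag(TagClass.ContextSpecific, 1);
        var reader = new AsnReader(san.RawData, AsnEncodingRules.DER);
        var names = reader.ReadSequence();
        while (names.HasData)
        {
            if (names.PeekTag().HasSameClassAndValue(rfc822Tag))
                yield return names.ReadCharacterString(UniversalTagNumber.IA5String, rfc822Tag);
            else
                names.ReadEncodedValue(); // skip dNSName, iPAddress, directoryName, ...
        }
    }

    // Usage: dotnet run -- smime.crt.pem john.doe@example.com
    public static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: <certificate.pem> <expected-email>");
            return 2;
        }
        using var cert = X509Certificate2.CreateFromPem(File.ReadAllText(args[0]));
        var problems = Check(cert, args[1]);
        if (problems.Count == 0)
        {
            Console.WriteLine($"OK: {cert.Subject} is usable for S/MIME as {args[1]}");
            return 0;
        }
        foreach (var p in problems) Console.WriteLine("FAIL: " + p);
        return 1;
    }
}
```

The checker deliberately ignores dataEncipherment and nonRepudiation, which the Key Usage table marks as optional; a certificate that lacks an rfc822Name SAN, or carries only the address in the Subject DN, is reported as a failure because mail clients match the sender address against the SAN.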

----

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: on 2026/01/30 at 12:37 AM
