KU uses DigiCert certificates for email signing and encryption. Because the root is widely distributed you can digitally sign email to anyone—on or off campus—with no special setup required by the recipient.
Whether you already use encryption or are signing up for the first time, use the three steps below to set up email encryption with DigiCert certificates.
Note: All KU-based certificates expired on October 1, 2011. If you currently have KU encryption credentials and have encrypted email in any of your mailboxes, be sure to leave the expired credentials in place for reading email encrypted with them. This will not interfere with installing and configuring DigiCert credentials.
- Outlook (2007, 2010, 2011)
- Entourage (2008, EWS)
- Outlook Web Access (OWA) (requires Internet Explorer (IE) with S/MIME extension)
Set up email encryption and digital signing
1. Request DigiCert KU digital credentials. This requires a KU Online ID. You will receive two separate emails from DigiCert. Read the instructions for step 2 BEFORE opening the emails. Use Internet Explorer (on Windows) or Safari (on Macintosh) to process the links in the emails you receive in this step. If you use Firefox you will need to manually export the certificates it generates, and then import them for use with Outlook.
2. Process the email from DigiCert to create the certificates. After requesting KU digital credentials you will receive two email notices from DigiCert: one for creating a digital ID for escrowed encryption and one for creating a digital ID for email authentication. You need both of these. The emails will come from DigiCert Support <email@example.com>, and the links will be to https://www.digicert.com/enterprise/personal-ids/create-id.php and will not request any personal information. Be sure to process both of the emails.
3. Configure your email program to use the certificates. You need both of them. Select your email program from the list of supported systems for specific instructions. If you have questions, please contact your departmental technical support staff or the Information Technology Customer Service Center.
Types of KU Credentials
For escrowed encryption certificates DigiCert generates both the private key and certificate. It distributes these to the user and keeps a copy of the private key in escrow for the University's benefit. This may be retrieved by the person whose email address is in the certificate if they need to recover it for any reason. It may also be retrieved through an administrative procedure if it becomes necessary to recover encrypted material and the user cannot provide the key.
For email authentication certificates the private key is generated directly on the user's computer so the user has the only copy. The user's computer sends the corresponding public key to DigiCert in a certificate signing request (CSR) and DigiCert returns a signed certificate. This provides "nonrepudiation" for use of the identity. The user controls the private key from the moment it is generated, so no one else can generate a signature or access a system using this identity.
For multi-purpose certificates a single key/certificate pair can be used for both encryption and signing. The private key is generated on the user's computer and is not escrowed. If it is lost or unavailable, any material encrypted with it cannot be read. These are not currently used by KU.

Users will normally get both escrowed encryption and email authentication certificates. They then configure their email program to use the first for encryption and the other for signing. Encryption certificates can be published to the Exchange Global Address List to make them available to people who need to send encrypted email or documents. The process for this is documented in the email setup instructions.

Prior to October 2011 KU used certificates signed by a KU-based Certification Authority. These required installation of the KU root certificate on any systems where they were used. The last of these expired on October 1, 2011. Users who have email encrypted with them should leave the certificate/key pairs installed for reading old email, but the certificates cannot be used for encrypting new messages.
Import/Export Certificates and Keys
Your certificates and the corresponding private keys can be stored in various places depending on the system and browser you use to generate them and the applications in which you will use the certificates. Use the links below if you need to export your certificates from one location and import them into another. This can be moving from one location to another on a single computer or using a file to move certificates from one computer to another.
Remember that the .p12 or .pfx files generated by the export procedures contain a copy of your private key. It is extremely important to keep the files you export secure, even though their contents are protected by the password you enter as you export the certificate and key.
- Export from Windows Firefox
- Export from Windows Certificate Store
- Export from Macintosh Firefox
- Export from Macintosh Keychain
Best Practices for Secure Email Use
- Always digitally sign your email messages unless you know that a recipient is unable to read email with a digital signature.
- Encrypt email that contains information that should be seen only by the intended recipient.
A few examples of information that should always use email encryption (or not be sent via email) include:
- Non-directory student or prospective student records as defined by the Family Educational Rights and Privacy Act (FERPA) and the University Student Records Policy (including grades, exams, rosters, official correspondence, etc.)
- Financial aid and scholarship records
- Individually identifiable personnel records
- Personal information used to verify identity, including but not limited to Social Security numbers (SSN) and University of Kansas ID numbers (KU ID)
- Passwords and PINs
- Individually identifiable health information protected by state or federal law (including but not limited to "protected health information" as defined by the Health Insurance Portability and Accountability Act (HIPAA))
- Individually identifiable information created and collected by research projects
- Credit card numbers and financial transactions covered by the Payment Card Industry (PCI) Standard
- Physical building details
- Donor or prospect information
- Information resources with access to confidential or sensitive data
Availability and Terms
Each set of KU digital credentials consists of two parts:
- a private key
- a public key certificate (includes the public key, validity period, identification, and Certification Authority signature)
Private keys are used to generate digital signatures and to decrypt email or files encrypted using the corresponding public key. It is important to keep them secret. Public keys, as the name implies, can be made available to anyone. They are used to verify digital signatures and to encrypt email or files and are often published in directories.
Because private keys for signing and encryption must be managed differently, each faculty or staff member using KU digital credentials will have a separate key and certificate pair for authentication and encryption.
The digital signature generated using a private key can be verified using the corresponding public key. Identity information contained in the public key certificate confirms the identity of the signer. The certificate, in turn, is signed by a Certification Authority (CA). The CA for KU escrowed encryption and email authentication certificates is DigiCert. DigiCert issues these certificates based on requests from KU after KU confirms the addresses and associated names through its identity management system.
The certificate specifies the identity of its subject, its validity period, permitted uses, identity of the issuer, and where information about revocation status and the issuer's policies and practices can be found.
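The following script is an added example, not KU's or DigiCert's own tooling: it builds two throwaway self-signed certificates shaped like the two KU credential types described under "Types of KU Credentials", reads the fields listed above (subject, issuer, validity, Key Usage) with the openssl command line to tell the signing certificate from the encryption certificate, and exports one to a password-protected .p12 created with owner-only permissions, as the export section recommends. It assumes OpenSSL 1.1.1 or later; the names, e-mail address and password are constructed.

```shell
#!/bin/sh
# Added example (not KU's or DigiCert's code). Constructed self-signed test
# credentials stand in for the two certificate types; real ones come from DigiCert.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_cert() { # $1 = file prefix, $2 = keyUsage value
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example User/emailAddress=user@example.edu" \
    -addext "keyUsage=critical,$2" -addext "extendedKeyUsage=emailProtection" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_cert auth digitalSignature,nonRepudiation   # email authentication (signing)
make_cert enc  keyEncipherment                   # escrowed encryption

# Decide what a certificate may be used for from its Key Usage extension:
# prints "signing", "encryption", "both" or "unknown".
cert_role() {
  usage=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null || true)
  sig=0; enc=0
  case "$usage" in *"Digital Signature"*) sig=1 ;; esac
  case "$usage" in *"Key Encipherment"*) enc=1 ;; esac
  if [ "$sig$enc" = 11 ]; then echo both
  elif [ "$sig" = 1 ]; then echo signing
  elif [ "$enc" = 1 ]; then echo encryption
  else echo unknown; fi
}

# The fields the text lists: subject, issuer, validity period and e-mail address.
cert_summary() { openssl x509 -in "$1" -noout -subject -issuer -dates -email; }

# Bundle key + certificate into a password-protected .p12 created with mode 0600,
# because the file carries the private key; prints the path.
export_p12() { # $1 = prefix, $2 = password
  (umask 077; openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
     -passout "pass:$2" -out "$WORK/$1.p12")
  echo "$WORK/$1.p12"
}
# Succeeds only if the .p12 opens with the given password and holds a private key.
p12_has_key() { # $1 = .p12 file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"
}
file_mode() { ls -ld "$1" | cut -c1-10; }   # e.g. -rw-------

for c in auth enc; do
  echo "$c.pem: $(cert_role "$WORK/$c.pem")"; cert_summary "$WORK/$c.pem"
done
P12=$(export_p12 enc 'constructed-test-password')
echo "$P12 mode $(file_mode "$P12")"
```

Running a real DigiCert-issued certificate through cert_summary also shows the issuer field, which is what a mail client checks against the DigiCert root to decide whether to trust the signature.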