
Email Security

Digital credentials are available for all current KU faculty, staff, and student staff.

KU uses DigiCert certificates for email signing and encryption. Because the DigiCert root is widely distributed, you can digitally sign email to anyone—on or off campus—with no special setup required by the recipient.

Whether you already use encryption or are signing up for the first time, use the three steps below to set up email encryption with DigiCert certificates.

Note: If you currently have KU encryption credentials and have encrypted email in any of your mailboxes, be sure to leave the expired credentials in place so you can still read email encrypted with them. This will not interfere with installing and configuring new DigiCert certificates.

KU IT supports encryption for the following email clients:
  • Outlook (2007, 2010, 2011, 2013)
  • Entourage (2008, EWS)
  • Outlook Web Access (OWA) (requires Internet Explorer (IE) with S/MIME extension)
For general information, or to determine if encryption is for you, contact the IT Security Office at 785-864-9003. For technical questions or help, call the IT Customer Service Center at 785-864-8080.

Set up email encryption and digital signing

1. Request DigiCert KU digital credentials. This requires a KU Online ID. 

You will receive two separate emails from DigiCert. Read the instructions for this step BEFORE opening the emails. Use Internet Explorer (on Windows) or Safari (on Macintosh) to process the links in the emails you receive in this step. If you use Firefox, you will need to manually export the certificates it generates, and then import them for use with Outlook.

2. Process email from DigiCert to create certificates

After requesting KU digital credentials you will receive two email notices from DigiCert: one for creating a digital ID for escrowed encryption, and one for creating a digital ID for email authentication. You need both of these. The emails will come from DigiCert Support ( and the links will be to and will not request any personal information. Be sure to process both of the emails. Select a system below for specific instructions: Please read the instructions for the system you are using before you open the email from DigiCert and generate your certificates. After installing the two certificates, configure your email program to use them as shown in step 3, below. If you have questions, please contact your departmental technical support staff or the Information Technology Customer Service Center (785-864-8080 or

3. Configure your email program to use the certificates.

KU Digital Credentials: Certificate Directory

Access to the KU Certificate Directory requires logging in with a KU Online ID. If you are already logged in, clicking the link below will take you directly to the directory. If you are not logged in it will take you to the login page.

Go to Certificate Directory

Import/Export Certificates and Keys

Your certificates and the corresponding private keys can be stored in various places depending on the system and browser you use to generate them and the applications in which you will use the certificates. Use the links below if you need to export your certificates from one location and import them into another. This may mean moving them from one location to another on a single computer or using a file to move them from one computer to another.

Remember that the .p12 or .pfx files generated by the export procedures contain a copy of your private key. It is extremely important to keep the files you export secure even though their contents are protected by a password you enter as you export the certificate key.


Best Practices for Secure Email Use

For the highest security:
  1. Always digitally sign your email messages unless you know that a recipient is unable to read email with a digital signature.
  2. Encrypt email that contains information that should be seen only by the intended recipient.

A few examples of information that should always use email encryption (or not be sent via email) include:

  • Non-directory student or prospective student records as defined by the Family Educational Rights and Privacy Act (FERPA) and the University Student Records Policy (including grades, exams, rosters, official correspondence, etc.)
  • Financial aid and scholarship records
  • Individually identifiable personnel records
  • Personal information used to verify identity, including but not limited to Social Security numbers (SSN) and University of Kansas ID numbers (KU ID)
  • Passwords and PINs
  • Individually identifiable health information protected by state or federal law (including but not limited to “protected health information” as defined by the Health Insurance Portability and Accountability Act (HIPAA))
  • Individually identifiable information created and collected by research projects
  • Credit card numbers and financial transactions covered by the Payment Card Industry (PCI) Standard
  • Physical building details
  • Donor or prospect information
  • Information resources with access to confidential or sensitive data

More Information

Availability and Terms

Certificate-based KU Digital Credentials are available to faculty and staff who need to send and receive email that contains information which must be protected with encryption or that needs a digital signature that the recipient can use to confirm the sender's identity and message contents.

Certificates are issued in accordance with DigiCert Certification Practices.

Types of KU Credentials

There are three types of certificate-based KU digital credentials. Each identifies the user by name and email address but the type of certificate used by each one, and the method of handling the corresponding private key, is different. Currently only two of the three types are used.

For Email Security Plus (encryption) certificates, DigiCert generates both the private key and the certificate. It distributes these to the user and keeps a copy of the private key in escrow for the University's benefit. This may be retrieved by the person whose email address is in the certificate if they need to recover it for any reason. It may also be retrieved through an administrative procedure if it becomes necessary to recover encrypted material and the user cannot provide the key.

For Digital Signature Plus (authentication) certificates, the private key is generated directly on the user's computer so the user has the only copy. The user's computer sends the corresponding public key to DigiCert in a certificate signing request (CSR) and DigiCert returns a signed certificate. This provides "nonrepudiation" for use of the identity. The user controls the private key from the moment it is generated, so no one else can generate a signature or access a system using this identity.

For multi-purpose certificates (called Premium in DigiCert's product line and not currently used by KU), a single key/certificate pair can be used for both encryption and signing. The private key is generated on the user's computer and is not escrowed. If it is lost or unavailable, any material encrypted with it cannot be read, making it unsuitable for University business purposes.

Users will normally get both escrowed encryption and email authentication certificates. They then configure their email program to use the first for encryption and the other for signing. Encryption certificates can be published to the Exchange Global Address List to make them available to people who need to send encrypted email or documents. The process for this is documented in the email setup instructions.

Prior to October 2011, KU used certificates signed by a KU-based Certification Authority. These required installation of the KU root certificate on any systems where they were used. The last of these expired on October 1, 2011. Users who have email encrypted with them should leave the certificate/key pairs installed for reading old email, but the certificates cannot be used for encrypting new messages.

Technical Information

A set of digital credentials consists of two parts:

  1. a private key
  2. a public key certificate, which includes the public key, validity period, identification, and Certification Authority signature

Private keys are used to generate digital signatures and to decrypt email or files encrypted using the corresponding public key. It is important to keep them secret. Public keys, as the name implies, can be made available to anyone. They are used to verify digital signatures and to encrypt email or files and are often published in directories.

Because private keys for signing and encryption must be managed differently, each faculty or staff member using KU digital credentials will have separate key and certificate pairs: one for authentication and one for encryption.

The digital signature generated using a private key can be verified using the corresponding public key. Identity information contained in the public key certificate confirms the identity of the signer. The certificate, in turn, is signed by a Certification Authority (CA). The CA for KU escrowed encryption and email authentication certificates is DigiCert. DigiCert issues these certificates based on requests from KU after KU confirms the addresses and associated names through its identity management system.

The certificate specifies the identity of its subject, its validity period, permitted uses, identity of the issuer, and where information about revocation status and the issuer's policies and practices can be found.
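
As an added illustration (not part of KU's or DigiCert's instructions), the shell sketch below reads the "permitted uses" field of a certificate to tell a signing certificate from an encryption certificate before assigning each one in an email program. It assumes OpenSSL 1.1.1 or later; the certificates are self-signed throwaways constructed for the example, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: constructed test certificates only, not KU or DigiCert material.
# Assumes OpenSSL 1.1.1+ (needed for -addext and -ext).

# make_cert PREFIX KEYUSAGE
# Creates PREFIX.key and PREFIX.pem, a self-signed certificate whose
# keyUsage extension lists the given permitted uses.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test User/emailAddress=user@example.edu" \
        -addext "keyUsage=critical,$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# cert_role FILE
# Prints "signing", "encryption", "both" or "other" based on keyUsage.
cert_role() {
    ku=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null)
    sig=no; enc=no
    case "$ku" in *"Digital Signature"*) sig=yes ;; esac
    case "$ku" in *"Key Encipherment"*)  enc=yes ;; esac
    case "$sig$enc" in
        yesyes) echo both ;;
        yesno)  echo signing ;;
        noyes)  echo encryption ;;
        *)      echo other ;;
    esac
}

# demo: build one certificate of each kind and report role, subject and expiry.
demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/sign" "digitalSignature,nonRepudiation"
    make_cert "$dir/encrypt" "keyEncipherment"
    for c in sign encrypt; do
        printf '%s -> %s\n' "$c" "$(cert_role "$dir/$c.pem")"
        openssl x509 -in "$dir/$c.pem" -noout -subject -enddate
    done
    rm -rf "$dir"
}

demo
```

To check a real certificate, export it without its private key (for example as a .cer or .pem file) and pass that file to cert_role.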
