S/MIME certificates

January 22, 2023 - 5 mins read

A S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate is a type of digital certificate that is used to encrypt and sign email messages. It allows the recipient of the email to verify the identity of the sender, and to ensure that the message has not been tampered with during transit.

There are multiple companies that offer S/MIME certificates, such as DigiCert, GlobalSign, Comodo, and GoDaddy. You can also find other providers by searching online.

The cost of a S/MIME certificate can vary depending on the provider and the type of certificate you choose. Basic certificates can be obtained for free, while more advanced certificates with additional features can cost several hundred dollars per year.

But, if you are like me, a student or a startup, which still wants some privacy and authority, but doesn’t want to spend a ton of money on it, you may choose a free S/MIME certificate, e.g. StartCom, CAcert, etc. But they were either shut down (StartCom) or very complicated to apply. Some may even use self-signed root, which obeys the principle of PKI.

So today, I am going to introduce a totally free S/MIME certificate issued by an Italian certificate authority – Actalis.

Actalis is a certificate authority (CA) based in Italy that provides digital certificate services, including S/MIME certificates, to customers around the world. The company is part of the Information Security Division of the Italian Post Office, and it operates under the name “Poste Italiane S.p.A.” (Italian Post Office). Actalis is a trusted provider of digital certificates and it is a member of the WebTrust and ETSI (European Telecommunications Standards Institute) programs, which are international standards for the issuance and management of digital certificates. Actalis provides a wide range of services and products to meet the needs of different sectors, such as public administration, healthcare, finance, and e-commerce. Actalis is a well-known and reputable provider of digital certificates, which are issued under the trust and security framework of the Italian Post Office.

Actalis is a very low-key and modest certificate authority. You can find little information about them on the Internet. It doesn’t even have a Wikipedia page. But actually, it is a pretty old CA, their Root CA was issued in 2011.

Common Name: Actalis Authentication Root CA

To apply for their free S/MIME certificate, you need to prepare an email address (well of course) and Internet connection. That’s it.

Open the website: https://extrassl.actalis.it/portal/uapub/freemail?lang=en and fill in your email address. Finish the CAPTCHA and click ‘Send verification email’. Their email is usually Italian, but the most important field should be easy to notice. (Their verification code is really long and confusing.)

After filling in the verification code, check both of the checkboxes and click ‘Submit request’.

Then you will see Procedure terminated with success and a string. You should keep it carefully, it’s generally recommended to print it and throw it in your vault. Or you can print it to PDF and use your PGP key to encrypt it. They will send you the certificate in PKCS#12 format (aka. PFX file), so you must use their password to decrypt and import it.

Shortly after, you will receive an email, attached with a ZIP file, inside it is a pfx file. And the content of the email is the credentials you will need to login into the client area (generally you don’t need it since we all use certificates to login.)

Save the zipped file somewhere safe. Decompress it. You should get a file looked like this.

Double-click it to import it to your local computer, and when importing, you will be prompted to enter the password you get on the last page.

If you worry about security, you can check the ‘Enable strong private key protection’ , but it troubles me a lot so I didn’t do that. If you worry that you can lose the pfx file, you can check the ‘Mark this key as exportable’ so that you can export it anytime.

You can also not import it to your local computer, but import it to hardware security module e.g. YubiKeys.

It’s worth noting that you can never export the private key from a YubiKey.

It’s pretty much done. You can use the certificate with your favorite email clients! (Mozilla Thunderbird, Windows Mail, Microsoft Outlook, etc. These are all great choices. Personally I use Microsoft Outlook.)

But first, let’s log in to their Client Area.

Open https://extrassl.actalis.it/portal/login (Click the GB flag if it shows as Italian.)

Click ‘Access the personal area’ and instead of using CRP to log in, we use certificates.

Choose the certificate that you want to use and click Next. Now you can manage your certificates. You can revoke it if it’s compromised (thanks to OCSP technology), and you can download the pfx file if you lost it (it doesn’t mean the CA still has your private key since what you get is essentially just an encrypted PKCS#12 file, you must use the password to decrypt it.

Here’s how to use your S/MIME certificate with Microsoft Outlook.

Open Outlook and click ‘File’, click ‘Options’ and in the sidebar, click ‘Trust Center’. Under the ‘Microsoft Outlook Trust Center’ section, click ‘Trust Center Settings’. Click ‘Email Security’ in the sidebar and check ‘Add digital signature to outgoing messages’ and ‘Send clear text signed message when sending signed messages’.

Click the button ‘Settings’ after ‘Default Settings’. Click ‘New’ to create a new profile. Give it a name and choose your Signing and Encrypting certificate. (You can choose whether you want to encrypt it or not when composing an email.)

If you put your certificate into a Smart Card i.e. a YubiKey, you will see the Smart Card logo, choose it. You will be prompted to enter the PIN when signing the email.

You should end up configuring it like this.

Make sure your hash algorithm is SHA256 or above.

That’s it. Comment down below if you have any problems!