Signing email with Estonian ID-Card for Single Computer


Introduction

Digital operations on e-mail in Microsoft Office Outlook 2016 come with a number of requirements, and not all of them are fulfilled by default.

We need to make the following changes to the computer configuration to support digital e-mail signing with SK certificates in Windows environments:

  1. Install the ID-Card software
  2. Add the intermediate certificates to the intermediate certificates store
  3. Allow certificates with a different e-mail address to sign e-mails
  4. Configure Outlook Email Security settings

Preparations

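Step 1: First, install the Estonian ID-Card software (https://installer.id.ee/?lang=eng) if you don't have it already.

Step 2: Next, add the intermediate certificates. Download the following certificates and save them to C:\temp\

  • ESTEID-SK_2011.der.crt (https://www.sk.ee/upload/files/ESTEID-SK_2011.der.crt)
  • ESTEID-SK_2015.der.crt (https://www.sk.ee/upload/files/ESTEID-SK_2015.der.crt)

To add the certificates, run the following commands from an administrative command prompt:

certutil -f -addstore CA "c:\temp\ESTEID-SK_2011.der.crt"
certutil -f -addstore CA "c:\temp\ESTEID-SK_2015.der.crt"

The results should show the following for each command: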

CA "Intermediate Certification Authorities"
Certificate "ESTEID-SK 2011" added to store.
CertUtil: -addstore command completed successfully.

CA "Intermediate Certification Authorities"
Certificate "ESTEID-SK 2015" added to store.
CertUtil: -addstore command completed successfully.

Step 3: To let Outlook sign with a certificate whose e-mail address differs from the sending account's address, we need to add a registry value to our configuration.

From an administrative command prompt, run:

Reg add HKCU\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security /v supressnamechecks /t REG_DWORD /d 1

You can confirm that the registry key and value exist by running the command:

Reg query HKCU\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security /v supressnamechecks

The result should show the following:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security
    supressnamechecks    REG_DWORD    0x1

Step 4: Configuring Outlook for email signing

  1. Open Outlook
  2. Navigate to Options from the File menu
  3. In the Options window, select Trust Center, click Trust Center Settings, then select Email Security
  4. Click Settings, select Choose (for signing certificate) and select your ID card authentication certificate, set the other options as shown in the following figure and click OK.

[Figure: outlook_options_trust_center.png]
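The command-line results of steps 2 and 3, and the certificate choice in step 4, can be audited with the PowerShell below. It is an added example, not part of the original post; the reference fingerprints are placeholders to be filled in from the issuer, and it assumes the ID-Card software has registered the card's certificates in the current user's certificate store.

```powershell
# Added example: audit of steps 2-4. Run as the user who will sign mail.
$certFiles = 'C:\temp\ESTEID-SK_2011.der.crt', 'C:\temp\ESTEID-SK_2015.der.crt'
# Placeholder SHA-256 fingerprints; obtain the real ones from the issuer out of band.
$reference = @{
    'ESTEID-SK_2011.der.crt' = '<SHA256-FINGERPRINT-FROM-ISSUER>'
    'ESTEID-SK_2015.der.crt' = '<SHA256-FINGERPRINT-FROM-ISSUER>'
}

function Test-IntermediateCert {
    param([string]$Path, [hashtable]$Reference)
    $name = Split-Path $Path -Leaf
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    # For a DER-encoded file, the SHA-256 of the file is the certificate fingerprint.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    [pscustomobject]@{
        File          = $name
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        IsCA          = [bool]$bc.CertificateAuthority   # must be True for an intermediate
        FingerprintOk = ($sha256 -eq $Reference[$name])
        InStore       = [bool](Get-ChildItem Cert:\LocalMachine\CA |
                            Where-Object Thumbprint -eq $cert.Thumbprint)
    }
}

function Get-NameCheckPolicy {
    $key = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security'
    # HKCU belongs to the account running this shell. If the elevated prompt in
    # step 3 ran under another account, the value is in that account's hive.
    $p = Get-ItemProperty -Path $key -Name supressnamechecks -ErrorAction SilentlyContinue
    [pscustomobject]@{ User = "$env:USERDOMAIN\$env:USERNAME"; Value = $p.supressnamechecks }
}

function Get-MailCertCandidate {
    # Certificates in the user store with the e-mail protection EKU (1.3.6.1.5.5.7.3.4).
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.4' } |
        Select-Object Subject, NotAfter, Thumbprint,
            @{ n = 'EmailInCert'; e = { $_.GetNameInfo('EmailName', $false) } }
}

$certFiles | ForEach-Object { Test-IntermediateCert -Path $_ -Reference $reference } | Format-List
Get-NameCheckPolicy   | Format-List
Get-MailCertCandidate | Format-List
```

Comparing EmailInCert with the address the mail is sent from shows the mismatch that supressnamechecks tells Outlook to accept, so recipients see a valid signature from a certificate that names a different address than the sender.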

Sending signed e-mail

  1. Open Outlook and select New mail
  2. Prepare your e-mail as usual, then select the Options tab and select Sign
  3. Click Send
  4. Outlook will ask for the PIN to sign the e-mail. Enter the PIN and click OK
  5. The recipient will get a digitally signed e-mail

[Figure: outlook_sending_signed_email.png]

Validating such signed emails

[Figure: outlook_signed_email_validation.png]

Supported versions

This document describes the procedure for Office 2016. The configuration is also supported in older versions of Office and in Office 365, but it may need minor changes for other versions.

Sources

  • Estonian ID-Card software: https://installer.id.ee/?lang=eng
  • Full sk.ee Certification Repository: https://www.sk.ee/repositoorium/sk-sertifikaadid/
  • Full guide for signing email with Estonian ID-Card: http://id.ee/public/Outlook_2016.pdf