4.9 Application Tasks

This section describes how to configure the GroupWise 6.x and GroupWise 5.5 Enhancement Pack clients, Outlook 98, Outlook 2000, and Netscape Messenger to use Novell certificates for secure e-mail. This section also describes how to configure other cryptography-enabled applications to use Novell certificates.

Some of the information in this section is dated but useful. For the latest information on using certificates with your cryptography-enabled applications, refer to the application's documentation.

The general process for enabling applications for secure e-mail is:

  1. Export your Organizational CA's self-signed certificate (see Exporting the Organizational CA's Self-Signed Certificate), your user certificate, and the matching private key to a .pfx file (see Exporting a User Certificate and Private Key).

  2. Import the .pfx file into your e-mail client. See Section 4.9.1, Importing the User Certificate and Private Key into Your E-Mail Client.

  3. Configure your e-mail client to secure your e-mail. See Section 4.9.2, Configuring Your E-Mail Client to Secure Your E-Mail.

4.9.1 Importing the User Certificate and Private Key into Your E-Mail Client

Installing a user certificate and private key (a .pfx file) into Internet Explorer automatically makes it available for use by GroupWise and Microsoft Outlook. The reverse is also true. Installing the certificate and private key into either e-mail application automatically makes it available for use by the other e-mail application and by Internet Explorer.

Installing a user certificate and private key into Netscape automatically makes it available for use by Netscape Messenger. The reverse is also true.

GroupWise 6.x and GroupWise 5.5 Enhancement Pack Client

  1. Launch GroupWise.

  2. Click Tools > Options.

  3. Double-click the Certificates icon.

  4. Click Import.

  5. Browse for and select or type the filename of your exported .pfx file.

  6. Enter your password, then click OK.

  7. Click Set Security Level if you want to change the default security level for your private key, then click OK.

  8. To select a default certificate to use for sending signed e-mail, you can now either select the check box next to the certificate or select the certificate and click Set as Default.

  9. Click OK.

Microsoft Outlook 98

  1. Launch Outlook.

  2. Click Tools > Options.

  3. Click the Security tab.

  4. Click Import/Export Digital ID.

  5. Select the Import existing Exchange or S/MIME Security Information radio button.

  6. For Import File and Password, type the filename and password of your exported .pfx file.

  7. For Keyset, type a nickname. This can be any text.

  8. Click OK to import the private key and certificate into Outlook 98.

Microsoft Outlook 2000

This procedure applies to Outlook 2000 with Microsoft Internet Explorer version 5.

  1. Launch Outlook.

  2. Click Tools > Options.

  3. Click the Security tab.

  4. Click Import/Export Digital ID.

  5. Select the Import existing Exchange or S/MIME Security Information radio button.

  6. For Import File and Password, type the filename and password of your exported .pfx file.

  7. For Digital ID Name, type a nickname. This can be any text.

  8. If you are prompted to add the Organizational CA certificate to the Root Store, click Yes.

Netscape Messenger 4.x

  1. Launch Netscape Messenger.

  2. Click the New Msg icon.

  3. Double-click the Security icon on the Navigation toolbar.

  4. Click Certificates > Yours.

  5. Click Import a Certificate. If you password-protected the Communicator Certificate database, enter the password.

  6. Type or browse for and select the filename of the exported .pfx file.

  7. Type the password you used to protect the .pfx file.

  8. Click OK.

4.9.2 Configuring Your E-Mail Client to Secure Your E-Mail

The following describes how to configure e-mail clients for secure e-mail.

GroupWise 6.x Client

You must have imported at least one certificate and private key (.pfx file) into GroupWise or Internet Explorer in order to make use of signed e-mail. You must also have a certificate available for each recipient that you want to send encrypted e-mail to.

  1. Launch GroupWise.

  2. Click Tools > Options.

  3. Click the Security tab.

  4. Click the Send Options tab.

  5. To enable signing as the default for all outgoing e-mail, select the check box next to Sign Digitally. To enable encryption as the default for all outgoing e-mail, select the check box next to Encrypt for Recipients.

  6. Click OK.

  7. Double-click the Certificates icon.

  8. Select the certificate that you want to use for signing, encryption, or both, then click the Set As Default button.

    If the certificate can be used for both signing and encryption, it is the default certificate used for both signing and encryption. If you have two certificates, one that can only be used for signing and one that can only be used for encryption, the former should be set as the default for signing and the latter as the default for encryption.

From an item view (send mail, post message, task, reminder note, etc.), you can change the default security options for this particular item by selecting File > Properties and clicking the Security tab. From here you can change the signing and encryption options.

From an item view (send mail, post message, task, reminder note, etc.), you can also toggle the selection of either signing or encryption for this particular item by clicking the Encrypt or Digitally Sign icons at the top of the view.

GroupWise 5.5 Enhancement Pack Client

You must have imported at least one certificate and key into GroupWise in order to make use of signed e-mail. You must also have a certificate available for each recipient that you want to send encrypted e-mail to.

  1. Launch GroupWise.

  2. Click Tools > Options.

  3. Double-click the Security icon.

  4. Click the Send Options tab.

  5. To enable signing as the default for all outgoing e-mail, select the check box next to Sign Digitally Using. You can then select a different certificate to use from the Certificate drop-down list below this option.

  6. To enable encryption as the default for all outgoing e-mail, select the check box next to Encrypt for Recipient Using, then select the encryption method from the Method drop-down list below this option. The available encryption methods depend on the security service provider you have selected.

  7. To select a different security service provider, select a provider from the Name drop-down list, then click OK.

From an item view (send mail, post message, task, reminder note, etc.), you can change the default security options for this particular item by selecting File > Properties and clicking the Security tab. From here you can change the signing and encryption options.

From an item view (send mail, post message, task, reminder note, etc.), you can also toggle the selection of either signing or encryption for this particular item by clicking the Encrypt or Digitally Sign icons at the top of the view.

Microsoft Outlook

  1. Launch Outlook.

  2. Click Tools > Options.

  3. Click the Security tab.

  4. Click either Setup Secure E-Mail or Change Settings, depending on whether you have previously entered security settings.

  5. Select S/MIME for the Secure Message Format.

  6. Click the Choose button on the Signing Certificate line.

  7. Select the certificate that you will use for digitally signing e-mail that you send to others, then click OK.

  8. Click the Choose button on the Encryption Certificate line.

  9. Select the certificate that others will use for encrypting e-mail that they send to you, then click OK.

  10. Select the Send These Certificates with Signed Message check box, then click OK.

  11. Select the combination of options you prefer in the Secure E-Mail section, then click OK.

Netscape Messenger

  1. Launch Netscape Messenger.

  2. Click the New Msg icon.

  3. Click the Security icon.

  4. Click Messenger.

  5. Under the Certificate Signed and Encrypted Messages heading, select the certificate you will use for digitally signing the e-mail that you send to others.

    You can select other options as desired on this page. Refer to the Netscape help topics for further information on these options and their purposes.

4.9.3 Configuring Your Browser or E-Mail Client to Accept Certificates

In order to accept signed e-mail from another person or to create an SSL connection to a server on the Internet with your browser, you must trust the CA that signed the user or server's certificates. If you do not, your application might present you with an error. Some applications provide a warning with the ability to accept or reject the user or server certificate whose CA isn't yet known to the application.

Server and user certificates signed by a company's Organizational CA always generate such warnings and errors. This is because the Organizational CA is not listed as a trusted CA in your application. The warnings and errors can be prevented by installing the self-signed certificate of the Organizational CA into your application.

Installing the Organizational CA into Internet Explorer automatically adds it as a trusted CA to Microsoft Outlook and GroupWise. Installing the Organizational CA certificate into Netscape automatically adds it as a trusted CA to Netscape Messenger.

To accept the Organizational CA as a trusted CA in your application, first export the Organizational CA's self-signed certificate as described in Exporting the Organizational CA's Self-Signed Certificate. Then import it into your browser according to the directions below.

NOTE: The following Internet browsers only recognize certificates that have been exported in .der or .crt format. Although .b64 is an optional export format, it is not recognized by these Internet browsers.

Microsoft Internet Explorer Version 5 and 6

If you are using Microsoft Internet Explorer version 5, complete the following to import the Organizational CA's certificate:

  1. Launch Microsoft Internet Explorer.

  2. Click File > Open.

  3. Type or browse for and select the filename of the exported Organizational CA's self-signed certificate, then click OK.

    This opens the Certificate dialog box.

  4. Select Install Certificate.

    This opens the Certificate Manager Import Wizard.

  5. Click Next.

  6. Select the area where you want to store the certificate, click Next, click Finish, then click Yes.

Netscape Navigator

If you have installed either Microsoft Internet Explorer 5.x or NT 4 Service Pack 4 or later on your workstation, you must complete the following steps to import the Organizational CA's self-signed certificate into Netscape Navigator. This is necessary because the Microsoft products intercept opening trusted root files with a .crt or .der extension.

  1. Run the x509.reg file to install the X.509 extension. On an NT\2000 server, this file is located in the drive_letter:novell\nds directory.

  2. Rename the Organizational CA's self-signed certificate file with an X.509 extension.

  3. Launch Netscape Navigator.

  4. Click File > Open Page.

  5. Enter or browse for and select the filename of the self-signed certificate with the X.509 extension.

  6. Click Open.

    The New Certificate Authority dialog box should appear. If it doesn't, you have not correctly installed the .x509 extension, or you have not correctly renamed the self-signed certificate.

  7. Follow the wizard. Make sure that the Accept this Certificate Authority for Certifying E-Mail Users check box is selected.

  8. Click Next until the dialog box to enter a short name for this Certificate Authority appears.

  9. Click Finish.

If you have not installed either Microsoft Internet Explorer 5.x or NT 4 Service Pack 4 or later, you must complete the following steps to import the Organizational CA's certificate into Netscape Navigator:

  1. Launch Netscape Navigator.

  2. Select File > Open Page.

  3. Enter or browse for and select the filename of the self-signed certificate you previously exported.

  4. Click Open.

  5. Follow the wizard. Make sure the Accept this Certificate Authority for Certifying E-Mail Users check box is selected.

  6. Click Next until the dialog box to enter a short name for this Certificate Authority appears.

  7. Click Finish.

4.9.4 Configuring Microsoft Internet Explorer (IE) for SSL with Novell Certificates

To configure IE to use Novell certificates for SSL, you must first install your self-signed Organizational CA certificate in your IE browser, as described in Configuring Your Browser or E-Mail Client to Accept Certificates. Otherwise, any attempt to use IE to connect to a server that is using Novell certificates for SSL only displays an error.

This configuration is not strictly necessary for the Netscape browser, which will present a dialog box for you to accept or reject a server certificate whose CA isn't yet known to the browser.

4.9.5 Configuring Microsoft IIS for Client Authentication with Novell Certificates

To perform client authentication to IIS with Novell user certificates, your self-signed Organizational CA certificate must first be installed in IIS as a trusted root. Use Microsoft Internet Explorer (IE) version 4 or later to install your Organizational CA certificate on the IIS computer as described in the IIS online documentation.

However, the IISCA program described in the IIS documentation does not work on Windows NT with Service Pack 4 or later. In this case, when you use IE to install the certificate and the Certificate Manager Import Wizard has started, perform the following to complete the process correctly:

  1. Select Place All Certificates into the Following Store.

  2. Click Browse to open the Select Certificate Store dialog box.

  3. Select the Show Physical Stores check box.

  4. Expand Trusted Root Certification Authorities and select Local Computer.

  5. Click OK > Next to open the Completing the Certificate Manager Import Wizard summary page.

  6. Verify that the summary displays Certificate Store Selected by User and Trusted Root Certification Authorities/Local Computer.

  7. Click Finish.

  8. Stop and restart the IIS services after installing your Organizational CA certificate.

For further information, refer to Microsoft Knowledgebase articles Q218445 and Q216339.

4.9.6 Requesting a Server Certificate for Microsoft IIS

When using the IIS management tools to create an SSL key pair and certificate signing request (CSR), select Put the Request in a File that You Will Send to an Authority in the Create New Key > Wizard.

Then edit the IIS CSR to delete all text that precedes the line:

----- BEGIN NEW CERTIFICATE REQUEST -----

This line must be the first line in the CSR input to the Novell Certificate Server. Refer to the IIS online documentation for further instructions on installing the resulting server certificate and configuring IIS for SSL.

You can then use your Organizational CA to issue a server certificate from the IIS CSR as described in Issuing a Public Key Certificate.
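The CSR clean-up described above can be scripted so that the edit is repeatable and a truncated request is caught before it reaches the CA. The following is an added example, not part of the Novell or IIS documentation; the function names, the preamble text and the placeholder request body are constructed for illustration.

```python
import base64
import re

# The page prints the marker with spaces inside the dashes; PEM files normally
# have none, so both spellings are accepted (an assumption of this example).
BEGIN = re.compile(r"^-----\s*BEGIN NEW CERTIFICATE REQUEST\s*-----\s*$")
END = re.compile(r"^-----\s*END NEW CERTIFICATE REQUEST\s*-----\s*$")

def der_total_length(der: bytes) -> int:
    """Return the full encoded size of the outer DER SEQUENCE in `der`."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def strip_csr_preamble(text: str) -> str:
    """Drop everything before the BEGIN line and sanity-check what remains."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if BEGIN.match(l)), None)
    if start is None:
        raise ValueError("no BEGIN NEW CERTIFICATE REQUEST line")
    end = next((i for i in range(start + 1, len(lines)) if END.match(lines[i])), None)
    if end is None:
        raise ValueError("no END NEW CERTIFICATE REQUEST line (truncated?)")
    body = "".join(l.strip() for l in lines[start + 1:end])
    der = base64.b64decode(body, validate=True)   # rejects non-base64 characters
    if der_total_length(der) != len(der):
        raise ValueError("base64 body is truncated or has trailing data")
    return "\n".join(lines[start:end + 1]) + "\n"

# Constructed sample: invented preamble and a placeholder DER body
# (SEQUENCE { INTEGER 0 }), not a real certificate request.
SAMPLE = (
    "Webmaster: admin@example.com\n"
    "Common-name: www.example.com\n"
    "\n"
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    + base64.b64encode(bytes.fromhex("3003020100")).decode() + "\n"
    "-----END NEW CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    print(strip_csr_preamble(SAMPLE), end="")
```

The length check only confirms that the base64 body decodes to one complete DER structure; it does not verify the request's signature or subject.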