A Windows XP help forum. PCbanter


How do I import a certificate?



 
 
#1 January 14th 18, 11:44 PM, posted to microsoft.public.windowsxp.general
Andy[_17_]


The help file is very confusing.

I want to be able to encrypt some of my emails.

This is the helpfile for importing a certificate.

It's clear as mud. :-(

Andy

Managing S/MIME certificates

Certificates allow you to communicate with others securely over an encrypted connection, or sign a message confirming your identity to the contact. These settings only apply to S/MIME encryption.

You can import, view, edit (except for your own certificates), and delete your certificates under Edit ▸ Preferences ▸ Certificates.

If you get the error "Peer's certificate issuer has been marked as not trusted by the user. (-8172) - Cannot add SMIMEEncKeyPrefs attribute" after adding your mail certificate, go to Authorities and enable Trust this CA to identify email users for the certificate.

Your Certificates displays a list of certificates that you own. To add a signing certificate, click Import, select the file to import, then click Open and enter a password.

Contact Certificates displays a list of certificates that you have for contacts. These certificates allow you to decrypt messages as well verify signed messages.

Authorities displays a list of trusted certificate authorities that verify that your own certificate is valid.
#2 January 15th 18, 06:52 AM, posted to microsoft.public.windowsxp.general
Paul[_32_]


You should test this with two computers you own, and
send email to yourself on a second computer, to verify the
certificate and key pair, are working properly. Before you
spring this idea on a third-party.

*******

The text you quote, comes from the second link here, but I
can't really tell what email client it refers to:

https://help.gnome.org/users/evoluti...yption.html.en

https://help.gnome.org/users/evoluti...manage.html.en

The practical details are listed here. It appears to
be an end-to-end encryption scheme of some sort. Maybe GPG
is another way to do it ?

https://en.wikipedia.org/wiki/S/MIME...E_certificates

"Due to the requirement of a certificate for implementation,
not all users can take advantage of S/MIME

some may wish to encrypt a message, with a public/private key pair
for example, without the involvement or administrative overhead of certificates.

Any message that an S/MIME email client stores encrypted cannot
be decrypted if the applicable key pair's private key is unavailable
or otherwise unusable (e.g., the certificate has been deleted or lost
or the private key's password has been forgotten). However, an expired,
revoked, or untrusted certificate will remain usable for cryptographic
purposes.

Indexing of encrypted messages' clear text may not be possible with
all email clients. Neither of these potential dilemmas is specific
to S/MIME but rather cipher text in general and do not apply to S/MIME
messages that are only signed and not encrypted."

An example of a certificate can be seen here.

https://www.comodo.com/home/email-se...ertificate.php

They make it sound here, like a recipient needs your certificate
for this to work. In an organization, perhaps a company wide certificate
allows employees to be protected this way.

https://support.office.com/en-us/art...ID=HA104209995

There are some pictures here, but this still isn't enough
detail for me. Perhaps I need to read the PKI page as well.

https://technet.microsoft.com/en-us/...chg.65%29.aspx

"Understanding Public Key Cryptography"

https://technet.microsoft.com/en-us/...chg.65%29.aspx

I had to check the date on the articles, because this one references
3DES as the strongest encryption it's got. But the article is from 2005.
Something stronger is probably available today.

https://technet.microsoft.com/en-us/...chg.65%29.aspx

The author of this article, thinks it's pretty silly having Comodo
transmit a private key over the airwaves, as part of making
a new certificate. The recipe here, claims to hide the details
a bit better. It really depends on who you're protecting the
email stream from, as to what technique is best (from an
effort versus benefit point of view).

https://henrytodd.org/notes/2013/gen...ys-with-smime/

It kinda looks to me, like both parties need certificates. You have
your own private key used to encrypt outgoing messages. But when sending
the message, to keep it private to a particular recipient, the public
key of the recipient is also part of the crypto. So when you refer to
installing certificates, perhaps installing a recipient certificate
is also necessary, as well as your own (more secret) crypto details ?
I think the recipient certificate is the "Contacts Certificate" in Gnome,
and it might include email address and public key. The public key is
likely hashed into the message, so only the recipient can decrypt
with their private key.

https://support.deskpro.com/en/kb/ar...-encoded-email

Email encryption

To encrypt emails you need to add the public certificate of your
recipient in your system. The content will then be unreadable to
anyone who doesn't have the private key needed to decrypt it.

Yes, it's confusing.

If I wanted to test this, I would use:

1) Two brand new fresh email accounts.
2) Two computers.
3) A Comodo certificate for each computer.
4) Transmit an S/MIME message to the second computer,
copied to your "regular" email address. If the email
comes to you as well, it should be unreadable. Whereas
the second computer, will verify signing and present clear text.
5) While doing so, you'll want to run Wireshark and see how many
packets are sent to Comodo.

This will teach you the installation of the encryption certificate
on the one computer, and also carting the recipient certificate
from the second computer, to the first, to add the recipient
certificate to your local certificate store on the first computer.

Something along those lines.

Now, maybe it's possible to receive a crypto email, be looking
at "jumbled hex". But the thing is, installing the sender's
certificate isn't going to help, because the message probably wasn't
prepared when the recipient certificate was in his certificate store.
The message in effect "isn't addressed to you" if he didn't have
the key at that point in time. I suspect both ends have to be using
certificates, before a clear channel can be achieved.

And the email client may refuse to send an S/MIME, unless at
least one recipient certificate is in the store and that
recipient is in the To: list.

Good luck, Mr. Snowden :-)

Paul
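
The two-mailbox test outlined in the post above can be rehearsed offline before any real accounts or CA-issued certificates are involved. This is an added example, not part of the thread: it uses the openssl command line with throwaway self-signed certificates, and the mailbox names alice, bob and carol and the example.test addresses are constructed.

```shell
#!/bin/sh
# Added example. Throwaway self-signed certificates stand in for CA-issued
# ones; every name and address below is constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One key pair and certificate per mailbox.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$1/emailAddress=$1@example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Sign with the sender's private key, then encrypt the signed message to
# the recipient's certificate (their public key). Args: sender recipient
send_smime() {
    printf 'meet at noon\n' > "$WORK/msg.txt"
    openssl smime -sign -text -in "$WORK/msg.txt" \
        -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -out "$WORK/signed.eml" 2>/dev/null &&
    openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
        -out "$WORK/encrypted.eml" "$WORK/$2.crt"
}

# Try to open the message as mailbox $1 and check the signature against
# sender $2's certificate. Prints the clear text; returns non-zero if the
# message cannot be decrypted or the signature does not verify.
read_smime() {
    openssl smime -decrypt -in "$WORK/encrypted.eml" \
        -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -out "$WORK/$1.inner.eml" 2>/dev/null || return 1
    openssl smime -verify -text -in "$WORK/$1.inner.eml" \
        -CAfile "$WORK/$2.crt" -out "$WORK/$1.txt" 2>/dev/null || return 1
    tr -d '\r' < "$WORK/$1.txt"
}

# alice sends to bob; carol plays the cc'd "regular" address that holds
# neither bob's private key nor a recipient entry in the message.
for who in alice bob carol; do
    make_identity "$who"
done
send_smime alice bob

echo "bob reads:   $(read_smime bob alice || echo '<cannot decrypt>')"
echo "carol reads: $(read_smime carol alice || echo '<cannot decrypt>')"
```

The sender needs only bob.crt to encrypt, and bob needs only alice.crt to check the signature; neither private key leaves its own machine.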
#3 January 15th 18, 11:31 AM, posted to microsoft.public.windowsxp.general
Andy[_17_]



Thanks. I found an easier way.

Getting a signing certificate is complex and you have to pay to get one.

I will encrypt my emails individually and send them to my spy friends. :-)

Linux uses gpg.

Is that included in WinXP and later versions?

If not, is there a Windows version that others can install?

Thanks,
Andy
#4 January 15th 18, 12:48 PM, posted to microsoft.public.windowsxp.general
Paul[_32_]



GPG is named after GNU, so it's freeware.

The program is "too quiet". It doesn't tell you what it's doing.
This is a pain in the ass.

One hint - it compresses the thing it is working on,
before encrypting it. If the output file seems
"tiny", that is why.

I also had trouble finding the encryption controls. They're
buried in there somewhere. I think it uses RSA2048 by default,
but I wanted to adjust that and try other things, like
maybe AES129 or AES256. The "engine" it uses, should have
a variety of algorithms available.

Sticking with the defaults, of course, increases the
odds your comms will work with your "spy friend".

The purpose of the program, is to offer crypto to people
who don't know what they're doing. And they didn't want
to "scare" people by providing status info.

*******

I fooled around with this a bit.

https://www.gpg4win.org/download.html

You could also read up on this. I've never used this
or tried it, but at least one other person on the
newsgroups uses this. The topic came up once.

https://en.wikipedia.org/wiki/Enigmail

When public keys are served from a central
server or from a keyring of some sort, they're
indexed by a personal identifier. For example,
. You end up trading a bit of your
privacy, to have your public key hosted in a publicly
available spot. Just a word of warning on your travels
through crypto-land, if you're wondering "why do they
need to know my email address or my name". In some cases,
it's to index a central storage facility.

This is also why your first experiment should be with a
throwaway setup, until you iron out the details. You
don't want your "official" key, indexed by your name,
to be screwed up in any way, so fooling with an
"Alfred E Neumann" public key is better for your
first attempt. Any public facility used to store
some metadata, you can bet it's going to be very
hard to contact an administrator and say "You know
that Andy thing I just put up there, could you
remove it for me ? I messed it up".

Good luck,
Paul
 



