How to Install S/MIME (and PGP) Encryption Certificates into Major Email Clients

May 27th, 2009

We at LuxSci are always being asked questions about various email programs and their usage.  With HIPAA compliance becoming more and more important, we get a lot of inquiries regarding secure email. One of the most frequently asked questions is how to install S/MIME security certificates in various email programs that our servers support. Sometimes finding instructions on installing security certificates in various email clients is difficult, even with the help of search engines. To make your search easier, we have complied instructions for several of the the major email clients:

  • S/MIME for Outlook 2003
  • S/MIME for Outlook 2007
  • S/MIME for Mail.app
  • S/MIME for Entourage
  • S/MIME for Thunderbird
  • PGP for Thunderbird via the Enigmail Add-on.


These instructions have been put together by our Support staff and assume that you are using S/MIME certificates. S/MIME is natively supported by most major email clients. We also include instructions for setting up PGP with Thunderbird, as its Enigmail add-on makes PGP use simple. We hope that you find these instructions useful.

If you are using an S/MIME certificate issued by a 3rd party provider, like LuxSci’s SecureLine Email Encryption Service, you may need to also import the “Certificate Authority” certificate for that provider, so that your email program recognizes it as a valid provider.  We include instructions for importing Certificate Authority certificates as well. If you get your S/MIME certificate from a very widely used 3rd party, like Thawte Personal Email Certificates, you may not need to import the Certificate Authority certificate, as it will be built into your computer.

S/MIME in Microsoft Outlook 2003

Installing your personal S/MIME certificate in Outlook 2003.

When using Outlook you will need to export your certificates with a .pfx extension — this is the kind of file that generally contains both the public and private S/MIME key; it is password-protected.

  1. Go to “Tools” > “Options…”
  2. Select “Security” at the top of the window.
  3. Now select “Import/Export…” under “Digital IDs (Certificates)” at the bottom of the window.
  4. Browse to your digital certificate file and then press “Open”
  5. In the “Password” field type in the certificate’s password. Don’t make up a new one.
  6. Finally, in the “Digital ID Name” field enter anything you would like. Perhaps something like “My ID”. Anything you would like to use to identify the ID. This is typically your email address. It does not matter what you enter in this field, but there needs to be something.
  7. Now click on “OK” at the bottom of the screen.
  8. In the window that pops up choose “OK” as the default security level is ok to use.
  9. Once you are back to the “Options” screen select “Settings…” under “Encrypted e-mail”.
  10. Under “Security Settings Name” give you settings a name you would like. It could be your name or some other way to identify the settings.
  11. Don’t changed the settings for “Cryptography Format” (Should be set to S/MIME)
  12. Under “Certificated and Algorithms” select the button “Choose…” to the right of “Signing Certificate”. Select the Certificate Authority file, i.e. “cacert.pem”.
  13. Now select the button “Choose…” to the right of “Encryption Certificate:”. Do not select the Certificate Authority again. Select the regular certificate. This is the one you imported first.
  14. You do not need to change any other settings. Simply press “OK” at the bottom of the window.
  15. You have now successfully set-up a certificate in Outlook 2003. Just press “OK’ at the bottom of the window to save the settings.

S/MIME in Microsoft Outlook 2007

Installing your personal S/MIME certificate in Outlook 2007.

When using Outlook you will need to export your certificates with a .pfx extension — this is the kind of file that generally contains both the public and private S/MIME key; it is password-protected.

  1. Go to “Tools” > “Trust Center…”
  2. In the “Trust Center” go to “E-mail Security”
  3. Under “Digital IDs (Certificates)” select “Import/Export…”
  4. Make sure “Import existing Digital ID from a file” is selected. Then select “Browse”. Browse to where you saved the .pfx certificate file and select it. Then press “Open”
  5. In the “Password” field type in the certificate’s password, as you specified it when you created the certificate. Don’t make up a new one.
  6. Finally, in the “Digital ID Name” field, enter anything you would like. Perhaps something like “My ID”. Anything you would like to use to identify the ID. This is typically your email address. It does not matter what you enter in this field, but there needs to be something.
  7. Now click on “OK” at the bottom of the screen.
  8. In the window that pops up choose “OK” as the default security level is ok to use.

Importing Your Certificate Authority Certificate for Use with Outlook 2007

In Outlook 2007 there is no way to directly import your Certificate Authority certificate into Outlook. In order to import the Certificate Authority certificate you have to do import it through Internet Explorer. Here are the steps to do that:

  1. Open Internet Explorer on the machine that has Outlook 2007 installed
  2. Within Internet Explorer to go “Tools” then “Internet Options”
  3. Click on the “Content” tab
  4. Click on the ‘Certificates” button
  5. Click on the “Import” button then click on the “Next” button
  6. Click the “Browse” button and then browse to the cacert.pem file (or whatever you have named the Certificate Authority file)
  7. Click the “Next” button
  8. Click on the “Place all certificates in the following store” button
  9. Click the “Browse” button and then choose “Trusted Publishers” and “Ok”
  10. Click the “Next” button then the “Finish” button.


S/MIME in Apple Mail (mail.app)

Importing Your S/MIME Certificate Into Apple Mail (mail.app)

  1. Open up a new “Finder” window
  2. In the “Search” field search for “Keychain”
  3. Open up the application “Keychain Access.app”
  4. In the “Finder” window browse to where you saved your certification and authority file.
  5. Select the “Keychain” window and click on “My Certificates” under the “Category” menu on the left. Make sure you can see both the “Finder” window and the “Keychain” window. You need it to be like this so you can drag and drop files from the “Finder” window into the “Keychain” window.
  6. Drag the file USER@DOMAIN.COM.pfx from the “Finder” to the lower right section of “Keychain” (domain.com should be replaced with your domain name)
  7. It will ask you to enter the certificate password. Enter it now and press “OK”
  8. Now drag the file cacert.pem from the “Finder” to the “Keychain” window on top your cert USER@DOMAIN.COM (domain.com should be replace with your domain name)
  9. It may ask for the certification password. If it does enter it now and press “OK”. It may also ask if you should always trust “Lux Scientiae, Incorporated”. Select “Yes”/”OK”.
  10. You have now successfully imported a certificate into Apple Mail.

Using Your S/MIME Certificate in Apple Mail (mail.app)

  1. Open up Apple Mail. If Apple Mail is already open close it and re-open it. It will ask if you want to use “Keychain” to store private information. Select “Always Allow”
  2. Once mail is open click “New Message”. In the “New Message” window type in who you want to send it to and the email information (subject and message contents).
  3. To the right of “From: ….<USER@DOMAIN.COM>” Click the padlock (should be in a locked position). Click the button to the right of it as well. That will sign the message. It should be a star shape with a “Check” in the middle of it. (domain.com should be replaced with your domain name)
  4. Send your message

S/MIME in Entourage

Installing the S/MIME Certificate in Entourage

  1. Open up a new “Finder” window
  2. In the “Search” field search for “Keychain”
  3. Open up the application “Keychain Access.app”
  4. In the “Finder” window browse to where you saved your certification and authority file.
  5. Select the “Keychain” window and click on “My Certificates” under the “Category” menu on the left. *Make sure you can see both the “Finder” window and the “Keychain” window. You need it to be like this so you can drag and drop files from the “Finder” window into the “Keychain” window.
  6. Drag the file USER@DOMAIN.COM.pfx (domain.com should be replaced by your domain name) from the “Finder” to the lower right section of “Keychain”
  7. It will ask you to enter the certificate password. Enter it now and press “OK”
  8. Now drag the file cacert.pem from the “Finder” to the “Keychain” window on top your cert USER@DOMAIN.COM (domain.com should be replaced with your domain name)
  9. It may ask for the certification password. If it does enter it now and press “OK”. It may also ask if you should always trust your certificate supplier, Select “Yes”/”OK”.

Using the S/MIME Certificate in Entourage

  1. Open up Entourage. If Entourage is already open close it and re-open it. Once Entourage is open select “Tools” > “Accounts…”
  2. Select the account you wish to edit by double-clicking on it. Then go to “Mail Security” in the “Edit Account” window.
  3. Down under “Encryption” click on “Select…” and then select the certificate that you imported earlier and press “OK”
  4. Press “OK” at the bottom of the window and close out of the “Accounts” window. Now select “New” at the top of Entourage to compose a new message.
  5. Enter in who you want to send the message to, subject, and message content. Then at the top of the screen select “Message” > “Security” > “Digitally Sign Message” and then select “Message” > “Security” > “Encrypt Message”.
  6. You can now send your message. It will indicate at the top of the “compose” window that “This message will be Digitally Signed and Encrypted”.

S/MIME in Mozilla Thunderbird

Installing an S/MIME Certificate in Thunderbird

  1. Open up Thunderbird
  2. Go to “Tools” > “Options”
  3. In the “Options” window go to “Advanced” at the top
  4. You will be in the “General” tab under “Advanced”.
  5. Click on “Certificates”
  6. Click on “View Certificates”
  7. You are now in the “Certificate Manager” under “Your Certificates”.
  8. Select “Import” near the bottom of the screen.
  9. Browse to the location where you saved the certificate. Once it is selected select “OK”
  10. If you never set up the “Software Security Device” in Thunderbird it will ask you to create a new password. You may make this whatever you like and press “OK”.
  11. On the following screen it will ask you to enter the password you entered while creating the certificate. Once this is entered press “OK”.
  12. After you press “OK,” you will get a message stating you have successfully imported your certificate.
  13. In the “Certificate Manager” go to “Authorities” at the top.
  14. Select “Import” at the bottom of the window. Browse to where you saved the Certificate Authority file that you downloaded from your certificate provider. Once Selected press “Open”.
  15. You will see a new window titled “Downloading Certificate”. Check off the three boxes in this window.
  16. Press “OK” at the bottom right of the window

Using the Certificate in Thunderbird

  1. Open Thunderbird
  2. Go to the user which you wish to send an encrypted message “FROM”
  3. Click “Write” at the top to compose a new email.
  4. Enter in who you wish to send an email to and the email contents (Subject and message).
  5. Click the arrow to the right of “Security” and select “Encrypt This Message”
  6. A new window will appear indicating you need to set up one or more personal certificates before you can encrypt a message. Press “Yes” at the bottom of the window.
  7. This will bring you to your account settings “Security” section. Under “Digital Signing” press “Select…”
  8. You will be in the “Select Certificate” window. Select the certificate you imported earlier and press “OK”
  9. A new window will pop up asking if you wish to use the same certificate to encrypt and decrypt messages. Press “OK”.
  10. If you wish to always have your messages encrypted select “Required” under “Encryption” in the “Account Settings Security” window.
  11. Press “OK” at the bottom of the window.
  12. In the “Compose” window click on the arrow to the right of “Security” and click “Encrypt This Message”. Then Select the arrow again
    and click “Digitally Sign This Message”. You should see two icons appear near the bottom right of the “Compose” window. These indicate if the message is encrypted and signed.
  13. Press “Send” to send your encrypted and signed email

PGP in Mozilla Thunderbird via Enigmail

Installing PGP and Enigmail for Thunderbird

  1. Go to the Downloads page of GnuPG.org
  2. Download and install GNU Privacy Guard.
    1. Windows users should select the “Binary compiled for Windows” … see the “Binaries” area at the bottom of the page.
  3. Open Thunderbird
  4. Choose “Tools > Add-ons” from the Thunderbird menu
  5. Click on “Get Extensions” (bottom right of the Add-ons dialog box).
  6. Search for “Enigmail”
  7. Click on “Download now” to save the add-on file to your computer
  8. Back in the “Add-ons” dialog box, click on the “Install…” button.  Select and open the Enigmail file you downloaded.
  9. Choose “Install Now”.
  10. Close and re-open Thunderbird.

Installing an existing PGP Certificate in Enigmail.

  1. Open up Enigmail by going to “OpenPGP” > “Key Management”
  2. A new window will open and ask if you want to use the setup wizard. Press “Cancel”
  3. In the “OpenPGP Key Management” window click “File” > “Import Keys From File”
  4. Browse to where you saved your downloaded PGP key, select it, and press “Open”
  5. A message should pop up indicating the Key(s) were successfully imported. Press “OK”
  6. You have new successfully imported your PGP key into Thunderbird

Using a PGP Certificate in Enigmail with Thunderbird

  1. In Thunderbird, select the account you wish to send an email from. Then press “Write” at the top of the window to compose a new message.
  2. Fill out who you are sending the message to, subject, and message contents.
  3. Press the “OpenPGP” button at the top of the compose window.
  4. A new window will pop up asking if you want to configure OpenPGP for this user. Select “Yes”
  5. In the window “OpenPGP Options” check off “Enable OpenPGP support (Enigmail) for this identity.
  6. Select “Use specific OpenPGP key ID (0x1234ABCD):”
  7. Click on “Select Key…”
  8. Select the correct key for the account you are using and press “OK”
  9. Now check off any options you would like in the “Message Composition Default Options” section.
  10. Press “OK” at the bottom of the window.
  11. It will now ask you if you want to encrypt the message. Check off “Sign Message” and “Encrypt Message”, press “OK”.
  12. In the lower right hand corner of the “Compose” window you should see a green “Key” and a green “Pen”. This indicates that the message will be encrypted and signed. You may turn off encryption or signing the message by clicking on either the pen or key. *Green key or pen indicates it is enabled. A grey key or pen indicates it is disabled.
  13. You may now send the message.