End-to-end email encryption is one of the most secure ways to exchange messages. You can either buy certificates from a CA like Comodo (free options exist too) or generate your own using openssl. A few things to keep in mind either way.
This guide covers generating SSL/TLS certificates with openssl for a private or corporate environment and importing them into Outlook for signing and encrypting messages.
We want a certificate that's recognized as valid within our IT environment — so we create a root CA certificate first. If your internal PKI already has one, use that instead.
Get openssl from the official website. It's also often bundled with web server installations. The following assumes you've opened a console (CMD or PowerShell) and navigated into the openssl directory — this avoids confusion with paths.
Generate a 2048-bit private key. The command below passes the password inline with -pass pass:myPassword, so there is no prompt (note that the value then sits in your shell history); drop the -pass option to be asked for it interactively instead. Either way, remember it, you'll need it whenever the key is used for signing:
openssl genpkey -algorithm RSA -out CA.key -aes-256-cbc -pass pass:myPassword -pkeyopt rsa_keygen_bits:2048
# genpkey generates a private key (it supersedes the older RSA-only genrsa command, whose manual page is linked). Docs: https://www.openssl.org/docs/manmaster/man1/genrsa.html
openssl req -x509 -new -nodes -extensions v3_ca -key .\CA.key -days 1024 -out CA.crt -sha512
The -x509 flag makes req emit a self-signed certificate straight away instead of a CSR; -out just names the output file. You now have a CA to sign further certificates.
Next, generate the user's private key the same way:
openssl genpkey -algorithm RSA -out my.key -aes-256-cbc -pass pass:myPassword -pkeyopt rsa_keygen_bits:2048
Generate a certificate signing request (CSR) from that key. You will be asked for the key password and then for the subject fields; enter your email address when prompted for emailAddress:
openssl req -new -key my.key -out my.csr
To generate a proper X.509 v3 certificate, you need to supply a Subject Alternative Name. Modern clients check this extension rather than the subject's CN, and will reject the certificate without it; for an email address the entry must be of the email: (rfc822Name) type, not DNS:. Create a text file named extfile.cnf with the following content:
subjectAltName=email:my.mailaddress@domain.com
extendedKeyUsage=emailProtection
Replace with your actual email address. The second line marks the certificate as intended for S/MIME (email protection), which mail clients also look for.
openssl x509 -req -in .\my.csr -CA ./CA.crt -CAkey ./CA.key -CAcreateserial -out my.crt -days 365 -sha512 -extfile ./extfile.cnf
Bundle certificate and private key into a .p12 file (the user needs the private key to decrypt messages):
openssl pkcs12 -export -in .\my.crt -inkey .\my.key -out my.p12
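The whole procedure above, run non-interactively (subjects via -subj, passwords via -pass) and followed by a check that the issued certificate really chains to the CA and carries the email SAN and the S/MIME key usage. This is an added example, not part of the original guide; the names (Demo Root CA, user@mail.example, the password) are constructed placeholders.

```shell
#!/bin/sh
# Throwaway CA + S/MIME user certificate, same steps as the guide, then a sanity check.
# All names and the password below are constructed for the demo.
set -eu

# make_smime_chain DIR EMAIL KEYPASS: writes CA.key/CA.crt, my.key/my.csr/my.crt, my.p12 into DIR
make_smime_chain() {
    dir=$1; email=$2; pass=$3
    mkdir -p "$dir"
    # Root CA: encrypted key, self-signed certificate with the v3_ca extensions
    openssl genpkey -algorithm RSA -aes-256-cbc -pass "pass:$pass" \
        -pkeyopt rsa_keygen_bits:2048 -out "$dir/CA.key" 2>/dev/null
    openssl req -x509 -new -extensions v3_ca -sha512 -days 1024 \
        -key "$dir/CA.key" -passin "pass:$pass" \
        -subj "/CN=Demo Root CA/O=Example Corp" -out "$dir/CA.crt"
    # User key and CSR; the address goes into the subject's emailAddress field
    openssl genpkey -algorithm RSA -aes-256-cbc -pass "pass:$pass" \
        -pkeyopt rsa_keygen_bits:2048 -out "$dir/my.key" 2>/dev/null
    openssl req -new -key "$dir/my.key" -passin "pass:$pass" \
        -subj "/CN=Demo User/emailAddress=$email" -out "$dir/my.csr"
    # Extensions: email SAN (rfc822Name), S/MIME EKU, signing + key-encipherment usage
    cat > "$dir/extfile.cnf" <<EOF
subjectAltName=email:$email
extendedKeyUsage=emailProtection
keyUsage=digitalSignature,keyEncipherment
EOF
    # Sign the CSR with the CA
    openssl x509 -req -in "$dir/my.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
        -passin "pass:$pass" -CAcreateserial -days 365 -sha512 \
        -extfile "$dir/extfile.cnf" -out "$dir/my.crt" 2>/dev/null
    # Bundle certificate and private key for import into the mail client
    openssl pkcs12 -export -in "$dir/my.crt" -inkey "$dir/my.key" \
        -passin "pass:$pass" -passout "pass:$pass" -out "$dir/my.p12"
}

# check_smime_cert DIR EMAIL: returns 0 only if my.crt verifies against CA.crt
# and contains the email SAN and the E-mail Protection extended key usage
check_smime_cert() {
    dir=$1; email=$2
    openssl verify -CAfile "$dir/CA.crt" "$dir/my.crt" >/dev/null || return 1
    txt=$(openssl x509 -in "$dir/my.crt" -noout -text)
    echo "$txt" | grep -q "email:$email" || return 1
    echo "$txt" | grep -q "E-mail Protection" || return 1
}
```

With OpenSSL 3.x the .p12 is written with newer PBES2 algorithms; if an older Windows refuses to import it, re-run the pkcs12 step with the -legacy option.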
Steps for Outlook 2016 (2013 is identical):
The recipient of your digitally signed email simply right-clicks your name and adds you as an Outlook contact. They can then send you encrypted messages via Options → Encrypt in a new email — and only you, as the holder of the private key, can read them.
H@ppy H@cking