Purpose
Install a free email certificate so it can be used in an Outlook Email Client using reasonably secure settings. This includes installing a replacement certificate when a certificate is beyond its validity period. Creation of email signing policies is not covered except as required for the installation of a certificate.
Browsers and platforms
My installation steps are known to work on Windows machines in Firefox 46, IE 11 and Outlook email client 2010, but will probably work, possibly slightly adapted, in other versions of the same products. Possibly they can also be adapted for Web-based Outlook, but more changes may be needed. Possibly they will work in IceDragon too (not tested - try Firefox instructions). On Apple machines you can apparently use the Apple version of Firefox (not tested - try Firefox instructions) and presumably OSX Office Outlook client. They currently will not work in Google Chrome, Dragon or Edge, because the Comodo installation wizard will not work there - you will end up with unsigned certificates.
Best browser
Out of IE and Firefox, I would choose Firefox as the installation process gives more security control. For example you can set a password to authorise use every time you use the certificate if you wish.
Summary of how this is done
You install a signed email certificate into the Windows personal certificate store, then pick it up and apply it in Outlook. Back it up as part of the process. The instructions ask you to cut and paste the relevant URLs instead of clicking on buttons to avoid assuming that the recommended browsers are your default browser.
Using Firefox and Outlook - tested
- In Firefox, paste the following URL in the browser address bar: Free Secure Email Certificate with Digital Signature 2022 and press the sign-up now button.
- Fill in the form, choosing ‘High Grade’ as the Key Size, and press OK; a key generation message should flash up. Please note the email address you use must be the one you wish a certificate for.
- Await the email - this may take 30 minutes, then choose the second installation method, NOT the button - that is, paste the URL https://secure.comodo.com/products/!SecureEmailCertificate_Collec2 into the Firefox browser, and enter the email address you used on the form and the password from the email.
- The cert is now in the Firefox store. In Firefox go to Options ~ Advanced ~ Certificates ~ View certificates ~ Select the certificate and choose to back it up to a PKCS12 File, and save the backup file in a place where you will keep it long term. Retain the backup password. This backs up the certificate signing key as well as the certificate.
- Open Outlook and navigate to Options ~ Trust Centre ~ Trust Centre Settings ~ Email Security ~ and choose to import a Digital ID. Choose to import from the file you just backed up, using the email you supplied on the application form as the digital ID, and the backup password. As part of this process you will be asked for a security policy level - choose medium if you can guarantee no-one else could use your account on your computer, high (and supply a password to be used whenever your certificate is requested) otherwise. Take a note of the password.
- In the same place in Outlook, look under the heading ‘Encrypted email’ for ‘Default setting’ and choose ‘Settings’. If there is no existing Default, you may need to create a new one by entering a settings name. Under ‘Signing certificate’ press the ‘Choose’ button and choose the certificate you just imported. (If unsure, single click on a cert and choose to examine its properties - the email address will be under ‘issued to’.) In the next setting choose the Signing Hash as SHA256. Under ‘Encryption certificate’ press the ‘Choose’ button and choose the certificate you just imported, and select the ‘Encryption algorithm’ as AES (256 bit).
- At this point you can create or amend your signing and encryption policy for emails. This FAQ does not deal with this - please refer to Comodo FAQs or this very useful guide here: Email encryption in Outlook - how to encrypt messages with digital ID
- OK out of all dialogs and restart Outlook.
- Done!
Using IE and Outlook - tested
- In IE go to Tools ~ Internet Options ~ Security ~ Trusted Sites ~ Sites ~ Add and add secure.comodo.com and secure.instantssl.com. Then press OK and, still in Trusted Sites, set the Security Level for trusted sites to Low. Restart IE.
- In IE paste this URL into the address bar: Free Secure Email Certificate with Digital Signature 2022 and press the sign-up now button. The page will likely ask for permission to redirect you to a trusted site, possibly twice. Then it may ask you for permission to run digital certificate operations, which you should approve.
- Fill in the form, ignoring the ‘Advanced options’ unless you want a super high key size (the default for the IE installation process seems to be 2048 bits which is reasonable) and press OK. A key generation dialog will be shown, which you should approve again, and it will tell you to wait for an email. Please note the email address you use must be the one you wish a certificate for.
- Await the email - this may take 30 minutes, then choose the second installation method, not the button - that is, paste the URL https://secure.comodo.com/products/!SecureEmailCertificate_Collec2 into the IE browser, and enter the email address you used on the form and the password from the email. You will again need to approve a digital certificate operation.
- The cert is now in the Windows store. It has got into that store without you being asked for a security policy level and medium has been set by default. Which is a pity - in the Firefox process you can choose medium if you can guarantee no-one else could use your account on your computer, high (and supply a password to be used whenever your certificate is requested) otherwise.
- Open Outlook and navigate to Options ~ Trust Centre ~ Trust Centre Settings ~ Email Security and look under the heading ‘Encrypted email’ for ‘Default setting’ and choose ‘Settings’. If there is no existing Default, you may need to create a new one by entering a ‘Settings name’. Under ‘Signing certificate’ press the ‘Choose’ button and choose the certificate you just imported. In the next setting choose the ‘Signing Hash’ as ‘SHA256’. Under ‘Encryption certificate’ press the ‘Choose’ button and choose the certificate you just imported, and select the ‘Encryption algorithm’ as ‘AES (256 bit)’. Finally OK out.
- Still in Email security settings choose to ‘Export a digital ID’, choosing the ID you just created. Choose to export to a PKCS12 File (it presumably exports the key and chain certs by default). Place this file in a long term secure place on your disk, and make a note of the password you use.
- At this point you can create or amend your signing and encryption policy for emails if you wish. This FAQ does not deal with this - please refer to Comodo FAQs or this very useful guide here: Email encryption in Outlook - how to encrypt messages with digital ID
- OK out of all dialogs and restart Outlook
- Done! You may wish to reset your IE security settings, changed in the first step above, to their previous values.
This is compiled by a moderator on a best endeavours basis, with initial input from Comodo SSL support. Please do make suggestions for improvements in the trace below.
Comodo SSL chat support if this does not help: Sectigo
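
A read-only check you can run in Windows PowerShell after either procedure above. It is an added example, not part of the original FAQ or Comodo's instructions. It lists the email certificates in the Windows personal store with their expiry, private-key status, key size and signature algorithm, then confirms that the PKCS12 backup opens with its password and holds the same certificate. The path `C:\path\to\backup.p12` is a placeholder for wherever you saved the backup.

```powershell
# Added example: read-only check of S/MIME certificates after installation.
$secureEmailOid = '1.3.6.1.5.5.7.3.4'   # "Secure Email" enhanced key usage OID
$emailName = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName
$ekuType   = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Get-MailCertReport {
    param([object[]]$Certificate)
    foreach ($cert in $Certificate) {
        # Collect the EKU OIDs; certificates without the Secure Email EKU are skipped.
        $ekuOids = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        if ($ekuOids -notcontains $secureEmailOid) { continue }
        [pscustomobject]@{
            Email         = $cert.GetNameInfo($emailName, $false)
            NotAfter      = $cert.NotAfter
            Expired       = $cert.NotAfter -lt (Get-Date)   # needs a replacement cert
            HasPrivateKey = $cert.HasPrivateKey             # must be True to sign or decrypt
            KeyBits       = $cert.PublicKey.Key.KeySize     # RSA key size in bits
            Signature     = $cert.SignatureAlgorithm.FriendlyName
            Thumbprint    = $cert.Thumbprint
        }
    }
}

# 1) The Windows personal store, which is where Outlook's 'Choose' button looks.
$inStore = @(Get-MailCertReport (Get-ChildItem Cert:\CurrentUser\My))
$inStore | Format-List

# 2) The PKCS12 backup: does it open with the backup password, does it hold
#    the certificate that is in the store, and were chain certificates exported?
$pfxPath  = 'C:\path\to\backup.p12'     # placeholder path
$password = Read-Host 'Backup password' -AsSecureString
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
foreach ($c in $pfx.EndEntityCertificates) {
    [pscustomobject]@{
        Thumbprint  = $c.Thumbprint
        AlsoInStore = $inStore.Thumbprint -contains $c.Thumbprint
        ChainCerts  = $pfx.OtherCertificates.Count
    }
}
```

An entry with `Expired` set to True is the case where a replacement certificate has to be installed; an entry with `HasPrivateKey` set to False cannot be used for signing or decryption in Outlook.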