"Keeping your e-mail safe from prying eyes"


Unicrypt Pty Ltd
ACN 099 947 056
Frequently Asked Questions

I received an e-mail containing the following ...

This message could not be encrypted because no digital certificate
was found for your address. However, you can encrypt your reply with
the certificate attached below. Details at www.unicrypt.com.au
What should I do?

This message was sent to you by a Unicrypt Secure E-mail Server. The server tries to encrypt all the messages it sends, but it can only do so if it has a digital certificate for the recipient. Both S/MIME digital certificates and PGP key blocks are handled, but the server apparently couldn't find either for your address.

If you wish to obtain a digital certificate, there are a few options. You can download a free S/MIME certificate from Thawte or Verisign. You can generate your own using a toolkit such as OpenSSL. You can generate a PGP key with toolkits such as PGP or GNU Privacy Guard. Or you can install a Unicrypt server, which will generate S/MIME and PGP certificates for you automatically.

There are a number of things you can do to let the Unicrypt server find your certificate. If you have an S/MIME certificate, simply send a digitally-signed message to a Unicrypt user. The digital signature contains a copy of the certificate, which the server will automatically add to its local address book. Similarly, if you have a PGP key, sending a message with the keyblock appended will ensure that the Unicrypt server gets a copy.

With a PGP key, you can make it accessible to all Unicrypt servers worldwide by registering it with MIT's PGP key server. There are no public registries for S/MIME certificates, but many of the certificates issued by Verisign are registered at directory.verisign.com and directory.megasign.nl, and these will be found by all Unicrypt servers. Finally, you can run a public key directory on your mail server, and register your S/MIME certificate there. For the technically-minded, this involves running an LDAP server with the inetOrgPerson schema and a null suffix, and storing the certificate in the userCertificate field.

How do I send encrypted e-mail to someone with a Unicrypt account?

You can send e-mail encrypted with either the S/MIME or PGP protocol. S/MIME is supported by most modern e-mail clients, such as Outlook, Netscape, and Lotus Notes, so it is probably the easier option. However, if you have a preference for PGP, you can use that as well.

In order to send an encrypted message with these applications, you first need to get a copy of the recipient's digital certificate (often referred to as a keyblock in PGP applications). For a Unicrypt recipient there are a few options. Firstly, if they have ever sent you an e-mail, it will be digitally signed as a matter of course, and this will include a copy of their certificate. Most e-mail applications will spot the certificate and allow you to put it in your address book. Secondly, you can find PGP certificates by querying MIT's PGP key server. Whenever an account is created on a Unicrypt server, a certificate is automatically generated and registered there.

Finally, you can query the public key registry running on the recipient's Unicrypt server. If the recipient's e-mail address is aaa@bbb.com, the registry will be accessible at ldap.bbb.com. Many e-mail applications will allow you to access the registry directly, or, if you have OpenLDAP 2.x installed on a Unix machine, you can run

    ldapsearch -x -t -h ldap.bbb.com mail=aaa@bbb.com userCertificate

Having obtained the recipient's certificate, you should be able to install it in your e-mail application, and whenever you send a message to that user you will have the option of encrypting. However, the exact steps needed to carry this out vary between applications.
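Once the query above returns, the certificate still has to be pulled out of the LDIF that ldapsearch prints (when run without -t, which would otherwise write binary values to files) and checked before it is installed. The following is an added example, not Unicrypt's own code: it parses that output for the address that was queried and keeps only userCertificate values that are complete DER SEQUENCEs, rejecting truncated or non-certificate data. The LDIF sample and the certificate bytes are constructed placeholders.

```python
import base64

# Constructed sample of the LDIF that ldapsearch prints (without -t) for the
# query on the page: binary attributes are base64 after "::" and long values
# are folded onto continuation lines that start with one space. The
# certificate bytes are a placeholder DER SEQUENCE, not a real certificate.
FAKE_DER = b"\x30\x81\x80" + b"\x05\x00" * 64          # 3-byte header + 128 bytes
_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_LDIF = (
    "dn: mail=aaa@bbb.com,ou=people\nmail: aaa@bbb.com\n"
    + "userCertificate;binary:: " + _B64[:50] + "\n"
    + "".join(" " + _B64[i:i + 76] + "\n" for i in range(50, len(_B64), 76))
    + "\ndn: mail=ccc@bbb.com,ou=people\nmail: ccc@bbb.com\n"
    + "userCertificate;binary:: " + base64.b64encode(FAKE_DER[:-10]).decode() + "\n"
)

def parse_entries(text):
    """One dict per LDIF entry: attribute (lower-cased, options like ';binary'
    dropped) -> list of values; '::' values are base64-decoded to bytes."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:   # unfold, then sentinel
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
            current = {}
            continue
        name, rest = line.split(":", 1)
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        current.setdefault(name.split(";")[0].strip().lower(), []).append(value)
    return entries

def der_total_length(blob):
    """Declared length (tag + length + content) of a DER SEQUENCE, or None if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    if blob[1] < 0x80:
        return 2 + blob[1]
    n = blob[1] & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def certificates_for(text, email):
    """DER certificates registered for `email` whose declared length matches the bytes received."""
    wanted = email.lower()
    found = []
    for entry in parse_entries(text):
        mails = [v.lower() for v in entry.get("mail", []) if isinstance(v, str)]
        if wanted in mails:
            for blob in entry.get("usercertificate", []):
                if isinstance(blob, bytes) and der_total_length(blob) == len(blob):
                    found.append(blob)
    return found
```

Each returned blob can be written to a .cer file and imported into the e-mail application; the second sample entry is deliberately truncated and is dropped.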

Why does my e-mail application say that a message from a Unicrypt server has an invalid signature?

E-mail applications that handle S/MIME signatures are pre-configured to trust a small number of root certificates, typically those produced by Verisign and Thawte. Root certificates are used to issue end-user certificates, which are in turn used to digitally sign messages. An e-mail application will usually indicate that a signature is invalid if the signing certificate was issued by a root certificate that it doesn't know about.

Unicrypt servers use certificates issued by the Unicrypt root certificate, which is not recognized by any e-mail applications, hence the warning message. However, you can make the warnings go away by explicitly configuring your application to trust the certificate. For example, under Netscape, click on the Invalid signature icon, and a window will pop up. Check the box saying that you trust the certificate, click OK, and you won't get the warning any more.