Secure Email Procedure Guide for Outlook 2000

SECURE EMAIL USER GUIDE – OUTLOOK 2000
WELLS FARGO AUTHENTICATION SERVICES
DATED: MAY 2003
TABLE OF CONTENTS
GENERAL INFORMATION
INSTALLING THE WELLS FARGO ROOT CERTIFICATE CHAIN
INSTALLING THE CERTIFICATES INTO IE
SETTING UP THE SECURITY PROFILE IN OUTLOOK
USING THE CERTIFICATES IN OUTLOOK MAIL
SENDING ENCRYPTED EMAIL
BACKING-UP DIGITAL CERTIFICATES
RESTORING YOUR DIGITAL CERTIFICATE
STORING PUBLIC ENCRYPTION KEYS
SENDING SIGNED / ENCRYPTED MAIL USING OUTLOOK
READING AN ENCRYPTED MESSAGE
CUSTOMIZING OUTLOOK FOR SINGLE-CLICK SIGN AND ENCRYPT
MESSAGES / SYMBOLS
5/22/2003
General Information
Purpose of Using Encryption
Use encryption to secure email whenever you send confidential data across the
Internet. Public key encryption ensures that only the intended recipient can open
and read the email message and that it cannot be intercepted or tampered with by
someone else.
Requesting the Service
Use of digital certificates issued out of the Wells Fargo PKI requires a sponsor within
Wells Fargo to submit a request for a certificate on your behalf. Speak with your
account representative about acquiring a digital certificate for yourself or others in
your organization if using secure email to protect confidential data in transit could
facilitate your business dealings with Wells Fargo.
Installing the Wells Fargo Root Certificate Chain
To trust certificates issued out of the Wells Fargo PKI, including your own, you must install the
Wells Fargo root certificate chain. To do this, link to http://www.wellsfargo.com/cps.
1. Click on the appropriate button for your browser type.
IE users will see the following screen:
1. Click on Yes.
The Wells Fargo root certificate will now appear in your trusted root store.
Installing the Certificates into IE
The following steps are general instructions for users and may not exactly apply to your situation.
In all cases, adjust the specific instruction to your situation.
Use your passphrase to open the .p12 file you received from the Wells Fargo PKI. Save the
certificate files to a local drive – do not change their names.
1. Navigate to your personal drive (here, the H:/ drive is used) in the Save in: field
2. Do not change the name or file type in the File name: and Save as type: fields
3. Click on the Save button
4. Repeat for both files, the Signing and the Encryption certificate
Importing the certificates
The two files you just saved are located in your personal drive where you saved them – in this
example, the drive used is H:/. The next process is to import the certificates into your browser,
where the Outlook email client can use them.
1. Using Windows Explorer, navigate to your personal drive.
2. Open the Signing certificate first by double clicking on it.
The Certificate Import Wizard will begin automatically.
1. Click on the Next > button.
The File name: field will automatically be populated.
1. Click on the Next > button
1. Enter the passphrase that you previously entered when requesting the PKI certificates.
The same passphrase is used throughout the installation process.
2. Select the Enable strong private key protection field
3. Select the Mark the private key as exportable field
4. Click on Next >
1. Select Automatically select the certificate store based on the type of certificate field
2. Click on Next >
1. Click on the Finish button
1. Click on Set Security Level
1. Select the security level
a. Selecting “High” will offer the greatest protection. It will require you to create a
password to access your certificate that only you will know and which you will
have to remember to use your digital certificates. Every time you access your
certificate, you will be required to input the password that you created.
i. Recommended for high risk transactions, and
ii. High-risk workstations.
b. If you select Medium, you will not be required to create a password, or to input
the password every time you use the certificate. The system will tell you when
the private key of the key pair is being accessed, and you will be required to
approve that use, but there will not be any password or strong security
attached with the use of the certificate. Medium users can skip the next
screen and the screen after that; the security level will be set to Medium.
i. Recommended for lower risk transactions, and
ii. Secured workstations (nobody uses it but the certificate owner).
1. Click on Next >
1. In the Password for: field, enter your first name (space) sig, (as shown in example
above)
2. Create a new password in the Password: field
3. Re-enter the new password in the Confirm: field
4. Click on Finish
1. Click on OK
Once complete, you will see the success window.
1. Click on OK.
Now you must import the encryption file, using the same screens.
1. Using Windows Explorer, navigate to your personal drive.
2. Open the Encryption certificate by double clicking on it.
3. Click on the Next > button
1. Click on the Next > button
1. Enter the same (one and only) password you originally obtained to access the PKI
system (not the password you just made up in recent steps).
2. Select Enable strong private key protection
3. Select Mark the private key as exportable
4. Click on Next >
1. Select Automatically select the certificate store based on the type of certificate
2. Click on the Next > button
1. Click on the Finish button
1. Click on Set Security Level…
1. Select the security level
a. Selecting “High” will offer the greatest protection. It will require you to create a
password to access your certificate that only you will know and which you will
have to remember to use your digital certificates. Every time you access your
certificate, you will be required to input the password that you created.
i. Recommended for high risk transactions, and
ii. High-risk workstations.
b. If you select Medium, you will not be required to create a password, or to input
the password every time you use the certificate. The system will tell you when
the private key of the key pair is being accessed, and you will be required to
approve that use, but there will not be any password or strong security
attached with the use of the certificate. Medium users can skip the next
screen and the screen after that; the security level will be set to Medium.
i. Recommended for lower risk transactions, and
ii. Secured workstations (nobody uses it but the certificate owner).
2. Click on Next >
1. In the Password for: field, enter your first name (space) enc (as shown in example
above)
2. Enter the same new password as created for the signature certificate steps in the
Password: field
3. Re-enter the same password in the Confirm: field
4. Click on the Finish button
1. Click on the OK button
You will see the success window.
1. Click on OK
Setting up the Security Profile in Outlook
1. On the main menu in Outlook 2000, click on Tools
2. Click on Options
1. Click on the Security tab
1. Click on the Settings… button
1. Click on the New button
1. Enter your name in the Security Settings Name: field
2. Click on the Choose… button in the middle of the screen
1. Highlight the “signing” certificate, titled Signing Key
2. Click on OK.
Click on the Choose… button on the lower portion of the screen
1. Highlight the encryption certificate.
2. Click on the OK button.
1. Click on OK
Using the Certificates in Outlook Mail
In order to send or receive secure email messages, you must exchange certificates. The first
step is to email your signature certificate to the person you want to communicate with via secure
email.
1. In Outlook, create a new email message
2. Click on the Options… button
1. Click in the Add digital signature to outgoing message field
2. Click on Close
Do not select this option
Now you must enter the new password you created when downloading the certificates. You
should have only used one password.
1. For those with the security level set to High, enter your password in the first field.
If you selected High security, do NOT click in the Remember password field. By
doing so the system would never ask you for your password again. This would
defeat the purpose of using encrypted emails, which require both the sender and
receiver to enter their passwords.
2. Click on OK
Send the email message. You will see a red and yellow certificate symbol on any emails that
are sent using certificate keys, as noted in the first email on the screen above.
When you open the email, you will see the same red and yellow certificate symbol on the
right side of the email message, in the shaded area.
The other party must also have secure email certificates on their side. Have the person send
you an email message with their digital signature certificate attached. When received, add the
person to your contacts as follows.
1. Open the email message
2. Right click on the sender’s name, in the shaded area
3. Select Add to Contacts
Enter any data about your new Contact that you need to have beyond the information
automatically captured – name and email address, and the certificate.
1. Click on the Certificates tab
2. Click on the Properties… button to view their certificate information
1. Click on OK
2. Click on Save and Close near the top left of the screen.
Once both sides have saved the other person to their contacts, you will be able to exchange
signed and/or encrypted emails.
Sending Encrypted Email
Encrypted email may be sent once signature keys are exchanged.
From a New Message Window, click on the “To” button. Select the recipient from your Contacts
List.
1. In Outlook, create a new email message
2. Click on the Options… button
1. Click in the Encrypt message contents and attachments field
2. Click on Close
Do not select this option
Now you must enter the new password you created when downloading the certificates. You
should have only used one password.
1. For those who have set the security level to High, enter your password in the first field.
Do not click in the Remember password field. By doing so the system would
never ask you for your password again. This would defeat the purpose of using
encrypted emails, which require both the sender and receiver to enter their
passwords.
2. Click on OK
3. Send the encrypted email.
You will see a blue certificate on any emails sent to you indicating they are encrypted.
All new messages sent encrypted will have the blue lock symbol as displayed above in the
circled area.
Backing-Up Digital Certificates
It’s important that you make a back-up copy of your signing and encryption certificates for
emergency use. These steps will take you through the certificate export process.
1. From the Outlook Main menu select Tools
2. Click on Options
3. Click on the Security tab
4. Click on Import/Export…
The Import/Export Security Information and Digital ID dialog box will be displayed.
1. Click on the Export your Exchange or S/MIME Security Information
2. Click on the Select button.
3. The Certificate Store will be displayed; highlight the digital certificate to export
4. Click OK.
After selecting the certificate to back up, you will be returned to the Import/Export Security
Information dialog box. The Digital ID box will be filled in with the certificate’s Friendly Name.
Enter an export file name for the certificate
1. Enter your certificate passphrase.
Do NOT select “Delete Security Information Digital ID from the system.”
2. Click OK.
Restoring Your Digital Certificate
Complete the following steps to restore your digital certificate.
1. From the Outlook Main menu select Tools
2. Click on Options
3. Click on the Security tab
4. Click on Import/Export Digital ID…
The Import/Export Security Information and Digital ID dialog box will be displayed.
1. Click on Import existing Digital ID from a file option
2. Click on the Browse… button
1. Select the security file to import
2. Click Open
The Import/Export Security Information and Digital ID dialog box will be displayed.
1. Enter the password for the file and a Friendly Name for the certificate.
2. Click OK.
Your certificate will be imported into the Certificate Store.
Storing Public Encryption Keys
Until public key certificates are available through a publicly accessible directory, store public keys
locally. In Microsoft, that means saving to Contacts, and it may mean addressing encrypted mail
to persons for whom you have the certificates through Contacts.
Sending Signed / Encrypted Mail using Outlook
Signing and/or encrypting mail messages in Outlook can be set at a global level or for each
message as desired by the user. Each time a message is sent, Outlook will sign the message
with the private key of the certificate owner’s signing certificate and send the public key of
the certificate owner’s encryption key. The steps are outlined below.
Note: Selecting Signing at a global level will require the certificate owner to enter their password
each time they send a signed message.
Note: Wells Fargo has many different configurations of Internet Explorer and Outlook in place.
Not all Outlook configurations can accept signed email. In most cases, users with IE 5.5 and
Outlook 98 and higher can accept signed messages. If you will be sending a signed message to
an internal recipient for the first time, you may want to follow up and determine if they could
successfully open the signed message. If not, an upgrade may be required.
Global Signing
1. From the Main Outlook screen select Tools/Options/Security.
2. Click “Add digital signature to outgoing messages” box.
3. Click OK to accept the changes.
Global Encryption
1. From the Main Outlook screen select Tools/Options/Security.
2. To encrypt all outgoing messages select the “Encrypt contents and attachments for
outgoing messages” box.
3. Click OK to accept the changes.
Signing a Single Message
1. From a message screen, click the “Options” button.
2. In the Message Options screen select “Add digital signature to outgoing message”.
3. Click on “Close”.
Encrypting a Single Message
1. From a message screen, click the “To…” button, then click the “Options” button.
2. In the Message Options screen select “Encrypt message contents and attachments”
3. Click on “Close”.
Reading an Encrypted Message
When you receive a message that is encrypted with your public key, only your private key can
decrypt the message. When an attempt is made to open the message, Outlook will prompt for
your password. The message will be decrypted and displayed. When you close the message it
will return to its encrypted state.
1. Enter your password in the space provided.
2. Click OK.
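As an added illustration (not part of the original guide and not Wells Fargo or Outlook code), the shell script below uses the OpenSSL command-line tool to reproduce the S/MIME operations described under Sending Signed / Encrypted Mail and Reading an Encrypted Message: signing with the sender's signing key, encrypting to the recipient's encryption certificate, and the failures seen with the wrong private key or an altered message. The names sender_sig, recipient_enc and outsider, the message text and the self-signed certificates are constructed for the demo, and the script assumes openssl is installed.

```shell
#!/bin/sh
# Added example: every name, key and certificate here is a throwaway
# constructed for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for a CA-issued certificate: RSA key pair plus self-signed cert.
make_cert() {  # make_cert <basename>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Sender: sign with the signing private key, then encrypt the signed
# message to the recipient's encryption certificate (public key only).
send_secure() {  # send_secure <plaintext file> <output file>
  openssl smime -sign -text -in "$1" -signer "$WORK/sender_sig.crt" \
    -inkey "$WORK/sender_sig.key" -out "$WORK/signed.eml" &&
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" -out "$2" \
    "$WORK/recipient_enc.crt"
}

# Check the signature and print the body; non-zero exit if it does not verify.
# -noverify skips chain validation only because the demo certs are
# self-signed; a mail client validates the chain up to the installed root.
verify_signed() {  # verify_signed <signed message>
  openssl smime -verify -noverify -text -in "$1" -out "$WORK/body.txt" \
    2>/dev/null && tr -d '\r' < "$WORK/body.txt"
}

# Recipient: decrypt with <basename>'s private key, then verify the signature.
read_secure() {  # read_secure <encrypted message> <basename>
  openssl smime -decrypt -in "$1" -recip "$WORK/$2.crt" \
    -inkey "$WORK/$2.key" -out "$WORK/inner.eml" 2>/dev/null &&
  verify_signed "$WORK/inner.eml"
}

# Build the three identities, one secure message, and one copy of the
# signed message whose body was altered after signing.
setup_demo() {
  make_cert sender_sig && make_cert recipient_enc && make_cert outsider &&
  printf 'Wire instructions attached.\n' > "$WORK/msg.txt" &&
  send_secure "$WORK/msg.txt" "$WORK/secure.eml" &&
  sed 's/Wire/Fake/' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

setup_demo || echo "setup failed (is openssl installed?)" >&2
read_secure "$WORK/secure.eml" recipient_enc
read_secure "$WORK/secure.eml" outsider || echo "outsider key: cannot decrypt"
verify_signed "$WORK/tampered.eml" || echo "tampered copy: signature check failed"
```

The outsider case corresponds to the Key Not Found condition listed under Messages / Symbols: without the private key that matches the recipient certificate, the message stays encrypted.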
Customizing Outlook for Single-Click Sign and Encrypt
To set up native Outlook for single-click sign and/or encrypt control:
1. Open a new email message
2. Select Tools on the menu bar
3. Click on Customize…
1. Click on the Command tab
2. Highlight “Standard” in the Categories: box
3. Scroll down and find the following 2 choices in the Commands: box
– Encrypt Message Contents
– Digitally Sign Message
4. Highlight these choices and drag and drop these icons to your message toolbar
5. Click on Close
Now you can digitally sign and/or encrypt by clicking a single button.
Messages / Symbols
Non-Secure Recipients
The system cannot find the recipient’s public key to encrypt the message.
Remedy: If you do not have the recipient’s public key, ask the recipient to send you a signed
message, store their key in your local Contacts List, then try re-sending the message.
If you have the recipient’s public key, then address the message from your Contacts List.
Secure Message Icons
When you receive a secure message, either signed and/or encrypted, Outlook will display a
sealed envelope with a blue lock.
Blue Pen
The message was sent using Exchange Server security.
Red Certificate
• The message was sent using S/MIME and has an invalid certificate or a certificate with
an unknown verification source.
• The message was sent using S/MIME and includes a digital ID that is clear signed.
To include a digital ID, follow these steps:
1. On the Tools menu, click Options.
2. On the Security tab, click Add digital signature to outgoing messages, and Send
clear text signed message.
Blue Lock
• The message was sent using S/MIME and the digital ID was not sent using clear text.
Send clear text signed message is not selected. The digital ID was sent encrypted.
• The message is sent using S/MIME and is encrypted.
These icons will be displayed within the secure message. The lock indicates an encrypted
message. The ribbon indicates the message is signed.
Encryption Algorithm Message
Double-clicking on an encryption icon from within a message will display a message identifying the
encryption algorithm.
Certificate
Clicking on “Encryption Certificate” or “Signing Certificate” button will display the digital certificate.
You can view the detail, certificate path or trust by clicking on the appropriate tabs.
Digital Signature Validation Message
Out of Memory or System Resources
Outlook is unable to open a signed message, or you have aborted a signing operation.
Key Not Found
Outlook was unable to locate your private key to decrypt. Your key may have been deleted or
lost.
Password Mismatch
You entered your password incorrectly.