Wednesday, January 22, 2014

The annoyance that is encrypted internet mail

Okay.  To other people in the Domino world, getting an IBM Notes client configured to send encrypted email over the internet to a recipient may not be a big deal.  But to me, it has been a pain in my buttocks.  A royal one at that.  But this week, I was able to finally make some headway and get things working.  How, you ask?  Well, let me share with you my journey.

It all started a while ago when our director of tax for the company told me that the IRS will only exchange email with a client if that email is encrypted.  Okay, that shouldn't be a big deal, right?  Well, it was.  Off to the Interwebs I dashed to find out how to do it right.  I found this article.  If you look at it, it appears to be a VERY straightforward step-by-step guide.  However, there were hidden land mines riddled along the path.

First, getting a certificate from Symantec (which owns VeriSign now) is not a big deal.  Go to the site, put in your information and have a cert generated.  You can get a 25-day trial or pay around $21 for a full year.  Once you complete the steps of the request and have it approved, the website then allows you to import that certificate into Internet Explorer and then export it from there into a file that you can import into your Notes ID file.  Well, that all seemed good until the part where it tried to add that certificate from Symantec/VeriSign to the browser.  Regardless of which machine in the office I tried to add it to, I got the following error:
Again, I only tried this on computers in the office, so I'm assuming that something in our security policy is blocking this certificate from being installed.  So, I opened Firefox and was successful there.  Except that when I got the certificate and imported it into my Notes client, I saw this:
The "Issued To" information says Symantec Corporation and not the email address that requested it.  The email is listed in the blacked-out email field, but when you look at the certificate in Firefox, you see a "Persona Not Validated" message:
So it's almost like it is and isn't registered to the appropriate email address.  (A certificate of this class only verifies that the requester controls the email address, so the subject name is the CA's generic label rather than the requester's name; the address itself is carried in the certificate's email field, which is the part the mail clients use.)  I have a ticket open with Symantec on this so hopefully they can shed some light on it, because the internet searches I did didn't come up with anything that looks right.
Well, now that I had gotten the certificate merged with the Notes ID, the steps at the link above say, "Once the certificate is part of the ID file, you will need to send a signed message to the recipient you intend to start sending encrypted mail between."  Okay, tried that.  However, the individual at the IRS didn't get anything from that signed message that allowed them to send encrypted mail to my user.  So after going down the support route, I put out a frustration tweet.  That's when our pal Mitch Cohen came to the rescue.  It appears he has had to do the same setup for his company at one time, and he shared with me the key step they did to get this to work.  The steps are simple:
1.  In the Notes client, select File - Security - User Security.
2.  Enter a password if needed.
3.  In the User Security window, expand Your Identity - Your Certificates and use the drop-down to select "Your Internet Certificates".
4.  Select the Other Actions button to the right, and select Export Certificate.
5.  Now this is the tricky part.  There are four options to select from:

Without going into too much detail here, for security reasons, you have to work with the recipient to find out which certificate you need to send them, because one of them may not work.  In my case, I found the right one by trial and error.
It's also important to note that when you export the internet certificate from Notes, you MUST include the file extension in the file name.  Notes will not add it automatically.  To find out the proper extension, just look under the file name field and it will give you examples.
6.  So with the cert exported from Notes, we attached it to an email and sent it along to the IRS person.  Luckily she was on site, so I was able to watch the steps she did.
7.  She opened the email and Outlook recognized that the file attachment was a certificate.  She double-clicked the file and it was merged into the contact entry she had for my user.  Once she had it installed, she was able to send him encrypted mail.  Huzzah!   Release the pigeons!
BUT WAIT!  We were able to get her encrypted mail, but we still needed to get a certificate from them to merge into my user's address book.  That was actually pretty easy.  I first removed the entry for that recipient from my user's local address book.  The IRS agent then sent out a .vcf file.  That file contained the X.509 certificate Notes needed to encrypt messages to her.  With that correct entry in the address book, we got encrypted two-way communication working!  Whew!
I couldn't have done it without Mitch's help.  Again, a situation where maybe some more documentation on the support site could have helped.  But luckily I have champs like Mitch out there who have my back.  If I get any clear information as to why I was getting that error from Internet Explorer, I will post it so that it may help someone else down the road.
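Two things in the exchange above are worth checking with a tool rather than by trial and error: whether the certificate you are about to export and attach is really bound to your user's address (the "Issued To" field is misleading for this kind of certificate) and what the .vcf that comes back actually carries.  The script below is an added example, not code from this post or from Notes or Outlook.  It uses openssl to build a constructed certificate with the layout described above (a generic subject, the mailbox only in the subject alternative name), checks a certificate for the expected address and the emailProtection key usage, exports it as DER with the .cer extension spelled out, and extracts the X.509 certificate from a vCard KEY property.  The mailbox address, the file names, and the vCard layout (vCard 3.0 with KEY;ENCODING=b) are assumptions; the agent's vCard is constructed in the script.

```shell
#!/bin/sh
# Added example, not code from the post or from Notes/Outlook: sanity-check an
# S/MIME certificate before mailing it to a correspondent, export it with an
# explicit .cer extension, and pull the X.509 certificate out of a vCard.
# Needs openssl; every name, address and the sample certificate are constructed.
set -e
WORK="$(mktemp -d)"
MAILBOX="tax.director@example.com"   # assumed address of the Notes user

# 1. Constructed certificate with the layout the post ran into: a generic
#    subject ("Persona Not Validated" rather than the user's name) with the
#    mailbox carried only in the subjectAltName.
cat > "$WORK/smime.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Persona Not Validated
O = Example Corp
[ v3_smime ]
subjectAltName = email:$MAILBOX
extendedKeyUsage = emailProtection
keyUsage = digitalSignature, keyEncipherment
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -config "$WORK/smime.cnf" -extensions v3_smime 2>/dev/null

# 2. Is the address actually bound to the cert, and is it usable for S/MIME?
#    "Issued To" alone is misleading for this kind of certificate; the SAN and
#    the extended key usage are what the mail clients act on.
check_smime_cert() {
  cert="$1"; addr="$2"
  text="$(openssl x509 -in "$cert" -noout -text)"
  printf '%s\n' "$text" | grep -qF "email:$addr" \
    || { echo "subjectAltName does not contain $addr"; return 1; }
  printf '%s\n' "$text" | grep -qF "E-mail Protection" \
    || { echo "extendedKeyUsage lacks emailProtection"; return 1; }
  echo "ok: $cert is an S/MIME certificate for $addr"
}

# 3. DER export with the extension spelled out in the file name (Notes will
#    not add one for you).  Prints the path once the file parses as DER.
export_der() {
  openssl x509 -in "$1" -outform DER -out "$2"
  openssl x509 -in "$2" -inform DER -noout && echo "$2"
}

# 4. Extract the certificate from a vCard.  Assumes the vCard 3.0 property
#    "KEY;ENCODING=b;TYPE=X509:<base64>", possibly folded across lines that
#    start with a space or tab.  Writes DER to $2 and prints the subject.
vcf_extract_cert() {
  awk '/^[ \t]/ { sub(/^[ \t]/, ""); buf = buf $0; next }
       { if (buf != "") print buf; buf = $0 }
       END { if (buf != "") print buf }' "$1" \
    | grep -i '^KEY[;:]' | head -n 1 | sed 's/^[^:]*://' | tr -d '\r' \
    | base64 -d > "$2"
  openssl x509 -in "$2" -inform DER -noout -subject
}

# Constructed vCard of the kind the correspondent sent back, with the KEY
# property folded at 72 columns the way exporters do.
B64="$(openssl x509 -in "$WORK/cert.pem" -outform DER | base64 | tr -d '\n')"
{
  printf 'BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Revenue Agent\r\nEMAIL:agent@irs.example\r\n'
  printf 'KEY;ENCODING=b;TYPE=X509:%s' "$B64" | fold -w 72 | sed '2,$s/^/ /'
  printf '\r\nEND:VCARD\r\n'
} > "$WORK/agent.vcf"

# Run through the three steps so the script does something when executed.
check_smime_cert "$WORK/cert.pem" "$MAILBOX"
export_der "$WORK/cert.pem" "$WORK/cert.cer" >/dev/null
vcf_extract_cert "$WORK/agent.vcf" "$WORK/agent.der"
```

The check is the part to run against a real export: point check_smime_cert at the file Notes wrote and pass the user's address.  If the address is missing from the SAN, the "is and isn't registered" confusion is real and the cert will not be usable for that mailbox no matter which of the four export options you pick.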
On to Orlando!
UPDATE - I got my answers. Read all about it here!


IdoNotes said...

Hahah, we are just doing this for a client with the IRS too who refuses to buy a cert and wants self-signed.

Andy Donaldson said...

OUCH! Good luck with that!

Chris Whisonant said...

What about SMTP TLS? Though that wouldn't guarantee that only the recipient would see the message.

Andy Donaldson said...

Not good enough for the IRS. They want it desktop to desktop.