2025/26: Segurança em Sistemas Informáticos (Computer Systems Security) - 1.o M.EIC

Lab 2: Digital Certificate

Getting a free Digital Certificate for email usage: the right way!

Goal:

You, and all members of your group, are required to obtain your own personal X.509 Digital Certificates that will be useful for the protection of your S/MIME email conversations!
If you do not mind to pay for such certificates, there is a whole lot of possibilities, as there are dozens of commercial Certificate Authorities (CA) all over the world!
But if you want to get free ones - and that is the recommendation here! - you can, but currently there are very few possibilities.

Free!

The few possibilities are:

• Sectigo, that used to have an agreement with University of Porto through FCCN (Fundação para a Computaçãoo Científica Nacional) allowing every member of U.Porto to get (in the right way!) a personal email digital certificate for free. Unfortunately, the point of access to Sectigo certificate services through U.Porto has been closed some months ago; however, the point of access through FCCN seems to remain active:
  • https://cert-manager.com/customer/fccn/idp/clientgeant
• CAcert, a community-driven Certificate Authority, that issues free digital certificates of different types, including "Email (S/MIME) certificates". Unfortunately, the access to its website is problematic with some web browsers as its root certificates do not come pre-installed; so, you should have to add them to the Certificate Store of your computer, browser or email client. Nothing special, just a bit more work. CAcert operation has been successfully tested in a security course unit in the 1st semester of 2025/26:
  • https://www.cacert.org/
• Actalis is a kind of last resource alternative. You can try to get a free for one-year, email digital certificate from them; unfortunately, in the wrong way. Actalis operation also has been successfully tested in a security course unit in the 1st semester of 2025/26:
  • https://www.actalis.com/s-mime-certificates

How:

To get your personal email S/MIME digital certificate in the right way, you have to place the request to a Certificate Authority through a standard "Certificate Signing Request", CSR; that implies first generating locally your pair of cryptographic keys.

There are a few possibilities of achieving that:

• through the OpenSSL toolkit:
  • https://openssl-library.org/
• through CAcert's own tool:
  • https://community.cacert.org/
• through Thunderbird email client's own tool:
  • https://support.mozilla.org/en-US/kb/instructions-smime-certificate-using-csr

Then, what?

Once you and your group colleagues got your very personal S/MIME email digital certificates, you should:

• pack in a ZIP file the following documents:
  • a (group) concise report of the operations you conducted to get the certificates;
  • the CSR file one of you used;
  • the digital certificate of the same you, in PEM (Privacy Enhanced Mail) file format;
  • the private cryptographic key of the same you, in PEM file format.
• send the ZIP file in a cryptographically signed, confidential email message to jmcruz@fe.up.pt.

Additional help:

• some basic help for the generation of a CSR file
  • https://www.digicert.com/easy-csr/openssl.htm
• jmcruz's actual PEM certificate, issued by Sectigo,* and the CSR file he used to ask for the certificate
  • jmcruz_fe_up_pt.pem and jmcruz_fe_up_pt.csr
• Cyberchef utilities, useful for seeing PEM certificates and CSR files
  • https://gchq.github.io/CyberChef/

** in reality, jmcruz's certificate was issued by "GEANT Personal CA 4", whose certificate was issued by "USERTrust RSA Certification Authority", whose certificate was issued by "AAA Certificate Services" of "Comodo CA Limited" whose certificate was issued by... "AAA Certificate Services" of "Comodo CA Limited"!
[Look up "certificate chain", "intermediate CA"...]