

Sending S/MIME encrypted/signed email with Lotus Notes

I use PGP on most days to send encrypted and digitally signed email to external clients. However, an increasing number of my clients are using the S/MIME standard to encrypt external email instead.

Since my company uses Lotus Notes, I went through the process of figuring out how to get Lotus Notes to send S/MIME encrypted or signed email (supported in recent versions - these screenshots are from Notes 6.5.3).

First of all, you will need to get an X.509 email certificate. You can get these for free from Thawte, or you can pay to get them from Verisign.

The example I am going to use is Thawte. For this example, I am assuming you have already requested the certificate using Internet Explorer, and you have already downloaded the certificate into IE. The guidance on the Thawte site should be able to get you to that point.

Firstly, for those not familiar with exporting certificates, you need to go to Tools -> Internet Options -> Content, and click on the Certificates button in the middle :-

You should then be presented with a screen as below where you can export the certificates installed. If you don't see a certificate issued by Thawte at this point, you haven't got the certificate installed in IE correctly.

At this point we click "Export" to start the export wizard. Make sure that we export the private key, and use PKCS #12 format (a .pfx file). You will be required to pick a password. The password protects the exported file, which matters because the file contains the private key.

At this point we can import the key into Lotus Notes. This is done using the File -> Security -> User Security menu. In the "Your Identity" section there is a subsection titled "Your Certificates". If you click on this subsection, you should get a screen similar to this one :-

If you click on "Get Certificates", and select "Import Internet Certificates", you should be prompted to select the PKCS #12 file created when the certificates were exported from IE. Select that file, enter the password you specified before, and you should see a screen similar to this :-

Click "Accept All", and you should be finished.
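The .pfx file exported from IE can be checked before it is imported into Notes, to confirm it really contains the private key and an email certificate. The script below is an added example, not part of the original post; it assumes the OpenSSL command-line tool is installed, and the function names and the `PFX_PASS` variable are made up for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a PKCS #12 (.pfx) export before importing it.
# Assumes the OpenSSL CLI is installed. The password is read from the
# PFX_PASS environment variable so it never appears in the process list.

# check_pfx FILE: returns 0 only if FILE opens with $PFX_PASS, holds a
# private key, and its certificate names an email address.
check_pfx() {
    pfx=$1
    # Client certificate only (no keys, no CA chain).
    cert=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null) || {
        echo "cannot open $pfx (wrong password or not PKCS #12)" >&2; return 2; }
    # The decrypted key goes through a pipe to grep and is never written to disk.
    if ! openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
            grep -q 'PRIVATE KEY'; then
        echo "no private key in $pfx: re-export with the private key" >&2; return 3
    fi
    email=$(printf '%s\n' "$cert" | openssl x509 -noout -email 2>/dev/null)
    [ -n "$email" ] || { echo "certificate has no email address" >&2; return 4; }
    # Show what will be imported: owner, issuer, expiry.
    printf '%s\n' "$cert" | openssl x509 -noout -subject -issuer -enddate
    echo "email: $email"
}

# make_demo_pfx DIR: builds constructed test files (a throwaway self-signed
# certificate for demo@example.invalid), one .pfx with the key, one without.
make_demo_pfx() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Demo User/emailAddress=demo@example.invalid' \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -passout env:PFX_PASS -out "$d/with-key.pfx" &&
    openssl pkcs12 -export -nokeys -in "$d/cert.pem" \
        -passout env:PFX_PASS -out "$d/cert-only.pfx"
}
```

If OpenSSL 3 refuses an older export with an unsupported-algorithm error, add the `-legacy` option to the `openssl pkcs12` commands. Delete the .pfx file once the import has succeeded, since it holds the private key.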

Note that in order to sign or encrypt email you will need to specify this in the delivery options for each message, or change your user options to automatically sign/encrypt all messages.

In order to import X.509 certificates from people who have sent you signed messages, you will need to add them to your address book using Tools -> Add Sender to Address Book, making sure that on the Advanced tab, "Include X509 certificates when encountered" is checked.




About

This page contains a single entry from the blog posted on August 30, 2005 2:36 PM.

This weblog is licensed under a Creative Commons License.