S/MIME Email Encryption in LegalServer

Purpose: Enable LegalServer to send encrypted S/MIME email messages to end recipients. S/MIME is a standard for public key encryption that is supported by most major email systems, including Gmail and Microsoft Office.

Status: This is still in beta. Please email support@legalserver.org if you are interested in being part of the beta testing.

Cost: TBD

Setup

The setup generally consists of taking a S/MIME certificate that has been uploaded to the recipient’s email and adding the Public Key for that certificate to LegalServer. Then when emails are sent to that email address, the Public Key is used to encrypt the email. If the end user already has an S/MIME certificate, skip to the step to Add Certificate to LegalServer.

Getting an S/MIME Certificate

From a site such as Actalis, request a free email certificate.

You’ll have to enter your email address, send a verification email and then enter the verification code from your email. Note that Actalis is an Italian company, so your verification email is likely to be in both Italian and English.

After you enter the Verification Code and submit the request, it will display a password on the screen. This is the only time you will see the password, so be sure to save it somewhere safe. The certificate itself will arrive in your email as a .zip attachment.

Note: There are many places to get an S/MIME certificate besides Actalis. Be sure that you are getting one from a location that you (and others) trust.

Convert Your Key to PEM Format

If you received your key as a .ppk or pfx file, you will need to convert it to .pem to use it with LegalServer. This will extract the Public Key from the Certificate.

If you have OpenSSL, you can run the following command:

openssl pkcs12 -in PKCS12_Credential_username@email.pfx -clcerts -nokeys -out legalserver-username@email-smime.pem

Where username@email is the email address you used in generating the certificate. OpenSSL is available for Linux natively or for Windows via Shining Light Productions. You will be asked for a password and use the password you got when the certificate was generated.

Add Certificate to LegalServer

Open the new .pem file with a text editor like Notepad. You will just see the Public Key from the certificate. This needs to get added to LegalServer for LegalServer to know it should encrypt an email.

While including the BEGIN CERTIFICATE and END CERTIFICATE lines, copy the certificate code from notepad into LegalServer at https://YOURSITEHERE.LegalServer.org/mail/certificate.

Add Certificate to Your Email Provider

The final step is to ensure that the end user has S/MIME configured in their email provider. Google Workspaces has a help page available. Office 365 has one as well here. This is not available from all email providers.

Once S/MIME is enabled, via the help documentation above, you’ll have to upload the generated certificate to make use of it. In Gmail, those steps look like this:

Click the Settings Cog and then click the link for “All Settings”.

Under the “Send Mail As” section, click “Edit info”. You’ll get a popup with details about enabling “Enhanced encryption (S/MIME)”. Below that is a link to upload your certificate. Select the original .pfx file that was created. This will then ask you for your password, use the same password you received when the certificate was created. After you get confirmation that it uploaded properly, be sure to say “Use this certificate” to enable the encryption.

Usage

Emails sent via the Case Note block to the recipient whose public key was added will be encrypted using S/MIME. The message will come through as a smime.p7m attachment to the email. That will then need to be decrypted locally through a third party tool if the email address doesn’t support decryption natively.

A list of certificates loaded into LegalServer can be found at https://YOURSITEHERE.legalserver.org/mail/list_certificate.