With user certificates, you can digitally sign and encrypt your e-mails. The digital signature of an e-mail provides the following advantages:
The recipient of an e-mail can verify that a specific sender has sent the message.
The recipient can recognize whether or not a message has been manipulated during transmission (integrity).
E-mails without digital signatures can be manipulated very easily, and the sender would not be identifiable.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is the standardised procedure for digitally signing e-mails.
To sign your e-mails digitally, you have to import your user certificate, and possibly the certificate chain, into the certificate store of the e-mail client or the Microsoft certificate store.
The following describes the configuration of MS Outlook for the digital signature of e-mails.
To digitally sign your e-mails, first select your e-mail account in Outlook. Then go to "File" and afterwards to "Options" in the top menu.
Now click on "Trust Center" and then on "Trust Center Settings".
Now click "Import/Export".
Now select your certificate file via "Browse" and enter the password. Confirm this by clicking "OK".
Check the boxes "Encrypt contents and attachments for outgoing messages" and "Add digital signature to outgoing messages". You can adjust these settings as required when composing a message. Now click on "Settings".
Outlook uses the hash algorithm "SHA1" by default. Change this value to at least "SHA256". The encryption algorithm must be "AES (256-bit)". Click on "OK".
Confirm the Trust Center settings with "OK". From now on, you can digitally sign your e-mails in Outlook.
If you now write a new e-mail, it will be signed and encrypted by default. If the recipient does not have a certificate, you can deactivate the "Encrypt" and/or "Sign" settings under "Options" by clicking on the respective buttons and send the e-mail unencrypted.
Note: If the message 'Encryption problems' appears when you send a message using the new certificate, send yourself a one-off 'signed only' e-mail.
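To confirm that the hash algorithm setting took effect, you can inspect the raw source of the 'signed only' test message. The following Python check is an added example, not part of the original instructions: a clear-signed S/MIME message names its digest algorithm in the `micalg` parameter of the Content-Type header, while an opaque `application/pkcs7-mime` message does not expose it in the headers. The function name and the sample headers are constructed for illustration, and the message is assumed to be available as RFC 822 text.

```python
from email import message_from_string

WEAK = {"md5", "sha1"}
STRONG = {"sha256", "sha384", "sha512"}


def smime_digest_check(raw_message):
    """Return (verdict, detail) for the outermost S/MIME layer of a message."""
    msg = message_from_string(raw_message)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        micalg = msg.get_param("micalg")
        if isinstance(micalg, tuple):  # RFC 2231 encoded parameter value
            micalg = micalg[2]
        if not micalg:
            return ("unknown", "multipart/signed without micalg")
        # Clients write "sha-256", "sha256" or "SHA256"; normalise the spelling.
        algs = [a.strip().lower().replace("-", "") for a in micalg.split(",")]
        if any(a in WEAK for a in algs):
            return ("weak", ",".join(algs))
        if all(a in STRONG for a in algs):
            return ("ok", ",".join(algs))
        return ("unknown", ",".join(algs))
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # Signature or ciphertext is wrapped in CMS; headers do not show the hash.
        return ("opaque", msg.get_param("smime-type") or "unspecified")
    return ("unsigned", ctype)


# Constructed Content-Type headers; the bodies are placeholders, not real CMS data.
SAMPLES = {
    "clear_sha256": 'multipart/signed; protocol="application/pkcs7-signature"; '
                    'micalg=sha-256; boundary="b"',
    "clear_sha1": 'multipart/signed; protocol="application/pkcs7-signature"; '
                  'micalg=SHA1; boundary="b"',
    "opaque": 'application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"',
}


def sample(name):
    return ("From: user@example.org\nTo: user@example.org\n"
            "Subject: signed-only test\nMIME-Version: 1.0\n"
            f"Content-Type: {SAMPLES[name]}\n\n"
            "--b\nContent-Type: text/plain\n\n(placeholder)\n--b--\n")


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, smime_digest_check(sample(name)))
```

A verdict of "weak" means the message was still signed with SHA1 or MD5; "opaque" means the headers alone cannot answer the question.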