COMP3371 Practical Session 4 – The PKI, Secure Email Certificates, and SSL certificates

The purpose of this session is to demonstrate how you can actually try out the PKI (Public Key Infrastructure) and Verisign’s role in supporting it. You will then be able to download and install software from the Verisign website that will associate a digital ID with your email address.

You can then use the digital certificate to encrypt your email messages and send a “freebie” digital ID to assist with decryption, when using email client software such as Outlook Express or Mozilla Thunderbird.

You can then make your private key available to selected email addresses, so that other people can read your email and send secure email back to you. The ID will only be valid for a short time period, so you are recommended to use it as much as possible before it expires.

Advantages of a digital certificate (or digital ID – essentially the same thing!) include:

  • Guaranteeing your identity to a remote computer
  • Ensuring that email came from the stated sender
  • Protecting email from tampering
  • Ensuring that contents of email messages cannot be viewed by others
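
The sender-authentication, tamper-detection and confidentiality properties listed above can be seen with OpenSSL's S/MIME commands. This is an added example, not part of the original worksheet; it assumes OpenSSL is installed and uses a throwaway self-signed ID for the placeholder address alice@example.test rather than a CA-issued one.

```shell
#!/bin/sh
# Added example: S/MIME with a throwaway self-signed digital ID.
# Assumptions: OpenSSL is installed; alice@example.test, the message text
# and all file names are constructed placeholders.
smime_demo() {
    d=$(mktemp -d) || return 1
    # Self-signed ID valid for 25 days; a CA-issued ID would replace this pair.
    openssl req -x509 -newkey rsa:2048 -nodes -days 25 \
        -subj "/CN=Alice Test/emailAddress=alice@example.test" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    printf 'Meet at 10:00 in the lab.\n' > "$d/msg.txt"

    # Sender authentication and integrity: sign with the private key.
    openssl smime -sign -text -in "$d/msg.txt" -signer "$d/cert.pem" \
        -inkey "$d/key.pem" -out "$d/signed.eml" 2>/dev/null || return 1
    # Verify, trusting the self-signed certificate as its own issuer.
    if openssl smime -verify -in "$d/signed.eml" -CAfile "$d/cert.pem" \
        -out /dev/null 2>/dev/null; then verify=ok; else verify=failed; fi

    # Tampering: alter the clear-signed body, then verify again.
    sed 's/10:00/11:00/' "$d/signed.eml" > "$d/tampered.eml"
    if openssl smime -verify -in "$d/tampered.eml" -CAfile "$d/cert.pem" \
        -out /dev/null 2>/dev/null; then tamper=accepted; else tamper=rejected; fi

    # Confidentiality: encrypt to the certificate (public key) ...
    openssl smime -encrypt -aes256 -in "$d/msg.txt" -out "$d/enc.eml" \
        "$d/cert.pem" 2>/dev/null || return 1
    # ... and decrypt with the matching private key (CRs from canonical
    # line endings are stripped before comparing).
    plain=$(openssl smime -decrypt -in "$d/enc.eml" -recip "$d/cert.pem" \
        -inkey "$d/key.pem" 2>/dev/null | tr -d '\r')
    if [ "$plain" = "Meet at 10:00 in the lab." ] &&
        ! grep -q 'Meet at' "$d/enc.eml"; then decrypt=ok; else decrypt=failed; fi

    rm -rf "$d"
    echo "verify=$verify tamper=$tamper decrypt=$decrypt"
}

smime_demo
```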

Exercise 4(a): The Verisign Digital-ID Repository

This provides access to all the stored information about the various digital IDs that the PKI provides. This was previously managed by Verisign but now is part of Symantec, a huge, global company. Take a look at their website:

Take a quick look. Navigate to… products… then website security… then click on the video. TLS is the secure equivalent of TCP, which sits below SSL in the 7 layer OSI stack.

So much for SSL… for now!

Go to this link:

This will provide information about digital IDs that have been previously allocated, and stored in the repository I was telling you about in the lecture.

Put in an email address (you can try mine, if you like!) and see what happens… if nothing comes back, maybe that person never had a digital ID. Try again through the name search… as you can imagine, this is a massive database.

The rest of this session will focus on creating your own digital ID based on an email address that doesn’t already have a digital ID, which will be free for you to use for a short period of time (25 days).

Exercise 4(b): Setting up an Outlook client to send and receive email (optional)

To set up a digital ID based on an email address, a computer with an email client such as Outlook is required. These applications both integrate reasonably seamlessly with the PKI.

The University of Worcester Internet firewall (like many organisational networks!) is configured to filter out SMTP and POP3 data.

We therefore don’t have the luxury of being able to access a POP3 or SMTP server, and so the only option for students from within the university is to use TCP port 80 to send and receive data.

You will therefore have to use a local Outlook client.

  1. Start up Outlook
  2. Follow the wizard to set up an email client manually
  3. Add a suitable email name for yourself – default may be OK
  4. Add a screen name, and let Outlook set your client up.
  5. Click again when finished (three green ticks).
  6. Try to send/receive email through this channel.
  7. Close Outlook, but stay logged on.

You now need to create your digital ID, and associate it with your email settings. You have only configured Outlook for this machine, and in any case all the settings will be lost when you log out.

Unfortunately, the university computers won’t let you set up a PKI email facility anyway, so you’ll need your own laptop, desktop, notebook or tablet for the next stage.

If you don’t have such a machine with you, you can wait and do this at home.

Otherwise, let’s proceed to the next stage…

Exercise 4(c): Getting a Digital ID for email

This is another exercise that you can only complete on your own computer, but you can get the process started on the university desktops with steps 1 and 2...

  1. Go to

Until recently, it was possible to get a 25-day trial ID via this URL, but that option has now gone. However, Symantec now have an offering in association with a partner organisation, IdenTrust:

Go to

As you can see, the Digital_ID will cost you $19 for one year (!) Don’t buy!

  2. However… Microsoft have now created an option for encrypted email through their own email system. As before, be aware that settings will all be lost when you log out, but with the following exercise at least you’ll see how easy it is to set up an encrypted email facility.

Open Microsoft Outlook again, and follow this link for instructions on what to do next…

  3. Once you have it, use your digital_ID to send and receive email messages… this is not guaranteed to work on the university computers, so try also on your laptop/desktop, etc.

Note on Outlook and Exchange

Outlook is the email client, and Exchange is the email server. If you use Outlook to send/receive emails you are most likely linking to an email server within the university. How do you normally send/receive email when logged on here? Which protocol(s) are being used for (a) sending (b) receiving?

Exercise 4(d): Getting an SSL Certificate

SSL Certificates are designed to be used with Web Servers. You will create a virtual web server over the next couple of weeks.

However, first of all, you need to find out how to access and download one. Symantec are expensive, as you will by now appreciate.

Go to:

Follow the instructions as far as you can. You will soon get to a point where you need a real server to continue…

There are two commonly used Web servers: Apache and Internet Information Server. SSL certificates are normally configured to work with either type.

OK, now let’s create that web server. Firstly, Installation of a Virtual Machine…

RCH161