Noe C. Michel
Posted on November 21, 2021
ThioJoe, an American tech YouTuber with over 2.8 million subscribers, revealed in a new video a hidden and extremely rare feature: how to get a badge like the one of "those influencers who think they're cool with their verified badge" on Twitter or Instagram.
But there is a verified badge that everyone can get and actually nobody has… It's for your email account.
Example of certified badge on Apple Mail client. Credit: ThioJoe
You might think, if everyone can get one, why is it so rare? The answer is that it's usually hard to set up if you don't know what you're doing, which by the end of the tutorial you will.
Watch this high-quality step-by-step tutorial on YouTube, understandable even for the non-tech-savvy.
Video
S/MIME certificates
You see, these "verified" badges in the email software are not actually like verified badges on social media. Rather, they signify that an email has been sent with a certain security protocol called S/MIME, which is a feature supported by almost all email clients.
And I guess it's just rarely used because this level of security is just not really necessary. However, I think once people realize that you can get a super rare badge appearing next to your emails, that might get people's attention.
When I found one
What's really funny is the S/MIME protocol has been around since around 2004. But despite that, I have literally only seen it used ONCE, which was a marketing email from some crypto exchange. And it had a badge in Apple Mail, and immediately my reaction was just... what. is. that. I had never seen it before.
So I saw that when you click on the thing with a badge, it says "The sender signed this message with a trusted certificate", and I also looked in the Gmail web interface, which said something similar, so I knew it wasn't just an Apple thing. And long story short, after quite a bit of digging, I figured out that it uses that S/MIME protocol I already mentioned, and specifically you need (tech jargon warning) an S/MIME Email Certificate from a Root Certificate Authority, sometimes just called an "email certificate".
What are S/MIME certificates?
To answer a few more quick things you're probably wondering: it should not matter what service you use for email, whether Gmail, Verizon, AT&T, Comcast, whatever. Instead what matters is the email client software, such as Outlook or Apple Mail.
Most web interfaces for email services like Gmail do not actually let you add certificates to emails when sending, but if you use Outlook for example to send through Gmail it will work.
Another thing I'll point out is the person on the other end does NOT need to do anything special for the badge to show up, this is supported by default by almost all email clients. Again it will be presented differently depending on the client, but considering Apple Mail alone on iOS, iPad, and Mac makes up over 50% of the email client market share, most people will see some kind of badge like this one.
What do they really mean?
Now before I get into how to get one of these certificates and how to set it up, let me quickly and simply explain what it even is, without getting too technical. And yes, it is important to know so just bear with me.
In the simplest terms possible, an email certificate is like a two-part digital key (made of a public and a private key) that is tied to your email address.
You can use the certificate to 'sign' your emails in such a way that the person receiving the email KNOWS that only the holder of that original certificate and its private key could have done so. The public key is the part you send along; you can think of it as an identifier.
But here's the other important part of this. You see, anyone can just create their own certificate and say "uh yea I own this email address".
Certificate Authorities' role
That's where the Certificate Authorities come in. These are companies that make all sorts of other certificates like SSL ones for encrypting websites.
There are only a handful of these companies, relatively speaking, and all of them are universally considered trustworthy and secure by every other company around the world. So what these companies do is they have their own so-called root certificates (whose private keys they keep secret), again universally recognized, which they can use to sign and verify all sorts of other lesser certificates for anyone who wants one, usually for a price though.
So in the context of this video, a really easy way to understand it is this: we go to a certificate authority, who first confirms we control some email address like "whatever@example.com".
Then they issue a signed certificate, so that when we send it along with our emails, then Apple, or Gmail, or whatever service sees it, they'll say "ah an email from whatever@example.com, oh what's this? It included a certificate, well it matches the email address, but that doesn't mean much, anyone could have made this... Oh, wait I see the certificate was signed by XYZ authority who I do trust..."
Then they'll check, "hey XYZ authority, did you actually sign this certificate?" to which they'll respond "yea I did, it's legit; before I gave them that certificate I made sure they own that email address."
And then, the email service will be like 'cool' and show the badge that it was a trusted certificate.
And just as a contrary example, if you were to just send along some random certificate you made yourself, it would look like this on the other hand, because even though it matches the email, the software has no idea where it came from, so it's basically useless.
Requirements
Warning: this is going to get somewhat technical at times. It's not hard once you know the steps, but you'll soon see why I wanted to explain all the certificate stuff before because it will make it easier to follow along if you sort of know what's going on at each step. And think of it this way, maybe it's not a bad thing that it's not easy, because it makes it more exclusive for you.
Step 1 - get an S/MIME email certificate from a trusted authority
Years ago there were plenty of them offering these certificates for free, so if you were to now search "free S/MIME email certificates" you'll mostly find older articles, and even an old web page from Comodo who used to offer them; the page is still there, but the links on it are dead and they no longer offer these. And most of the articles and posts I've been reading recently were all saying there is no way to get free certificates anymore, but that is not true.
I was able to find the last certificate authority that is offering free S/MIME certificates, and that company is called Actalis.
They're an Italian certificate authority, but it doesn't matter where they're based, because they're recognized as a root authority globally, that's the whole point. And you can see even on Google's support page listing trusted certificates for S/MIME, there they are. (Source - Google Workspace)
And real quick by the way, the reason I emphasized that they're the last one is, if this video becomes popular enough and a ton of demand appears for these certificates, nothing is guaranteeing they won't start charging in the future, in which case you'd just have to instead go to the company of your choice and buy one.
These certificates really aren't expensive anyway, other authorities offer them for only about $20 per year, but still.
So if you ever need some business services this Actalis company offers, give them a shot. This isn't sponsored or anything, I think we should just support companies that do things we like, like offering free certificates when no one else will.
OK... with all that being said...
I mean jeez how long are we into this video and I'm only now starting the walkthrough.
Well just think of it as filtering out the lazy people, so it's more exclusive for you patient viewers.
Get the certificate
So go to Actalis' page where you'll enter the email you want to verify:
https://extrassl.actalis.it/portal/uapub/freemail?lang=en
You just type in your email, prove you're not a robot and click send the verification email. After a couple of minutes you should receive it, but be sure to check your spam box too, it went in there for one of mine.
Now at first, you'll see in the email that it's all in Italian but just scroll down because they included the same text in English too.
Though all you need is the long verification code anyway, so just copy that, and paste it into the box back on the first page.
Then you should "obviously" read the different terms and conditions, and if you agree, check those boxes and click Submit Request.
Next, this is critically important: it will now take you to a page with a password, which you'll need to install the certificates on your devices.
This password won't be shown to you ever again and can't be recovered, so make sure you save it in a safe place, maybe print it out; we will need it shortly.
But don't just leave it lying around on your desktop either. Because if someone somehow gets hold of the certificate file we'll look at in a second, they could use it together with the password to impersonate your email address.
Next you can go to your email and wait for the email with your new certificate attached.
Now this certificate will be valid for 1 year, and then you'll have to get a new one. 1 year might not seem that long but actually it's pretty good. Even if you were to buy one somewhere, they usually max out at 3 years, and a lot of other free ones used to be for like 30 days.
Also, you actually don't want it to be valid forever, because if somehow it got stolen, someone could just impersonate you forever until you realize it, or they could save it and use it years down the line at the perfect, or worst, opportunity.
Whereas if it expires, even if the worst happens and someone is able to steal it, it's only useful to any bad guys for a limited time. However, if you do find out it's stolen, you can actually report it stolen and they can invalidate it so it can't be used anymore. To do that you just use the link in the email along with the User code and Private code listed there.
Step 2 - Setup
So download the zip file and extract the pfx certificate file somewhere you'll remember, and actually give it its own folder, it will make things easier later. You should also probably back it up, but since it's only valid for 1 year, as long as your email service keeps your emails for at least a year, you could always just redownload the attachment.
But again, you will need that password shown to you before. So now that you have your certificate, next we need to install it on our devices.
First I'm gonna do it on Windows with Outlook, and then on iOS or Mac for Apple Mail, since those are by far the most popular clients. Unfortunately the Gmail web client does not let you attach a certificate to get this verified thing. To be clear again though, that's just the Gmail web interface; if you have a Gmail email address it's fine, you just have to send the email with supporting software like Outlook or Apple Mail or something.
Alright now no matter what email client you're gonna use, even if you just want to use this on your phone, you'll still need to install this on Windows first, and I'll show you why in a second.
To install it, just double click the pfx file you downloaded, and select 'current user', then click next.
Here it will already have the file location entered so you can click next again, and here is where you need to enter the certificate password, which is the one from that page. On the import options, the only one you might want to change, if you want to change the password later, is to check the box to enable "Mark this key as exportable".
I'm not going to get into how to re-export the key and all that, that's something you can look up by yourself.
And that's because as the file is delivered here, it should work on all the devices.
You might also choose the option that makes you enter the password every time you want to use it, but that might be a pain, so it's up to you, I didn't bother.
Also I want to be clear the settings you choose are only going to apply on this Windows computer, it's not changing the certificate file in any way, it's just importing it into Windows with these settings.
On the next page, just let it automatically select the certificate store, hit next, then finish, and it should say import was successful.
Step 3 - Get the intermediate certificates for the authority
Next, before we configure our email clients, there is one more important step that might be necessary for certain software, which is to get the intermediate certificates for the authority, but don't worry it's way easier than it sounds.
In the start menu just type certificate and click the result called Manage User Certificates. There's another one called Manage Computer Certificates, but that's different; the one we're looking for is not going to show up in there.
Now this will bring up a window showing any other certificates for the user, of which there are many for all sorts of purposes, but we want to go to Personal, then Certificates, and look for the one that has our email address.
If for some reason there are others in there that mention your email address, just look for the one that says issued by Actalis, and also the expiration date is exactly 1 year from the day you registered it, plus or minus a day because of time zones.
So double click the correct certificate and then go to the Certification Path tab. This shows basically the chain of custody (you can think of it as) of signatures on your certificate, leading back to the root authority. Ours is at the bottom, and it was actually signed by an intermediate certificate, which was in turn signed by the root certificate. And yes this will become relevant, it wasn't a useless tangent, but for now we need to actually export the intermediate certificate for later, you'll see why then.
So click to highlight the middle one, then click View Certificate, and go to the Details tab.
And also drag this window to the side a bit so it's not on top of the other one; you'll want to be able to read off the bottom one. So in this new window, click 'Copy to File', then click Next, then keep the default format and click next again, and it will ask you where to save it.
Just browse to wherever you have the main pfx file and put it in the same place, just so they're together; that's why I suggested giving it its own folder. And for the name, you can just read off the window below and name the file the same as the certificate to make it easy. Then just hit next, then finish, and it will say successful.
Optional step
Now this next bit probably isn't actually necessary, but I would just do it anyway, which is to do the same thing and export the root certificate also, which is the top one in the chain. Then just put it in the folder with the other two and name it as the root name.
That way you have a copy of the whole chain just in case, but you'll realistically only need the middle one and your personal one.
Step 4 - Configuring the email client
Alright now we're getting to the good part. At this point we have all the certificates ready to go and organized, so we can actually get into configuring the different software to send those emails.
For Outlook
If you use Apple Mail for Mac or Apple Mail for iOS, skip this part and scroll down.
This doesn't work with either Outlook for Web or the Windows Mail app.
So now let's configure Outlook to send signed emails.
And I'm using Office 365 Outlook specifically, which is the latest version but it should be basically the same for Outlook 2019 and 2016.
Alright so in Outlook I'm assuming you already connected outlook to your email account so you can send emails from outlook and stuff like that.
After you do that, go to the top left and click File > Options (at the bottom) > Trust Center > Trust Center Settings button > Email Security.
The first thing to do is go through a few checkbox options.
Here, make sure you DO check "Send clear text signed message when sending signed messages".
This basically makes it like a regular email, we just send the signature along with it, so if the recipient's client for some reason doesn't support the S/MIME protocol, it's no big deal, they'll still be able to read it.
Finally, if you want to enable signing emails automatically by default, at least for email addresses that have certificates, you can check "Add digital signatures to outgoing messages", but I would hold off on that for now until you've tested it out and made sure everything works first.
Now what we need to do is click the settings button here.
The window it pops up will probably be all blank the first time, but if it's not, such as if you're doing this for multiple emails, or maybe there's some other existing security policy in there, be sure to first click New, which will create a new separate entry we can use.
And in that case, if there was an existing one and you click New, the previous entry will be still available through the dropdown.
Otherwise if you don't click new and just start changing stuff, it would overwrite your existing entry, which you don't want.
In any case though, once you have a new blank entry, type in a name to make it easy to identify, like your email address then "email certificate" or something like that.
Then Uncheck the top checkbox talking about default security setting.
We don't want these as default, just for their corresponding email accounts.
Now, next to where it says 'Signing Certificate', click choose.
This will bring up a window to select the certificate, you might have to click "more choices", but just look for the same certificate we've been using, which has your email address in it.
Because we installed it to our Windows profile, it should be right in there, so click to select the right one, make sure the info at the top is for the correct one, and then click OK.
Ok this next bit is important so pay attention.
You'll see it has filled in the rest of the boxes, but where it says "hash algorithm", we need to change that to "SHA256". If you keep it on SHA1, which is an outdated algorithm, it will work for some email software like Apple Mail, but for others it might not.
In Gmail for example if you use SHA1, it will say "The signature uses an unsupported algorithm. The digital signature is not valid". Which is obviously not good, so make sure these are set to SHA256 and AES 256 Bit.
Finally, make sure the bottom check box is enabled, the one talking about sending the certificates.
I think it is on by default, just double check.
Now we can just click OK on all the windows to go back down, and we are finally ready to test it out!
So go to your inbox, click New Email, just make sure it's from the right one we just set up. Then add whatever text to the subject and body, this is just going to be a test email to yourself or another email account you have.
But before you click send, we have to choose to sign it. This can be found at the top in the Options tab, then look for the Sign icon that looks like this ribbon. When you click it, it will darken to show it's enabled, and you're ready to send!
Before the moment of truth, a couple of notes here. If you want to add the Sign button to the main tab for easier access like I did here, just right click the ribbon menu and hit Customize Ribbon, then on the right, click New Group to make a custom group, name it what you want, then on the left, just go to the dropdown to All Commands and scroll down to where you see the Sign icon.
Now I have a second orange one which some other software added as a plugin, just ignore that.
So just make sure the custom group is selected on the right, then click the 'Sign' icon on the left, and hit "Add", then OK. Now it should be right there always easily accessible on the main tab.
Second note, you will have to remember to click and enable the Sign button for every email you send.
You can go back to that other setting I showed you before, which will make it enabled by default, then if that's enabled, you can individually select when not to sign.
Third note, if you do set up multiple certificates with multiple emails, Outlook will automatically sign the emails with the correct one for that address, so you don't have to pick which certificate to use every time, it does it automatically.
And now with that being said, we can click Send and see what happens. If you sent it to yourself, you'll probably see it show up right in Outlook, and it will have a similar looking ribbon to the right of it.
If it's a Gmail address, you can also look at the Gmail web interface and make sure it shows up right there too, with the green check. Although unfortunately you have to click the dropdown to see the green check, but whatever, better than nothing.
And you can also look on your phone, like Apple Mail, and there it should show the check, all good. It's also good to check it on your phone because you can be sure it shows up on devices even without any extra certificates installed yet, so you know it will show on everyone else's too.
Note that on iPhone it will say it was signed with a trusted certificate, but if you click View Certificate it will actually say "Not Trusted". That's not a problem, that just means you personally have not installed that certificate on the phone, but obviously it's still signed by a trusted root certificate so it got the check mark and everything.
What that feature is for, basically, is if you and a friend created your own certificates, you can choose to trust them even if they weren't signed by an authority.
For an iOS Device
Alright now let's move on to setting this up on an iOS device, which should not take as long, we already did most of the legwork at the computer.
To get the certificates to your phone, the easiest thing to do is email them to yourself. So take all three from the folder, attach them to an email to yourself, then just open the email on your iPhone.
First we can install the personal certificate simply by clicking the attachment, and then just choose to install it on the iPhone. Then you need to go into the Settings app, and near the top you'll see a new thing that says "Profile Downloaded", so click into that.
It should say something like "Identity Certificate", and will probably say "not signed" in red, which is fine we'll fix that. So just click Install, then type in your passcode. Click install again at the top, and then install yet again at the bottom.
And now it will ask you for that password from before, so type that in. Then you click Next, and it will say "Profile Installed", so click Done. We're not done yet, but you can find the installed certificates or profiles on iOS if you go to Settings > General > Profiles. In here notice how if you click into the profile we just installed, it says "Not Verified". That's because for some dumb reason, the iPhone doesn't fetch the intermediate certificate, whereas Windows did, so we didn't have to worry about it before.
If you were to try and send an email now without installing the intermediate certificate, it would actually show up to the other person like this, all in red, with a thing that says "Untrusted Signature", not a good look, that's worse than nothing at all.
The solution is really easy though: just go back to the email with the attachments, and click the attachment for the intermediate certificate, which is probably called "Actalis Client Authentication CA G3" or whatever you called it, and do the same thing as before. Click it, install it to the iPhone, go to Settings, install it from the 'Profile Downloaded' thing at the top, and it should not require any kind of password because this is a public certificate.
You'll also notice that this one will probably say "Verified" in green unlike the other one that's red, and that's because this one was actually signed by the root certificate directly, which is preinstalled on basically every device, because it's a root, that's the point.
And also, now that this one is installed, if you go into your personal certificate profile again, this time it should indeed say "Verified" in green, because now the phone has the whole chain, so it can verify it originally came from the root certificate.
One quick important question you might have is "wait a minute, if I had to install the intermediate certificate to make it show up as trusted, won't anyone I send an email to have to do that too on their phone?" and the answer is no. As long as you, the sender, have the whole chain installed, the phone sends the whole chain along with it in the email, so it doesn't matter if it's installed on the receiving device.
So yes, it is stupid that the phone couldn't get the intermediate certificate automatically when you installed it, when Windows can, but whatever.
I'll also point out that I believe all of these free certificates issued by Actalis have the same intermediate certificate, so you should only have to install that one once on your phone, even if you add more personal certificates for more email addresses.
Of course you'll want to double check that.
Also, like I've said a couple of times, you really should not have to install the third root certificate, but it's still good to check anyway.
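As an added example that is not from the video or the post, the shell script below rebuilds with OpenSSL the trust chain the Certification Path tab shows (root -> intermediate -> personal certificate), signs a constructed message with SHA-256 as a clear-text signature (the Outlook settings above), and then verifies it the way a recipient's device would, trusting only the root: the signature shipped without the intermediate comes back untrusted (the red "Untrusted Signature" case on the iPhone), while the one carrying the intermediate verifies. All CA names and the address whatever@example.com are placeholders, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the video or the post: a throwaway local CA
# that mirrors the chain the walkthrough describes. Everything is constructed
# in a temporary directory and removed on exit; names and the address are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Key + certificate request for a subject, quietly. $1 = basename, $2 = subject
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# 1. Self-signed root: stands in for the root preinstalled on every device.
new_csr root "/CN=Example Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -sha256 -days 30 \
  -extfile ca.ext -out root.pem >/dev/null 2>&1

# 2. Intermediate CA signed by the root (the "middle one" in the Certification Path tab).
new_csr inter "/CN=Example Client Authentication CA"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -sha256 -days 30 -extfile ca.ext -out inter.pem >/dev/null 2>&1

# 3. Personal email certificate, signed by the intermediate and bound to one address.
new_csr user "/CN=whatever@example.com"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > user.ext
printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:whatever@example.com\n' >> user.ext
openssl x509 -req -in user.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -sha256 -days 30 -extfile user.ext -out user.pem >/dev/null 2>&1

# Constructed message body to sign.
printf 'Subject: S/MIME test\n\nHello, this mail is signed.\n' > msg.txt

# Sign with SHA-256 (the Outlook hash setting the post insists on). Without -nodetach
# the result is a clear-text signed multipart, readable even without S/MIME support.
# $1 = output file; $2 = "chain" attaches the intermediate too, anything else = leaf only.
sign_message() {
  if [ "$2" = chain ]; then
    openssl smime -sign -md sha256 -in msg.txt -signer user.pem -inkey user.key \
      -certfile inter.pem -out "$1"
  else
    openssl smime -sign -md sha256 -in msg.txt -signer user.pem -inkey user.key -out "$1"
  fi
}

# Recipient-side check: the device trusts only the root and has never seen the
# intermediate, which is the situation of whoever receives your mail. Prints trusted/untrusted.
verify_as_recipient() {
  if openssl smime -verify -in "$1" -CAfile root.pem -out /dev/null >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Digest algorithm actually recorded in the signature (sha1 vs sha256).
digest_used() {
  openssl cms -cmsout -print -in "$1" | grep -m1 -o 'sha[0-9]*'
}

sign_message leaf_only.eml leaf
sign_message with_chain.eml chain
echo "leaf only  : $(verify_as_recipient leaf_only.eml)"   # untrusted: the iPhone-before-fix case
echo "with chain : $(verify_as_recipient with_chain.eml)"  # trusted
echo "digest     : $(digest_used with_chain.eml)"          # sha256
```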
Alright so now that the certificates are installed, there's one more step, which is to enable the signing on outgoing emails. To do that, go back to Settings > Mail > Accounts, click the relevant one you're setting up > click 'Account' again > then 'Advanced'. Here near the bottom you'll see some options under S/MIME.
Click on 'Sign', and make sure you select the correct certificate for the email address if there are multiple certificate options there. Then toggle the thing to enable signing, and now it should say 'Yes' in the previous screen next to Sign. Also make sure that next to 'Encrypt by Default' it says No. We do not want that for our purposes, and it might not work at all depending on the recipient's device.
Finally I would just go into your other email accounts and make sure it didn't for some reason enable Signing for any other ones besides the one we just did. It shouldn't have, but just check a couple to make sure they say No.
And now, we are again ready for the moment of truth. So go back to the Mail app, go into the relevant email account, compose an email and just send it to yourself, and it should come through and have a check mark next to it. And here's another thing: every time you set up a certificate on a new device, make sure you send a test email AND look at the test email on all your other devices. That way you can make sure nothing went wrong either on the sending side, or any receiving sides.
The example I gave before, was in Outlook, I had the wrong hash algorithm set, and while it showed up fine in Apple Mail (it didn't care about the outdated algorithm), in Gmail it did give that error, so just check everywhere to be sure.
Because we just set it up on iPhone, I will point out that on Mac the process is basically the same, you just open the email with the certificates, then you choose to install it to Sign In, not iCloud like it has by default. For some reason for me it won't work with iCloud. However, for me, my Mac actually did sync the certificates from my phone to my Mac automatically, so you might not even need to install them, you can check.
Once they're installed on your Mac, when you go to compose an email, by default you'll see a verification badge on the right next to the subject line to show it will be signed, which you can click to disable if you want. If you're on an Android device it should really be a similar process to iPhone, where generally you just open the attachments for the certificates, click them to install them, then it's just a matter of whether your email app will support it.
And of course no matter what email app you're using, you can just look up the instructions for how to enable signing. And like I said, I don't believe Gmail supports sending with S/MIME either on the desktop interface or in the Gmail mobile apps.
So now that you know how to get the badge set up on your email accounts, the last thing I want to point out is that if you do this on a work email account or work computer, I'm not totally sure if this will work all the time.
For example, if your email is managed through an Azure Directory or something like that, they might have Microsoft Outlook set on all computers to disable those S/MIME settings. At the same time, you might still be able to do it on your phone even if it's a work email.
I really have no idea whether that's something companies can restrict, but I'm just pointing it out as a possibility, because I do know some companies actually use S/MIME internally. Anyway though, hopefully now all of you learned something new.
And I bet at least a few of you are going to get some questions from people about how you got that cool checkmark next to your email. Be sure to give this post a like and also follow me because I make new videos every week, and let me know what you think in the comments.
Noé C. Michel - @noe
With ThioJoe - youtube.com/c/ThioJoe