In my last article I made a stupid mistake regarding a free S/MIME certificate for signing and encrypting emails. In the last article, I recommended the CA DGNCert, which offers free S/MIME certificates, but the CA itself is not stored as a "Trusted Root Certification Authority" in Windows. As long as the root certificate from DGNCert is not manually stored in the "Trusted Root Certification Authority" store, the certificates are considered untrusted.
I had not noticed that the CA DGNCert only registers itself as a "Trusted Root Certification Authority" when the S/MIME certificate is created and is not already present there, as I had assumed.
I therefore had to retract my original article and admit that I made a mistake here. I only realized this thanks to the comments on the original article. I would therefore like to take this opportunity to thank you once again for your comments, without which I would probably not have noticed my mistake.
On 19.02.2019, however, I had to update the original article again, as the alternative link from the comments has now also been taken offline and only returns a 404 page. Sectigo, the new owner of Comodo, no longer offers free S/MIME certificates.
However, I had promised to look for an alternative for free S/MIME certificates. I also found one and have now paid more attention, so there is now a new version of the article.
I finally came across a free S/MIME certificate at Actalis:
Actalis offers S/MIME certificates trusted on all major platforms and supported by e-mail applications conformant to the S/MIME standard. Thanks to Actalis S/MIME certificates you can make your email really secure, regardless of the features of the email service you use. Actalis provides different S/MIME certificate services according to different applicable policies. See below the essential information about the services available to date.
As you know, you learn from your mistakes, so I have now checked in advance whether there is a corresponding certificate from Actalis in the store for trusted root certification authorities:
A certificate for the "Actalis Authentication Root CA" is available on my Windows 10 computer, so I have requested an S/MIME certificate:
I had to wait a while for the verification code by e-mail, which arrived after about 15 minutes. The verification code from the email must now be copied:
The verification code is then entered in the form:
The next page now shows the password for the PFX file. This password should be kept in a safe place:
A short time later, Actalis sends the certificate by e-mail. The PFX file is protected with the password that the website displayed in the last step (see criticism):
The PFX file can now be imported and you are now in possession of a valid S/MIME certificate:
The S/MIME certificate is issued by the sub-CA "Actalis Client Authentication CA G1". This CA was in turn signed by the "Actalis Authentication Root CA", which is located in the Windows store for trusted root certification authorities.
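The store check and the chain described above can also be done in PowerShell after the PFX import. This is an added example, not part of the original article; `Test-SmimeTrust` is a hypothetical helper name and the e-mail address is a placeholder.

```powershell
# Added example, not from the original article. Test-SmimeTrust is a hypothetical name.
function Test-SmimeTrust {
    param([Parameter(Mandatory)][string]$EmailAddress)

    $secureEmailOid = '1.3.6.1.5.5.7.3.4'   # EKU "Secure Email" (emailProtection)

    # Certificates with a private key in the personal store that name this address
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       $_.GetNameInfo('EmailName', $false) -eq $EmailAddress } |
        ForEach-Object {
            $cert  = $_
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Revocation is skipped so the result reflects only the trust anchor
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $chainOk = $chain.Build($cert)

            # The last chain element is the root when the chain is complete
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $inMachine = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
            $inUser    = Test-Path "Cert:\CurrentUser\Root\$($top.Thumbprint)"

            # Collect the OIDs from the Enhanced Key Usage extension, if present
            $ekuOids = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }

            [pscustomobject]@{
                Subject             = $cert.Subject
                Issuer              = $cert.Issuer
                ChainBuilds         = $chainOk
                ChainStatus         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
                TopOfChain          = $top.Subject
                TopIsSelfSigned     = ($top.Subject -eq $top.Issuer)
                RootInMachineStore  = $inMachine
                RootOnlyInUserStore = ($inUser -and -not $inMachine)
                SecureEmailEku      = ($ekuOids -contains $secureEmailOid)
            }
        }
}

Test-SmimeTrust -EmailAddress 'user@example.com'   # placeholder address
```

If `RootOnlyInUserStore` is `True`, the root was added to this user profile only, so the chain validates locally but recipients on other machines will see the certificate as untrusted.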
Criticism
The big problem with the S/MIME certificates from Actalis is that the private key is generated on the Actalis servers. If Actalis stores the private key, the company is in principle able to decrypt the encrypted mails. Since the private key (as the name suggests) is not private in this case, but was created by the provider, you have to trust the provider Actalis accordingly. Everyone can decide for themselves, as there are also other CAs that issue S/MIME certificates, but these are subject to a fee.
If anyone knows of other CAs that issue free S/MIME certificates, please send me a note or comment and I will publish it accordingly.