Search and retrieve certificates

Own certificates

Your own certificates are a core component of your digital IDs. To access a certificate on its own, you can extract it from the digital ID.

Other certificates

In most cases there is no need to search for other people's certificates:

  • If you receive a signed email, all relevant certificates are included in the signature.

  • When you open a signed document, all relevant certificates are included in the signature.

  • If you install signed software, all relevant certificates are included in the signature.

  • If you establish a secure connection to a server, the server transmits all relevant certificates while the connection is being established.

  • If persons identify themselves to your server with a certificate, they, too, transmit all relevant certificates while the connection is being established.

However, if you want to send an encrypted email(*) it might be necessary to search and retrieve the recipient's certificate first. There are various possibilities to do so:

  • If you have previously received and opened a signed email from this recipient with the same email program, your email program has remembered the certificates contained in the signature and you can simply use them. (The only known exception is Microsoft Outlook: here you must explicitly copy the certificates to your address book; see the last chapter of our guide.)

  • You ask the recipient by signed but unencrypted email to send you such a signed email.

  • You use an address book containing the certificate of the desired recipient.

    • The LDAP address book usercerts.uni-muenster.de (port 636, LDAPS) contains, under the base DN ou=certs,dc=uni-muenster,dc=de, all published email certificates of all users of the University of Münster. This address book can simply be added as an external address book to Thunderbird and other email programs.

    • The central Microsoft Exchange system of the University of Münster contains all published email certificates of all users of this system.
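The LDAP lookup described above can also be done outside the email program, for example to obtain a recipient's certificate as a PEM file for import. The following Python script is an added example and not part of the university's guide: it builds an OpenLDAP ldapsearch command for the address book named above (host, port and base DN taken from the page), parses the LDIF that ldapsearch prints, and converts the certificate to PEM. It assumes the directory stores the certificate in the standard LDAP attribute userCertificate;binary and the address in the mail attribute; both attribute names are assumptions about the schema, not stated on the page. The sample LDIF and the short DER blob inside it are constructed test data, not a real certificate.

```python
"""Retrieve a recipient's S/MIME certificate from an LDAP address book.

Added example, not part of the original guide. Assumes the directory
exposes the certificate as `userCertificate;binary` and the email
address as `mail` (schema assumptions, not documented on the page).
"""
import base64
import subprocess

LDAP_HOST = "usercerts.uni-muenster.de"     # from the page
LDAP_PORT = 636                             # LDAPS, from the page
BASE_DN = "ou=certs,dc=uni-muenster,dc=de"  # from the page
CERT_ATTRS = ("usercertificate;binary", "usercertificate")  # assumed schema


def ldap_filter_escape(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter (RFC 4515),
    so that an address containing '*' or ')' cannot widen the search."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_ldapsearch_command(email: str) -> list:
    """ldapsearch argv (as a list, so no shell quoting is involved)."""
    return [
        "ldapsearch", "-LLL", "-x",          # LDIF output only, simple (anonymous) bind
        "-H", f"ldaps://{LDAP_HOST}:{LDAP_PORT}",
        "-b", BASE_DN,
        f"(mail={ldap_filter_escape(email)})",
        "userCertificate;binary",
    ]


def parse_ldif_certificates(ldif_text: str) -> dict:
    """Map each entry's DN to the DER bytes of its certificate.

    Handles LDIF line folding (a continuation line starts with one space)
    and the '::' marker that flags a base64-encoded, i.e. binary, value.
    """
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: append to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    certs, dn = {}, None
    for line in lines:
        if not line:                         # blank line ends an entry
            dn = None
        elif line.startswith("dn::"):        # DN itself may be base64 (non-ASCII)
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        else:
            attr, sep, value = line.partition("::")
            if sep and dn and attr.lower() in CERT_ATTRS:
                certs[dn] = base64.b64decode(value.strip())
    return certs


def looks_like_der(der: bytes) -> bool:
    """Cheap sanity check: X.509 DER always starts with a SEQUENCE tag (0x30)."""
    return der[:1] == b"\x30"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour that email programs import."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fetch_certificates(email: str) -> dict:
    """Run ldapsearch (needs OpenLDAP tools and network access) and parse it."""
    out = subprocess.run(build_ldapsearch_command(email),
                         capture_output=True, text=True, check=True).stdout
    return parse_ldif_certificates(out)


# Constructed sample LDIF, as ldapsearch -LLL would print it. The value is a
# tiny DER SEQUENCE used as a stand-in, NOT a real certificate; note the
# folded second line of the attribute value.
SAMPLE_DER = b"\x30\x0a\x02\x01\x01\x04\x05hello"
SAMPLE_LDIF = (
    "dn: cn=Example User,ou=certs,dc=uni-muenster,dc=de\n"
    "userCertificate;binary:: MAoCAQEE\n"
    " BWhlbGxv\n"
    "\n"
)

if __name__ == "__main__":
    for dn, der in parse_ldif_certificates(SAMPLE_LDIF).items():
        print(dn, "DER-like:", looks_like_der(der))
        print(der_to_pem(der))
```

To use it for real, call fetch_certificates("recipient@uni-muenster.de") and write der_to_pem(...) of the result to a .pem file, then import that file into the email program's certificate store. Only a certificate whose subject or subjectAltName matches the recipient's address should be imported; that check is left to the email program or a separate verification step.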

* General notes on encrypting e-mails

(These notes apply to encrypting, not signing.)

As the successful EFAIL attacks have shown, there are a wide variety of vulnerabilities both in the S/MIME and PGP/MIME protocols themselves and in many implementations.

The flaws in the implementations could be, or can still be, fixed, but the fundamental vulnerabilities in the protocols themselves are irreparable. (The problem lies not so much in the encryption algorithms themselves as in how they are used in the protocols and how these are realized in the software.)

For securing moderately confidential communication without long-term security requirements, S/MIME may still be sufficiently secure; however, when it comes to truly confidential data, we can no longer recommend exchanging it via e-mail.

Here you should use modern software that was designed for end-to-end security from the very beginning and has been thoroughly analyzed and recommended by experienced cryptologists, for example the messenger "Signal".