J.D. Fox Micro Resource Center

Links

Digital Certificates for E-mail

Here are links to some providers of universally-trusted digital certificates for e-mail, also known as Digital IDs.

If you are new to e-mail digital signatures or Digital IDs, read the introductory article about digital certificates for e-mail.

In the links below, you might see references to e-mail encryption. Keep in mind that e-mail encryption is completely different from e-mail digital signatures.

In fact, some of the marketing blurbs on the sites linked below get technical terms mixed up, describe things inaccurately, and in general make encryption and digital signatures more difficult to understand than they should be. For help figuring out how best to implement digital certificates, contact an IT services professional, such as J.D. Fox Micro.

Typically, digital certificate issuers will have you use your web browser to generate the certificate's key pair on your computer. This is the most secure way, because the private key never leaves your computer, which is critical for the integrity of digital certificates. Microsoft Internet Explorer and Google Chrome work very well if you run Microsoft Windows. Firefox works too, but it saves the certificate into its own store, not the Windows certificate store where you need it, requiring additional work to move it.

On an iMac or MacBook, acquiring a certificate for Mac Mail via the web is smooth, as the Safari browser works nicely in generating the certificate and installing it into the Keychain, where Mac Mail will find it. Google Chrome is surprisingly even easier.

Symantec/VeriSign

VeriSign was one of the first companies that issued digital certificates. It had the most reputable name in the security industry, and commanded very high prices for its certificates because of this. Symantec, publisher of the well-known Backup Exec and Norton Anti-Virus applications, purchased VeriSign in 2010. Surprisingly, about a year later, they suddenly began to phase out the famous name, and now they use only the Symantec name for their e-mail certificates. If you are still interested in the new name, you can get an e-mail certificate from them with no identity verification (which they call a Class 1 Digital ID), but you will pay about the same price as some others listed here that include verification.

During the process of acquiring the certificate, Symantec will send you a password through unencrypted e-mail, which represents a potential security flaw.

VeriSign offered certificates of a higher Class (that is, with identity verification), using a classification system they invented. A Class 2 Digital ID means the user's identity has been verified to some extent, and Class 3 indicates additional vetting. But you couldn't just purchase certificates above Class 1 from VeriSign on their website; you had to get them as part of a larger package of security services. It is unclear what Symantec now offers in this realm.

GlobalSign

GlobalSign offers digital certificates ranging from $30 to $249 per year, all on one page. The difference is in the level of verification conducted. By purchasing a certificate with higher verification, you can provide that much greater assurance to recipients of the authenticity of e-mails you send. As with Symantec, the $30 certificate has no verification. Unlike Symantec, you can easily acquire certificates with verification through their website (Class 2 only in the United States). Notice that, although they are a separate company, they make reference in their table (in the row labeled "Digital Certificate Class") to what appears to be the same classification system created by VeriSign (now Symantec).

Acquiring a certificate from GlobalSign is smooth, and their methods are highly secure.

Comodo

Comodo offers free and inexpensive e-mail certificates.

This first link is for a completely free certificate, which requires no validation. The certificate will state that your identity has not been verified.

Next is what Comodo previously called their "corporate" certificate, although that term seems to have disappeared from their site. Anyway, this is the certificate that's not free. To issue it, Comodo requires some actual validation of your identity (such as scanning your driver's license); this would enhance its value in the eyes of your recipients if you don't have other contact with them. Because of its very low price with verification, it appears to represent the best value of all the links listed on this page, so long as you have no hitches in getting your certificate. But you very well might, because their system is somewhat unwieldy to begin with, and their customer service is poor. Also, their methods are slightly less secure; for example, the retrieval password is sent through unencrypted e-mail.

Entrust

Another well-known provider, offering different levels of e-mail digital signing certificates.

This first link is for individuals. It requires no verification, and therefore provides the lowest level of assurance. The cost is $20 per year. Frankly, you would only use this if you have some reason not to use a free offering from another provider for a non-verified certificate.

The next link is for certificates that go for $45 per year, and do require verification of your and your company's identity and ownership of your e-mail address. These are offered only with a minimum purchase of five certificates, but come with some extra services mostly related to encryption, which might be of interest to a small company with otherwise unmanaged e-mail security.

Note: Inexplicably, Entrust shows "SSL Certificates" in the title bar of the above two pages. This is just sloppiness on their part, since e-mail digital certificates do not use SSL.

GeoTrust

Until a few years ago, GeoTrust offered a certificate called My Credential, with telephone verification of identity and a low price of $20. The Equifax name appeared in their certificates, because GeoTrust purchased Equifax in 2001 and used their root certificates for many years after. GeoTrust was then purchased by VeriSign in 2006, which is now owned by Symantec. They half-heartedly continued offering My Credential for a few years, and have now finally discontinued the service. Their page now directs you to Symantec's website to buy a certificate. We leave the link here for reference only.