Creating a message that is both signed and encrypted by citidirect smimetool

Jephe Wu -

Objective: use citibank smimetool to create both signed and encrypted message for secure email transfer
Environment: Windows 2003 server sp2 with j2re 1.4.2_12 installed, as well as cygwin


1. download and Automated File and Report Delivery (AFRD) Utility Guide at

2. smimetool configuration
unzip smimetool to c:\smimetool, install j2re1.4.2_12 to c:\program files\java\, copy c:\program files\java\j2re1.4.2_12\bin\java.exe to c:\win2k03\system32\ so that you don't have setup PATH environment for c:\program files\java\j2re1.4.2_12

use echo %PATH% to verify path variable if you configure using system environment variables.

You can use md5sum to compare 2 java program to make sure they are the same one.

3. get certificates from trusted CA (e.g. Verisign)
you need to obtain a PKCS12 format certificate(.pfx) before you can use your private key and/or others’ public key(.cer) for secure email communication.

pfx ( file is PKCS#12 format which contains CA public certificates, including intermediate CA public certificates, user certificate and private key, according to wiki, pkcs#12 format defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. PFX is a predecessor to PKCS#12.

This container format can contain multiple embedded objects, such as multiple certificates. Usually protected/encrypted with a password. Usable as a format for the Java key store. Usable by Tomcat, but not by Apache.

4. generate encrypt.ini, decrypt.ini and key file

Afte getting public certificate from trusted CA, you can use Genini.bat file to generate above files from your pfx file. If only one receipient is needed, type in genini passwordofpfxcert to generate above 3 files, then modify those files for input,output,log etc part, leave password and hash parts.

note: example of  encrypt.ini (required by genini.bat), if you encounter error like 'cannot find the profile', check if you are using c:\ instead of c:/

5. FAQ
a. does smimetool use cacerts file under c:\program files\java\j2re1.4.2_12\lib\security?
no, you can test it by renaming it then try to run signandencrypt.bat

b. smimetool signandencrypt.bat gives error message which is something like 'not valid pkcs#12 file, no CA certificate for this user

Check the pfx file size, it should be around 5k. And import the pfx into IE certificates to check if the CA and intermediate certificate are missing.

Also, another good method to check is to export pfx file to standard PEM format which is base64 encoded file to check if all primary root CA and intermediate CA public certificates and user's certificate and private key are inside.
use the following command to convert to standard PEM format for pfx file.
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes 

You can also do it from, but the private key will remain on their server, so it's unsecure way.

Then you can view the file certificate.cer or certificate.pem to make sure it contains CA public keys and CA intermediate certificate  and user private and public keys. 

The sequence in .pem file is user RSA private key->user public certificate(take note of the CN and email part for the second certificate part)->CA root certificate->CA intermediate root certificate.

after that, you can save the second part of user public key to a separated file, then use the following command to view it.

openssl x509 -noout -text -in publickey

c. How to check pfx/p12 and cer are in pair?

Import pfx/p12 to IE certificate 'personal', check user's certificate RSA public key part, to compare with the cer file certificate thumbprint value.

You can import this pfx/p12 file into IE, choose the option to make it exportable later in case you lose the original file, you can also verify password, you can import all certificates including CA and user's ones into 'personal' section, then view the CA and user's certificates content, you can also export CA and intermediate certificates after that.

d. Why need to sign first then encrypt message?

You can sign the messsage first then encrypted the signed message or encrypted message first then sign the encrypted message, it's different. for the first case, you have to decrypt it then you can only validate the signature, because the signature is encrypted as well as content of message. Only after message is decrypted, you don't know whether it's signed or not. For the second case, anyone will be able to validate the signature.

Both ways has their pros and cons, however, the first method(sign then encrypt) is strongly preferred.

e. How to export/backup digital ID in case of lose

It is always recommended to create a proper backup file of your Digital ID. Should your suffer from loss or corruption of the Digital ID,  a computer crash, or a new computer, you can import the backup file to re-store the ID in most cases.

Note: Microsoft still use pfx as file suffix while firefox uses .p12 as suffix, it's basically exchangeable.

Microsoft Internet Explorer 5.x and Higher
  1. Click Tools > Internet Options > Content > Certificates
  2. From the list, under Personal tab, select the corresponding certificate to export
  3. Click Export
  4. A wizard appears, click Next
  5. Select Yes, Export the private key > Next
    Note: if the option to export the private key is grayed out, please see SO5831
  6. Select Include all certificates in the certificates path if possible
  7. Click Next
  8. Enter a password
  9. Click Next
  10. Enter a file name and a location to save the exported file (i.e. mydigitalid.pfx.)
  11. Click Finish

Mozilla Firefox 2.0 and 3.0
1.  From the menu bar, click on Tools > Options
2.  Click on Advanced> Encryption
3.  Click View Certificates
4.  Highlight your certificate by clicking on it
5.  Click  Backup
6.  Select the location you wish to save the certificate to
7.  Enter your master password for the Software Security Device
8.  Enter a password to protect your certificate and private key
9.  Click OK
10. A message confirms that the backup procedure was successful
11. Click OK

f. how to verify the certificate when Verisign installed digital ID for you automatically

Microsoft Internet Explorer

  1. From the menu bar, click Tools > Internet Options > Content tab > Certificates

  2. Under the Personal tab, a certificate issued to your name should appear
Mozilla Firefox:
  1. Open a Mozilla Firefox window.
  2. From the menu bar, click Tools > Options > Advanced > View Certificates
  3. Under Your Certificates tab, a certificate issued to your name should appear
g. how to export out the public key part so that you can sent to other people for encryption

IE: After installed the digital ID by Verisign or importing from another pfx/p12 file, you can export out the certificate, choose 'do not export private key', then save as the first .der format.

Firefox: After installed the digital ID by Verisign, you can just view the certificate, go to detail column, then click on your name to export, then choose der format, there are a lot of other format too.

h. Associate a Digital ID With Your E-mail Account

Microsoft Outlook Express:
  1. Select Accounts from the Tools menu, then the Mail tab.
  2. Select your Mail account, click the Properties button, select the Security tab.
  3. Check the box "Use a digital ID when sending secure messages from", then click the Digital ID button.
  4. Select the certificate you want to use to digitally sign your e-mail.
Outlook 98 and 2000:
  1. In the Tools menu select Options, then the Security tab
  2. Click "Add digital signature to outgoing messages", click the "Change Settings" button
  3. On the next screen click the "Choose..." button. Select the Digital ID you want to use for signing e-mail in Outlook.

    6. References:
    a. convert certificates for all kind of formats:

    b. 60 days trial digital ID at
    just giving your email address and name, it will receive it. then for Firefox, you can use 'backup' button to export to pkcs12 format(.pfx). After importing to IE, export as .der(public key) without exporting private key.

    c. digital id support and FAQ page at