"Current notices about Posteo: News, developments, background information and media appearances."



New from Posteo: Create S/MIME certificates and start using right away

Created at 30.April 2024, 15:00 | Category: Info

Dear Posteo Customers,

We’re adding to our offerings for end-to-end encryption and email signing: effective immediately you can use our service to easily obtain inexpensive S/MIME certificates for your Posteo email addresses with a single click.

S/MIME is a standard for end-to-end encryption that is used around the world and is already integrated into many email clients. An S/MIME certificate issued by a recognized certificate authority is displayed as trustworthy in email clients – and verifies the authenticity of an email address and the contents of an email. That means: more security in email communication.

For private users, obtaining certificates has for years been relatively complicated and cost-intensive, even though S/MIME certificates can play an important role in ensuring secure communication across email platforms. We want to encourage the use of S/MIME, and so effective immediately we are offering inexpensive certificates for your Posteo address(es) that you can create with just one click and start using right away. The S/MIME certificates come from a recognized certificate authority (Certum); emails signed with the certificates are displayed as trustworthy in email clients. The certificates are valid for one year and cost €3.65. You will be notified before the expiration date and given the option to renew. Certificates can also be obtained for aliases. You’ll find the new option in Settings under “My S/MIME certificates”.

S/MIME signatures are verified in Posteo webmail
S/MIME signatures are verified in Posteo webmail

To sign your emails with S/MIME, only you need a certificate; for encryption all recipients must also be using S/MIME. S/MIME works with almost all email clients (such as Thunderbird, Apple Mail, and Outlook) and effective immediately you can start using certificates obtained through Posteo with these clients.

We are currently at work on a browser plug-in for Posteo webmail and the Posteo web app. With this plug-in you’ll be able to sign your emails directly in Posteo webmail and the web app. You’ll also be able to encrypt and decrypt emails – without us, the email provider, storing your private key on our servers. This is the only way to ensure real and trustworthy end-to-end encryption.

S/MIME signatures are already verified and displayed in Posteo webmail and the Posteo web app. Some large companies, like DHL, and some government agencies as well have begun signing their emails with S/MIME, so that you can recognize the authenticity of an email at a glance.

For those interested in the technical details: here’s what happens when you generate a certificate “with a single click.”

Certificates are not server-generated at Posteo: if you create an S/MIME certificate in Settings, a key pair is automatically generated locally in the browser on your device. Your browser then generates a certificate signing request, and only this request (not the private key) is transferred via Posteo to the certificate authority (Certum), where it is signed and sent back, again via Posteo, to your browser. The browser then saves the certificate together with your private key in a file on your computer’s hard drive. The certificate can be installed in email clients. To do so you will need the installation password provided when you created the S/MIME certificate – please store it in a safe place. Throughout this process the private key continues to be stored locally on your device at all times. Or to put it another way: private keys, which are used to sign and decrypt emails, are never at any point in time available to either Posteo or the certificate authority (Certum) and are not saved by Posteo. To reiterate: This is important, because real end-to-end encryption means the email providers never have the end users’ private keys.

Best regards,
Your Posteo Team