On Sun, 25 Nov 2018, Alice Wonder wrote: >I want more than just DKIM sigs on my e-mail now. That digital signature (failing to verify) should be sufficient proof that the content was altered -- it is as strong as S/MIME signing only will provide, i.e., if someone with power over your life can be convinced that you authored an altered/doctored message then whether the DKIM headers or the S/MIME signature was discarded seems pretty immaterial. > Anyway looking for S/MIME I can use to sign and/or encrypt but mostly sign. > The "free for personal" S/MIME from Comodo didn't work. Browser said it did but > there was nothing to export for me to then import. I suspect it is because I > used private browser window, I really don't like the idea of a private key > stored in browser anyway. And it never asked for a password to encrypt the > private key, nor let me specify key strength (only let me choose between medium > and high - I assume high is 4096 but I don't know, it didn't say) Likely being "private" was the issue though I'd expect that if a key won't be stored because the window was private it should refuse to generate a CSR which is what happens though you can't see it. Perhaps you should revoke and reissue, i.e., try again but not private, or it might be on a different tab that you failed to notice. Once you have a signed certificate installed you can export it to a PKCS#12 bundle for which Firefox will require a password. Feel free to delete it from the browser's store once you export it -- I doubt I would; the certificate usage specifier should prevent it being used when visiting a site that allows or requires you to provide a client-side certificate. > But I can't find anyone who sells certs for S/MIME to send the CSR too. Indeed, nothing inexpensive. Supply and demand economics, you want what isn't in much demand so pay a premium. I can't even find it in the OpenSRS reseller panel and they resell everything they can. mozillaZine has a knowledgebase article about it along with possible sources (including signers that are no longer issuing them), see <http://kb.mozillazine.org/Getting_an_SMIME_certificate>. /mark