The system used for both message signing and encryption is based on public-key cryptography. In short, two types of certificates are used.
A public certificate (or public key) is a certificate that is intended to be shared. Its function in secure email is to allow you to encrypt a message for another user, and to verify the digital signature of a message received from someone else.
When saved to a file, it has a .cer, .crt, .der or .pem extension; this is the X.509 format, encoded either in binary form (DER) or as base64 text (PEM).
When a message is signed, the sender's public certificate is usually included in the signed message, so you don't need to already have the sender's public certificate in order to verify the digital signature.
This is the user's private certificate (containing both the private key and the public key), and it must not be distributed to anyone. It may be saved as a PKCS#12 file (with a .p12 or .pfx file extension). The file is typically protected by a password which you (the owner) entered when creating or exporting the certificate.
A PKCS#12 file actually contains a hierarchy of certificates: the user's own certificate, chaining up to the certificate of a trusted certificate authority (CA), which allows the identity of the owner of the user's certificate to be verified.
The private certificate is used to sign your own outgoing messages, and to decrypt received messages that someone else encrypted for you using your public certificate.
ProfiMail allows you to import a private certificate into its own certificate store, in the Certificate manager.
Where to get a private certificate for this to work?
Private certificates have to be signed by a trusted certification authority for the system to be really secure. So you have to use one of the known certificate authority companies to issue a private certificate for you.
There are paid options, as well as free options, to get such a certificate.
For your own personal use, you can get a certificate for free from one of the companies mentioned here. The typical limitation is that the certificate is valid only for one year, or an even shorter time. Such a certificate is also limited to securing mail (fine for our purpose), but won't be suitable for anything else, such as securing a website.
You may get a paid private certificate from basically the same companies that offer free certificates, plus from many more. Or you may get a certificate from your own company if it relies on secure mail communication.
Problem of certificate expiration
Digital certificates are designed to be valid only for a certain period of time. For that reason, expired certificates can't be used to sign or encrypt new messages. However, they can still decrypt messages that were encrypted with them.
For that reason, you may be forced to replace your expired certificate with a new one. Your contacts who are used to sending you encrypted messages will then need to get your updated public certificate in order to encrypt mail for you.
In ProfiMail, this means that you have to import the new certificate and assign it to the account. You may still leave the old certificate in ProfiMail so that messages encrypted for the old certificate can be decrypted: ProfiMail tries all certificates matching the account's email address, not only the currently active one.
This is where paid certificate-issuing services have a benefit: they may be able to renew the validity of your certificate while keeping it working with older mail.
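The file formats described above (a public certificate as .pem/.cer text or .der binary, a private certificate as a password-protected PKCS#12 file) and the expiry rule from this section, walked through with the openssl command-line tool as an added example. This is not ProfiMail's code; the name, e-mail address, file names and password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not ProfiMail's code: round-trips the certificate file
# formats described in the text with the openssl CLI. The name, e-mail
# address, file names and password are all made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS='demo-only-password'   # constructed; protects the private key in the .p12

# Create a private key plus a self-signed X.509 certificate bound to an
# e-mail address, valid for 30 days (a real one would be issued by a CA).
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj '/CN=Alice Example/emailAddress=alice@example.com' 2>/dev/null
}

# Bundle private key + certificate into a password-protected PKCS#12
# (.p12) file: the "private certificate" that must never be shared.
export_private_p12() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/alice.p12" -passout "pass:$P12_PASS"
}

# Pull only the public certificate back out of the .p12 (-nokeys), first as
# base64 text (.pem/.cer) and then as binary DER (.der). This is the part
# that is safe to hand to contacts who want to encrypt mail for you.
export_public_cert() {
  openssl pkcs12 -in "$WORK/alice.p12" -passin "pass:$P12_PASS" \
    -clcerts -nokeys -out "$WORK/alice-public.pem"
  openssl x509 -in "$WORK/alice-public.pem" -outform DER \
    -out "$WORK/alice-public.der"
}

# Check a public certificate file before sharing or using it: it must hold
# no private key, must be bound to the expected address, and must not be
# expired (-checkend 0 fails for an expired certificate, matching the rule
# that expired certificates cannot sign or encrypt new mail).
check_public_cert() {
  f="$WORK/alice-public.pem"
  if grep -q 'PRIVATE KEY' "$f"; then return 1; fi
  openssl x509 -in "$f" -noout -subject | grep -q 'alice@example.com' || return 1
  openssl x509 -in "$f" -noout -checkend 0 >/dev/null
}

make_identity && export_private_p12 && export_public_cert && check_public_cert \
  && echo "public certificate exported to $WORK and still valid"
```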
How ProfiMail stores certificates
The main concern is your private certificates. These are saved in ProfiMail's database in protected device memory. When ProfiMail is uninstalled, this database is removed too, along with the certificates. Moreover, the certificates remain stored password-protected; the password is also saved, but in encrypted form, so that only ProfiMail can load the password and use your certificate.
For security reasons, certificates can't be exported from ProfiMail to a file.