Home>FAQ>Email Encryption and Signature Services FAQs

Email Encryption and Signature Services FAQs

  • 1. MeSign APP will automatically configure an encrypting certificate and a signing certificate after the mailbox settings are completed correctly. How does MeSign ensure the security of the certificate private key?


    First, for the encrypting certificate.

    In order to guarantee that users can have the best user-experience with MeSign APP when they log into their email account to decrypt all emails on any devices automatically, MeSign decided to adopts the cloud key management system solution for encryption key management after researching and taking references from the global leading cloud key management system service providers. The private key of the encrypting certificate is auto-generated in the cloud system and then distribute it to user on demand.

    Firstly, the private key of the encrypting certificate is generated from a FIPS 140-2 Level 3 certified HSM, which exceeds the requirements from the WebTrust Standard, in which only FIPS 140-2 level 2 is required. And the private key is divided into two parts, encrypted and stored in two different key management servers. Secondly, the user must log into the email account and pass the validation of email control, then the user can obtain the key pairs bound with this email address and storing securely on the user’s devices.

    MeSign Key Management System (MKMS) has adopted several security measures to ensure the security of the private key of the encrypting certificate. These measures have passed through the white-box security audit by a third-party code security testing company and passed the WebTrust audit as well to make sure the user’s private key protection is guarantee.

    MeSign provides 4 different levels of security measures to protect the users’ private key of the encrypting certificate, meeting the demands from different users on the different levels of security requirements on their private key.

    1. (1) The default protection
      This level is dependent on the email account password validation (a successful log into the mailbox), then MeSign APP can retrieve the private key with encrypting certificate from MeSign cloud system and install it in the MeSign APP, user don’t need to setup a separate key protection password. That is to say, if user’s email account password is secure, then the private key of the encrypting certificate is secure. The main purpose of this basic protecting measures is to provide the most convenient way for users to manage their certificates. Users can start to encrypt the email when they finished setting up their mailbox in the MeSign APP like what they usually do in the other email clients. There is no need to care about how the certificate is applied and installed, and no need to remember an additional password for private key.
    2. (2) The enhanced protection

      In order to enhance the security of the private key, we strongly recommend every MeSign APP user log into MeSign account in MeSign website to set the private key protection password (set a password that is different from the email account password). Then MeSign APP not only needs to validate the email account when retrieving private key and encryption certificate, but also needs to verify the key protection password set by the user, which doubles the protection of private key security and the encrypted email security.

      The advantage is that even if the email account password is stolen or hacked, the thief cannot get the encrypting certificate because the thief does not know the key protection password, thus ensuring that the encrypted email will not be decrypt illegally. The disadvantage is that the user not only needs to remember the email account password, but also needs to remember an extra password - the private key protection password. Please remember this password!

      Please note: If your email address is already used to bind other service system accounts, it is highly recommended that to use this enhanced protection, set and remember the key protection password.

    3. (3) The advanced protection
      At present, the private key of the email certificate in MeSign APP is a soft certificate. We plan to support using USB Key (USB Token), Bluetooth Key, or SIM Card Key to store the private key for users who have higher security requirements in the future.
    4. (4) Enterprise key management system on-premise

    The above three levels of protection measures are based on using MeSign Key Management System to generate and store the private key. If user has the highly secure and controllable requirements for the encrypting certificate private key (such as government agencies, financial institutions, and large enterprises), then user can buy the MeSign Enterprise Key Management System (Enterprise KM), which is a plug-and-play system deployed on-premise. All staff’s computers or mobile devices only can get the encrypting certificate private key by connecting to their in-house EKM, thereby realizing the self-management of the encrypting keys and satisfying the relevant security control requirements. Please refer to the relevant solution.

    Second, for the Signing Certificate.
    Due to the signing certificate contains the identity information and its digital signature has the legal effect equivalent to the handwritten signature, MeSign does not generate and save users’ Signing Certificate private key in cloud server. The private key is generated and securely stored in user's device and will not upload to the cloud. Each time the user uses the MeSign APP on a new device, the system will issue a new signing certificate to the user on the new device. The signing certificates on two devices are two different certificates. Of course, the identity information in the certificates are same.

    In addition to the locally generated private key, the signing certificate also uses the same three different levels of security protection for the private key of the encrypting certificate to meet the security requirements of different users. Once the user has set a certificate protection password, both the signing certificate and the encrypting certificate use the same password, which does not need to be set separately.

    In summary, in order to properly handle the contradiction between private key security and ease of use, MeSign adopts cloud key management system service model, and separates the encrypting certificate and the signing certificate into two independent certificates. In order to facilitate the user to decrypt the encrypted email on different devices, all encrypting certificates auto-configured by MeSign APP by default on all devices are same, which is generated and stored in the cloud server when the user used the MeSign APP for the first time. If your organization has an on-premise enterprise key management system, the employees default encrypting certificate private keys will be retrieved from EKMS and securely stored on the on-premise EKMS only. MeSign do not backup this encrypting certificate private key to the cloud server.

    The encrypting key and encrypting certificate period are 3 years, once the encryption certificate expires, a new encryption key and encryption certificate will be automatically generated, and the old encryption certificate will also be saved and distributed for use to decrypt previously encrypted email with this certificate, but it is not visible in the certificate management menu of MeSign App. This perfectly solves the user's headache of managing expired email certificates.

    The auto-configured signing certificate of the Free Edition is valid for one year. After expiration, a new keypair is generated on the local device and a new signature certificate is automatically configured. The old signing certificate will no longer be used and will no longer be displayed in the certificate management menu in MeSign App. For the signing certificate of the paid Pro Edition service, the user can choose the validity period of 1-3 years. After the expiration, the user needs to renew and regenerate and automatically configure a new signing certificate containing trusted identity information. If the user does not renew the paid service, it will be automatically downgraded to Free Edition and auto-configuration the Free Edition signing certificate.

  • 2. How to export the Encrypting Certificate and Signing Certificate that auto-configured by MeSign APP?


    First, to export MeSign certificates to other email clients is not easy, we recommend you use MeSign APP as your default email client. If you need some special feature that MeSign APP don't have, just let us know, we will try our best to meet your need in the future release. For MeSign APP Windows version, the encrypting certificates and signing certificates are not exportable.

    MeSign Windows version will automatically install the MeSign Root Certificate to the "Trusted Root Certification Authorities", and the user certificate is also automatically installed in the Windows user certificate store, which make Outlook users can automatically use the Outlook to encrypt and decrypt emails without any settings. Outlook users just need to choose "signing" and/or "encrypting" when sending email by Outlook.

    MeSign APP Android and iOS version do not support exporting certificates. Again, we think exporting certificate to other email client is not easy and not necessary and recommend you use MeSign APP directly.

    If user purchased the Publicly Trusted Vp Email Certificate, this certificate is also not exportable.

  • 3. My mailbox can send and receive emails normally after setting up correctly, but the default encrypting certificate and signing certificate have not been automatically configured, what should I do?


    After setting up your email account successfully, MeSign APP will automatically apply the certificates from the default CA and auto-configure an encrypting certificate and a signing certificate for you. You can check whether these two default certificates have been installed successfully or not in the ‘Certificate Management’ of the setting menu.

    If the MeSign APP is running on your device, you can get the certificate automatically within one minute. If you haven’t gotten the certificate after a while, please click ‘Feedback’ to inform us. It would be better if you can provide the following information to us: your device model, the screenshot of the certificate management page, etc., so that we can troubleshoot this issue for you.

  • 4. I have email certificates issued by other CAs, can I import and use these certificates in MeSign APP? How to import them?


    Yes, of course. You only need to send these certificates as email attachments in PFX format to your mailbox and click it in MeSign APP to install the certificates when receiving this email. After installing the certificates successfully, you can start to use these certificates to decrypt the emails you encrypted before and set any of these certificates as the default encrypting certificate or default signing certificate.

  • 5. Can I delete the Encrypting Certificate and the Signing Certificate that auto-configured in MeSign APP?


    No. The MeSign APP will auto-configure an Encrypting Certificate and a Signing Certificate by default after you setup your email account successfully. These certificates are ‘Account Certificate’ used for providing the basic communication validation and encryption service, and are the default encrypting certificate and signing certificate before you import or set other certificates as default certificate. If you have imported other certificate or you have applied for the other levels of identity validation, you can set these certificates as default certificate, but the ‘Account Certificate’ auto-configured by MeSign APP cannot be deleted.

  • 6. I am worried about the security of the soft certificate on my mobile device, because the email was encrypted by this soft certificate. Do you support using USB Key hard certificate?


    Yes, it is in the plan. In order to protect your high confidential information, we are developing the support of USB Key, Bluetooth Key and SIM Key. You can import the certificate into your hardware key, and only when your mobile device connects to the hardware key, the encrypted email will be decrypted. Once the USB key disconnect to the mobile, then the MeSign APP cannot decrypt the emails.

  • 7. How to renew my default Encrypting Certificate and Signing Certificate once it is expired?


    The default encrypting certificate period is 39 months and the default signing certificate is 13 months. MeSign APP will reissue, configure and enable the new certificates to be used automatically. The expired encrypting certificate will remain in your device for decrypting the emails you encrypted previously. The expired signing certificate will be removed.

  • 8. How do I apply for revoking my account certificate (the default encrypting certificate and signing certificate)?


    You can use MeSign APP to scan the QR code to login your MeSign account on MeSign website to apply for revoking the account certificate. If you have already set a certificate protection password, then you need to enter this password for this application. Please note, once the certificate is revoked successfully, then the email encrypted by this certificate cannot be decrypt anymore unless you can pass the validation to get a new encrypting certificate.

    At the same time, please note, if you use MeSign for illegal purpose, MeSign reserves the right to revoke your encrypting certificate and signing certificate. Once your certificate has been revoked due to illegal usage, then this email address cannot apply for certificate anymore, and cannot use the issued certificate to decrypt the emails you encrypted previously. Please refer to the relevant Privacy & Terms.

  • 9. How can I protect my encrypted emails if my mobile phone is lost?


    If your mobile phone is lost, we strongly recommend you log into your MeSign account on MeSign website to find the devices list and to disable the lost device to use MeSign APP. At the same time, revoking your encrypting certificate and signing certificate immediately, so that even if anyone can open your mobile phone, but they cannot read your encrypted emails as the certificate has been revoked. If you have set a certificate protection password, we strongly recommend you change this password. If you haven’t set the certificate protection password, we strongly recommend you set the password different to your email password.