
Email Encryption and Signature Services FAQs

  • 1. MeSign APP automatically configures an encrypting certificate and a signing certificate once the mailbox settings are completed correctly. How does MeSign ensure the security of the certificate private keys?


    First, for the encrypting certificate.

    In order to give users the best experience with MeSign APP, in which logging into an email account on any device automatically decrypts all emails, MeSign adopted a cloud key management system solution for encryption key management after researching and taking reference from the global leading cloud key management service providers. The private key of the encrypting certificate is generated automatically in the cloud system and then distributed to the user on demand.

    Firstly, the private key of the encrypting certificate is generated in a FIPS 140-2 Level 3 certified HSM, which exceeds the WebTrust Standard requirement of FIPS 140-2 Level 2. The private key is then divided into two parts, which are encrypted and stored in two different key management servers. Secondly, the user must log into the email account and pass the email control validation; only then can the user obtain the key pair bound to this email address, which is stored securely on the user's devices.

    MeSign Key Management System (MKMS) has adopted several security measures to ensure the security of the encrypting certificate private key. These measures have passed a white-box security audit by a third-party code security testing company as well as the WebTrust audit, to make sure the protection of the user's private key is guaranteed.

    MeSign provides 4 different levels of security measures to protect the user's encrypting certificate private key, meeting the different levels of private key security required by different users.

    1. The default protection
      This level relies on the email account password validation (a successful login to the mailbox): once the user is logged in, MeSign APP retrieves the private key and encrypting certificate from the MeSign cloud system and installs them in the MeSign APP, and the user does not need to set up a separate key protection password. That is to say, if the user's email account password is secure, then the private key of the encrypting certificate is secure. The main purpose of this basic protection measure is to provide the most convenient way for users to manage their certificates. Users can start to encrypt email as soon as they have finished setting up their mailbox in the MeSign APP, just as they would in other email clients. There is no need to care about how the certificate is applied for and installed, and no need to remember an additional password for the private key.
    2. The enhanced protection

      In order to enhance the security of the private key, we strongly recommend that every MeSign APP user log into their MeSign account on the MeSign website to set a private key protection password (a password that is different from the email account password). MeSign APP then not only validates the email account when retrieving the private key and encrypting certificate, but also verifies the key protection password set by the user, which doubles the protection of the private key and of the encrypted email.

      The advantage is that even if the email account password is stolen or hacked, the thief cannot get the encrypting certificate because the thief does not know the key protection password, thus ensuring that the encrypted email cannot be decrypted illegally. The disadvantage is that the user not only needs to remember the email account password, but also needs to remember an extra password, the private key protection password. Please remember this password!

      Please note: If your email address is already used to bind accounts on other service systems, it is highly recommended to use this enhanced protection: set and remember the key protection password.

    3. The advanced protection
      At present, the private key of the email certificate in MeSign APP is a soft certificate. We plan to support storing the private key on a USB Key (USB Token), Bluetooth Key, or SIM Card Key in the future for users who have higher security requirements.
    4. Enterprise key management system on-premise

      The above three levels of protection are based on using the MeSign Key Management System to generate and store the private key. If a user has highly secure and controllable requirements for the encrypting certificate private key (such as government agencies, financial institutions, and large enterprises), then the user can buy the MeSign Enterprise Key Management System (Enterprise KM), which is a plug-and-play system deployed on-premise. All staff computers or mobile devices can only obtain the encrypting certificate private key by connecting to their in-house EKM, thereby realizing self-management of the encrypting keys and satisfying the relevant security control requirements. Please refer to the relevant solution.

    Second, for the Signing Certificate.
    Because the signing certificate contains identity information and its digital signature has the same legal effect as a handwritten signature, MeSign does not generate or save the user's signing certificate private key on the cloud server. The private key is generated and securely stored on the user's device and is never uploaded to the cloud. Each time the user uses the MeSign APP on a new device, the system issues a new signing certificate to the user on that device. The signing certificates on two devices are two different certificates; of course, the identity information in the certificates is the same.

    In addition to the locally generated private key, the signing certificate also uses the same three levels of security protection as the encrypting certificate private key, to meet the security requirements of different users. Once the user has set a certificate protection password, both the signing certificate and the encrypting certificate use the same password, which does not need to be set separately.

    To summarize: in order to properly handle the contradiction between private key security and ease of use, MeSign adopts the cloud key management system service model and separates the encrypting certificate and the signing certificate into two independent certificates. In order to let the user decrypt encrypted email on different devices, the encrypting certificates auto-configured by MeSign APP by default on all devices are the same certificate, which is generated and stored on the cloud server when the user uses the MeSign APP for the first time. If your organization has an on-premise enterprise key management system, the employees' default encrypting certificate private keys are retrieved from the EKM and securely stored on the on-premise EKM only; MeSign does not back up these encrypting certificate private keys to the cloud server.

    The signing certificate, on the other hand, is generated on the user's device and stored only on that local device, so different devices have different signing certificates. Although the signing certificates on different devices are not the same, the identity information in them is the same, and all of them can be used for email digital signatures.
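The key-release policy described above (the encrypting key divided into two parts held by two key management servers, released only after mailbox validation, and under enhanced protection also requiring the key protection password) can be modelled in a few lines. The following is an added illustration and not MeSign's code: the two-party XOR split, the HMAC-based toy wrapping, and the names `KeyManagementSystem`, `client_obtain_key`, `demo_policy` and `SAMPLE_PRIVATE_KEY` are all assumptions chosen to show why a single server, or the mailbox password alone, is not enough to recover the key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the encrypting certificate's private key. A real
# key would be a DER/PEM blob; 32 random bytes are enough to show the policy.
SAMPLE_PRIVATE_KEY = secrets.token_bytes(32)
PBKDF2_ITERATIONS = 100_000


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """Two-party XOR split (assumed model of 'divided into two parts').
    share_a is uniformly random, so either share alone reveals nothing."""
    share_a = secrets.token_bytes(len(secret))
    return share_a, xor_bytes(secret, share_a)


def join_shares(share_a: bytes, share_b: bytes) -> bytes:
    return xor_bytes(share_a, share_b)


def _derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 from the key protection password: 32 bytes for
    encryption, 32 bytes for the MAC."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=64)
    return kek[:32], kek[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy keystream so the example stays
    standard-library only. A production system would use AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_with_password(secret: bytes, password: str) -> bytes:
    """Encrypt-then-MAC the key under the password-derived keys.
    Layout: salt(16) | nonce(16) | tag(32) | ciphertext."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = xor_bytes(secret, _keystream(enc_key, nonce, len(secret)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def unwrap_with_password(blob: bytes, password: str) -> bytes:
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key protection password or tampered blob")
    return xor_bytes(ct, _keystream(enc_key, nonce, len(ct)))


class KeyManagementSystem:
    """Hypothetical cloud KMS: two share stores plus a per-user release gate."""

    def __init__(self) -> None:
        self.server_1: Dict[str, bytes] = {}   # first key management server
        self.server_2: Dict[str, bytes] = {}   # second key management server
        self.enhanced: Set[str] = set()        # users with a protection password

    def enroll(self, email: str, private_key: bytes,
               protection_password: Optional[str] = None) -> None:
        material = private_key
        if protection_password is not None:
            # Enhanced protection: the KMS only ever holds the wrapped key.
            material = wrap_with_password(private_key, protection_password)
            self.enhanced.add(email)
        self.server_1[email], self.server_2[email] = split_secret(material)

    def release(self, email: str, mailbox_login_ok: bool) -> bytes:
        # Default protection: the mailbox login is the only gate on release.
        if not mailbox_login_ok:
            raise PermissionError("email control validation failed")
        return join_shares(self.server_1[email], self.server_2[email])


def client_obtain_key(kms: KeyManagementSystem, email: str, mailbox_login_ok: bool,
                      protection_password: Optional[str] = None) -> bytes:
    """What the client does after login; under enhanced protection it must also
    know the key protection password to unwrap the released material."""
    material = kms.release(email, mailbox_login_ok)
    if email in kms.enhanced:
        if protection_password is None:
            raise PermissionError("key protection password required")
        return unwrap_with_password(material, protection_password)
    return material


def demo_policy() -> Dict[str, bool]:
    """Exercises both protection levels with constructed users (not real accounts)."""
    kms = KeyManagementSystem()
    kms.enroll("default-user@example.test", SAMPLE_PRIVATE_KEY)
    kms.enroll("enhanced-user@example.test", SAMPLE_PRIVATE_KEY, "a-separate-password")
    try:
        client_obtain_key(kms, "enhanced-user@example.test", True, "mailbox-password-only")
        wrong_password_blocked = False
    except ValueError:
        wrong_password_blocked = True
    return {
        "login_releases_default_key":
            client_obtain_key(kms, "default-user@example.test", True) == SAMPLE_PRIVATE_KEY,
        "single_server_share_is_not_key":
            kms.server_1["default-user@example.test"] != SAMPLE_PRIVATE_KEY,
        "correct_password_recovers_key":
            client_obtain_key(kms, "enhanced-user@example.test", True,
                              "a-separate-password") == SAMPLE_PRIVATE_KEY,
        "wrong_password_blocked": wrong_password_blocked,
    }


if __name__ == "__main__":
    for check, ok in demo_policy().items():
        print(f"{check}: {ok}")
```

The point of the split is that a breach of one key management server yields a uniformly random share; the point of the wrapped copy is that a stolen mailbox password lets an attacker reach the KMS but not the key, which is exactly the trade-off the enhanced protection level describes.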

  • 2. How do I export the Encrypting Certificate and Signing Certificate auto-configured by MeSign APP?


    First, exporting MeSign certificates to other email clients is not easy, so we recommend you use MeSign APP as your default email client. If you need some special feature that MeSign APP does not have, just let us know, and we will try our best to meet your need in a future release.

    For the MeSign APP Windows version, the encrypting certificate is exportable. The MeSign Windows version automatically installs the MeSign Root Certificate into the "Trusted Root Certification Authorities" store, and the user certificate is also installed automatically in the Windows user certificate store, which lets Outlook users encrypt and decrypt emails in Outlook without any settings. Outlook users just need to choose "signing" and/or "encrypting" when sending email from Outlook.

    For the MeSign APP Android and iOS versions, the encrypting certificate is exportable. But we think exporting the certificate to another email client is not easy and not necessary, and we recommend you use MeSign APP directly.

    If the user has purchased the Publicly Trusted Vp Email Certificate, then this certificate can be exported from MeSign APP and from the MMC in Windows. In the MeSign Android and iOS versions, if the user chooses to export it, the certificate is sent as an email attachment in PFX (P12) format to the user's mailbox. Please remember the certificate protection password you set when the certificate is exported.

  • 3. My mailbox can send and receive emails normally after being set up correctly, but the default encrypting certificate and signing certificate have not been configured automatically. What should I do?


    After setting up your email account successfully, MeSign APP automatically applies for the certificates from the default CA and auto-configures an encrypting certificate and a signing certificate for you. You can check whether these two default certificates have been installed successfully in the 'Certificate Management' section of the settings menu.

    If the MeSign APP is running on your device, you should get the certificates automatically within one minute. If you still have not received the certificates after a while, please click 'Feedback' to inform us. It would help if you could provide the following information: your device model, a screenshot of the certificate management page, etc., so that we can troubleshoot this issue for you.

  • 4. I have email certificates issued by other CAs. Can I import and use these certificates in MeSign APP? How do I import them?


    Yes, of course. You only need to send these certificates as email attachments in PFX format to your mailbox and, when you receive this email, tap the attachment in MeSign APP to install the certificates. After installing the certificates successfully, you can use them to decrypt the emails you encrypted before, and you can set any of them as the default encrypting certificate or default signing certificate.

  • 5. Can I delete the Encrypting Certificate and the Signing Certificate auto-configured in MeSign APP?


    No. The MeSign APP auto-configures an Encrypting Certificate and a V1 Signing Certificate by default after you set up your email account successfully. These certificates are 'Account Certificates' used to provide the basic communication validation and encryption service, and they are the default encrypting certificate and signing certificate until you import or set other certificates as the default. If you have imported other certificates or have applied for other levels of identity validation, you can set those certificates as the default, but the 'Account Certificates' auto-configured by MeSign APP cannot be deleted.

  • 6. I am worried about the security of the soft certificate on my mobile device, because my email is encrypted with this soft certificate. Do you support using a USB Key hard certificate?


    Yes, it is in the plan. In order to protect your highly confidential information, we are developing support for USB Key, Bluetooth Key and SIM Key. You will be able to import the certificate into your hardware key, and only when your mobile device is connected to the hardware key can the encrypted email be decrypted. Once the USB Key is disconnected from the mobile device, the MeSign APP can no longer decrypt the emails.

  • 7. How do I renew my default Encrypting Certificate and Signing Certificate once they expire?


    The default encrypting certificate validity period is 39 months and the default signing certificate validity period is 13 months. MeSign APP will reissue, configure and enable the new certificates automatically. The expired encrypting certificate remains on your device for decrypting the emails you encrypted previously. The expired signing certificate is removed.

  • 8. How do I apply to revoke my account certificate (the default encrypting certificate and signing certificate)?


    You can use MeSign APP to scan the QR code to log into your MeSign account on the MeSign website and apply to revoke the account certificate. If you have already set a certificate protection password, you need to enter this password for this application. Please note: once the certificate is revoked successfully, the emails encrypted with this certificate can no longer be decrypted unless you can pass the validation to get a new encrypting certificate.

    At the same time, please note that if you use MeSign for illegal purposes, MeSign reserves the right to revoke your encrypting certificate and signing certificate. Once your certificate has been revoked due to illegal usage, this email address can no longer apply for a certificate, and the issued certificate can no longer be used to decrypt the emails you encrypted previously. Please refer to the relevant Privacy & Terms.

  • 9. How can I protect my encrypted emails if my mobile phone is lost?


    If your mobile phone is lost, we strongly recommend that you log into your MeSign account on the MeSign website, find the device list, and disable the lost device from using MeSign APP. At the same time, revoke your encrypting certificate and signing certificate immediately, so that even if someone can open your mobile phone, they cannot read your encrypted emails because the certificate has been revoked. If you have set a certificate protection password, we strongly recommend that you change this password. If you have not set a certificate protection password, we strongly recommend that you set one that is different from your email password.