Until now, I have used GPG (OpenPGP) for encrypting and signing emails, which is based on the Web of Trust. I recently learned that S/MIME essentially works the same way as GPG, but without the Web of Trust, instead using a hierarchical structure. If you have an S/MIME certificate, it has been issued by a higher authority, which anyone can easily verify. This is a clear advantage for signing documents. Everyone can see that the signature truly comes from a specific person.
Since everything is digital due to COVID-19 and even scanned signatures are sometimes accepted at universities, using digital signatures would be much more efficient and secure. Therefore, I have now applied for an S/MIME certificate. This is usually free of charge at universities and the certificates are valid for three years. The Public Key Infrastructure (PKI) of the German Research Network (DFN) is generally used.
In this context, I wondered how to get the public keys of people to whom you want to send an email. Of course, you can ask the people to attach their key to an email. But what if you want to write to an unknown person? Is that even possible? Sure, because the public keys are located in the directory service of the DFN-PKI (https://www.pki.dfn.de/faqpki/faqpki-allgemein/#c15074). However, the procedure is a bit tricky because the service runs over LDAP and when configuring, e.g., via Thunderbird, the critical attribute (userCertificate) is not displayed. But it is quite easy with ldapsearch (openldap package) under GNU/Linux:
ldapsearch -x -H ldap://ldap.pca.dfn.de:389 -b "ou=DFN-PKI,o=DFN-Verein,c=de" \
"cn=Johannes Titz"
# extended LDIF
#
# LDAPv3
# base <ou=DFN-PKI,o=DFN-Verein,c=de> with scope subtree
# filter: cn=Johannes Titz
# requesting: ALL
#
# johannes.titz@psychologie.tu-chemnitz.de, Technische Universitaet Chemnitz, D
FN-PKI, DFN-Verein, DE
dn: mail=johannes.titz@psychologie.tu-chemnitz.de,o=Technische Universitaet Ch
emnitz,ou=DFN-PKI,o=DFN-Verein,c=DE
cn: Johannes Titz
mail: johannes.titz@psychologie.tu-chemnitz.de
sn: Titz
objectClass: inetOrgPerson
userCertificate;binary:: MIIG6TCCBdGgAwIBAgIMJmUNYwmufKINUNz0MA0GCSqGSIb3DQEBC
wUAMIGNMQswCQYDVQQGEwJERTFFMEMGA1UECgw8VmVyZWluIHp1ciBGb2VyZGVydW5nIGVpbmVzIE
RldXRzY2hlbiBGb3JzY2h1bmdzbmV0emVzIGUuIFYuMRAwDgYDVQQLDAdERk4tUEtJMSUwIwYDVQQ
DDBxERk4tVmVyZWluIEdsb2JhbCBJc3N1aW5nIENBMB4XDTIyMDMzMTExMjYxNFoXDTI1MDMzMDEx
MjYxNFowcjELMAkGA1UEBhMCREUxKTAnBgNVBAoMIFRlY2huaXNjaGUgVW5pdmVyc2l0YWV0IENoZ
W1uaXR6MQ0wCwYDVQQEDARUaXR6MREwDwYDVQQqDAhKb2hhbm5lczEWMBQGA1UEAwwNSm9oYW5uZX
MgVGl0ejCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKOWn/NMDu8EiposvlTcvC5/KwL
+8swl2Tzn3WqhYVY4RncAK/LQr6sZ47VHdRGCVV2auA7BDnsJPLsaBsW/cTG3wFlJBLJxAgBK/W0R
m3CZeCWixFoFIm8HDRNkTW+EKFRgYkaSWBt4a0uGLCqJOT+6PM6W3s7vOQuBhCGnsc+6g3+ofKVFC
Fth3L47La4QZ1Fknrcu202D4+NvBFBvJ9DAkpRNrPPlMWb/i+FkxfU93DK0YfHfGuuTDnscdpAVGz
aVZbm2gK36ePrBgZf5ZREeoXBReg/wUOAkvpKkPOu6bv0UaON50lXZzBgO+tfnPQbJj0WUFkipHoA
Of3J0m6Cqe+gPlGgsB/WFoVnfZl9EEcKuZ6N+gAIAxDNNLB76C/go1GfSmgbcL+LKaitD7JGQTrql
zsc825EjrXuA0KGrwvoQD7sXoZQO/HgfkhIZv+QF3kTATw2vDLQ1pS8pabVBsuESPhr9bxuRQOyUh
XS67/aI5rXllG/2GWroREnEy6Ji0eYo4GVaROfFPj1gjid66XzTeJjq7x7kjh57iF+MFrMJQ4vtMO
HRk0PzU2tFExKFtJj6L3IqRtvjUg2onXfAphCYMF0uAtoTSlasVGxI88a2B5uprCK40qB7ww/YoDG
q3AKRq7sVug21xx3+u/fZePMGxb40xYfCt4V7NPt1AgMBAAGjggJhMIICXTA+BgNVHSAENzA1MA8G
DSsGAQQBga0hgiwBAQQwEAYOKwYBBAGBrSGCLAEBBAowEAYOKwYBBAGBrSGCLAIBBAowCQYDVR0TB
AIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1UdDg
QWBBSm2Itd+1jYRa8nXeJ/EsUyPz6t1zAfBgNVHSMEGDAWgBRrOpiL+fJTidrgrbIyHgkf6Ko7dDA
zBgNVHREELDAqgShqb2hhbm5lcy50aXR6QHBzeWNob2xvZ2llLnR1LWNoZW1uaXR6LmRlMIGNBgNV
HR8EgYUwgYIwP6A9oDuGOWh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZGZuLWNhLWdsb2JhbC1nMi9wd
WIvY3JsL2NhY3JsLmNybDA/oD2gO4Y5aHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tY2EtZ2xvYm
FsLWcyL3B1Yi9jcmwvY2FjcmwuY3JsMIHbBggrBgEFBQcBAQSBzjCByzAzBggrBgEFBQcwAYYnaHR
0cDovL29jc3AucGNhLmRmbi5kZS9PQ1NQLVNlcnZlci9PQ1NQMEkGCCsGAQUFBzAChj1odHRwOi8v
Y2RwMS5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NhY2VydC9jYWNlcnQuY3J0MEkGC
CsGAQUFBzAChj1odHRwOi8vY2RwMi5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NhY2
VydC9jYWNlcnQuY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQB1xpmzfY8JSPeBzFdwmY3AvMyxAt7wCy5
mOJeoyXKD7JZh9glbeStvDcsQ0BShKYeahPoIHqHMiEbXFSJ4gV5yAZQ1DugvO5UGo0bA93XuYJdD
Gl9SGdduxuAm3e82mGHtpvwgWCIwaS+fXB6cQcbTqbx0kGoHdbRwkiPqkzc1K+wBscUinW899d67t
t4youqA8FAbs+qPqlukSZfXRfAMk4PbOXcMWqdvoeaKQWSkBk/v4GwsTC8f+drd9K0+uOPtP6I+91
BRzp1gnAyltKfdlQmCkEP2wuxP8PTtai3iyfrxbkk+AdTbrq/w/sjJMdwxKqCDIeWiajjQoOC3jvT
0
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
-x selects a simple bind instead of SASL; without a bind DN this is an anonymous bind, so no password is needed
-H specifies the server, don't forget the port at the end!
-b is the search base, which should be entered exactly as shown
Lastly, you enter the search filter, where cn stands for Common Name, but you can also filter on other attributes, such as mail.
ou stands for Organizational Unit
o is Organization
c is Country
If you want to import the key into your mail program, you create a proper certificate file from the userCertificate:
ldapsearch -x -H ldap://ldap.pca.dfn.de:389 -b "ou=DFN-PKI,o=DFN-Verein,c=de" \
"cn=Johannes Titz" > pubkey
echo "-----BEGIN CERTIFICATE-----" > pubkey.pem
# join the wrapped LDIF lines, then keep only the base64 value of userCertificate
tr -d '\n ' < pubkey | sed 's/.*binary:://; s/#search.*//' >> pubkey.pem
# printf instead of "echo -e": echo -e is not portable across shells
printf '\n-----END CERTIFICATE-----\n' >> pubkey.pem
cat pubkey.pem
-----BEGIN CERTIFICATE-----
[base64 body of the userCertificate attribute shown above, omitted here]
-----END CERTIFICATE-----
The sed command deletes everything before and after the base64-encoded certificate (which contains the public key): the first expression drops the LDIF header up to "binary::", the second drops the "# search result" trailer.
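As an added example that is not part of the original post: a small Python 3 script (standard library only) that performs the same extraction as the tr/sed pipeline, but handles the LDIF line folding explicitly, decodes the base64 userCertificate value to DER, selects the entry by mail address (a cn is not unique in the directory, so a search by name can return several people) and writes standard 64-column PEM via ssl.DER_cert_to_PEM_cert. SAMPLE_LDIF and SAMPLE_DER are constructed placeholders, not a real certificate; fetch_ldif assumes OpenLDAP's ldapsearch is installed and on PATH and uses its -LLL and -o ldif-wrap=no options to get comment-free, unwrapped LDIF.

```python
"""Extract S/MIME certificates from ldapsearch LDIF output (added example, stdlib only)."""
import base64
import ssl
import subprocess

DFN_HOST = "ldap://ldap.pca.dfn.de:389"
DFN_BASE = "ou=DFN-PKI,o=DFN-Verein,c=de"

# Constructed sample in the shape ldapsearch prints: comment lines, a dn
# wrapped onto a continuation line (leading space), a base64 attribute ("::")
# split over two lines, and two hits for the same cn. SAMPLE_DER is
# placeholder bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x00\x10" + bytes(range(16))
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_LDIF = (
    "# extended LDIF\n"
    "#\n"
    "# LDAPv3\n"
    "# base <ou=DFN-PKI,o=DFN-Verein,c=de> with scope subtree\n"
    "# filter: cn=Jane Doe\n"
    "#\n"
    "dn: mail=jane.doe@example.org,o=Example University,ou=DFN-PKI,o=DFN-Verei\n"
    " n,c=DE\n"
    "cn: Jane Doe\n"
    "mail: jane.doe@example.org\n"
    "objectClass: inetOrgPerson\n"
    f"userCertificate;binary:: {_B64[:20]}\n"
    f" {_B64[20:]}\n"
    "\n"
    "dn: mail=jane.doe@other.example,o=Other,ou=DFN-PKI,o=DFN-Verein,c=DE\n"
    "cn: Jane Doe\n"
    "mail: jane.doe@other.example\n"
    "objectClass: inetOrgPerson\n"
    "\n"
    "# search result\n"
    "search: 2\n"
    "result: 0 Success\n"
    "\n"
    "# numResponses: 3\n"
    "# numEntries: 2\n"
)


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each mapping a lower-cased attribute name to a list of values.

    Base64 values ("attr:: ...") are decoded to bytes; plain values stay str.
    Attribute options such as ";binary" are dropped from the name. Records
    without a dn (the "search:/result:" trailer) are ignored.
    """
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(name.split(";")[0].lower(), []).append(value)
    if "dn" in current:
        entries.append(current)
    return entries


def certificates_for(entries, mail):
    """PEM certificates of the entries whose mail attribute equals `mail` (case-insensitive).

    Matching on mail rather than cn avoids picking up a different person who
    happens to share the name; ssl.DER_cert_to_PEM_cert wraps at 64 columns.
    """
    pems = []
    for entry in entries:
        mails = [m.lower() for m in entry.get("mail", []) if isinstance(m, str)]
        if mail.lower() not in mails:
            continue
        for der in entry.get("usercertificate", []):
            pems.append(ssl.DER_cert_to_PEM_cert(der))
    return pems


def fetch_ldif(ldap_filter, host=DFN_HOST, base=DFN_BASE):
    """Run OpenLDAP's ldapsearch (anonymous simple bind) and return its LDIF. Needs network access."""
    cmd = ["ldapsearch", "-x", "-LLL", "-o", "ldif-wrap=no", "-H", host, "-b", base, ldap_filter]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; for a live query use e.g.
    # parse_ldif(fetch_ldif("(mail=someone@example.org)")).
    for pem in certificates_for(parse_ldif(SAMPLE_LDIF), "jane.doe@example.org"):
        print(pem, end="")
```

The resulting PEM can be written to a file and imported into the mail client exactly like pubkey.pem above; because the second sample entry has the same cn but a different mail address, it is correctly left out.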
In Thunderbird, import through Account Settings, End-To-End Encryption, Manage S/MIME Certificates, Import. Name, email address, etc., are already encoded in the certificate.