Thursday, July 2, 2020

Fossa Guard Pro 1.0 Personal Certificate enrollment options

Once Fossa Guard Pro 1.0 is installed, the User has to enroll his Identity (a Personal Certificate) to start secure emailing. The enrollment artifacts are stored in the local Chrome extension storage within userspace (see https://fossaguard.blogspot.com/2020/03/technical-details-about-chrome-extension.html for details) and consist of:
  • Private Key - keep it private; it is used to
    • decrypt messages sent to you
    • sign messages so that your recipients can verify the signature using your Public Certificate
  • Trusted Certificates - the chain of officially Trusted certificates that issued the Public Certificate, from the direct Issuer up to the Root Trusted Certificate, so that anyone can verify the origin of your Public Certificate.
  • Public Certificate - the certificate your recipients should use to encrypt private messages sent to you. This certificate is also used when you send an encrypted message to yourself, so it is present in both the Personal and Recipient lists of certificates.
There are three main options to enroll the Personal Certificate once Fossa Guard is installed.



Import Private Key (p12, pfx)


This option applies when the User already has a personal identity in the form of a file in P12 or PFX format protected by a Passphrase (which can be empty). Usually, it contains a Private Key accompanied by the corresponding Public Certificate.
Once the user provides the correct passphrase to decrypt the imported file, Fossa Guard:

  • Checks whether the contained Public Certificate is valid and is issued to the email of the logged-in User; if so, the Private Key is assigned as the User's default identity
  • Adds the corresponding certificate to the Recipients list (so the user will be able to send encrypted emails to himself)
NOTE that there are few or no vendors providing free trusted S/MIME identities: http://kb.mozillazine.org/Getting_an_SMIME_certificate


Enroll Fossa Certificate


The user has an option to enroll a free Personal Certificate signed by the Fossa Certificate Authority (CA). The Fossa Guard extension and Fossa CA are designed to make the enrollment simple and secure using Enrollment over Secure Transport (EST).
Once the user provides the name (the only mandatory parameter), he can start the procedure.


The Private/Public Key pair and the Certificate Signing Request (CSR) are generated locally in the browser.

On the next step, the User should log in to Fossa Server (by clicking `Get Shared Secret from Fossa.me Server`) to get a shared secret which will be used to establish a TLS connection. Please note that you should log in to the Fossa Server using the same Gmail user to get the shared secret for the corresponding email address.


Over the TLS connection, Fossa Guard securely sends the Certificate Request with the Public Key inside and gets back the Public Certificate signed by Fossa CA.
In the final step, Fossa Guard asks the User to enter a Passphrase to protect the Private Key before storing it with the Public Certificate in local Chrome extension storage.

That's all, Fossa Guard is ready for secure mailing via Gmail.
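The local key and CSR generation step described above, together with the check a CA can run on the request it receives, as an added example that is not Fossa Guard's own code. It assumes an RSA-2048 key with SHA-256, uses Node's crypto module in place of the browser, and the helper names (buildCsr, verifyCsr) are hypothetical.

```javascript
// Added example (not Fossa Guard code); assumes RSA-2048 + SHA-256, Node crypto as stand-in.
const nodeCrypto = require('node:crypto');

// Minimal DER encoder: length, tag-length-value, SEQUENCE, OBJECT IDENTIFIER.
const len = n => (n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff]);
const tlv = (tag, ...parts) => {
  const body = Buffer.concat(parts.map(p => Buffer.from(p)));
  return Buffer.concat([Buffer.from([tag, ...len(body.length)]), body]);
};
const seq = (...parts) => tlv(0x30, ...parts);
const base128 = v => (v < 0x80 ? [v] : [...base128(v >> 7).map(b => b | 0x80), v & 0x7f]);
const oid = dotted => {
  const [a, b, ...rest] = dotted.split('.').map(Number);
  return tlv(0x06, [40 * a + b, ...rest.flatMap(v => base128(v))]);
};
const rdn = (type, tag, text) => tlv(0x31, seq(oid(type), tlv(tag, text))); // SET { SEQUENCE }

// Client side: key pair and CSR are created locally; only csrDer would be sent.
function buildCsr(name, email) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const info = seq(
    tlv(0x02, [0]),                                    // version 0
    seq(rdn('2.5.4.3', 0x0c, name),                    // commonName, UTF8String
        rdn('1.2.840.113549.1.9.1', 0x16, email)),     // emailAddress, IA5String
    publicKey.export({ type: 'spki', format: 'der' }), // SubjectPublicKeyInfo
    tlv(0xa0));                                        // empty attributes
  const sigAlg = seq(oid('1.2.840.113549.1.1.11'), tlv(0x05)); // sha256WithRSAEncryption
  const signature = nodeCrypto.sign('sha256', info, privateKey);
  return { csrDer: seq(info, sigAlg, tlv(0x03, [0], signature)), privateKey };
}

// Minimal DER reader for the receiving side (lengths up to two bytes).
const read = (buf, off) => {
  let n = buf[off + 1], p = off + 2;
  if (n & 0x80) { const k = n & 0x7f; n = 0; while (p < off + 2 + k) n = (n << 8) | buf[p++]; }
  return { value: buf.subarray(p, p + n), raw: buf.subarray(off, p + n), next: p + n };
};
const children = (buf, out = []) => {
  for (let o = 0; o < buf.length; o = out.at(-1).next) out.push(read(buf, o));
  return out;
};

// CA side: the CSR signature must verify under the public key the CSR carries.
function verifyCsr(csrDer) {
  const [info, , sig] = children(read(csrDer, 0).value);
  const spki = children(info.value)[2].raw;
  const key = nodeCrypto.createPublicKey({ key: spki, format: 'der', type: 'spki' });
  return nodeCrypto.verify('sha256', info.raw, key, sig.value.subarray(1));
}
```

The signature check proves possession of the private key without the key leaving the client, and it fails if the subject or public key in the request is altered in transit.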


Enroll Self-signed Certificate


The self-signed Personal Certificate enrollment procedure has only the first and last steps of the Fossa certificate enrollment.
On completion, the self-signed certificate is automatically added to the Personal, Trusted, and Recipient certificate lists.

NOTE that self-signed certificates can't be verified by checking Issuer certificates, so the user should find a trusted way to share the certificate with his recipients.


Wednesday, July 1, 2020

Fossa Guard Pro 1.0 Settings overview

The Fossa Guard settings page contains three lists of certificates:

  • Personal Certificates - this list represents the User's Private Keys. There are three main options to add them:
    • Import Private Key (p12, pfx) - via a P12 or PFX file protected by a Passphrase (which can be empty)
    • Enroll Fossa Certificate - via an enrollment procedure in which the certificate is securely signed on the Fossa Server
    • Enroll Self-signed Certificate - via a fully local enrollment procedure
  • Trusted certificates - a list of Certificate Authority (CA) certificates officially trusted by the main vendors, usually openly published on vendor sites. Fossa Guard has preloaded trusted certificates for the following identity vendors:
    • Comodo
    • DigiCert
    • Fossa.me
    • GlobalSign
    • WISeKey
  • Recipients certificates - contains the public certificates of your recipients, including your own.
Users can import additional Trusted and Recipient certificates via a file in PEM or DER format.

NOTE that self-signed certificates are recognized, and the user is offered the option to add them to both the Trusted and Recipients lists.


By clicking on a Certificate name, the User can view the certificate details.