skip to content

Signing and encrypting e-mails 

Employees of the University of Cologne can use S/MIME (Secure Multipurpose Internet Mail Extensions) certificates for e-mail signing and encryption, document signing . Use requires a personal certificate, which can be applied for online. Students are excluded from the use, unless they are SHK, WHB or WHK.


Instructions for applying can be found on our website.


Importing (and using) the S/MIME certificates differs in different email clients. Below you will find instructions for Mozilla Thunderbird, Microsoft Outlook, Apple Mail and Mail on iOS. For Android, there is currently no free email app or one that is integrated into the operating system that can handle S/MIME and is easy to configure (if you are still interested in using S/MIME in Android, please contact the RRZK helpdesk).

The instructions assume that you have already set up the e-mail box of your personal account in the respective e-mail client (see the instructions for setting up an e-mail client).

The use of certificates is not possible under Webmail.

Mozilla Thunderbird

  • In Mozilla Thunderbird, click on 'Open menu' [Picture 1] in the top right-hand corner of the menu bar and then on 'Options'.
  • Click on 'Privacy & Security' (in the menu bar), go to 'Security' and 'Certificates'. Now click on 'Manage Certificates...'. [Picture 2].
  • Now click on 'Import...' under 'Your Certificates' in the 'Certificate Manager' section. [Picture 3].
  • Now select the file path to your previously exported certificate and enter the PIN assigned to it.
  • If the import was successful, your certificate will be displayed under 'My Certificates'.
  • After the import process has been completed, right-click on your e-mail inbox [Picture 4] and select 'Settings' to go to 'Account Settings'.
  • Now click on 'End-to-End Encryption' in your e-mail inbox [Picture 5].
  • You can now 'Select...' your certificate for signing and encrypting.
  • By clicking on the pull-down menus, your imported certificate will be displayed, which you only have to select here.
  • You can now also select by default whether each new e-mail should be signed and/or encrypted by default (see Picture 6). For signing, a check mark must be set at 'Add my digital signature by default', for encryption at 'Require encryption by default'. We recommend that you preset the signing automatically and switch off encryption by default ('Do not enable encryption by default'). This is because sending an encrypted e-mail is only possible if you have the public certificate of the receiving person (which is unlikely for all your contacts). If you want to send an encrypted e-mail, you can also set this directly when you compose an e-mail (this also applies to signing the e-mail) [Picture 7].
Microsoft Outlook

  • Click on 'File' [Picture 1] in the menu bar and then on 'Options' [Picture 2].

  • In the Outlook options, select 'Trust Center' [Picture 3] on the left and then 'Trust Center Settings...' on the right.

  • In the 'Trust Center', select 'Email Security' on the left and then 'Import/Export' under 'Digital IDs (Certificates)' [Picture 4].

  • In the following window, select the certificate you have previously exported in the browser in the 'Import File' field and enter the 'Password' you have assigned in the field below [Picture 5]. Confirm the following message.

  • Now select the button 'Settings...' under 'Email Security' in the category 'Encrypted email'. [Picture 6]. Enter a name for the security settings ('Security Settings Name'). Now select the previously imported certificate in the 'Certificates and Algorithms' section under 'Signature Certificate' by confirming the displayed message (the certificate is now also automatically entered in 'Encryption Certificate'). Finally, click "OK" at the bottom of the 'Security Settings' window.

  • In the 'Trust Center', you should now check 'Add digital signature to outgoing messages' under 'Encrypted email' in the 'Email Security' menu item [Picture 7]. This will sign all e-mails you have automatically created with your certificate. We do not recommend that you also place a check mark in 'Encrypt contents and attachments for outgoing messages' because you probably do not have a certificate from all contacts and sending an encrypted e-mail is only possible if you have the public certificate of the recipient. If you want to send an encrypted e-mail, you can also set this directly when writing an e-mail (this also applies to signing the e-mail) [Picture 8].

Apple Mail (macOS)

Click on the previously exported certificate file (if necessary also on another computer) and enter the corresponding password [Picture 1]. The certificate is now imported into the keychain management.

The certificate is now automatically integrated in Apple Mail. When composing a new e-mail there is now the possibility to either sign (1) or encrypt (2) the e-mail using two buttons [Picture 2].

Mail (iOS)

You must first transfer the certificate to your device (e.g. via e-mail or cloud), as it cannot be applied for with iOS.



  • Navigate to the 'Settings' on your iPad/iPhone. Select the first menu item 'Profile loaded' [Picture 1].
  • Click on the file and confirm the installation in the new window [Picture 2].
  • Now enter the password of your iPhone/iPad [Picture 3].
  • Click on "Install" [Picture 4] again in the following window and confirm this with "Install" [Picture 5].
  • Enter the password for the certificate that was assigned during the export [Picture 6].
  • Finish this process with 'Done' [Picture 7].

Mail (iOS) MailConfig

Configuration from "Mail"

  • Now navigate in the settings to 'Passwords & Accounts' (in earlier iOS versions you go directly to 'Mail') [Picture 1].

  • Call up your university account there.

  • Now click on 'Account' [Picture 2] and then on 'Advanced' [Picture 3].

  • Under 'Sign' (1) and 'Encrypt by Default' (2) you can now set preferences for all future e-mails [Picture 4]. We recommend that you only make 'Sign' the default setting. You should not activate encryption by default, because you probably do not have a certificate from all your contacts and sending an encrypted e-mail is only possible if you have the public certificate of the receiving person.

  • After clicking on 'Sign' you have to activate signing on the corresponding subpage [Picture 5].

  • Now click on the blue back arrow in the upper left corner and then on the arrow again on the top page. Then confirm on the account overview page with 'Done'.

If you have any questions or problems, please contact the RRZK-Helpdesk