Small Orbit is not a commercial certificate authority. Unlike Verisign or DigiCert, for example, its root certificate does not automatically come installed and "trusted" on your computer. But that doesn't mean Small Orbit is any less secure! The certificates are generated with the same encryption technology (RSA 2048) as the big guys. You just need to make sure the friends you wish to exchange signed and encrypted email with have manually installed and "trusted" the Small Orbit root certificate.


Your name and email address collected during the certificate generation process are never shared with anyone beyond Small Orbit, and private keys generated on the Small Orbit server are purged immediately on logout.

That said, if you'd like to create a CSR and private key locally, you can do that. Small Orbit can still generate a signed certificate for you.

1. On a Mac, run the following command in Terminal:

openssl req -new -newkey rsa:2048 -nodes -keyout ~/Downloads/smallorbit.pem -out ~/Downloads/smallorbit.csr

You can skip all of the prompts except for "Common Name," which should be your first and last name, and "Email Address." You can also skip the challenge password. Two files, "smallorbit.pem" and "smallorbit.csr," will be created and placed in your Downloads folder.

2. Email the CSR file to Small Orbit.

3. Download the Small Orbit CA root certificate and save it to your Downloads folder.

4. Import your private key and the root certificate into Keychain Access by running the following command in Terminal. You will be prompted to enter your Mac's admin password a couple of times in order to "trust" the root certificate.

security import ~/Downloads/smallorbit.pem -k ~/Library/Keychains/login.keychain && security add-trusted-cert -d -r trustRoot -p smime -p basic -k ~/Library/Keychains/login.keychain ~/Downloads/smallorbit-ca.cer

5. You will receive an email with instructions on how to retrieve and install your signed certificate (usually within 24 hours).
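
A pre-flight check you can run between steps 1 and 2, as an added example that is not part of Small Orbit's own instructions: it confirms that the CSR verifies, uses at least RSA 2048, was generated from the private key you kept, names a Common Name and Email Address, and that the unencrypted key file (`-nodes`) is readable only by you. The function names and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Small Orbit's code). Usage:
#   sh check_csr.sh ~/Downloads/smallorbit.pem ~/Downloads/smallorbit.csr

# SHA-256 of the public key inside a CSR / derived from a private key.
csr_pub_hash() { openssl req -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
key_pub_hash() { openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'; }

fail() { echo "FAIL: $2" >&2; return "$1"; }

# Returns 0 if the pair is safe to use, else a code naming the failed check.
check_csr_pair() {
    key=$1; csr=$2

    # 1: the CSR's self-signature proves it was made with the matching key.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { fail 1 "CSR self-signature does not verify"; return; }

    # 2: the page promises RSA 2048; reject anything smaller.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { fail 2 "key is ${bits:-?} bits"; return; }

    # 3: the key you keep must be the one the CSR asks the CA to certify.
    [ "$(csr_pub_hash "$csr")" = "$(key_pub_hash "$key")" ] \
        || { fail 3 "CSR was not generated from this private key"; return; }

    # 4: step 1 requires Common Name and Email Address in the subject.
    subj=$(openssl req -in "$csr" -noout -subject)
    { printf '%s\n' "$subj" | grep -Eq 'CN ?=' &&
      printf '%s\n' "$subj" | grep -Eq 'emailAddress ?='; } \
        || { fail 4 "subject lacks CN or emailAddress: $subj"; return; }

    # 5: -nodes leaves the key unencrypted, so no group/other access.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
        || { fail 5 "run: chmod 600 $key"; return; }

    echo "OK: ${bits}-bit RSA, $subj"
}

if [ "$#" -eq 2 ]; then check_csr_pair "$1" "$2"; fi
```

Only the .csr file needs to leave your machine in step 2; the .pem private key stays local.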

S/MIME and Encryption.

S/MIME stands for Secure/Multipurpose Internet Mail Extensions and is a technology used to digitally sign and encrypt emails. When you receive a signed and encrypted email you can be assured that the sender really is who they say they are, and that no one other than the sender and the intended recipient(s) has seen it. However, an email that was originally encrypted can be forwarded in unencrypted form after it has been received, so, if you're the sender, make sure you trust your recipient(s)!

Usage Limitations.

Certificates and private keys must be configured to work with each mail client that you plan to use the encryption-capable address with. For example, Small Orbit sets you up to exchange signed and encrypted emails using a particular email address from within the Apple Mail client. If you also use that same email address on your mobile device or on another computer, and want to sign and encrypt from there (or read your previously encrypted messages), you will need to import your certificate, private key, and Small Orbit root certificate onto that device.

Also, if you send a signed email to someone who does not have the Small Orbit root certificate installed, they may get a notification that the email is not secure. To avoid confusing (or alarming!) your recipient(s), remember to only sign (and encrypt) emails that are going to known Small Orbit users.

2022