Verification of electronic signature on invoices

An ominous experience
Do you know that feeling when an invoice arrives in the mail and the boss is just not reachable? And it's nothing compared to when the boss himself writes to you late on a Friday afternoon that the enclosed invoice must be paid that evening. Then one might easily get nervous and ends up paying without consultation (I won't look incapable, I am an independent decision maker!). And so it can easily happen that you pay for something that the company actually did not order at all, or you pay someone else entirely. It's probably already clear now - you've been the victim of a fraudulent email or a fake invoice.

In such cases, it is common to be cautious. However, not everyone checks the sender's address  - after all, it did say "John Smith" and that, boss, is you. The fact that the entire address was "John Smith" <> the poor man didn't notice. I'm an accountant, not an I.T. guy!

Tools for protecting ourselves
To avoid such cases, there is a very useful thing - an electronic signature. It confirms the identity of the sender and verifies changes to the content of the email.. We will not go into the complex principles of its operation and setup. But we will show how to recognize the right email using examples of invoices delivered in different ways to the address of our Jan Žižkovský.
Important emails sent by our company are electronically signed. Most widely used e-mail clients will display a symbol next to the message indicating the signature.

- as you can see, Outlook doesn't trust the signature because it doesn't know the Certificate Authority yet



Apple mail 

You can easily tell if everything is OK by the icons:
… or whether you should pay closer attention:

Trust, but verify
Just because an email doesn't have the right icon next to our address and you see a question mark or exclamation point instead of a check mark doesn't mean the message is fraudulent. Your e-mail client (or operating system) may simply not yet "know" our certificate. Now we'll show you how to check if the certificate is actually issued for our email address. But first we will need a little theory.
Certificate and Certification Authority
A certificate can be thought of as a card that verifies your identity. To be trustworthy, a certificate must be issued by a trusted authority. You can certainly see the similarity to an ordinary ID card. Let’s say all you need to get your new ID is a birth certificate, proof of citizenship and two photos and a municipal (or other) office as a trustworthy enough place to file and process your request.
It is similar with a certificate. Instead of the office, we submit the application to a trusted Certificate Authority (CA). It independently verifies the submitted data (public encryption key + identification data) and digitally signs with its own private key.  This confirms that the data is in order and can be trusted.
If the mail recipient's e-mail client has stored the so-called root certificate of the CA used to issue the sender's certificate, its identity is taken as trusted. This is why CAs distribute their root certificates within operating systems (Windows...) or applications (Firefox, Thunderbird...). However, there are many CAs and so it is not possible to store everything in one’s computer, but nothing is lost - you can always import the CA certificates manually

Importing the certificate
Using the example of an e-mail delivered to Thunderbird below, we will show you what you should pay attention to. Thunderbird does not use Windows storage, you will need to import the certificate.

With the e-mail open, click on the message security icon (1.) and then click on the View Signature Certificate button (2.).

For now, Thunderbird doesn't trust the signature because it doesn't know the Actalis certification authority. 

It is advisable to verify the certificate first before saving it. Let's assume we have already done this.

Save the certificate to disk - Authority Information section - the file is named cacertificate_actalis_autclientg3.cer
You can download the certificate directly by click on the link 
Import the file to Thunderbird as a new authority
1. menu Options > Privacy & Security - Manage certificates button

2. In the Certificate Manager window, go to the Authorities > Import button

3. select the file cacertificate_actalis_autclientg3.cer you saved on the disk earlier

4. set the trust level when importing the file
- at least trust the authority to identify mail users

Reopen the signed message and verify that the signature is now shown as authenticated.
- using the View Signature Certificate button, you can display the whole certificate 

You can also add a certification authority to the system (Windows storage)
Run the cacertificate_actalis_autclientg3.cer file that you saved to disk in the previous steps. This will open the CA certificate.

Install on the system by clicking Install certificate > Current user > Automatically select storage > Done

Verifying the certificate 
We already showed you how to import a certificate of a new Certification Authority. Listing the CA as trusted, your e-mail client or system will also trust all the certificates issued by it. This is called trust transfer.
Despite this, it is useful to be able to verify that the certificate is indeed what it seems to be.

In Thunderbird, you can view the certificate of a signed email by clicking the View Signature Certificate button

 In Thunderbird, you can view the certificate of a signed email by clicking the View Signature Certificate button

We will check the subject, issuer, validity and email address for which the certificate is issued - INTERNET.CZ. | Actalis S.p.A. | validity

If they match, everything is fine.

If we are really paranoid, you should also compare the fingerprints.

Compare the fingerprint with the fingerprint published on our website.