Cryptoucan™ usage: Generating keys on macOS

Written by Lída Hrnčířová on August 22, 2019.

In today’s blog post you’ll find how to generate your own set of cryptographic keys and revocation certificate on macOS with Thunderbird email client. If you’re still not sure why would you need cryptographic keys and what is revocation certificate for, we covered those topics here too. And, as always, we made another instructional video that will guide you through the process.

To be able to sign, encrypt or decrypt e-mails, you have to generate your keys[1] first. You’re going to get three types of keys: signature key, authentication key and decryption key. All of them are pairs of private and public keys. Public key, as you can guess by its name, is for others to use to send you encrypted e-mails and to verify your signature. Private key is known only to you and you’ll be using it to sign your e-mails and to decrypt messages sent to you.

Keep reading to find out how to generate your keys or watch the instructional video here.

Generating keys

To get to the key generation window, follow these steps in Thunderbird email client:

  • After opening Thunderbird proceed with clicking menu button represented by three lines at the top right corner of the window
  • Choose Enigmail sub-menu
  • Proceed with Key Management option that will pop up when you hover over the Enigmail sub-menu – Key Management window will pop up
  • Choose File option at the top menu bar
  • Proceed with Manage SmartCard option – OpenPGP SmartCard Details window will appear
  • Go to the option SmartCard at the top menu bar
  • Choose Generate Key

Now we got to the key generation dialog window!

Picture 1: Key generation window

You just have to set few things now:

  • Choose the user identity for newly generated keys in case you have multiple email accounts
  • Uncheck Save backup of key outside the card option as the Cryptoucan won’t let you do it as a security feature.
  • Set the key expiration period (You can check Key does not expire if that’s what you want.)
  • Click Generate key
  • Confirm it by clicking the same button in the following window

During the process, you’ll be asked to enter your PIN codes (both user PIN 1 and administrative PIN 3) several times. Enter them using Cryptoucan’s keypad, don’t forget to confirm them by pressing the hexagon symbol in the bottom right corner of the keypad.

Picture 2: entering PIN

If you’re not going to get the certificate in the next step (Which would be a mistake, as you may find out in the following paragraph.), disconnect Cryptoucan™ and connect it again to ensure that your private material inside the device is safe.

Revocation Certificate

You’ll be asked whether you want to get the certificate right after you generate your keys. Well, what is it for, why should you get it and how can you get it?
Revocation certificate is a special type of a public key signature[2]. There are three common situations which will make you appreciate having revocation certificate:

    1. Your private key is no longer private – anyone who knows your private key and has access to the emails can read them.
    2. You’ve blocked your Cryptoucan™ irreversibly by entering incorrect admin PIN 3 too many times.
    3. You’ve generated new keys.

Once one of those situations happens, you can upload this certificate to key servers[3], basically saying: “I’m the owner of this key and I’m saying that the key is no longer to be valid” this way.
We strongly recommend you getting the certificate as it only takes a minute to get and it can save you a lot of trouble.

Picture 3: Revocation certificate generating window

After the key generation process is done, you’ll be asked whether you want to get the revocation certificate or not:

  • Click Generate Certificate
  • Choose the destination where you’re going to save it in the save dialog window that pops up
  • Click Save
  • Enter your PIN on Cryptoucan’s keypad one last time as the certificate itself needs to be signed

At the end of this process, reconnect the USB cable to make sure your information is safely locked inside the device.

You can watch the step by step guide in this video!

Video 1: Cryptoucan™ usage: Generating keys

And that’s all for today’s blog post! Next week we will discover how to personalize Cryptoucan™ on macOS. Thank you very much for reading!


1. More info: Key management – introduction
2. More info: RFC 4880, Section 5.2.1
3. More info: Key server