for sending and receiving s/mime signed and encrypted mail, a public certificate authority is not necessary. here is how to become your own s/mime key and certificate master. this guide covers the setup process for both mac and iphone.
- generate s/mime certificate using keychain access
- send signed/encrypted mail from your mac
- send signed/encrypted mail from your iphone
- on recipient's side (iphone)
- on recipient's side (mac)
generate s/mime certificate using keychain access
after opening Keychain Access.app, navigate to Keychain Access » Certificate Assistant » Create a Certificate … to start.
choose a reasonable name; in most cases this would be your given name or nickname. important: tick the checkbox "let me override defaults".
A self-signed certificate does not provide the security guarantee of a certificate issued by a Certificate Authority. Before your self-signed certificate is accepted, the recipient will be asked to confirm that they wish to trust and accept it.
when you click continue, you will be asked if you are sure you want to continue. just click continue.
the following three screens will ask for some information. in my use case i provide this information:
- serial number: 1 (increase this every time a new certificate replaces the previous one)
- validity period: 1460 days (which is four years)
- email address: (your own email address, the one you wish to use for signing/encrypting)
- key size: 2048 bits (no need to change this)
- algorithm: rsa (no need to change this)
in the key usage extension section you can (and probably should) tick every checkbox except encipher only and decipher only.
click continue to get to the extended key usage extension and make sure that email protection is ticked.
continue through the remaining steps until you have successfully created your certificate.
send signed/encrypted mail from your mac
if you already have your email account set up in Mail.app, please make sure to completely quit and re-open the app before creating a new message. if everything went well, you will see some differences when composing a new mail.
two new icons appear on the right of the subject row. the tick mark icon shows whether your mail is signed (blue) or unsigned (gray). the lock symbol is blue if your message will be encrypted, otherwise it stays gray. note: before you can send an encrypted mail, you must have installed the recipient's certificate (public key); this matches the self-signed certificate notice from step one.
receiving an encrypted mail
when you receive your first encrypted message, mail.app will automatically look for your private key to decrypt it. all you have to do is: nothing.
you can double-check that it is an encrypted mail by viewing it as plain text ([cmd] + [alt] + [u]).
send signed/encrypted mail from your iphone
using keychain access.app, you need to export both the certificate and the private key.
save it in .p12 format to your desktop. you will need two passwords:
the first password will be used to encrypt this file and protect the items. you will need this password when installing the .p12 file on your iphone. (once it's installed, you can safely delete this file from your computer; and you can forget the password, too)
the second password is your local user's password, which allows keychain access to export the items.
you could send this file to your iphone via mail, but i highly recommend a purely local transfer method like airdrop instead.
you'll see an incoming airdrop file transfer on your iphone. accept it, tap install twice and enter your password (the one you chose to encrypt the .p12 file).
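the three gui steps so far (creating the certificate in keychain access, exporting key and certificate as a password-protected .p12, and the signed/encrypted exchange between sender and recipient) can be reproduced on the command line with openssl. the script below is an added example and not part of the original guide: the name joe sixpack, the address joe@example.com, the export password and the message body are constructed sample values, and the key usage bits are the ones an email certificate actually needs, so it deviates from "tick every checkbox" by leaving out the ca-only certificate/crl signing bits.

```shell
#!/bin/sh
# added example, not from the original guide: the openssl equivalent of the
# keychain access wizard, the .p12 export, and a signed/encrypted round trip.
# name, address, export password and message body are constructed sample values.
set -eu

WORK="$(mktemp -d)"                # scratch directory holding every artifact
EMAIL="joe@example.com"            # assumption: the address you sign/encrypt with
EXPORT_PASS="change-me-p12-pass"   # assumption: the "first password" from the guide

# certificate profile mirroring the wizard screens: subject, key usage
# (what an email certificate needs; "encipher only"/"decipher only" and the
# ca-only certificate/crl signing bits are left out) and the emailProtection
# extended key usage that mail.app looks for.
cat > "$WORK/smime.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = smime_ext

[ req_dn ]
CN = Joe Sixpack
emailAddress = $EMAIL

[ smime_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:copy
EOF

# step 1: 2048-bit rsa key plus self-signed certificate, serial 1, 1460 days.
make_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -days 1460 -set_serial 1 -config "$WORK/smime.cnf" 2>/dev/null
}

# what the "email protection" and key usage ticks bought you: returns 0 only
# if the eku is present and openssl rates the certificate usable for both
# s/mime signing and s/mime encryption. takes the certificate path.
check_cert() {
    info="$(openssl x509 -in "$1" -noout -text -purpose)"
    printf '%s\n' "$info" | grep -q 'E-mail Protection' || return 1
    printf '%s\n' "$info" | grep -q 'S/MIME signing *: Yes' || return 1
    printf '%s\n' "$info" | grep -q 'S/MIME encryption *: Yes' || return 1
}

# step 2 (iphone): bundle key and certificate into a password-protected .p12,
# then prove the bundle opens with that password and contains the private key.
# on openssl 3 add -legacy to the export if an old importer rejects the file.
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -name "$EMAIL" -out "$WORK/smime.p12" -passout "pass:$EXPORT_PASS"
    openssl pkcs12 -in "$WORK/smime.p12" -nocerts -nodes \
        -passin "pass:$EXPORT_PASS" 2>/dev/null | grep -q 'PRIVATE KEY'
}

# step 3: what the two mail clients do. the sender signs with the private key
# and encrypts to the recipient's certificate (public key); the recipient
# decrypts with the private key and verifies the signature against the
# self-signed certificate it explicitly trusts (-CAfile is the command-line
# version of the "messages from …" tick). returns 0 only if both directions
# reproduce the message.
smime_roundtrip() {
    printf 'hello from joe\n' > "$WORK/msg.txt"      # constructed message body

    openssl smime -sign -in "$WORK/msg.txt" -text -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -out "$WORK/signed.eml"
    openssl smime -encrypt -aes256 -in "$WORK/msg.txt" -text \
        -out "$WORK/encrypted.eml" "$WORK/cert.pem"

    # what "view as plain text" shows: a signed mail is multipart/signed,
    # an encrypted one is pkcs7-mime with smime-type=enveloped-data.
    grep -q 'multipart/signed' "$WORK/signed.eml" || return 1
    grep -q 'smime-type=enveloped-data' "$WORK/encrypted.eml" || return 1

    openssl smime -decrypt -in "$WORK/encrypted.eml" -text \
        -recip "$WORK/cert.pem" -inkey "$WORK/key.pem" -out "$WORK/decrypted.txt"
    openssl smime -verify -in "$WORK/signed.eml" -text \
        -CAfile "$WORK/cert.pem" -out "$WORK/verified.txt" 2>/dev/null
    grep -q 'hello from joe' "$WORK/decrypted.txt" || return 1
    grep -q 'hello from joe' "$WORK/verified.txt" || return 1
}

main() {
    make_cert
    check_cert "$WORK/cert.pem"
    export_p12
    smime_roundtrip
    echo "key, certificate and .p12 are in $WORK"
}

main
```

run it as a plain script; it prints the scratch directory holding key.pem, cert.pem and smime.p12. the verify step only succeeds because cert.pem is handed over as a trusted root, which is exactly the situation the guide describes: a self-signed certificate is trusted only because the recipient says so.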
set up s/mime in ios's settings
grab your iphone, open settings.app, and navigate to: mail, contacts, calendars / (your account) / account / advanced and activate s/mime. then check the sign and encrypt by default sections and make sure your certificate is ticked.
the next time you open mail to create a new message, you'll notice the lock symbol, which tells you whether your mail will be signed/encrypted. if it's locked, your message will be encrypted.
on recipient's side (iphone)
the screenshot shows a possible view the recipient gets when receiving your mail on their iphone.
to install the certificate (public key), just tap the name (from: joe sixpack), then view certificate » install. installing the profile is straightforward; once it's done you see the sender's name in blue (no longer red) with a tick mark icon.
if the recipient already uses s/mime with automatic encryption on the iphone, a simple tap on reply will result in an encrypted response (note the blue text at the top).
on recipient's side (mac)
when receiving your first signed mail from someone, mail.app on the mac will show a note that it's unable to verify the message's signature. again, very straightforward: click show details » show certificate and tick the checkbox labeled „messages from …“: