
be your own s/mime key master

for sending and receiving s/mime signed and encrypted mail, a public certificate authority is not necessary. here is how to be your own s/mime key and certificate master. this guide covers the setup process for both mac and iphone.


content:

  1. generate s/mime certificate using keychain access
  2. send signed/encrypted mail from your mac
  3. send signed/encrypted mail from your iphone
  4. on recipient's side (iphone)
  5. on recipient's side (mac)

generate s/mime certificate using keychain access

screenshot: keychain access, create a certificate

after opening Keychain Access.app navigate to Keychain Access » Certificate Assistant » Create a Certificate … to start.

screenshot: certificate assistant, name

choose a reasonable name. in most cases this would be your given name or nickname. important: tick the checkbox let me override defaults.

A self-signed certificate does not provide the security guarantee of a certificate issued by a Certificate Authority. Before your self-signed certificate is accepted, the recipient will be asked to confirm that they wish to trust and accept it.

when you click continue you will be asked whether you are sure you want to continue. just click continue.

the following three screens will ask for some information. in my use cases i provide this information:

  • serial number: 1 (increase this every time you create a new certificate that replaces the previous one)
  • validity period: 1460 (which is four years)
  • email address: (your own email address, the one you wish to use for signing/encrypting)
  • key size: 2048 bits (no need to change this)
  • algorithm: rsa (no need to change this)

screenshot: certificate assistant, key usage extension

in this section you can (and probably should) tick every checkbox except encipher only and decipher only.

screenshot: certificate assistant, extended key usage extension

click continue to get to the extended key usage extension and make sure that email protection is ticked.

screenshot: certificate assistant, conclusion

continue through the remaining steps until you have successfully created your certificate.
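for readers who prefer the command line, or who want to see exactly which certificate fields the assistant sets, here is the openssl equivalent of the wizard above. this is an added example and not part of the original post: it builds a 2048-bit rsa key and a self-signed certificate with serial number 1, 1460 days of validity, the key usage bits and the email protection extended key usage, then bundles key and certificate into a password-protected .p12 of the kind the iphone section later imports. the name, address and passwords are made-up placeholders; replace them with your own.

```shell
#!/bin/sh
# added example, not from the original post: openssl equivalent of the
# keychain access certificate assistant (2048-bit rsa, serial 1, 1460 days,
# key usage bits, "email protection" extended key usage) plus the .p12 export.
# all names, addresses and passwords below are made-up placeholders.
set -eu

SMIME_NAME="Joe Sixpack"              # assumed: the "name" field of the wizard
SMIME_EMAIL="joe@example.org"         # assumed: the address you sign/encrypt with
SMIME_SERIAL=1                        # increase it for every replacement certificate
SMIME_DAYS=1460                       # four years, as in the text
P12_PASSWORD="change-me-p12-export"   # the first password of the export step

# make_smime_cert DIR: writes DIR/smime.key (private key), DIR/smime.pem
# (self-signed certificate) and DIR/smime.p12 (both, password-protected)
make_smime_cert() {
    dir="$1"
    mkdir -p "$dir"
    # the extensions the "key usage" and "extended key usage" screens set;
    # encipherOnly/decipherOnly stay off, as the text recommends
    cat > "$dir/smime.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = smime_ext
[dn]
CN = $SMIME_NAME
emailAddress = $SMIME_EMAIL
[smime_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$SMIME_EMAIL
EOF
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/smime.key" -out "$dir/smime.pem" \
        -days "$SMIME_DAYS" -set_serial "$SMIME_SERIAL" \
        -config "$dir/smime.cnf" 2>/dev/null
    # same as "export" in keychain access: key + certificate in one .p12,
    # encrypted with the password you will later type on the iphone
    openssl pkcs12 -export -inkey "$dir/smime.key" -in "$dir/smime.pem" \
        -name "$SMIME_NAME" -out "$dir/smime.p12" -passout "pass:$P12_PASSWORD"
    chmod 600 "$dir/smime.key" "$dir/smime.p12"
}

# cert_has_email_protection CERT: succeeds only if the certificate carries
# the "E-mail Protection" extended key usage that mail clients look for
cert_has_email_protection() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'E-mail Protection'
}

# p12_subject FILE PASSWORD: prints the subject of the certificate inside
# the .p12, which proves the bundle opens with the export password
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# stand-alone run: build everything in a scratch directory and show the result
out=$(mktemp -d)
make_smime_cert "$out"
openssl x509 -in "$out/smime.pem" -noout -subject -serial -enddate
echo "files written to $out"
```

after running it, `openssl x509 -in smime.pem -noout -text` shows the same fields the assistant's summary screen shows, and the .p12 is the file you would airdrop to the iphone. keep the .key and .p12 files private; the .pem is the certificate (public key) recipients need.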


send signed/encrypted mail from your mac

if you already have your email account set up in Mail.app, make sure to completely quit and re-open the app before creating a new message. if everything went well, you will notice some differences when composing a new mail.

screenshot: mail, compose new mail

two new icons have been added on the right of the subject row. the tick mark icon shows whether your mail is signed (blue) or unsigned (gray). the lock symbol is blue if your message will be encrypted, otherwise it stays gray. note: before you can send an encrypted mail, you must install the recipient's certificate (public key); this matches the self-signed popup message from step one.

receiving an encrypted mail

screenshot: mail app, received encrypted mail

when you receive your first encrypted message, mail.app will automatically look for your private key to decrypt it. all you have to do is: nothing.

screenshot: encrypted mail in plain text

you can double-check that it's an encrypted mail by viewing it in plain text ([cmd] + [alt] + [u]).
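to make the steps mail.app performs silently visible, here is the whole round trip done with openssl: the sender signs and then encrypts, the recipient decrypts and verifies, and the plain-text check above is done with grep. it also shows the "unable to verify message signature" state described in the recipient sections, which goes away only once the sender's self-signed certificate is trusted. this is an added example, not code from the original post; joe, jane, their addresses and the message are constructed for it, and each identity is a throwaway key plus self-signed certificate like the one from the certificate section.

```shell
#!/bin/sh
# added example, not from the original post: sign -> encrypt -> decrypt ->
# verify between two self-signed s/mime users, with openssl. joe (sender),
# jane (recipient), their addresses and the message are constructed.
set -eu

# mk_identity DIR ID EMAIL: throwaway key + self-signed certificate with the
# email-protection extended key usage (see the certificate section above)
mk_identity() {
    printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\nCN=%s\nemailAddress=%s\n[ext]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\nsubjectAltName=email:%s\n' \
        "$2" "$3" "$3" > "$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1460 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# send_mail DIR: what joe's mail.app does when both icons are blue:
# sign with joe's private key, then encrypt to jane's certificate
send_mail() {
    printf 'hello jane, this is a constructed test body\n' > "$1/body.txt"
    openssl smime -sign -in "$1/body.txt" -signer "$1/joe.pem" \
        -inkey "$1/joe.key" -out "$1/signed.eml"
    openssl smime -encrypt -aes256 -in "$1/signed.eml" -out "$1/outgoing.eml" \
        -from joe@example.org -to jane@example.org -subject "s/mime test" \
        "$1/jane.pem"
}

# is_enveloped EML: the plain-text view check ([cmd] + [alt] + [u]) in code:
# an encrypted mail is a single pkcs7-mime part of type enveloped-data
is_enveloped() {
    grep -qi 'pkcs7-mime' "$1" && grep -qi 'smime-type=enveloped-data' "$1"
}

# receive_mail DIR: jane's side, the "do nothing" step: decrypt with her
# private key; the result is joe's still-signed inner message
receive_mail() {
    openssl smime -decrypt -in "$1/outgoing.eml" \
        -recip "$1/jane.pem" -inkey "$1/jane.key" -out "$1/decrypted.eml"
}

# verify_signature DIR TRUSTFILE: succeeds only if the signature chains to a
# certificate in TRUSTFILE. a store without joe's self-signed certificate
# fails, which is the "unable to verify message signature" note; ticking
# "messages from ..." in mail.app corresponds to adding it to TRUSTFILE
verify_signature() {
    openssl smime -verify -in "$1/decrypted.eml" -CAfile "$2" \
        -out "$1/verified.txt" 2>/dev/null
}

# stand-alone run
d=$(mktemp -d)
mk_identity "$d" joe joe@example.org
mk_identity "$d" jane jane@example.org
send_mail "$d"
is_enveloped "$d/outgoing.eml" && echo "outgoing.eml is an encrypted (enveloped) s/mime message"
receive_mail "$d"
grep -qi 'multipart/signed' "$d/decrypted.eml" && echo "decrypted.eml is a signed message"
verify_signature "$d" "$d/jane.pem" || echo "before trusting joe.pem: unable to verify message signature"
verify_signature "$d" "$d/joe.pem" && echo "after trusting joe.pem: signature verified, body follows" && cat "$d/verified.txt"
```

note the order: signing happens first and encryption wraps the signed message, so the recipient sees the signature only after decrypting, and the body never appears in outgoing.eml in the clear. the failing first verify_signature call is the command-line counterpart of the red sender name on the iphone and the warning note on the mac.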


send signed/encrypted mail from your iphone

using keychain access.app, you need to export both the certificate and the private key.

screenshot: keychain access, export certificate and private key

save it in .p12 format to your desktop. you will need two passwords:

  • the first password is used to encrypt this file and protect the items. you will need it when installing the .p12 file on your iphone. (once it's installed, you can safely delete this file from your computer, and you can forget the password, too.)

  • the second password is your local user's password, which allows keychain access to export the items.

screenshot: airdrop file to iphone

you can send this file to your iphone via mail, but i highly recommend a purely local transfer method such as airdrop.

screenshot: iphone, installing certificate

you'll see an incoming airdrop file transfer on your iphone. accept it, tap install twice and enter your password (the one you chose to encrypt the .p12 file).

set up s/mime in ios's settings

screenshot: iphone, settings app, mail, s/mime settings

grab your iphone, open settings.app and navigate to mail, contacts, calendars / (your account) / account / advanced, then activate s/mime. then check the sign and encrypt by default sections and make sure your certificate is ticked.

screenshot: iphone, compose signed mail

the next time you open mail to create a new message, you'll notice the lock symbol, which tells you whether your mail will be signed/encrypted. if it's locked, your message will be encrypted.


on recipient's side (iphone)

screenshot: iphone mail, certificate not installed

the screenshot shows a possible view the recipient gets when receiving your mail on their iphone.

screenshot: iphone mail, certificate installed

to install the certificate (public key), just tap the name (from: joe sixpack), then view certificate » install. installing the profile is straightforward; once it's done you see the sender's name in blue (no longer red) with a tick mark icon.

screenshot: iphone mail, encrypted response

if the recipient already uses s/mime with automatic encryption on the iphone, a simple tap on reply will result in an encrypted response (note the blue text at the top).


on recipient's side (mac)

screenshot: mail, unable to verify message signature

when receiving your first signed mail from someone, mail.app on the mac will show a note that it's unable to verify the message's signature. again, very straightforward: click show details » show certificate and tick the one checkbox labeled „messages from …“:

screenshot: mail app, install certificate using show details window


main picture by marcin szmigiel, CC0 1.0 license