update (may 28th, 2016): this article is slightly outdated. please read these instructions instead


s/mime (with sha2 as the signature hash) is currently the best way to send signed and end-to-end encrypted mails. it is well supported in all major (and minor) mail clients on various platforms and operating systems. you can read more about s/mime in wikipedia.

the process is not trivial, but straightforward:

update 2015-12-27: startssl updated their site with a new layout. all instructions on this page still work, but the screenshots show their previous layout.


create an account at startssl

screenshot of startssl.com

head over to startssl, click “sign up for free” in the top left corner and enter your personal enrollment details. once you are done filling out that form, make sure you entered all information correctly and hit continue. you'll get an email from startcom certmaster (certmaster@startcom.org), just follow the instructions inside.

mail from startcom certmaster

normally, your account is reviewed before it is fully activated. this takes from minutes to max. 6 hours. in most cases the quoted wait time is much longer than the time you actually have to wait. grab your next cup of coffee, and i'm pretty sure an email will be waiting for you when you come back to your desk.

Your request for an account at StartSSL™ (www.startssl.com) has been approved …

this is the last step in account setup. copy the verification code from this email, follow the link and paste the code into the text field. a certificate to log in to startssl is now installed (don't worry if keychain access opens up, that's expected). then, you should see this page:

startssl account homepage

awesome. now we are ready to get our s/mime certificate.


get certificate from startssl

open the validation wizard, choose “email address validation” and enter your email address. again, copy and paste the verification code to validate. now choose the certificates wizard and “s/mime and authentication certificate” as certificate target.

a key pair will be generated inside your browser (and not on the server (external link, german)). just leave option “2048 (high grade)” selected and continue. this will take a few moments.

on the next page select your email address and hash algorithm sha2 (read more on sha2 in wikipedia). after clicking continue, your key pair (private and public key) will be saved inside your browser. if you are using safari on os x, it will be automatically saved to your login keychain. at the same time, a file download starts:

screenshot: certificate inside download folder

double click the certificate to import it to your keychain:

screenshot: certificate inside keychain

now, you are ready to send your first mail, using s/mime.

screenshot: new mail, using s/mime on os x


export certificate, import on iphone

export on mac

open keychain access.app (found inside the utilities folder), choose my certificates from the sidebar and find your certificate. right click / context click on your certificate and then export it to a folder of your choice (.p12 file):

screenshot keychain access, export certificate

you will have to enter a password to protect the item you want to export. this will be used only one more time (when importing the certificate on iphone). then you have to allow keychain access to export the items by entering your mac user's password.

screenshot: password protect item
screenshot: allow keychain access the export
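
before copying the exported file to other devices, you can confirm it holds what you asked for above: a certificate signed with sha2, a key of at least 2048 bits, and your email address. the script below is an added example, not part of the original instructions; it assumes openssl is installed, and the function names and the P12_PASS variable are made up for this example.

```shell
#!/bin/sh
# added example: sanity-check an exported s/mime identity (.p12) with openssl.
# the .p12 password is read from the environment variable P12_PASS (an
# assumption of this example) so it never shows up in the process list.

# print the client certificate stored in a .p12 file as pem
p12_cert() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 2>/dev/null
}

# both read a pem certificate on stdin
sig_alg() { openssl x509 -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }
key_bits() { openssl x509 -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1; }

# succeeds if the signature algorithm name uses sha-256, sha-384 or sha-512
is_sha2() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha256*|*sha384*|*sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: check_smime_p12 file.p12 you@example.org
# returns 0 if all checks pass, 1 if a check fails, 2 if the file is unreadable
check_smime_p12() {
    pem=$(p12_cert "$1")
    [ -n "$pem" ] || { echo "cannot read certificate (wrong password?)"; return 2; }
    rc=0
    alg=$(printf '%s\n' "$pem" | sig_alg)
    is_sha2 "$alg" || { echo "signature hash is not sha2: $alg"; rc=1; }
    bits=$(printf '%s\n' "$pem" | key_bits)
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-?} bit"; rc=1; }
    printf '%s\n' "$pem" | openssl x509 -noout -email | grep -qixF "$2" ||
        { echo "certificate does not contain $2"; rc=1; }
    return $rc
}

# constructed sample: throwaway self-signed identity, only for trying the check
make_sample_p12() {   # usage: make_sample_p12 dir email
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=sample/emailAddress=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:P12_PASS -out "$1/id.p12"
}

# run against your own export when called with: file.p12 address
if [ "$#" -eq 2 ]; then check_smime_p12 "$1" "$2" && echo "all checks passed"; fi
```

if openssl cannot read the file although the password is correct, the export may use older pkcs#12 encryption that openssl 3 only reads with the -legacy option of its pkcs12 command.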

import on iphone

drag and drop the certificates.p12 file via airdrop to your iphone (or use apple configurator; do not send it via email to your phone):

screenshot: airdrop certificate

on your iphone import the certificate (here you'll need your password from above again):

iphone screenshot, import certificate

as you can see, the profile is not signed. changing this is very easy: go to startssl on your mac, from the tool box choose startcom ca certificate and download the class 1 intermediate client ca. then drag and drop it to your iphone using airdrop again.

screenshot: startcom ca certificates

once you have imported the ca certificate, your own profile is shown as verified:

iphone: profile verified


enable s/mime in ios's settings app

grab your iphone, open settings.app, navigate to mail, contacts, calendars and delete your mail account. after adding your mail account again, navigate to mail, contacts, calendars / (your account) / account / advanced and activate s/mime. then check the sign and encrypt by default sections, and make sure your email certificate is ticked. the next time you write a new mail, you'll notice the lock symbol, indicating that you are ready to send s/mime enabled mails.

iphone: email settings, smime


if you have received a signed mail from one of your contacts, you can import their certificate (public key). tap on their email address, then view certificate and install. from now on, you can send encrypted mails to that person. (this applies to your mac as well, just import the other person's profile to encrypt your next mail.)

iphone: signed mail


update 2015-12-07: added workaround for ios, not encrypting messages (thanks to marc, @_catstate)

main picture by life of pix, CC0 1.0 license