Setting up S/MIME mail encryption on Mac OS and iOS

On November 18, 2014, in Mac OS, by Rob Levandowski

Encryption software can do two things for your email: It can sign your messages, to prove that it was you who sent it and that the message wasn’t altered in transit; and it can encrypt your messages, so no one but the recipient can read the contents.

There are two standard methods for encrypting e-mail: PGP and S/MIME. Most security types like PGP (or its open-source clone GPG), because it’s been around for a long time. The problem is that PGP requires a certain amount of technical savvy to use safely, and it can be awkward to use. That’s especially true on Apple products. While a GPG plugin is available for Mac OS, in my experience it doesn’t work very well. It seems to crash a lot, it breaks with every new Mac OS version, and it’s no longer free.

The alternative is S/MIME, which is an official Internet standard. S/MIME has long been the bastard stepchild of e-mail encryption, largely because it’s more complex to set up and keep up. However, Apple’s Mail programs on Mac OS and iOS both support it, as does Microsoft Outlook on Windows. There are plenty of S/MIME compatible mail programs.

Setting up S/MIME for your Apple products isn’t that hard. Even if you normally prefer PGP/GPG, it’s a good idea to set up S/MIME as well.  Here’s a step-by-step walkthrough.

In this example, I’m presuming you have a Mac and one or more iOS devices (iPhone, iPad, iPod). It’s possible to set up S/MIME directly on an iOS device, but I’ll leave that to someone else to figure out. Here, I’ll show you how to set up S/MIME on your Mac running 10.9 “Mavericks” or 10.10 “Yosemite”, and then transfer that S/MIME certificate to your iOS 7 or 8 device.

Getting an S/MIME certificate

To use S/MIME, you must obtain an SSL certificate for your e-mail address. To be useful, you need an SSL certificate that is signed by one of the major Certificate Authorities (CAs). The “big” commercial CAs are already trusted by most operating systems. (It’s possible to generate a “self-signed” SSL certificate on your own, but that will generate “untrusted certificate” errors for your correspondents unless you make them do extra work.)

There are several CAs that will give you a “Class 1” SSL certificate for your email address. That’s the minimum you need.  You can get “better” certificates that provide a stronger proof of your identity. If you don’t already know you need a better SSL certificate (and how to get one), you’re almost certainly fine with a Class 1 certificate.

StartCom offers a basic Class 1 SSL certificate at no charge. It’s good for a year. You can get a new one at no charge when it expires. For personal e-mail, it’s sufficient.

To get a StartCom SSL certificate:

  1. Go to https://www.startssl.com in Safari. (It’s important that you use Safari.)
  2. Click the “Control Panel” button at the top right of the page.
  3. Click “Sign-up”.
  4. Enter your name and address. Enter the e-mail address for which you want a certificate. Make sure you spell it correctly. Click Continue.
  5. A pop-up message will appear asking you to verify that you’ll comply with the StartCom policies. Do so.
  6. Your browser may seem to take a while to load. Don’t hit reload or quit the browser. During this time, your browser and the CA are negotiating your new key.
  7. A new screen will appear asking you to enter a verification code. Check the e-mail account you entered; it should be there. Copy and paste it into the field. You need to do this within 15 minutes, or you’ll have to start over.
  8. You’ll be asked to verify what grade of key you’d like to generate. I recommend you select “2048 (High Grade)”.
  9. After clicking “Install” on the next screen, Safari will download the new key and start the Keychain Access program. You may see its icon bouncing in your Dock. Click the Keychain Access icon in the Dock.
  10. You should see your new key listed under the “login” keychain, in the “My Certificates” category.

Getting more SSL certificates

If you have more than one e-mail address, you can get additional SSL certificates now. Go to the StartSSL Control Panel and click on Validation Manager. This will let you validate the new e-mail address. Once you complete the validation process, you can click Certificate Manager to create a new certificate for the additional address. When Certificate Manager asks you to choose between SHA-1 and SHA-2 (Advanced), select SHA-2.

Installing your S/MIME certificate in Apple Mail

  1. If you already have Mail running, quit it and restart it. That will load the new key (presuming the account is already set up in Mail).

Using S/MIME in OS X Mail

Any message you send from an account that has a valid S/MIME certificate will automatically be signed. In the new-message window, you’ll see a checkmark icon near the subject line. It will be dark (10.9) or blue (10.10) to indicate the message will be signed.

When you receive a message that is signed with an S/MIME SSL certificate, you’ll see a similar blue checkmark next to the sender’s name in the message. Mail will automatically remember that SSL certificate.

To encrypt a message, you must first have the S/MIME SSL certificate for each recipient. Click the padlock icon near the subject line so that it’s a closed padlock. This enables encryption. If you cannot click it or it is greyed out, you’re missing the SSL certificate for one or more of the recipients. The easiest way to get someone’s SSL certificate is to ask them to send you a signed message.

To see if you have a valid SSL certificate for a recipient, check the Contacts application. A checkmark-in-a-seal icon will appear next to each email address that has a valid SSL certificate on file.

Installing your S/MIME certificates on iOS

Once you’ve got your S/MIME certificate installed on your Mac, you can transfer it to an iOS device.

Part One: Export the certificate from your Mac

  1. Open the Keychain Access application. If it’s not already open, you can find it in the Utilities folder of your Applications folder.
  2. Select the “login” keychain from the Keychains list on the upper left side of the Keychain Access window.
  3. Select “My Certificates” in the Category list on the lower left side of the window.
  4. On the right side of the window, a list of certificates will appear. Find the one that’s associated with your e-mail account. If there’s more than one, check the expiration-date column and select the one with the most recent date. However, do not select one that has a red X on its icon; such certificates are invalid.
  5. Choose “Export Items…” from the File menu.
  6. Select the “Personal Information Exchange (.p12)” file format. Give the file a suitable name, and save it someplace safe. I suggest that you do not save it to cloud storage (iCloud, Dropbox, etc.).
  7. You’ll be prompted to create a strong passphrase for the file. This will be used to secure your certificate while you move it. It’s important that you choose a very strong passphrase. I recommend using a random password that’s at least 20 characters long, or a phrase made up of six or more random words.
  8. Now that the .p12 file is created, e-mail it to yourself.
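Before a .p12 file goes anywhere, it is worth knowing exactly what is inside it and that the passphrase is doing its job. The following is an added example, not from the original post and not Apple’s tooling: with the OpenSSL 1.1.1+ command line it builds a constructed self-signed identity for the made-up address alice@example.com, packs it into a passphrase-protected .p12 of the same kind Keychain Access writes from “Export Items…”, generates a passphrase of the recommended strength, and runs the checks that matter in step 4 above (which address the certificate is for, and whether it has expired). File names and the work directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Requires an OpenSSL 1.1.1+ CLI.
# The identity below is self-signed and constructed for demonstration; the
# .p12 handling is the same for a CA-issued certificate exported from Keychain Access.
set -eu

WORK="${P12_DEMO_DIR:-$(mktemp -d)}"   # scratch directory (assumed location)

# Throwaway self-signed identity: <name>.key and <name>.crt in $WORK.
make_identity() {
    name="$1" addr="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$name/emailAddress=$addr" -addext "subjectAltName=email:$addr" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# 32 characters of random base64: comfortably past the 20-character minimum above.
random_passphrase() { openssl rand -base64 24; }

# Bundle key + certificate into PKCS#12. The passphrase travels through the
# environment (env:) rather than on the command line, so it is not visible in `ps`.
pack_p12() {
    name="$1"
    P12_PASS="$2" openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
        -name "$name S/MIME identity" -out "$WORK/$name.p12" -passout env:P12_PASS
}

# Exit status 0 only when the passphrase opens the file; a wrong one fails the
# file's integrity (MAC) check, which is what protects the key in transit.
p12_opens_with() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS -info >/dev/null 2>&1
}

# Print the certificate inside: owner, e-mail address(es) and expiry date.
inspect_p12() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null \
        | openssl x509 -noout -subject -email -enddate
}

# Exit status 0 when the certificate has not yet expired (the "red X" case above).
p12_not_expired() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null \
        | openssl x509 -noout -checkend 0 >/dev/null
}

run_demo() {
    make_identity alice alice@example.com
    PASS="$(random_passphrase)"
    pack_p12 alice "$PASS"
    inspect_p12 "$WORK/alice.p12" "$PASS"
    p12_not_expired "$WORK/alice.p12" "$PASS" && echo "certificate still valid"
    p12_opens_with "$WORK/alice.p12" "not-the-passphrase" || echo "wrong passphrase rejected"
    echo "bundle written to $WORK/alice.p12"
}

run_demo
```

The same `inspect_p12` check works on a file exported by Keychain Access, which is a quick way to confirm you picked the right certificate in step 4 before it leaves the machine; macOS ships LibreSSL rather than OpenSSL, so the `-addext` used to build the demo identity may be missing there, but the pkcs12 and x509 inspection commands are the same.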

Part Two: Import the certificate on your iOS device

  1. Open the Mail app and find the message that contains the .p12 file. Tap the file icon to load it.
  2. An “Install Profile” popup will appear for the Identity Certificate. Tap “Install”.
  3. A warning that this is an unsigned profile may appear. If that happens, tap “Install Now” to acknowledge it.
  4. You will be prompted for your Passcode. Enter the passcode you use to unlock your iPad or iPhone when it’s at the lock screen. (You do have a passcode set, right?)
  5. You’ll then be asked for the password for the certificate. Enter the passphrase you came up with when you created the .p12 file on your Mac.
  6. You may see a note that the certificate is “Not Trusted”. That’s okay.
  7. Push the Home button. Find the Settings app and start it.
  8. In Settings, find “Mail, Contacts, Calendars” and select it.
  9. In the list of accounts, find the account for this e-mail address and tap it.
  10. Tap the “Account” line.
  11. Scroll down until you see “Advanced”. Tap it.
  12. Scroll down until you see the “S/MIME” section.
    1. Make sure “S/MIME” is turned on.
    2. Tap “Sign”. Make sure that the certificate for this account is selected, and that Sign is turned on. (If you tap on the (i) icon, you should see that the certificate is “Trusted”.)
    3. Tap “< Advanced” or “< Back” to go back to the Advanced screen.
    4. Tap “Encrypt by Default”. Again, select the correct certificate, and make sure Encrypt by Default is turned on.
    5. Back out until you’re at the Account screen, and then tap Done to accept the changes.
  13. Repeat the above steps for each additional iOS device you use.
  14. When you’re done with all your iOS devices, delete the email containing the .p12 file so no one can get a copy by hacking your e-mail account!
  15. Repeat the above steps for each additional e-mail account you need to set up.

Using S/MIME in iOS Mail

iOS Mail will automatically sign any messages you send from an account that has a valid S/MIME key installed.

Unlike OS X Mail, iOS Mail does not automatically remember the S/MIME certificate from a signed message. If you receive a signed message, you need to manually add the sender’s certificate to use it for encryption later:

  1. Tap the sender’s name in the “From” header. (It will have the checkmark-of-quality indicating a valid S/MIME certificate.)
  2. When the sender-address pop-up appears, tap “View Certificate”.
  3. Make sure that “Trusted” appears next to the Install button. That indicates that the certificate is valid.
  4. To install the certificate, tap “Install”.
  5. Tap “Done.”
  6. Tap outside the address pop-up to close it.

When you send a message, iOS will automatically encrypt it if you have the recipient’s S/MIME certificate. When you compose mail, you’ll see “Encrypted” at the top of the window. That will appear so long as you have S/MIME certificates for all the recipients. If you enter an address for someone for whom you have no certificate, the header will change to “Not Encrypted”. You’ll see blue padlock icons next to each recipient whose certificate you possess, allowing you to see who the insecure person is.
