About ten years ago I was very into PGP-ing my mail. This was during my Windows stage, when I used The Bat! mail client. That stage luckily passed about 6 years ago; you can read about it here, in case you’re interested. After switching to Mac I went searching for an alternative and found a PGPmail plugin for Apple Mail, but I also found a better, Mail-native way to sign and optionally encrypt e-mail using nothing more than Apple Mail and an S/MIME certificate. This is not very difficult and certainly not new, but for completeness I will list the steps to generate, install and distribute your certificate. Furthermore, since iOS 6, S/MIME is supported on your iPhone and iPad (and possibly iPod Touch, I cannot tell, I don’t own one), and I’ll tell you how to install the certificates on those devices as well.
First step is to request the certificate
- Using Safari (this is important: don’t use Firefox or Chrome, or you’ll wind up having to reset everything to try again in Safari, so please, start with Safari the first try :) ), go to https://secure.instantssl.com/products/frontpage?area=SecureEmailCertificate
- Fill in the fields: First Name, Last Name, E-Mail address (of course this should be the address you are going to protect), Country and a revocation password (in case your certificate is compromised). Finally, accept the terms and click Next
- In a few minutes you will be sent an email with further instructions (It will actually take a few minutes, so don’t hold your breath waiting for it).
- Click on the banner that says ‘Click & Install Comodo Email Certificate’
Next step is to install the certificate
Now although the banner says “Install”, it does not actually install anything; you will have to do that yourself.
- Double click the recently downloaded file (CollectCCC.p7s) and install it to the “Login” keychain. (If you run into problems, try the alternative way; open Keychain Access and drag the p7s file to the Login item in the sidebar.)
- The certificate is now installed. Quit Mail if it is running, start it again and create a new email.
- You should now see the “Sign” and “Encrypt” icons on the right side of the toolbars.
Please note: you can only send signed mail from the account you created and imported the certificates for; otherwise the button is greyed out. Also note: you can only send encrypted email to a person whose public key you have. Getting it is easy: have that person send you a signed message and OS X will do the rest. From then on you can send encrypted mail to that person.
Now to get your key to your other Macs
In order to use the certificate on multiple computers, you cannot simply repeat the process; you will have to transport the certificate and key to the other computers. Unfortunately, when you send it by e-mail, you might find that your other Mac refuses the certificate, as by then it has already imported your public key. Don’t worry, and don’t even try that; follow these steps to transport your certificate and key to your other Macs successfully.
- Open Keychain Access.
- Go to the Login keychain
- Select ‘Certificates’
- Unfold the item that says [[your email address]]
- Now select both the certificate and the key, then right-click and choose export
- Now place it on the desktop and protect it with a password (the exported file contains your private key).
- E-mail this p12 file to yourself.
On the receiving Mac, repeat the “install” process above from step 6. Installing a p12 file is practically the same as the p7s file.
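An added check, not part of the original post: Mail only offers Sign and Encrypt when the keychain holds the certificate together with its private key, so it is worth confirming that after each import. The sketch below classifies the output of the macOS `security` tool by SHA-1 hash; the function names, the sample address and the sample hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the macOS `security` CLI;
# function names and sample values below are constructed for illustration.

# SHA-1 hashes of valid identities (certificate + private key), read from
# `security find-identity -v -p smime` output on stdin.
identity_hashes() {
    awk '$1 ~ /^[0-9]+\)$/ && length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ { print toupper($2) }'
}

# SHA-1 hashes read from `security find-certificate -a -Z -e ADDRESS` output.
cert_hashes() {
    awk '/^SHA-1 hash:/ { print toupper($3) }'
}

# smime_state IDENTITY_OUTPUT CERT_OUTPUT
#   identity  : certificate with its private key ("My Certificates")
#   cert-only : certificate without a usable private key (Mail cannot sign)
#   missing   : no certificate for the address at all
smime_state() {
    ids=$(printf '%s\n' "$1" | identity_hashes)
    certs=$(printf '%s\n' "$2" | cert_hashes)
    [ -n "$certs" ] || { echo missing; return 0; }
    for h in $certs; do
        if printf '%s\n' "$ids" | grep -qxF "$h"; then
            echo identity
            return 0
        fi
    done
    echo cert-only
}

# Live check on a Mac: check_keychain you@example.com
check_keychain() {
    smime_state "$(security find-identity -v -p smime)" \
                "$(security find-certificate -a -Z -e "$1" 2>/dev/null)"
}

# Constructed sample output; the hashes are made up.
SAMPLE_IDS='  1) 1111111111111111111111111111111111111111 "alice@example.com"
     1 valid identities found'
SAMPLE_CERT='SHA-1 hash: 1111111111111111111111111111111111111111'
SAMPLE_CERT_NOKEY='SHA-1 hash: 2222222222222222222222222222222222222222'

smime_state "$SAMPLE_IDS" "$SAMPLE_CERT"        # identity
smime_state "$SAMPLE_IDS" "$SAMPLE_CERT_NOKEY"  # cert-only
```

Because `-v` lists valid identities only, `cert-only` also covers a certificate whose key is present but which is expired or untrusted.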
On your iOS devices:
- Send the .p12 file to yourself (to an email address you can open on your iOS device)
- Open the mail and tap the mail attachment
- The Settings app will ask you what to do; tap Install and accept all following screens.
- Now go to the Settings App > Mail, Contacts, Calendars
- Choose the account, tap Account again, then click Advanced
- Way on the bottom, activate S/MIME.
- If you want to sign, activate sign, if you want to encrypt, activate that as well. When you activate an item, you will be asked to select a certificate.
Now another important note:
On your Mac, you can toggle Sign/Encrypt when creating a message, and this setting will persist. On your iOS device, however, you will have to toggle signing/encryption in the settings panel. Hate that, but that’s just the way it is.
Good luck and happy mailing.
I’m trying this under Mavericks 10.9. First, I notice that the instantssl.com website does not work under Chrome, so this must be done in Safari. Second, when I install it in the Keychain, I see it under “Certificates” and I do NOT see it under “My Certificates”. So Apple Mail does not recognize it and does not display the “Sign” and “Encrypt” icons. In the Keychain app, there is no disclosure triangle which might allow me to display the key and export the certificate as a p12.
It is very true that this needs to be done in Safari. Rereading the post, I see that remark is no longer there, will be put there again shortly. Thanks.
Your second remark, I don’t understand; I never had a problem listing it under ‘My Certificates’; you did import the certificates into the ‘Login’ keychain, did you not?
Also, the ‘Disclosure triangle’?? The triangle allows you to see any private key related to the public key; exporting has nothing to do with it.
You cannot send encrypted or signed because you’re missing the private key. You’ll have to remove the key, revoke the certificate and start from scratch. I suspect the failed attempt through Chrome has messed this up.
Same here, it doesn’t work in Mavericks. It’s not shown under my certificates, only under certificates. It doesn’t have the triangle to show the keys.
Just did it myself in Mavericks, Safari 7, there is no problem whatsoever. I can only assume you’re doing something wrong;
before and after, just now;
Also issues here with Mavericks. Importing on Lion is not a problem. So importing and then exporting from Lion as a p12 file solved the issue for me. But it’s weird that it’s not so straightforward (anymore) under Mavericks.
and also weird that not all Mavericks users have problems…