
10.3: S/MIME encryption and Mail.app Apps
I have used S/MIME for mail encryption on PCs with Outlook and on Macs with Mozilla, and I wanted to use the new S/MIME features of Panther's Mail.app. I started by reading TechInfo article 25555, Mac OS X 10.3: Mail - How to Use a Secure Email Signing Certificate (Digital ID), but still ran into a couple of problems -- getting certificates onto my Mac and into the Keychain, and once there, using them. Here are my solutions, which may help some other Mac users save time and avoid frustration.

S/MIME requires that both sender and recipient of encrypted messages have certificates. Typically these come from a certification authority (CA) like Verisign (there are other CAs - I haven't used them). The problem is that Safari cannot be used to download certificates from the Verisign site. Mozilla, however, works fine. Mozilla downloads the certificates into its own certificate management tool, which can be found on the Preferences -> Privacy and Security -> Certificates menu under the Manage Certificates button.

Make the certs available to Apple's applications by exporting them as files, either PKCS#7 (.p7s extension, usually for the certificates of others) or PKCS#12 (.p12 extension, often for your own certificates), then importing them into the Keychain either by double-clicking the certificate files or by dropping them onto Keychain Access.

Once you have the certificates installed and you've addressed a new message to a recipient for whom you have a cert, you should see two additional buttons on the right side of the New Mail window, just above the composition pane. The encryption button looks like a padlock, and the signature button looks like a gear. Click the appropriate button to encrypt or sign your message.

If no buttons appear even though you have valid certs for your recipients, you may be tripping over a difference between Apple's implementation and those of Outlook and Mozilla (which I have used in the past). Apple does not fold the case of the recipient's email address before searching for their cert, whereas both Outlook and Mozilla do. In other words, DogCow@Apple.com does not equal dogcow@apple.com as far as the Panther S/MIME code is concerned. For this reason, make sure that the addresses in your address book match exactly, including case, those on the certificates (viewable with Keychain Access).

Since I straightened out these two problems, I've been able to send and receive both signed and encrypted messages without much trouble.
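As an added example (not part of the original hint, and not Apple's, Mozilla's or Outlook's code), a small Python check that models the exact-match lookup described above against an address book and flags entries that differ from the certificate only in case; the certificates and addresses are constructed.

```python
"""Constructed pre-flight check for the address-case problem in this hint.

Panther Mail matches the recipient address against the one in the cert
byte-for-byte; Outlook and Mozilla fold case first. Example code, not
Apple's; it models only that lookup, over constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    email: str  # rfc822Name / emailAddress exactly as stored in the cert


def find_cert(recipient: str, certs: List[Cert], fold_case: bool) -> Optional[Cert]:
    """fold_case=False mirrors Panther Mail; True mirrors Outlook/Mozilla."""
    wanted = recipient.casefold() if fold_case else recipient
    for cert in certs:
        have = cert.email.casefold() if fold_case else cert.email
        if have == wanted:
            return cert
    return None


def audit_address_book(entries: Dict[str, str], certs: List[Cert]) -> Dict[str, str]:
    """Verdict per address: 'ok', 'case mismatch: use ...', or 'no certificate'.

    A case-mismatch entry encrypts fine in Mozilla/Outlook but shows no padlock
    in Panther Mail; the verdict gives the spelling to put in Address Book.
    """
    report: Dict[str, str] = {}
    for address in entries.values():
        if find_cert(address, certs, fold_case=False):
            report[address] = "ok"
        else:
            folded = find_cert(address, certs, fold_case=True)
            report[address] = ("case mismatch: use %r" % folded.email
                               if folded else "no certificate")
    return report


# Constructed sample data: certs already in the keychain, and address-book entries.
KEYCHAIN_CERTS = [
    Cert("Dog Cow", "DogCow@Apple.com"),
    Cert("Clarus", "clarus@example.org"),
]
ADDRESS_BOOK = {
    "Dog Cow": "dogcow@apple.com",   # differs only in case: no padlock in Panther
    "Clarus": "clarus@example.org",  # exact match: encrypt button appears
    "Nobody": "nobody@example.net",  # no cert at all
}

if __name__ == "__main__":
    for address, verdict in audit_address_book(ADDRESS_BOOK, KEYCHAIN_CERTS).items():
        print("%-20s %s" % (address, verdict))
```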

10.3: S/MIME encryption and Mail.app | 28 comments
10.3: S/MIME encryption and Mail.app
Authored by: sapporo on Jan 15, '04 02:35:08PM
Also check out "Using encryption and digital signatures in Mail" by Joar Wingfors at http://www.joar.com/certificates/

[ Reply to This | # ]
Great!
Authored by: djarsky on Jan 15, '04 10:42:11PM

This was a wonderful tutorial. I would highly recommend it!



[ Reply to This | # ]
Get a certificate
Authored by: vogunaescht on Jan 15, '04 03:17:10PM

Or get a certificate here, if you don't trust Verisign:

http://phpki.sourceforge.net/phpki/ca/



[ Reply to This | # ]
Get a certificate
Authored by: cyberassassin on Jan 16, '04 05:03:44PM

WARNING!!! This is not an actual Certificate Authority, but a package one can install and use to become one (for instance, to become your own corporate digital ID provider). The stuff you see is just an example... See the explanation here....

http://phpki.sourceforge.net/

---
Who is the Master of Foxhounds,
and who says the hunt has begun?
-- Pink Floyd



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: krokodil on Jan 15, '04 11:47:26PM

Great hint, thanks!

I wonder how to make it not sign by default. Now, once I've imported my certificates, by default it signs all messages. I have to click on the icon while composing to not sign.



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: P.R.Deltoid on Jan 16, '04 06:43:34PM

Unfortunately, in the current version of mail there is no default setting for mail encryption or signature. The settings for each new message are keyed off of the settings selected on the last (most recent) message sent.



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: P.R.Deltoid on Jan 16, '04 02:51:15PM

My good friend Chris Barylick wrote an article for the February issue of MacAddict on this very topic. I helped him research and test out the S/MIME encryption feature; once you have your certificate installed, using encryption in Mail is virtually transparent.




[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: tinker on Jan 17, '04 01:00:11PM

Have been doing this for a while, and have only hit one snag: I use rsync occasionally to ensure that my laptop mail folders exactly mirror my desktop mail folders. It didn't occur to me until well after I'd started using encryption that my laptop, lacking the desktop's encryption key, can't read encrypted messages. D'oh! Frankly, I haven't sent or received enough of same to bother to fix this problem -- I assume (?) that I can somehow transfer my desktop key to my laptop and use it there too? But this is pretty far down on my list of priorities. Just a warning.



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: clements on Feb 05, '04 05:03:57PM

This turns out to be a very valid concern on your part, as I'm finding this to be a nearly insurmountable hurdle. Here's what I've tried, in order to move my public and private keys from one machine to another:

1) Dragging the keys to the desktop. Nixed.
2) Using 'File>Export'. Grayed out, seems permanently inoperable.
3) Moving those keys to a new keychain, so that I can copy this between computers: seemed promising, but trying to drag the public key to another keychain gave me 'Unable to add item to keychain... -2147415751'. Ugh.

I'm about _this_ close to writing a small C program to query the keychain for the keys using the Keychain API... certainly a huge huge waste of time.
Any suggestions appreciated.

FWIW, About box for keychain access gives version: 3.1.1 (v181.1)



[ Reply to This | # ]
Keychain export: workaround
Authored by: clements on Feb 06, '04 12:31:28PM

Looks like the best workaround for the problem I reported yesterday is to:
1) create a new keychain,
2) move all keys _other_ than the Thawte ones into this new keychain,
3) copy the existing keychain to the new machine
4) use the "File>Add Keychain" operation to add the new keychain.

Note that step two can be REALLY tedious, as you'll have to type your password once per key (depends on your settings, of course).

My personal suspicion as to why the public key can't be moved is that it and the private key were both created with the same name. Pure speculation on my part, of course.



[ Reply to This | # ]
Keychain export: workaround
Authored by: thornrag on Apr 06, '04 02:34:45PM

Actually, making sure that someone can't move your certificate to another computer and start signing messages with your cert is the whole point of the system... if it's not a pain in the ass, it's not good security.

If you manage to enable two machines to read the same set of encrypted e-mails using the same set of keys, consider yourself "L337" ... and hope that someone doesn't take a shot at copying your certs to THEIR computer and start digging through your mail.



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: mundie1010 on Jan 19, '04 12:50:05PM

OK, so I got a Thawte certificate and installed it in my keychain. I wrote a message to myself and signed it. When I received it, it was marked as signed. I replied to it, the padlock was there, so I clicked on it to encrypt the message. However, when I received the encrypted message, mail.app said "Unable to decrypt message". When I clicked on "Show Details" it said "There was a problem decrypting this message. Please check that you have a valid certificate installed in your keychain." I have double-checked the case of the email address in the certificate and in mail.app.

Any idea what the problem might be? Is there some problem with sending encrypted messages to yourself?



[ Reply to This | # ]
Answer to my Own Question
Authored by: mundie1010 on Jan 19, '04 03:39:43PM

Before getting a Thawte certificate, I had gotten a trial Verisign certificate for the same e-mail address. As soon as I deleted the Verisign certificate, everything worked fine. Doh!



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: jfewtr on Jan 23, '04 09:28:01AM

I cannot get my certificate to "stick".

To get things working, first I have to open a signed & encrypted mail from myself that I have previously saved in my mailbox. The message is decrypted fine, but I get the warning that the signature cannot be trusted. So I click OK to accept the certificate. From then on, I can read mails without the signature warning and I can compose signed/encrypted mail (which I cannot do before accepting the cert). Good.

The problem is that it only works for that session. If I quit Mail and then relaunch it, I go back to the warnings again.

I assumed that this must be because Mail does not recognise my CA. So, based on the advice in other threads regarding SSL certs, I have moved my CA's root cert into the X509Anchors keychain. However this has made no difference. I still have exactly the same problem.

Maybe I have misunderstood, but I thought if I put a root cert into X509Anchors, the system would trust it. Is that not correct? Is there some other "master list" of recognised trusted CAs?



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: jrdavidson on Jan 26, '04 06:46:19PM

No - X509Anchors is the right place - I had to do it as root, though, to be able to write into that keychain. I put the root CA cert, and my public key there, just for completeness' sake.

Also - make sure your Full Name in your mail.app Account preferences matches exactly the Common Name in your public key cert.

Proof of the pudding is starting mail.app from scratch, clicking on New (message) and seeing the signing button show up. The encrypt button will only show after you enter a destination address for which you already have accepted a signed email - thus importing that person's public key into your personal keychain.

hope this helps.



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: Eric Murphy on Feb 01, '04 04:00:05PM

Hmm...I downloaded a digital certificate (from PHPki) and installed it in Keychain Access. It shows up there, looks pretty normal and usable. But Mail seems completely unaware of its existence. The "encrypt" and "sign" buttons don't appear in composition windows. I cannot even sign messages, let alone encrypt them. Is there anything else I need to do to let Mail know my digital signature exists?



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: clements on Feb 05, '04 04:57:04PM

The public certificate is not what you need to encrypt the mail; what Mail needs is a private key. I have one that Thawte generated, and it shows up in Keychain Access with kind 'Private Key, RSA, 2048-bit'. The certificate merely certifies that your public key is what you say it is, and that your e-mail address is what you say it is, etc.



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: Schwie on Jan 01, '07 09:39:18PM
Eric,

Check out my response posted here, as I'm pretty sure you're experiencing a similar problem:

<http://www.macosxhints.com/comment.php?mode=display&format=threaded&order=ASC&pid=36243>

[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: jfewtr on Feb 05, '04 02:10:58PM

Thanks. I tried changing my full name in mail.app to match the name and case in the Common Name in the cert, but I still have the same problem. As far as I can tell, I've done everything suggested in this thread and it still doesn't work. Maybe there's something wrong with my CA's root cert, but it's odd that it all works perfectly in Mozilla. Oh well.



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: Schwie on Jan 01, '07 09:32:59PM

I had this same problem and I managed to figure it out.

I had my certificates working in Mail for over a year when today I got cute and tried to update my certificate to include my GMail account. When I deleted my old Thawte personal email certificate from Keychain Access, I screwed up and deleted the personal certificate ALONG with the X509Anchors entries for Thawte. This was crucial, because when I created the new/updated certificate at Thawte and went to import it back into Keychain Access, it imported fine, but Thawte didn't replace my X509Anchors entries. Hence, when I fired up Mail, the padlock S/MIME icons weren't appearing for signing individual messages. After pulling my hair out for too much time, I finally got smart and hopped on another Mac I have and I exported the Thawte certificates from Keychain Access and imported them back on to the machine that I impaired.

After doing this, my new/updated certificate now works flawlessly (and I switched to CACert now, so we'll see how this goes).



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: MaxMarino on Feb 06, '04 03:52:12PM

http://www.macdevcenter.com/pub/a/mac/2003/01/20/mail.html

Follow 'ad litteram' the above how-to: cannot be easier than that!



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: macthemes on Feb 09, '04 12:01:40AM

Does anyone know how to move a cert and keys from a Windows machine to my Mac? I tried exporting them and importing them on the Mac side and got my cert and my private key, but no public key. Mail doesn't seem to want to sign anything without the public key. Is there any way to generate the public key from the cert? I know it's in there, I just don't know what format Keychain Access wants it in.

Keychain access needs a lot of work, and way more documentation ;-)



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: legacyb4 on Feb 12, '04 12:22:40AM

I did the following on my PC (Windows 2000), in order of menus:

- Internet Explorer
- Internet Options/Content/Certificates
- Select Thawte Freemail certificate
- Export
- Export the private key
- Select PKCS #12 (.pfx)
- Enabled strong protection (not really needed, I think)
- Type password (if strong protected)
- Save somewhere and mail to yourself on your Mac
- Double-click downloaded file and it should add itself to the Keychain

Voila, done.



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: macthemes on Feb 13, '04 11:13:59AM
I did the same, but with no luck. I'm currently hypothesizing that Mail requires your cert to have the altSubjectName extension (which Thawte certs have) for Mail to work properly. My corporate cert doesn't have that extension, hence I'm having problems. There's quite a good writeup on this here on Macintouch

[ Reply to This | # ]
Finding someone's certificate
Authored by: vroem on Feb 16, '04 04:31:49PM

Somebody says:

"I can accept PGP/GPG encrypted e-mail, and my public key should be available at your keyserver."

keyserver = certificate authority?
I checked verisign but his email doesn't seem to be registered.
Where do I find more certificate authorities and how do I access them? (Address Book?)



[ Reply to This | # ]
Finding someone's certificate
Authored by: P.R.Deltoid on Feb 20, '04 05:38:38AM

Keyserver and Certificate Authority are not the same thing; a Keyserver is merely a distribution system. A C.A. on the other hand issues the certificates and is responsible for ensuring their authenticity.

At present, there is no way to distribute the X.509 certificates supported by Mail in Panther other than by sending signed messages to individual users. Reading a signed message in Panther Mail automatically copies the public key for the sender from the message's signature into your keychain.

---
To PC Users: "What gets into you all...? Is it some devil that crawls inside [your machine]?" -P.R. Deltoid

[ Reply to This | # ]

10.3: S/MIME encryption and Mail.app
Authored by: lstelie on Feb 17, '04 12:28:04PM

Hello,

Now things are easier, as the latest Safari version imports the certificate directly into the Keychain;

I tried with a Thawte certificate, no problem, so far so good.

I have several accounts; an S/MIME certificate is linked to an email address. I requested another certificate from another provider, same process; the certificate is included in the keychain but there is no icon for this account.

Is Mail able to handle several different certificates for several different email accounts ?



[ Reply to This | # ]
10.3: S/MIME encryption and Mail.app
Authored by: alexgab on Nov 21, '06 07:27:51AM

I have Panther (10.3.9) and have gone through the whole process with Thawte, but I used Safari. When I finished, it downloaded something so fast that I couldn't see what it was, then Keychain opened and both my public and private key were there. Also there was an .EXE file on my desktop. Now, Mail app has only one button: "sign". There is no "encrypt" button. I don't understand what you mean by:

"Make the certs available to Apple's applications by exporting them as files, either PKCS#7 (.p7s extension, usually for the certificates of others) or PKCS#12 (.p12 extension, often for your own certificates), then importing them into the Keychain by either double-clicking the certificate files, or by dropping them onto Keychain Access."

I don't have any .p12 or PKCS#7 files, my certs are in the keychains already. I cannot export or "save as" the files from keychains to anywhere. Any idea??



[ Reply to This | # ]