10.3: S/MIME encryption and Mail.app

Jan 15, '04 09:44:00AM

Contributed by: mmellis

I have used S/MIME for mail encryption on PCs with Outlook and on Macs with Mozilla, and I wanted to use the new S/MIME features of Panther's Mail.app. I started by reading TechInfo article 25555, Mac OS X 10.3: Mail - How to Use a Secure Email Signing Certificate (Digital ID), but still ran into a couple of problems -- getting certificates onto my Mac and into the Keychain, and once there, using them. Here are my solutions, which may help some other Mac users save time and avoid frustration.

S/MIME requires that both sender and recipient of encrypted messages have certificates. Typically these come from a certification authority (CA) like Verisign (there are other CAs - I haven't used them). The problem is that Safari cannot be used to download certificates from the Verisign site. Mozilla, however, works fine. Mozilla downloads the certificates into its own certificate management tool, which can be found on the Preferences -> Privacy and Security -> Certificates menu under the Manage Certificates button.

Make the certs available to Apple's applications by exporting them as files, either PKCS#7 (.p7s extension, usually for the certificates of others) or PKCS#12 (.p12 extension, often for your own certificates), then importing them into the Keychain by either double-clicking the certificate files, or by dropping them onto Keychain Access.

Once you have the certificates installed and you've addressed a new message to a recipient for whom you have a cert, you should see two additional buttons on the right side of the New Mail window, just above the composition pane. The encryption button looks like a padlock, and the signature button looks like a gear. Click the appropriate button to encrypt or sign your message.

If no buttons appear, yet you have valid certs for your recipients, you may be tripping over a difference between Apple's implementation and those of Outlook and Mozilla (which I have used in the past). Apple does not fold the case of the recipient's email address before searching for their cert, whereas both Outlook and Mozilla do. In other words, DogCow@Apple.com does not equal dogcow@apple.com, as far as the Panther S/MIME code is concerned. For this reason, make sure that the addresses in your address book match exactly those on the certificates (viewable with Keychain Access), including case.
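To make the case-folding difference concrete, here is a small added example (not from the hint or from Apple's code) that models the two lookup behaviours and audits an address book for entries that differ from a certificate's email only in case. The certificate list and address book are constructed sample data; the function and variable names are my own.

```python
"""Constructed model of S/MIME certificate lookup by recipient address.

KEYCHAIN_CERT_EMAILS stands in for the email addresses on certificates held in
the Keychain; the address book list below stands in for Address Book entries.
"""
from typing import Optional

# Constructed sample: email address recorded on each certificate, as issued by the CA.
KEYCHAIN_CERT_EMAILS = {
    "DogCow@Apple.com": "cert-for-dogcow",
    "alice@example.org": "cert-for-alice",
}


def find_cert(recipient: str, certs: dict, fold_case: bool) -> Optional[str]:
    """Return the certificate for recipient, or None if no match.

    fold_case=False models Panther Mail.app (exact, case-sensitive match).
    fold_case=True models Outlook/Mozilla (case-insensitive match).
    """
    if not fold_case:
        return certs.get(recipient)
    wanted = recipient.casefold()
    for email, cert in certs.items():
        if email.casefold() == wanted:
            return cert
    return None


def case_only_mismatches(address_book: list, certs: dict) -> list:
    """List (address_book_entry, cert_email) pairs that differ only in case.

    These are the recipients for whom a case-sensitive lookup shows no
    padlock button even though a certificate is installed; the fix is to
    edit the Address Book entry to the exact spelling on the certificate.
    """
    problems = []
    for addr in address_book:
        if addr in certs:
            continue  # exact match, a case-sensitive lookup finds it
        for email in certs:
            if email.casefold() == addr.casefold():
                problems.append((addr, email))
    return problems


if __name__ == "__main__":
    book = ["dogcow@apple.com", "alice@example.org", "bob@example.net"]
    print(find_cert("dogcow@apple.com", KEYCHAIN_CERT_EMAILS, fold_case=False))  # None
    print(find_cert("dogcow@apple.com", KEYCHAIN_CERT_EMAILS, fold_case=True))   # cert-for-dogcow
    print(case_only_mismatches(book, KEYCHAIN_CERT_EMAILS))  # [('dogcow@apple.com', 'DogCow@Apple.com')]
```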

Since I straightened out these two problems, I've been able to send and receive both signed and encrypted messages without much trouble.



Mac OS X Hints
http://hints.macworld.com/article.php?story=20031224114524612