
10.4: Use .Mac iChat certificates in Mail
Tiger only hint

If you enable iChat encryption, .Mac will generate a certificate and key with your .Mac name and store it in your keychain. This is used to encrypt iChat text and video, and it works well.

But did you know ... you can also use your .Mac certificate to sign and encrypt email? To do this, open Keychain Access (in Applications/Utilities), and check that your .Mac certificate is there. Then open the Preferences panel in Keychain Access and check the Search .Mac for Certificates box.

You can then start Apple's Mail app, and choose your .Mac email account as the sending account in a new message. When you do, you will see icons (as seen to the right) above the message window to toggle on/off encrypting (the lock icon) and digital signing (the checkmark) of email. Remember, though, to encrypt email to another person, you must have their certificate in your keychain.

[robg adds: I tested this with another .Mac user, and it worked as described.]

10.4: Use .Mac iChat certificates in Mail
Authored by: adrianm on Nov 29, '05 09:07:37AM

Cool. My other certificate recently expired and this one will replace it nicely. :-)



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: djahughes on Nov 29, '05 02:32:27PM

So how does one get another .Mac user's certificate in one's keychain?

---
David Hughes



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: edcroteau on Nov 30, '05 08:44:57AM

I'm told that if you receive a digitally signed message from someone that you receive their certificate.

Ed



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: WillTBrown on Feb 06, '06 08:26:09PM

This is correct.
If you have your own x509 or other type of certificate, you can send a signed message to a friend.
He also sends you a signed message from his email account.
OSX Mail keeps track of the S/MIME certificates sent to you by others, and the next time you compose a message to your friend, you now have the option of not just signing your email, but also encrypting it.

This way, nobody in transit can read the text of your email.

Digital signing is useful in and of itself. It allows you to send email 'with authority'. That is, the receiver knows it comes from you, without having to have already exchanged keys with you (as with PGP).

The added bonus of encrypted communications can be used to protect personal, or business data transmitted via email.

I recommend it.



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: larse on Nov 29, '05 09:29:55AM
If you are serious about email authentication/encryption, you would do well to get a certificate that is signed by one of the top-level CAs.

You can get one from Thawte for free: Thawte Web of Trust

[ Reply to This | # ]

10.4: Use .Mac iChat certificates in Mail
Authored by: alanr on Nov 29, '05 12:11:33PM

Hmm. Tried to go to the thawte site, but it requires one to log in, even to join.



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: pme on Nov 29, '05 02:55:58PM

That's quite expected for such a service, isn't it :-)

(You also need to trusted people in person to earn points to get a certificate with your name on it. Otherwise the certificate is named after your email address.)

I've used their service since Mail.app started supporting it, and it's solid.



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: puggsly on Nov 29, '05 04:44:10PM

Ok, so I know who verisign is and I would trust them I guess but what would make them more "trusted" than Apple Computer or Microsoft or any other major company? Maybe I don't get the whole certificate thing but basically we are trusting that Apple is a real company who issues unique digital signatures to people and that if I ask them to verify whose key was used to secure an email that they will not lie.

How is one more "serious" than another? I just don't get it.



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: scott.gardner on Nov 30, '05 08:16:03PM

It's worth noting, I sent a message to Thawte on 3 separate occasions. They never responded:

Hello,

I signed up for a digital certificate a few weeks ago with you. I received and set everything up on my end, and subsequently tested a scenario to ensure the security of my email communication, as follows:

1. I sent an email from my digital-certificate signed email account (...@mac.com) to an alternate non-signed email account (...@yahoo.com), with the message body "asdf."
2. In my yahoo account, I redirected this email to a 3rd alternate non-signed email account (...@gmail.com), adding this text to the message body: jkl;
3. In my gmail account I received the redirected email with the altered message body, yet still showing signed by ...@mac.com

It appears to me that this digital signature is not accurate, because the message was altered by the recipient and then re-directed to another email. See test email chain below. I've emailed you several times regarding this issue and have not received a response.

Please advise.

Thanks,
...

Begin forwarded message:

Resent-From: ...mac.com>
From: ...@mac.com>
Date: September 2, 2005 11:36:42 AM CDT
Resent-To: ...@gmail.com
To: ...@yahoo.com
Subject: test 11:36


asdf

jkl;



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: jeffzacharias on Dec 01, '05 08:07:23PM

I tried Thawte and I don't like them. I didn't like their signup or how their whole trust system works. I trust Apple much more than a company from South Africa with an awkward system.



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: WillTBrown on Feb 06, '06 08:05:32PM

I do not have a problem with thawte, and I have been a Web of Trust notary with them for a couple years now.

The point of giving over unique, personally identifiable information to a Certificate Authority is that you can get your certificates trusted by a top-level third party. Having gone through the authentication process with thawte, I feel very confident with any email certificate issued by thawte with a person's name on it.

I have also gone through the WOT assurance process with CACert.org, a group that gives out free email and SSL certificates.

Yes, you are giving out valuable information to a third party. But you do this all the time to Banks, doctors' offices, and your employer. I fear an underpaid clerk at the HR department at work selling my identity more than I do a company like thawte, which is in the business of keeping secrets, after all.

Just my two cents.



[ Reply to This | # ]
10.4: Where do I find the public key for my .Mac account
Authored by: Craigriver on Jun 02, '06 09:20:27AM

This is all very useful. Please tell me how to identify the public key for my .Mac account. I want to publish it on public key servers. Thank you.



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: loffe on Nov 29, '05 02:26:30PM

More about certificates in Mail here!
http://joar.com/certificates/



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: markformac on Nov 29, '05 11:03:55PM

I can not get this to work. I have the .Mac certificate and also have enabled the Preference settings as described but the security options do not appear in the Mail composition window. Any suggestions?

markformac@yahoo.com
http://www.appsformymac.com

---
Mark Brooks



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: jeffzacharias on Dec 01, '05 08:10:49PM

You have to make sure that in your keychain you have:
1) Your certificate with your .Mac name
2) Your key with your .Mac name
3) The Apple .Mac Certificate Authority certificate.

Then you must be using your .Mac account in mail with the same .Mac name as your certificate. And you must be sending email with the return address of your .Mac email and from your .Mac account.



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: bupkis on Dec 20, '05 02:53:57AM

I've done all that and it still doesn't work. I don't get the encryption and signing icons on new mail that I compose in Mail to be sent using my .Mac account.

Anything else I should be checking?



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: hschickel on Dec 06, '05 04:54:14PM

The signature feature with pre 12/5/05 certs seemed a little flaky. One could make changes in-transit and the mail was still "signed". Encryption seemed to work properly (I did not test extensively). NOTE - the certs did not include the required email address. This may have caused the issues.

The post 12/5/05 certificates have the email feature specifically turned off. I'm curious to see if apple corrects the problems and turns it back on. Anyone with a 12/6/05 or later cert have working email?

Hugh



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: thecentaur on Jan 02, '06 06:11:34AM

I can't get it to work either. iChat encryption is on. I have a new "Apple .Mac Certificate Authority" certificate in the Keychain Access.

I have a certificate with my email name of type certificate. Note that it does not include the "@mac.com" portion in Key Chain manager name field - that is how iChat added it when I clicked the button. Likewise the "Common Name" in the certificate does not include the "@mac.com" portion. Don't know if it should or not, but it was created that way by iChat.

10.4.3. Mail is sending from my .Mac name and receiving for the same.

Any suggestions? ;-)



[ Reply to This | # ]
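The two certificate properties raised in the comments above (the email address missing from the certificate, and email use being disabled in it) can be checked with OpenSSL. This is an added example, not part of the original hint or any commenter's post; the file names, the `exampleuser@example.com` address and both test certificates are constructed, and modelling "email turned off" as an extended key usage without emailProtection is an assumption.

```shell
#!/bin/sh
# Added example. Names and addresses are constructed placeholders.

# make_cert OUT_PEM SUBJECT [openssl req options...]
# Builds a throwaway self-signed certificate to test against.
make_cert() {
    out=$1 subj=$2; shift 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}

# smime_cert_check CERT_PEM ADDRESS
# Prints one finding per line; returns 0 only if every check passes.
smime_cert_check() {
    cert=$1 addr=$2 rc=0
    # 1. Is the sender address bound into the certificate
    #    (subject emailAddress or subjectAltName rfc822Name)?
    if openssl x509 -in "$cert" -noout -email | grep -qixF -- "$addr"; then
        echo "address: $addr present"
    else
        echo "address: $addr MISSING"; rc=1
    fi
    # 2. Do key usage / extended key usage permit S/MIME at all?
    purposes=$(openssl x509 -in "$cert" -noout -purpose)
    for p in "S/MIME signing" "S/MIME encryption"; do
        if printf '%s\n' "$purposes" | grep -q "^$p : Yes"; then
            echo "$p: allowed"
        else
            echo "$p: NOT allowed"; rc=1
        fi
    done
    return $rc
}

tmp=$(mktemp -d)
# Stand-in for a certificate as the comments describe it: common name only,
# and (assumption) email use excluded via an EKU without emailProtection.
make_cert "$tmp/ichat-like.pem" "/CN=exampleuser" \
    -addext "extendedKeyUsage=clientAuth"
# Stand-in for a certificate issued for email.
make_cert "$tmp/mail-ready.pem" "/CN=exampleuser" \
    -addext "subjectAltName=email:exampleuser@example.com" \
    -addext "extendedKeyUsage=emailProtection" \
    -addext "keyUsage=digitalSignature,keyEncipherment"
for c in ichat-like mail-ready; do
    echo "== $c"
    smime_cert_check "$tmp/$c.pem" exampleuser@example.com || true
done
rm -rf "$tmp"
```

To check a real certificate, export it in PEM format and pass its path and the account's address to `smime_cert_check`. The `-addext` option used for the test certificates needs OpenSSL 1.1.1 or later; the check function itself does not.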
10.4: Use .Mac iChat certificates in Mail
Authored by: thecentaur on Jan 02, '06 06:26:16AM

I did download the thawte version and the options show up perfectly, so it must be something strange with the iChat version.

Having been a Mac user since 1984 and a ][ user before that, it is little things like that where Apple needs to have everything "just work." That is one of the best features of the Mac, everything should "just work."

If I ever figure out the problem with the other cert, I'll post it...



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: sathomasga on Sep 14, '06 09:02:41AM

This wasn't working for me because the "Search .Mac for Certificates" preference wasn't sticking. I did a Keychain First Aid and found that my ~/Library/Preferences/com.apple.security.plist file had an owner of root instead of my user name. Since Keychain First Aid couldn't fix it and chown refused, I ended up copying the file to a new one, deleting the old one, and copying the copy back. Now things work fine. (FWIW, I also tried repair permissions from the Disk Utility and that did not fix the problem.)



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: nickshanks on Dec 02, '05 01:56:45PM

I posted my own thoughts on this to my blog: http://web.nickshanks.com/blog/

If anyone can help in telling me what Mac email clients besides Mail support this I'd appreciate it (though please leave comments on the blog, as I don't check this thread for replies).



[ Reply to This | # ]
10.4: Use .Mac iChat certificates in Mail
Authored by: duchovka on Mar 28, '07 08:15:20AM

I think the problem is that the Mac OS X short account name is not the same as the iChat name (before the @). I recently switched accounts and named it to my first name instead of the second, and now it doesn't work anymore. Can someone confirm this connection?



[ Reply to This | # ]