Create Self-Signed S/MIME Certificates

What if you need to send an e-mail containing sensitive information? Do you send anything and everything through e-mail without concern for prying eyes? Recent news stories about e-mail account hacks and interceptions by third-parties make me even more hesitant and unwilling to send anything of importance through standard plain-text e-mail. If you’ve ever been through the process of buying a home, the amount of sensitive information that is transferred between the various parties is astounding and, from my experience, it is primarily done through plain-text e-mail (gasp). So, what can you do?

While this post doesn’t address the larger systemic issues around information transfer, it does provide a basic method for public key encryption and signing of MIME data (e-mail) using the S/MIME (Secure/Multipurpose Internet Mail Extensions) standard. Most well-known e-mail clients support S/MIME and this post provides instructions for creating your own certificate authority (CA) to create self-signed S/MIME certificates.

A (Very) Brief Primer on Public Key Encryption

Prepare to be confused!

Since certificates are based on public key encryption, please keep in mind that you will need to have the public key of the intended e-mail recipient in order to encrypt the e-mail. Conversely, if someone wants to send you an encrypted e-mail, that person needs your public key. As an example, if I want to send an e-mail to Bob, I will need Bob’s public key to encrypt the e-mail. When Bob receives the encrypted e-mail, Bob’s e-mail client uses his personal private key to decrypt the e-mail. If Bob wants to send me an e-mail, he will need my public key to encrypt the e-mail. This post steps through the creation of your own personal public/private key pair. The public key is what an e-mail sender will need to encrypt an e-mail sent to you. Your private key is kept only by you since that is used to decrypt any e-mails encrypted using your public key. If your private key is obtained by anyone else, then that person would be able to decrypt and read your e-mails.

Is There an Easier Way?

Yes. You can obtain a basic certificate for free from a number of companies such as Comodo.

Where’s the fun in that? By creating your own certificate, you do not rely on an external party and you get to learn a little bit more along the way.

You’ve made it this far, so let’s get started.

Step 1 – Install OpenSSL

We will use OpenSSL to create a certificate authority which will then sign the certificate that we create. The latest OpenSSL toolkit is found at the OpenSSL site. If a binary distribution is needed, e.g. pre-compiled installation files for Microsoft Windows, those can be found on the OpenSSL binaries page.

Once you’ve found the appropriate distribution for your operating system, please proceed with the installation instructions provided with that distribution.

I am using a Windows distribution so portions of this post may be specific to that operating system. Please also note that I have installed OpenSSL in the c:\openssl\ directory.

Step 2 – Create an OpenSSL Configuration File

Now that OpenSSL is installed, a configuration file is needed. If openssl.exe is executed at this point without the configuration file in place, the message WARNING: can’t open config file: /usr/local/ssl/openssl.cnf may be received.

Create a new file named smime.cnf containing the following configuration. The contents of the file follow the x509 certificate extension configuration format. For more information about the format and content, please review x509 v3 configuration page. The [req] and [req_distinguished_name] sections are generally part of any standard OpenSSL configuration file. Some distributions include a default configuration file that includes some version of these sections. I included them specifically in this configuration file because I was receiving an error message stating unable to find ‘distinguished_name’ in config and this resolved the error. The [smime] section is the important section for this exercise because it sets the appropriate extensions for an S/MIME certificate.

Next, we will need to set the OPENSSL_CONF environment variable to reference the new configuration file. Setting this environment variable will eliminate the warning message mentioned earlier. This part is Windows specific. Recall that I have installed OpenSSL in the c:\openssl\ directory, named the configuration file smime.cnf, and saved it in the c:\openssl\ directory.

Open a command prompt window and be sure to Run as administrator if you are on Windows. Execute the following command:

When openssl.exe is executed, there is no warning message and the OpenSSL> prompt is displayed. Type exit and you’ll be returned to the c:\openssl\> prompt.

Step 3 – Generate an RSA Private Key for the Certificate Authority

In this post, we are creating a new certificate authority to sign personal certificates. Execute the following command to generate the RSA private key for the new certificate authority:

The options specify to use the des3 encryption cipher and output the results to a file named ca.key with a size of 4096 bits.

The following message will be displayed. Follow the prompts to create a pass phrase for this key. Remember this pass phrase for subsequent steps.

Step 4 – Create Self-Signed Certificate for the Certificate Authority

Execute the following command to generate the new self-signed certificate for the certificate authority:

The -x509 option outputs a self-signed certificate instead of a certificate request. The -days 3650 option specifies that the generated certificate is certified for 10 years (ignoring leap years). The -key option specifies the private key to use. We will use the private key (ca.key) that was created in Step 3 and output the self-signed certificate to a file named ca.crt.

Follow the displayed prompts. You will need to use the pass phrase from Step 3. I have left most fields blank by simply entering a . character. I have provided example entries below between the brackets following the prompts. Please change the values to meet your own particular needs.

The certificate authority has been created. Now, we will begin creating the personal certificate for a particular e-mail address.

Step 5 – Generate an RSA Private Key for the Personal E-Mail Certificate

Similar to Step 3, we will need to create a new private key. This private key is for your personal certificate instead of the certificate authority.

Execute the following command:

When prompted, enter a pass phrase that is different from the one used in the certificate authority private key.

Step 6 – Create the Certificate Signing Request

Now that we have a personal private key, we will need to create a certificate signing request. This command looks similar to Step 4 where we created a self-signed certificate for the certificate authority. In this step, however, the options are slightly different because we are creating a certificate signing request instead of a self-signed certificate. We are creating a certificate signing request because we will use the certificate authority to sign the certificate.

Execute the following command:

When prompted, enter the pass phrase used to create the private key in Step 5. Again, I have left most fields blank by simply entering a . character. I have provided example entries below between the brackets following the prompts. The example uses a fake person named Test User with an e-mail address of test_user@dalesandro.net. As always, please change the values to meet your own particular needs.

Please note that the Common Name used in this step should be different from the one used in Step 4.

Step 7 – Sign the Certificate Using the Certificate Authority

At this point, we are finally creating the personal self-signed certificate. We will use the configuration file we created in Step 2 to set the necessary extensions and we will use the certificate authority to sign the new personal certificate.

Execute the following command:

When prompted, enter the pass phrase for the certificate authority private key from Step 3.

Step 8 – Package the Certificate into the PKCS12 Format

After all of that work, I imagine you’ll want to use your new self-signed digital certificate to send e-mail. Many e-mail clients will need the certificate packaged in a standard format. This step bundles the necessary files into the PKCS12 format.

Execute the following command:

When prompted, enter the pass phrase associated with your personal private key created in Step 5. You will also create another pass phrase which will be used to import the P12 file into an e-mail client.

Closing Thoughts

You now have your very own self-signed S/MIME certificate which can be used to send signed e-mails. This also allows others to send you encrypted e-mails by using your public key. Once your recipients provide you with their public keys, then you’ll be able to send encrypted e-mails to them as well.

UPDATED: Please see the the guide for installing S/MIME certificates on iOS devices. It will guide you through the steps to add your self-signed certificates to the iOS Mail app for S/MIME.

7 thoughts on “Create Self-Signed S/MIME Certificates”

  1. Thank you for the guide. I was able to create all certs, keys as per this guide. I can also send “encrypted” emails from my iPhone email client. However, I cannot send a “signed” message? iOS shows “signing identity not found” error. I believe we need to add “keyCertSign” in KeyUsage; but that is not working out either, i tried adding and generating everything again. Any help please ? Thank you!

  2. “This also allows others to send you encrypted e-mails by using your public key.”

    Where/How do we generate a public key if you are trying to manually encrypt messages on the command line or through a custom application?

  3. Hi John, I followed your steps successfully, but unfortunately I’m not able to get Outlook or Thunderbird to cooperate with me.

    I’m doing this to include S/MIME encryption/decryption support in my open source Java library Simple Java Mail (https://github.com/bbottema/simple-java-mail). Could I please bother you to provide me with a set of certificate files so I can test S/MIME signing and/or encryption in this library? I wasted many hours already fooling around with this.

  4. Hi John, I followed your steps successfully, but unfortunately I’m not able to get Mail on macOS(10.14.4) or Mail on iOS(12.2) to cooperate with me.

    I’ve create ca and test user(test@gmail.com for example), install test user’s p12 on my iphone, and Login test user on iOS Mail.

    Turn on the settings for sign and encrypt in account/mail/advanced.

    Finally, go to mail and send mail to my self. Nothing happend (no lock as describe in many other tutorials), login to webpage and the mail is plain.

  5. John, Thanks for the tips. It took me a few goes to understand how to adjust. At first when I tried to go iPhone to iPhone I could not decrypt the sent email (unless the message was signed too). I found the fix to get iOS to play along was in step 6 to only put in the email address, just leave everything else blank. I also adjusted the smime.cnf file to take out nonRepudiation, but that may have had nothing to do with getting it working.

    Many thanks for the great web page

Leave a Comment