If you read an earlier post detailing the steps to create self-signed S/MIME certificates using OpenSSL, I left off at the point where the certificate is created and packaged in the PKCS12 format. In order for the certificate to be of any use, you’ll need to install it in an e-mail client. This post details the steps for installing digital certificates on an iOS device and enabling S/MIME in the iOS Mail app.
Step 1 – Load the .p12 File on the iOS Device
E-mail a copy of the .p12 file to an e-mail address accessible on your iOS device. This isn’t the most secure way of loading it on the phone, but we’ll do it this way for simplicity in this post. Once you receive the e-mail with the attachment, tap the file attachment to begin the installation process. If prompted to “Choose a Device”, select the appropriate device to install the profile and confirm.
Step 2 – Install the Profile
Open the Settings app and tap Profile Downloaded. The device will prompt you to install the profile. Tap Install in the upper right corner. If your device is password protected, you will be prompted to enter your device passcode.
Since the digital certificate is self-signed and not signed by a well-known trusted certificate authority, you will receive a warning message that the profile is not signed. Continue by tapping Install in the upper right corner.
You will again be prompted to install the profile. Tap the Install button at the bottom of the screen.
You will then be prompted to enter the PKCS12 export/import password created when the .p12 file was assembled. Enter the password and tap Next in the upper right corner of the screen.
The profile and certificate are now installed. Click Done in the upper right corner of the screen.
Step 3 – Enabling S/MIME in iOS Mail
Now that you have the digital certificate loaded and a profile created, you may begin using it in iOS Mail.
- Open the Settings app
- Tap Mail
- Tap on an existing account name under the Accounts section
- Tap Account
- Tap Advanced
- In the S/MIME section, tap Sign
- Enable Sign
- Ensure the appropriate certificate is selected
- Return to the Advanced screen
- In the S/MIME section, tap Encrypt by Default
- Enable Encrypt by Default
- Ensure the appropriate certificate is selected
- Return to the Advanced screen
- Confirm changes and exit the Settings app
S/MIME is now enabled and ready to use your personal digital certificate the next time e-mail is sent from this account.
Step 4 – Sending Encrypted E-Mail
Recall that S/MIME uses Public Key Encryption so you won’t be able to send an encrypted e-mail to another address until you have that address’s public key installed.
- Send a signed (not encrypted) e-mail to another e-mail address (or back to your own email address).
- When the email is received, the sender’s e-mail address will have a check mark next to it in iOS Mail.
- Tap the check mark or the address to view details for the contact.
- The address is marked as Signed.
- Tap View Certificate.
- Details of the certificate are displayed.
- Tap Install.
- Tap Done to exit the certificate details screen.
- Tap Done to exit the contact details screen.
- Reply to the signed e-mail and iOS now recognizes the public key and allows encrypted e-mail communications (blue lock icon).
Common Issues
If, after installing the profile, you receive a message stating no valid certificates found when attempting to enable S/MIME, then the extension “extendedKeyUsage = emailProtection” was most likely missing when the certificate was signed.