In an earlier post detailing the steps to create self-signed S/MIME certificates using OpenSSL, I left off at the point where the certificate is created and packaged, together with its private key, in the PKCS12 (.p12) format. For the certificate to be of any use, you need to install it in an e-mail client. This post details the steps for installing the certificate on an iOS device and enabling S/MIME in the iOS Mail app.
Step 1 – Load the .p12 File on the iOS Device
Upload a copy of the .p12 file to your iCloud Drive, or e-mail a copy of the file to an e-mail address accessible on your iOS device. E-mail is not a secure way of loading it on the device, since the .p12 file contains your private key and an e-mailed copy passes through every mail server along the way; it is suggested here only for simplicity. Once the .p12 file is accessible on the device, tap the file to begin the installation process.
If prompted to “Choose a Device”, select the appropriate device to install the profile and confirm.
Step 2 – Install the Profile
Open the Settings app and tap Profile Downloaded.
The device will prompt to install the profile. Tap Install in the upper right corner.
If the device is password protected, a prompt to enter the device passcode is displayed.
Since the digital certificate is self-signed rather than issued by a well-known trusted certificate authority, and the configuration profile carrying it is itself unsigned, a warning that the profile is not signed is displayed. Continue by tapping Install in the upper right corner.
Another prompt to install the profile is displayed. Tap the Install button at the bottom of the screen.
A prompt is displayed to enter the PKCS12 export/import password created when the .p12 file was assembled. Enter the password and tap Next in the upper right corner of the screen.
The profile and certificate are now installed. The configuration profile appears in Settings, General, VPN & Device Management. Tap Done and exit the Settings app.
Step 3 – Enabling S/MIME in iOS Mail
Now that you have the digital certificate loaded and a profile created, you may begin using it in the iOS or iPadOS Mail app. For these steps, I am using an e-mail address associated with iCloud. These steps may vary slightly (in steps 4 and 5) if you are using a different account type such as Gmail.
- Open the Settings app
- Tap Mail
- Tap Accounts
- Tap on an existing account name in the Accounts section (for this example I am using an iCloud e-mail address)
- Tap iCloud
- Tap iCloud Mail
- Tap Advanced
- In the S/MIME section, tap Sign
- Enable Sign
- Ensure the appropriate certificate is selected
- Return to the Advanced screen
- In the S/MIME section, tap Encrypt by Default
- Enable Encrypt by Default
- Ensure the appropriate certificate is selected.
- Return to the Advanced screen
- Confirm changes and exit the Settings app
S/MIME is now enabled and ready to use your personal digital certificate the next time e-mail is sent from this account.
Step 4 – Sending Encrypted E-Mail
Recall that S/MIME uses public-key encryption, so you won’t be able to send an encrypted e-mail to another address until you have the recipient’s public key. If you receive a digitally signed e-mail from a sender who used a self-signed certificate, the Mail app will flag the certificate as not trusted or invalid. You can test this by using two different e-mail addresses where each address has its own self-signed certificate.
- Send a digitally signed (not encrypted) e-mail to another e-mail address where the certificate profile has not been installed on the device.
- When the e-mail is received, the sender’s e-mail address will be red with a red circle containing a question mark inside next to the address.
- Tap the question mark or the address (twice) to view the sender’s details. iOS indicates that the sender’s digital signature is untrusted and that it is unable to verify the authenticity of the S/MIME certificate provided by the sender.
- Tap View Certificate. Details of the certificate are displayed.
- Tap Install.
- Tap Done to exit the certificate details screen.
- Tap Done to exit the contact details screen.
- iOS now recognizes the public key and allows encrypted e-mail communications. Reply to the signed e-mail and the contact is now in blue font with a blue lock icon next to the name/address.
If, after installing the profile, you receive a message stating no valid certificates found when attempting to enable S/MIME, then the extension “extendedKeyUsage = emailProtection” was most likely missing from the OpenSSL configuration when the certificate was signed. iOS only offers a certificate for S/MIME if its extended key usage permits e-mail protection, so the certificate has to be re-issued with that extension and the .p12 re-packaged and re-installed.
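As an added example (not code from the original post), here is a small POSIX shell pre-flight check you can run on the .p12 file, or on the PEM certificate, before copying it to the device. It assumes the OpenSSL command-line tool is installed; the function name check_smime_cert and the sample address are chosen for this example. It verifies that the certificate carries the emailProtection extended key usage that iOS requires, and that the account’s e-mail address appears in the certificate, which is what Mail matches against the account.

```shell
#!/bin/sh
# Pre-flight check for a self-signed S/MIME certificate before loading it on iOS.
# Assumes the OpenSSL CLI is on PATH. Accepts a PEM certificate or the PKCS#12
# bundle from the earlier post (export password passed as the third argument).
set -u

# cert_pem FILE [P12PASSWORD]: print the end-entity certificate in PEM form
cert_pem() {
  case "$1" in
    *.p12|*.pfx) openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:${2:-}" 2>/dev/null ;;
    *)           cat "$1" ;;
  esac
}

# check_smime_cert FILE EMAIL [P12PASSWORD]
# Returns 0 when the certificate is usable for S/MIME with EMAIL on iOS,
# 1 when a required property is missing (reason printed), 2 if unreadable.
check_smime_cert() {
  file=$1; email=$2; pass=${3:-}
  text=$(cert_pem "$file" "$pass" | openssl x509 -noout -text 2>/dev/null) || {
    echo "cannot read a certificate from $file"; return 2; }
  rc=0
  # OpenSSL renders "extendedKeyUsage = emailProtection" as the line
  # "E-mail Protection" directly under "X509v3 Extended Key Usage".
  if ! printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | grep -q 'E-mail Protection'; then
    echo "missing extendedKeyUsage = emailProtection (iOS will report: no valid certificates found)"
    rc=1
  fi
  # Mail matches the certificate to the account by the address in the
  # subject (emailAddress) or the subjectAltName (email:) field.
  if ! printf '%s\n' "$text" | grep -qiF "$email"; then
    echo "address $email not present in the certificate subject or subjectAltName"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $file is usable for S/MIME with $email"
  return "$rc"
}
```

Run it as `check_smime_cert smime.p12 you@example.com 'export-password'`; a non-zero exit means the certificate should be re-issued before you go through the profile installation steps above.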