Using Self-Signed S/MIME Certificates in iOS Mail App

In an earlier post detailing the steps to create self-signed S/MIME certificates using OpenSSL, I left off at the point where the certificate was created and packaged in PKCS12 format. For the certificate to be of any use, you’ll need to install it in an e-mail client. This post details the steps for installing the digital certificate on an iOS device and enabling S/MIME in the iOS Mail app.

Step 1 – Load the .p12 File on the iOS Device

Upload a copy of the .p12 file to your iCloud Drive or e-mail a copy of the file to an e-mail address accessible on your iOS device. E-mail isn’t the most secure way of loading it onto the device; it is suggested here only for simplicity. Once the .p12 file is accessible on the device, tap the file to begin the installation process.

iCloud Drive – p12 File

If prompted to “Choose a Device”, select the appropriate device to install the profile and confirm.

Choose Device

Step 2 – Install the Profile

Open the Settings app and tap Profile Downloaded.

Settings – Profile Downloaded

The device will prompt to install the profile. Tap Install in the upper right corner.

Install Profile

If the device is password protected, a prompt to enter the device passcode is displayed.

Enter Passcode

Since the digital certificate is self-signed and not signed by a well-known trusted certificate authority, a warning message that the profile is not signed is displayed. Continue by tapping Install in the upper right corner.

Warning – Profile Not Signed

Another prompt to install the profile is displayed. Tap the Install button at the bottom of the screen.

Warning – Profile Not Signed (Install)

A prompt is displayed to enter the PKCS12 export/import password created when the .p12 file was assembled. Enter the password and tap Next in the upper right corner of the screen.

Certificate Password

The profile and certificate are now installed. The configuration profile appears in Settings, General, VPN & Device Management. Tap Done and exit the Settings app.

Profile Installed

Step 3 – Enabling S/MIME in iOS Mail

Now that you have the digital certificate loaded and a profile created, you may begin using it in the iOS or iPadOS Mail app. For these steps, I am using an e-mail address associated with iCloud. These steps may vary slightly (in steps 4 and 5) if you are using a different account type such as Gmail.

  1. Open the Settings app
  2. Tap Mail
  3. Tap Accounts
  4. Tap on an existing account name in the Accounts section (for this example I am using an iCloud e-mail address)
  5. Tap iCloud
  6. Tap iCloud Mail
  7. Tap Advanced
  8. In the S/MIME section, tap Sign
  9. Enable Sign
  10. Ensure the appropriate certificate is selected
  11. Return to the Advanced screen
  12. In the S/MIME section, tap Encrypt by Default
  13. Enable Encrypt by Default
  14. Ensure the appropriate certificate is selected.
  15. Return to the Advanced screen
  16. Confirm changes and exit the Settings app

S/MIME is now enabled and ready to use your personal digital certificate the next time e-mail is sent from this account.

Step 4 – Sending Encrypted E-Mail

Recall that S/MIME uses public-key encryption, so you won’t be able to send an encrypted e-mail to another address until you have the recipient’s public key. If you receive a digitally signed e-mail from a sender who used a self-signed certificate, the Mail app will flag the certificate as not trusted or invalid. You can test this by using two different e-mail addresses where each address has its own self-signed certificate.

  1. Send a digitally signed (not encrypted) e-mail to another e-mail address where the certificate profile has not been installed on the device.
  2. When the e-mail is received, the sender’s e-mail address is shown in red with a red circle containing a question mark next to the address.

iOS Mail – Untrusted Signature Indicator

  3. Tap the question mark or the address (twice) to view the sender’s details. iOS indicates that the sender’s digital signature is untrusted and that it is unable to verify the authenticity of the S/MIME certificate provided by the sender.

iOS Mail – Untrusted Signature Message

  4. Tap View Certificate. Details of the certificate are displayed.
  5. Tap Install.

iOS Mail – Trusted Certificate

  6. Tap Done to exit the certificate details screen.
  7. Tap Done to exit the contact details screen.
  8. iOS now recognizes the public key and allows encrypted e-mail communication. Reply to the signed e-mail: the contact now appears in blue with a blue lock icon next to the name/address.

iOS Mail – Encrypted Message Indicator

Common Issues

If, after installing the profile, you receive a message stating that no valid certificates were found when attempting to enable S/MIME, the extension `extendedKeyUsage = emailProtection` was most likely missing when the certificate was signed.
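Rather than discovering this on the device, the extended key usage can be checked on the .p12 before it is uploaded. The following is an added example, not from the original post; it assumes OpenSSL 1.1.1 or later, and the key, certificate, bundle and password it creates are constructed demo material with placeholder values.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the certificate
# inside a PKCS12 bundle carries the extendedKeyUsage = emailProtection
# extension iOS Mail requires, before the .p12 is loaded on the device.
# Assumes OpenSSL 1.1.1 or later. Key, certificate, .p12 and password
# below are constructed demo material (placeholder values).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS='demo-export-password'   # placeholder PKCS12 export/import password

# Build a demo self-signed S/MIME certificate and package it as .p12.
# $1 = output .p12 path, $2 = extendedKeyUsage value to embed
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo User/emailAddress=demo@example.invalid" \
        -addext "subjectAltName = email:demo@example.invalid" \
        -addext "keyUsage = digitalSignature, keyEncipherment" \
        -addext "extendedKeyUsage = $2" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$1" -passout "pass:$P12_PASS"
}

# Return 0 when the end-entity certificate in the .p12 lists E-mail
# Protection (OpenSSL's display name for emailProtection) in its EKU,
# 1 otherwise, which is the 'no valid certificates found' case.
# $1 = .p12 path, $2 = export/import password
has_email_protection_eku() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" \
      | openssl x509 -noout -ext extendedKeyUsage \
      | grep -q 'E-mail Protection'
}

# Demo run: a correct bundle and one signed with the wrong EKU.
make_demo_p12 "$WORK/smime.p12" emailProtection
make_demo_p12 "$WORK/wrong.p12" serverAuth
for f in smime wrong; do
    if has_email_protection_eku "$WORK/$f.p12" "$P12_PASS"; then
        echo "$f.p12: OK, certificate has the E-mail Protection EKU"
    else
        echo "$f.p12: missing emailProtection EKU; iOS Mail will report no valid certificates"
    fi
done
```

Point `has_email_protection_eku` at the bundle produced by the earlier post and its export password; a non-zero exit means the certificate needs to be re-issued with the extension before installing it.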
