Can I create my own S/MIME certificate for email encryption?


Solution 1

Yeah, it sucks that Apple Mail does not support GPG. :-( I wish it did because I prefer GPG encrypted e-mail too.

I also agree that information surrounding S/MIME and generating your own e-mail certificates is hard to come by. I found Paul Bramscher's webpage has a good description of how to create your own Certificate Authority certificate.

I don't pretend to fully understand the certificate process, but this is what I've been able to piece together. You should consult the openssl manpage for more detailed information about each of the commands shown below.

Create Certificate Authority

The first step is to create your own Certificate Authority (CA). The commands are …

# openssl genrsa -des3 -out ca.key 4096
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

and follow the prompts.

You will need to issue your CA's certificate (i.e. the content of ca.crt) to each and every recipient of your encrypted e-mail. The recipients will have to install and trust your CA certificate so that your encrypted e-mail will be trusted. The installation will vary for each mail client used.

In your case, you will need to add your CA's certificate to your Apple Keychain. There are lots of posts on the web about how to import and trust a CA certificate in the Apple Keychain.

Create Personal E-Mail Certificate Request

You now need to create a certificate request. Create one for each e-mail address you wish to send e-mail from. Execute the following commands …

# openssl genrsa -des3 -out humble_coder.key 4096
# openssl req -new -key humble_coder.key -out humble_coder.csr

and follow the prompts.

Certificate Authority Signs Your Certificate Request

Your personal certificate needs to be signed by your CA. In this case, you!

# openssl x509 -req -days 365 -in humble_coder.csr -CA ca.crt -CAkey ca.key \
  -set_serial 1 -out humble_coder.crt -setalias "Humble Coder's E-Mail Certificate" \
  -addtrust emailProtection \
  -addreject clientAuth -addreject serverAuth -trustout

The output is your signed certificate.

Prepare Your Certificate for Importing into Your Mail Application

You need to convert your certificate from .crt (PEM format, I think) to .p12 (PKCS12 format).

# openssl pkcs12 -export -in humble_coder.crt -inkey humble_coder.key \
  -out humble_coder.p12

You can now import your .p12 formatted certificate into your mail client. In your case, import the .p12 file into the Apple Keychain. Once the certificate is installed correctly, Apple Mail will start using your certificate.

There is an Easier Way

Of course, once you've created your own CA there's an easier way of managing certificates created by your own Certificate Authority. openssl comes with a script named …

# /usr/lib/ssl/misc/CA.pl

which simplifies the process of being your own Certificate Authority. There's even a man page for CA.pl!
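
The four steps above, run end to end as an added example (not the answer's own commands and not the CA.pl script): it also puts explicit restrictions on both certificates, which the later comment about restricting the certificate asks for, so the personal certificate cannot act as a CA or be used for TLS. It assumes the openssl CLI (1.1.1 or later); the directory, subject names and the PKCS#12 passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original answer: the same four steps run
# non-interactively, with explicit X.509 restrictions on each certificate.
# Assumes the `openssl` CLI (1.1.1 or later); names, subjects and the
# passphrase are constructed for the example.
set -eu

# make_smime_cert DIR EMAIL: builds a private CA and one S/MIME certificate in
# DIR for EMAIL, then prints "ok" if the leaf verifies for both S/MIME purposes.
# Runs in a subshell so the cd does not leak into the caller.
make_smime_cert() (
  dir=$1 email=$2
  mkdir -p "$dir"
  cd "$dir"

  # Extension profiles (constructed). The CA may only sign certificates; the
  # personal certificate is not a CA and may only sign and decrypt mail.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > ca.ext
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=emailProtection' "subjectAltName=email:$email" \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' > user.ext

  # 1. Certificate Authority: key, request, self-signed certificate
  openssl genrsa -out ca.key 4096 2>/dev/null
  openssl req -new -key ca.key -out ca.csr -subj '/CN=Example Private CA'
  openssl x509 -req -days 365 -in ca.csr -signkey ca.key -extfile ca.ext \
    -out ca.crt 2>/dev/null

  # 2. Personal key and certificate request for the e-mail address
  openssl genrsa -out user.key 4096 2>/dev/null
  openssl req -new -key user.key -out user.csr \
    -subj "/CN=Humble Coder/emailAddress=$email"

  # 3. The CA signs the request, applying the restrictions from user.ext
  openssl x509 -req -days 365 -in user.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile user.ext -out user.crt 2>/dev/null

  # 4. Bundle key and certificate as PKCS#12 for import into the mail client
  openssl pkcs12 -export -in user.crt -inkey user.key -out user.p12 \
    -passout pass:changeit

  # Check: chains to our CA and is usable for S/MIME signing and encryption
  openssl verify -CAfile ca.crt -purpose smimesign user.crt >/dev/null &&
    openssl verify -CAfile ca.crt -purpose smimeencrypt user.crt >/dev/null &&
    echo ok
)
```

Run it as `make_smime_cert ./smime-demo you@example.com`; the resulting user.p12 is what gets imported into the Keychain, and ca.crt is what recipients must trust.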

Solution 2

Free and signed by a CA: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

Solution 3

As others have said, the answer is obviously yes. You can generate it via openssl, or you can use one of the providers that gives a free x509 email cert.

That being said, the most important question is: what do the people you exchange email with use? I'm active in the Free software community, so most of the people I exchange email with use GPG. The only ones I know of that use S/MIME do so on their work email as a matter of corporate policy.

If the people you're emailing don't use S/MIME, you won't be able to encrypt to them, and they won't be able to verify signed emails.


Updated on September 17, 2022

Comments

  • humble_coder almost 2 years

    I'm having a bit of an issue here. Bear with me as this may be a case of "not asking the right question".

    Background: Using Apple Mail. Want to encrypt/decrypt email but GPGMail (and apparently PGP) isn't supported with Snow Leopard.

    Basically I need to create an S/MIME certificate for use in email encryption. I don't want, nor do I care for a Certificate Authority. I simply want a quick-and-dirty certificate. Is this even possible (using OPENSSL, etc) or does the whole process hinge on a higher authority forcing me to either set up a full-scale CA or deal with a company (e.g. Verisign, Thawte) for a cert? My criteria are instant gratification, and free.

    Best.

    • President James K. Polk over 14 years
      Note that your certificate is used for two purposes in S/MIME. To sign your emails, and to decrypt email sent to you by someone else. To encrypt email to someone else, you'll need their certificate. Typically, email clients are set up out of the box to trust some predetermined set of CAs. If certificates are not signed by one of these, you'll get at least a nasty message and possibly even a non-functioning system.
    • nycynik over 5 years
      I know this is an older comment - but GPGMail is not free for OSX anymore.
  • KevM over 12 years
    In the section Certificate Authority Signs Your Certificate Request, the "-CAKey" argument needs to be "-CAkey" with a lower case 'k' - at least for my version, OpenSSL 1.0.0a 1 Jun 2010.
  • vy32 over 11 years
    I changed -CAKey to -CAkey. This is a really excellent answer, but the side-comment about GPG is unwarranted. S/MIME has many advantages over GPG. Besides wider support, it includes the certificate with each signed message, providing a built-in certificate distribution mechanism.
  • Tobias Kienzler over 11 years
    Don't forget to set some restrictions to the certificate, see security.stackexchange.com/a/30069/3272
  • mhvelplund over 6 years
    Comodo uses the <keygen> tag to let your browser make a CSR without sharing the private key. That doesn't work in most modern browsers (e.g. Chrome 49+).
  • Franklin Yu almost 6 years
    Quote from the page: “Please use Mozilla® Firefox® or Microsoft® Internet Explorer® 8+ to collect your certificate. Email Certificates cannot be collected using Google® Chrome® or Microsoft Edge.” This matches the compatibility table from MDN.
  • nycynik over 5 years
    Works using Safari.
  • user3788685 over 2 years
    This appears to be a paid service only - the link above offers NO FREE certs.