Installing an S/MIME Certificate and Sending Secure Email in Outlook on macOS

These instructions detail how to install an S/MIME certificate in macOS and use it to send secure email messages with Microsoft Outlook.

Download and install your S/MIME certificate

1. Download a PKCS#12 file with your certificate from your SSL.com account by clicking the link supplied in your Certificate Activation Link email and following the on-screen instructions in your web browser. You will be prompted to enter a password before downloading the file.

   Note: when downloading your certificate it is possible to choose between the RSA and ECDSA algorithms via the Algorithm drop-down menu. However, ECDSA keys cannot be used for email encryption, so it’s best to leave this set to RSA.
2. In the Finder, double-click the PKCS#12 file to open the Keychain Access application (The filename extension is .p12). Alternately, you can drag the file to Keychain Access, located at /Applications/Utilities/Keychain Access.app, or open Keychain Access, select File >> Import Items… from the drop-down menus, then navigate to the file.
3. When prompted, enter the password you used when retrieving the PKCS#12 file from SSL.com.
   
4. The certificate is now installed on your computer and is available for use by Apple Mail and other applications.
   

Configure Outlook

1. Open Outlook and select Tools > Accounts from the menu.
   
2. Select the account your certificate covers, then click the Advanced button.
   
3. Click the Security tab.
   
4. Choose the certificate you want to use for signing from the Certificate drop-down menu under Digital Signing. Note that if you are using an S/MIME certificate installed on a YubiKey, you can choose that key for signing. If so, make sure that the YubiKey is plugged into the computer when sending signed email.
   
5. Choose your default email signing preferences. It is recommended to check all three boxes.
   
6. Next, choose a certificate for encryption from the Certificate menu under Encryption. For most users, you can use the same certificate you selected for signing. If you are signing with an S/MIME certificate on a YubiKey, you will need to install a separate S/MIME certificate for encryption. Please read this how-to for more information.
   
7. Use the checkbox labeled Encrypt outgoing messages to set your default encryption preferences. Since you can only send an encrypted message to a person if you have their public key, it makes more sense to leave this unchecked.
   
8. Click the OK button to save your preferences.
   
9. Close the Accounts window.
   

Send secure mail

1. Create a new message in Outlook. Note that if you set your preferences to sign email by default, you will see a message saying that “This message will be digitally signed.”
   
   
2. If you want to change the digital signature and encryption settings for the message, select the Options tab, then use the Encrypt and Sign buttons to toggle these features on and off. 
   
3. If you try to send an encrypted message to an email address that you do not yet have a public key for, Outlook will present a warning dialog allowing you to send the message unencrypted. To exchange public keys with another person, simply exchange signed, unencrypted email messages.
   
4. The first time you sign a message in Outlook with a private key installed in Keychain Access, macOS will prompt you for permission. Enter your macOS login password, then click the Always Allow button so that the OS will remember your decision. Note that if you are using a Business Identity certificate installed on a YubiKey you will be prompted for your PIN.