Certificate Download and Installation
In Mail on your iOS device, tap the link provided in your Certificate Activation Link email.
Tap the Generate Certificate button in the web page that opens.
Note: You can choose between RSA and ECDSA with the Algorithm drop-down menu, but ECDSA cannot be used as an email encryption key, so it’s best to leave this set to RSA. You can also click the Show Advanced Options button, which will reveal a drop-down menu for choosing the key size. Finally, checking I have my own CSR will let you use your own certificate signing request and private key rather than generating a new CSR and key.
Scroll down and create a new password at least 6 characters long in the Password field, and then tap the Download button. Remember this password! You will need it when installing your certificate.
Tap Allow on the dialog box that appears, giving permission to download the configuration profile (a file containing your new certificate and private key).
Tap Close on the dialog box indicating that the profile has been downloaded.
Open the Settings app.
Tap Profile Downloaded.
Tap Install. Note: Even though the PFX file contains a certificate issued by SSL.com, a certificate authority trusted in recent iOS devices, you will receive several notices that the certificate is Not Signed in this and the next few steps.
Enter your iOS passcode. This is the passcode you would use to sign into your iOS device, not the password you entered when downloading your certificate.
Note: Installing an S/MIME certificate on iOS requires that you have set a passcode for the device. For information on setting up a passcode, please refer to Apple’s documentation.Tap Install on the warning screen that appears.
Tap the Install button that appears at the bottom of the screen.
Enter the password you created in step 3, then tap Next.
The certificate has been installed. Tap Done.
Now that the certificate has been installed, we need to configure Mail to use it. Go to Settings > Passwords & Accounts.
Tap the account you are setting up to use with S/MIME. In this case we are going to be using a Gmail address that we have previously set up in Mail and purchased the S/MIME certificate to protect.
Tap the line with the email address.
Tap Advanced.
Scroll down to S/MIME.
To sign all outgoing messages, select Sign, then turn the switch to green and return via the <Advanced link.
To encrypt outgoing messages by default, select Encrypt by Default, then turn the switch to green and return via the <Advanced link.
- Tap <Account, then Done.
Sending Signed and Encrypted Email
Your S/MIME certificate is now installed and configured to work with your email account. If you enabled email signing, all outgoing mail will be signed with your S/MIME certificate. If you enter an email address for which you have installed the recipient’s certificate with their public encryption key, you can toggle message encryption with the lock button at the right side of the address line (if the lock is closed, the message will be encrypted).
In this example we have previously installed the recipient’s certificate (see the next section, below) and are sending encrypted mail. Viewing the sent mail in Thunderbird for macOS shows that the message has indeed been signed and encrypted.
Signed and encrypted mail sent from iOS Mail 
Signed and encrypted email received in Thunderbird If you have not installed your recipient’s public key, your message cannot be encrypted, but will still be signed.
Signed, unencrypted email sent with iOS Mail 
Signed, unencrypted mail received in Thunderbird Note: All outgoing mail will be sent using the default S/MIME signing settings for your account in iOS. You cannot choose not to sign email unless you disable this feature in the account settings. As shown above, message encryption can be toggled on and off.
Installing a Recipient’s Certificate and Public Key
In order to send encrypted S/MIME email to a specific email address, your recipient’s certificate with their public key must be installed on your device. The process begins when you receive a signed email from that person. A email message signed with a certificate issued by a trusted certificate authority (CA), such as SSL.com, will have a small blue seal with a check mark to the right of the sender’s address. Tap the sender’s email address.
A screen should appear stating that “The sender signed this message with a trusted certificate.” Tap View Certificate.
Tap Install. Note: Even though Mail previously indicated that the certificate was trusted, there still will be a Not Trusted message above the certificate’s expiration date in this step.
After tapping Install, the message will change to Trusted . Tap Done to finish installing the certificate. After installing the certificate, Mail will automatically allow you to send encrypted email to this address.
