Installing an S/MIME Certificate and Sending Secure Email in iOS 12

This how-to will walk you through installing and using an S/MIME certificate to send signed and encrypted email in Apple’s Mail app on your iPhone or iPad. These procedures were tested on an iPhone 7 running iOS 12.

Contents:

Certificate Download and Installation

Note: While it is generally a better security practice to generate a private key on the device where it will be installed (as shown in this how-to), you can also use email or Apple’s AirDrop feature to send a PFX file containing your certificate and private key to the device. In this case you can either follow steps 1-3 below on your laptop or desktop computer to initially retrieve the file, or export a PFX file from an existing certificate and private key on your computer (for Apple, computers, please see this how-to on exporting PFX files from Keychain Access). Using AirDrop to send the file or tapping an attached PFX in an email message will bring you to step 5, below.

1. In Mail on your iOS device, tap the link provided in your Certificate Activation Link email.

Certificate Activation Link

 

2. Tap the Generate Certificate button in the web page that opens.

Note: If you want to specify the algorithm, you can choose between RSA and ECDSA with the Algorithm drop-down menu. You can also click the Show Advanced Option button, which will reveal a drop-down menu for choosing the key size. Finally, checking I have my own CSR will let you use your own certificate signing request and private key rather than generating a new CSR and key.

Generate Certificate

 

3. Scroll down and create a new password at least 6 characters long in the Password field, and then tap the Download button. Remember this password! You will need it when installing your certificate.

Create password and download

 

4. Tap Allow on the dialog box that appears, giving permission to download the configuration profile (a file containing your new certificate and private key).

Allow

 

5. Tap Close on the dialog box indicating that the profile has been downloaded.

Profile Downloaded

 

6. Open the Settings app.

Settings

 

7. Tap Profile Downloaded.

Profile Downloaded

 

8. Tap InstallNote: Even though the PFX file contains a certificate issued by SSL.com, a certificate authority trusted in recent iOS devices, you will receive several notices that the certificate is Not Signed in this and the next few steps.

Install

 

9. Enter your iOS passcode. This is the passcode you would use to sign into your iOS device, not the password you entered when downloading your certificate.

Note: Installing an S/MIME certificate on iOS requires that you have set a passcode for the device. For information on setting up a passcode, please refer to Apple’s documentation.

 

Enter Passcode

 

10. Tap Install on the warning screen that appears.

Install

 

11. Tap the Install button that appears at the bottom of the screen.

Install

 

12. Enter the password you created in step 3, then tap Next.

Enter Password

 

13. The certificate has been installed. Tap Done.

Done

 

14. Now that the certificate has been installed, we need to configure Mail to use it. Go to Settings > Passwords & Accounts.

Passwords & Accounts

 

15. Tap the account you are setting up to use with S/MIME. In this case we are going to be using a Gmail address that we have previously set up in Mail and purchased the S/MIME certificate to protect.

Select account

 

16. Tap the line with the email address.

Gmail account

 

17. Tap Advanced.

Advanced

 

18. Scroll down to S/MIME.

S/MIME

 

19. To sign all outgoing messages, select Sign, then turn the switch to green and return via the <Advanced link.

Sign

 

20. To encrypt outgoing messages by default, select Encrypt by Default, then turn the switch to green and return via the <Advanced link.

Encrypt by Default

 

21. Tap <Account, then Done.
Account

 Done

Sending Signed and Encrypted Email

1. Your S/MIME certificate is now installed and configured to work with your email account. If you enabled email signing, all outgoing mail will be signed with your S/MIME certificate. If you enter an email address for which you have installed the recipient’s certificate with their public encryption key, you can toggle message encryption with the lock button at the right side of the address line (if the lock is closed, the message will be encrypted).

Lock button

 

2. In this example we have previously installed the recipient’s certificate (see the next section, below) and are sending encrypted mail. Viewing the sent mail in Thunderbird for macOS shows that the message has indeed been signed and encrypted.

Signed and encrypted email
Signed and encrypted mail sent from iOS Mail
Signed and encrypted email
Signed and encrypted email received in Thunderbird

 

3. If you have not installed your recipient’s public key, your message cannot be encrypted, but will still be signed.

Unencrypted message
Signed, unencrypted email sent with iOS Mail
Signed, unencrypted mail
Signed, unencrypted mail received in Thunderbird
Note: All outgoing mail will be sent using the default S/MIME signing settings for your account in iOS. You cannot choose not to sign email unless you disable this feature in the account settings. As shown above, message encryption can be toggled on and off.

Installing a Recipient’s Certificate and Public Key

1. In order to send encrypted S/MIME email to a specific email address, your recipient’s certificate with their public key must be installed on your device. The process begins when you receive a signed email from that person. A email message signed with a certificate issued by a trusted certificate authority (CA), such as SSL.com, will have a small blue seal with a check mark to the right of the sender’s address. Tap the sender’s email address.

 

2. A screen should appear stating that “The sender signed this message with a trusted certificate.” Tap View Certificate.

View Certificate

 

3. Tap InstallNote: Even though Mail previously indicated that the certificate was trusted, there still will be a Not Trusted message above the certificate’s expiration date in this step.

Install

 

4. After tapping Install, the message will change to Trusted ✓. Tap Done to finish installing the certificate. After installing the certificate, Mail will automatically allow you to send encrypted email to this address.

Done

Thank you for choosing SSL.com! If you have any questions, please feel free to email us at Support@SSL.com, call 1-877-SSL-Secure, or just click the chat link at the bottom right of this screen.