User experience, web, technology

Signing and Encrypting E-mail on Mac OS X 10.6 Using Self-Signed Certificates

A few years ago I wrote about using Thawte’s personal e-mail signing certificates for setting up secure S/MIME encryption with Apple Mail. Well, Thawte, so I understand, is phasing out that service. So, I’ve been wondering how to do self-signing on the Mac to set up S/MIME encrypted e-mails. This evening, I found out.

Credit where it is due: James Walker’s post on how to set up self-signed certificates for e-mail with OS 10.4. His post gave me a few steps to follow that I’m just updating here to match what is needed for Mac OS 10.6.

Create your certificate

Open up Keychain Access. This is an application in your Applications/Utilities directory. (It is faster to just hit command+spacebar to open Spotlight, then enter keych, and hit the enter key when Keychain Access appears highlighted.)

Click on the Keychain Access menu, hover over the Certificate Assistant option, and then select Create a Certificate….

Create Your Certificate in Apple's Certificate Assistant window

Here are a few details to note about the Create Your Certificate options.

  • You might want to add an e-mail descriptor to the name field. E.g., Davin Granroth (gmail).
  • Go with Self-Signed Root and S/MIME (Email).
  • By default, the certificate will be valid for a year. If you want to extend that a bit, you need to check the Let me override defaults checkbox. You’ll get to make changes after you click the Continue button.
  • If you need a certificate for your non-primary e-mail account, you’ll need to check the Let me override defaults box for that too.

If you checked the override box, you’ll eventually see a series of Extension windows. Just go with the default values. Apple figures out what you need based on the first screen where you chose the certificate type.

Continue and you’ll see a window with your new certificate information in it. Congratulations!

Certificate Assistant window showing the newly minted cert. It also says: This root certificate is not trusted.

Now if you could only trust that certificate.

Trusting your certificate

If you haven’t already, click the Done button to close that Certificate Assistant window. Now, back in Keychain Access, click on the My Certificates category on the right of the main Keychain Access window.

You’ll see your new certificate listed with a little white X in a red circle on the icon. That indicates the certificate is not trusted. Double-click on the certificate, and a new window will open with details of the certificate.

Certificate window with Always Trust selected.

Near the top of that window you’ll notice the word Trust with a little triangle to the left of it. Click the triangle to twist open the Trust options.

In the When using this certificate select list, select Always Trust. Then close that window. You’ll be prompted for your administrator password. Enter it, and you should be all set. Your new certificate should now be trusted.

Sending signed or encrypted e-mails

At this point, if you restart Apple Mail, you’ll notice a new option available when you compose a message.

Compose message with sign and S/MIME options

The check icon indicates that the message will be signed and that your certificate will be included in it. Once you've exchanged signed messages (and so certificates) with your recipient, you'll be able to exchange S/MIME encrypted messages.

For more on exchanging signed or encrypted e-mails, see James Walker’s article. Scroll down to the section on Exchanging Signed or Encrypted E-mail.

Why would you want to send encrypted e-mails?

Hah! “Why wouldn’t you want to,” is the better question. Actually, if you send or receive sensitive information like usernames and passwords, legal information, or confidential business information, you might really want to consider this.

The trick is getting the person you exchange these messages with to also set up S/MIME on their end of the e-mail.


Overview of PGP, S/MIME and the evolving versions of secure e-mail

I just read an article by Jim Galvin, published March of 2000 in Information Security Magazine, (IN)SECURITY FROM END TO END.

The article provides an overview of the origination of secure e-mail and how the technologies have changed over the years. It also provides context for digital signatures, e-mail certificates, and PGP versus S/MIME.

Here’s an excerpt from the article:

PGP vs. S/MIME, S/MIME vs. PGP. On the one hand, it really doesn’t matter which of the two technologies you choose. From a user’s perspective, both provide the same set of security services, and neither really has any significant advantage over the other. On the other hand, the fact that there are two choices naturally raises the question of interoperability.


Securing e-mail

Every once in a while, I get e-mails from server admins with host connection information. This tends to get under my skin, though I admit to sending similar information from time to time. The thing is, e-mail is so darned good at delivering this kind of information. The problem, of course, is that e-mail is typically not secure. So, sending information like user names, passwords or other information like social security numbers or banking information via e-mail can be a pretty serious risk.

So, today when I received yet more user names and passwords via e-mail, and then needed to pass that information on to a person I work with, I figured it was as good a time as any to look into securing e-mail.

I’ve known about PGP, but have had issues getting it working in former versions of Apple’s Mail application. So, upon Googling for apple mail encryption or some-such phrase, I found a few helpful resources.

The first link above is a walk-through on getting S/MIME set up with Apple Mail. S/MIME seems to be an alternative to PGP. The short story is that I went ahead and got a certificate from Thawte, installed it into a special keychain on the Mac, sent a signed message to my co-worker while he was doing the same. Now we have each other’s public keys stored in our respective programs and we each have our own private keys, so we can send signed and encrypted e-mail to each other.

So, from here on out, I have a safer way of sending sensitive information to some select people.

And, I need to give credit to Apple’s Mail application. While getting the certificates and keychain access all worked out wasn’t the most straightforward task (it wasn’t hard though), now that it is set up, signing and encrypting messages is very easy.


Email or e-mail?

Searched Google for “email” and got 802,000,000 results.

Searched Google for “e-mail” and got 1,300,000,000 results. But I also got Google’s “Did you mean: email?” prompt, which suggests that Google, at least, has “email” as the preferred term with “e-mail” as a variant.

I almost always write “email,” but when I think about it, putting in the hyphen makes sense to me. But then, our language is changing, and probably the version without the hyphen is already accepted as proper English.

Down to FIVE messages in my inbox

Over the last half hour, I went from 328 to 5 messages in my email inbox.


Sort or search your email?

So, my inbox has 294 messages in it right now. When it gets to around 500 or so I usually go on a crusade to bring it to under 100. This involves throwing messages into folders and deleting lots and lots of no longer important ones that I won’t need.

So, this concept of not using folders to organize email is intriguing to me. I do this already within the folders, like if I’m only looking for messages from an individual, or sometimes I’ll do a subject or body search within folders if I have a sense of what I’m looking for. Why wouldn’t I just do that all the time, in one huge inbox?

Here’s a big old discussion about searching through email archives.