A few years ago I wrote about using Thawte’s personal e-mail signing certificates for setting up secure S/MIME encryption with Apple Mail. Well, Thawte, so I understand, is phasing out that service. So, I’ve been wondering how to do self-signing on the Mac to set up S/MIME encrypted e-mails. This evening, I found out.
Credit where it is due: James Walker’s post on how to set up self-signed certificates for e-mail with OS 10.4 gave me a few steps to follow, which I’m just updating here to match what is needed for Mac OS 10.6.
Create your certificate
Open up Keychain Access. This is an application in your Applications/Utilities directory. (It is faster to just hit command+spacebar to open Spotlight, then enter keych, and hit the enter key when Keychain Access appears highlighted.)
Click on the Keychain Access menu, hover over the Certificate Assistant option, and then select Create a Certificate….
Here are a few details to note about the Create Your Certificate options.
- You might want to add an e-mail descriptor to the name field. E.g., Davin Granroth (gmail).
- Go with Self-Signed Root and S/MIME (Email).
- By default, the certificate will be valid for a year. If you want to extend that a bit, you need to check the Let me override defaults checkbox. You’ll get to make changes after you click the Continue button.
- If you need a certificate for your non-primary e-mail account, you’ll need to check the Let me override defaults box for that too.
If you checked the override box, you’ll eventually see a series of Extension windows. Just go with the default values. Apple figures out what you need based on the first screen where you chose the certificate type.
Continue and you’ll see a window with your new certificate information in it. Congratulations!
Now if you could only trust that certificate.
Trusting your certificate
If you haven’t already, click the Done button to close that Certificate Assistant window. Now, back in Keychain Access, click on the My Certificates category on the right of the main Keychain Access window.
You’ll see your new certificate listed with a little white X in a red circle on the icon. That indicates the certificate is not trusted. Double-click on the certificate, and a new window will open with details of the certificate.
Near the top of that window you’ll notice the word Trust with a little triangle to the left of it. Click the triangle to twist open the Trust options.
In the When using this certificate select list, select Always Trust. Then close that window. You’ll be prompted for your administrator password. Enter it, and you should be all set. Your new certificate should now be trusted.
Sending signed or encrypted e-mails
At this point, if you restart Apple Mail, you’ll notice a new option available when you compose a message.
For more on exchanging signed or encrypted e-mails, see James Walker’s article. Scroll down to the section on Exchanging Signed or Encrypted E-mail.
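An added example, not code from this post or from Keychain Access: the same certificate built from the command line with openssl, followed by the two checks you would want afterwards (that the certificate carries the S/MIME extensions, and that a message signed with it verifies when that certificate is the only one trusted, the command-line counterpart of Always Trust). The e-mail address, display name and output directory are assumed values.

```shell
#!/bin/sh
# Added example (not from the original post): the openssl command-line
# equivalent of the Keychain Access "Self-Signed Root" + "S/MIME (Email)"
# choices described above; e-mail address, name and paths are assumptions.
set -e

# Generate an RSA key and a self-signed certificate usable for S/MIME.
# Usage: make_smime_cert <dir> <email> <display name> [validity in days]
make_smime_cert() {
  dir="$1"; email="$2"; cn="$3"; days="${4:-365}"  # 365 = the one-year default
  mkdir -p "$dir"
  cat > "$dir/smime.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = smime
prompt = no
[dn]
CN = $cn
emailAddress = $email
[smime]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$dir/smime.cnf" -keyout "$dir/smime.key" -out "$dir/smime.crt" \
    >/dev/null 2>&1
}

# Print the value of one X.509v3 extension from the certificate's text dump.
cert_ext() {
  openssl x509 -in "$1" -noout -text | grep -A1 "$2" | tail -n 1 | sed 's/^ *//'
}

# Sign a constructed message with the certificate, then verify it while trusting
# only that certificate (the command-line counterpart of "Always Trust").
sign_and_verify() {
  dir="$1"
  printf 'Subject: test\n\nhello\n' > "$dir/msg.txt"
  openssl smime -sign -in "$dir/msg.txt" -signer "$dir/smime.crt" \
    -inkey "$dir/smime.key" -out "$dir/msg.p7m"
  if openssl smime -verify -in "$dir/msg.p7m" -CAfile "$dir/smime.crt" \
       -out /dev/null >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

out=$(mktemp -d)   # constructed run with assumed values
make_smime_cert "$out" "user@example.com" "Example User (gmail)" 730
echo "EKU: $(cert_ext "$out/smime.crt" 'Extended Key Usage')"
echo "signature check: $(sign_and_verify "$out")"
```

The resulting smime.crt and smime.key can be combined into a .p12 with openssl pkcs12 and imported into Keychain Access, where it still has to be marked trusted as described above.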
Why would you want to send encrypted e-mails?
Hah! “Why wouldn’t you want to?” is the better question. Actually, if you send or receive sensitive information like usernames and passwords, legal information, or confidential business information, you might really want to consider this.
The trick is getting the person you exchange these messages with to also set up S/MIME on their end of the e-mail.