Signing and Encrypting E-mail on Mac OS X 10.6 Using Self-Signed Certificates

A few years ago I wrote about using Thawte’s personal e-mail signing certificates for setting up secure S/MIME encryption with Apple Mail. Well, Thawte, so I understand, is phasing out that service. So, I’ve been wondering how to do self-signing on the Mac to set up S/MIME encrypted e-mails. This evening, I found out.

Credit where it is due: James Walker’s post on how to set up self-signed certificates for e-mail with OS 10.4. His post gave me a few steps to follow that I’m  just updating here to match what is needed for Mac OS 10.6.

Create your certificate

Open up Keychain Access. This is an application in your Applications/Utilities directory. (It is faster to just hit command+spacebar to open Spotlight, then enter keych, and hit the enter key when Keychain Access appears highlighted.)

Click on the Keychain Access menu, hover over the Certificate Assistant option, and then select Create a Certificate….

Create Your Certificate in Apple's Certificate Assistant window

Here are a few details to note about the Create  Your Certificate options.

  • You might want to add an e-mail descriptor to the name field. E.g., Davin Granroth (gmail).
  • Go with Self-Signed Root and S/MIME (Email).
  • By default, the certificate will be valid for a year. If you want to extend that a bit, you need to check the Let me override defaults checkbox. You’ll get to make changes after you click the Continue button.
  • If you need a certificate for your non-primary e-mail account, you’ll need to check the Let me override defaults box for that too.

If you checked the override box, you’ll eventually see a series of Extension windows. Just go with the default values. Apple figures out what you need based on the first screen where you chose the certificate type.

Continue and you’ll see a window with your new certificate information in it. Congratulations!

Certificate Assistant window showing the newly minted cert. It also says: This root certificate is not trusted.

Now if you could only trust that certificate.

Trusting your certificate

If you haven’t already, click the Done button to close that Certificate Assistant window. Now, back in Keychain Access, click on the My Certificates category on the right of the main Keychain Access window.

You’ll see your new certificate listed with a little white X in a red circle on the icon. That indicates the certificate is not trusted. Double-click on the certificate, and a new window will open with details of the certificate.

Certificate window with Always Trust selected.

Near the top of that window you’ll notice the word Trust with a little triangle to the left of it. Click the triangle to twist open the Trust options.

In the When using this certificate select list, select Always Trust. Then close that window. You’ll be prompted for your administrator password. Enter it, and you should be all set. Your new certificate should now be trusted.

Sending signed or encrypted e-mails

At this point, if you restart Apple Mail, you’ll notice a new option available when you compose a message.

Compose message with sign and s/mime options
The check icon indicates that your signed certificate will be included in the message. Once you've exchanged signed certs with your recipient, you'll be able to exchange S/MIME encrypted messages.

For more on exchanging signed or encrypted e-mails, see James Walker’s article. Scroll down to the section on Exchanging Signed or Encrypted E-mail.

Why would you want to send encrypted e-mails?

Hah! “Why wouldn’t you want to,” is the better question. Actually, if you send or receive sensitive information like usernames and passwords, legal information, or confidential business information, you might really want to consider this.

The trick is getting the person you exchange these messages with to also set up S/MIME on their end of the e-mail.

DSS.MIL is not to be trusted

Unsigned cert warning at website
Unsigned cert warning at website

It’s funny that the Defense Security Service (Provides security services to the Department of Defense and defense contractors. Mostly counter-espionage and physical security tasks.) homepage triggers an SSL certificate error. Is that some sort of first lesson: TRUST NO ONE! Heh.

Overview of PGP, S/MIME and the evolving versions of secure e-mail

I just read an article by Jim Galvin, published March of 2000 in Information Security Magazine, (IN)SECURITY FROM END TO END.

The article provides an overview of the origination of secure e-mail and how the technologies have changed over the years. It also provides context for digital signatures, e-mail certificates, and PGP versus S/MIME.

Here’s an excerpt from the article:

PGP vs. S/MIME, S/MIME vs. PGP. On the one hand, it really doesn’t matter which of the two technologies you choose. From a user’s perspective, both provide the same set of security services, and neither really has any significant advantage over the other. On the other hand, the fact that there are two choices naturally raises the question of interoperability.

Securing e-mail

Every once in a while, I get e-mails from server admins with host connection information. This tends to get under my skin, though I admit to sending similar information from time to time. The thing is, e-mail is so darned good at delivering this kind of information. The problem, of course, is that e-mail is typically not secure. So, sending information like user names, passwords or other information like social security numbers or banking information via e-mail can be a pretty serious risk.

So, today when I received yet more user names and passwords via e-mail, and then needed to pass that information on to a person I work with, I figured it was as good a time as any to look into securing e-mail.

I’ve known about PGP, but have had issues getting it working in former versions of Apple’s Mail application. So, upon Googling for apple mail encryption or some-such phrase, I found a few helpful resources.

The first link above is a walk-through on getting S/MIME set up with Apple Mail. S/MIME seems to be an alternative to PGP. The short story is that I went ahead and got a certificate from Thawte, installed it into a special keychain on the Mac, sent a signed message to my co-worker while he was doing the same. Now we have each other’s public keys stored in our respective programs and we each have our own private keys, so we can send signed and encrypted e-mail to each other.

So, from here on out, I have a safer way of sending sensitive information to some select people.

And, I need to give credit to Apple’s Mail application. While getting the certificates and keychain access all worked out wasn’t the most straightforward task (it wasn’t hard though), now that it is set up, signing and encrypting messages is very easy.

Securing the Mac 10.4 laptop

I talked with a guy from the MSU Computer Store this morning about getting Norton AntiVirus or Internet Security for the Mac laptop I’ve been using. His recommendation is to just get AntiVirus 10 for the Mac and change a few settings on the laptop.

Here are his recommendations:

  • Turn off Bluetooth, Discoverable, so that random Bluetooth enabled devices won’t see the laptop.
  • Turn on the systems’s Firewall in System Preferences
  • Install Norton AntiVirus and keep it updated

Just a note, I’ve been using Macs for years, and the last virus I had on a Mac was in 1995 and it was a Word Macro virus. Highly irritating, but it did very little damage.

That said, I’m sure the day will come when a virus will rip through the Mac world and play havoc with all of the unprotected Macs out there.