
Using S/MIME on iOS 5

54017 Views 67 Replies Latest reply: Jan 31, 2014 12:57 PM by MacJunkie76
  • markmaus Level 1 (0 points)
    Oct 26, 2011 4:53 AM (in response to butterscrack)

    Not if you mean the exact OID 1.2.840.113549.1.9.15 for S/MIME capabilities. Even the working one doesn't contain this OID. They both only contain the OID 1.3.6.1.5.5.7.3.4, which stands for purpose "Email protection".

  • butterscrack
    Nov 1, 2011 9:18 PM (in response to James Ferguson)

    Ok, here is how I solved my problem.

    We have our own CA, right, where we can alter and do stuff however we please, and it turns out that to make the certificate work for iOS you need to add in the line in openssl.cfg:

    [ v3_req ]
    basicConstraints               = CA:FALSE
    subjectKeyIdentifier           = hash
    keyUsage                       = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

    After this I could choose the certificate issued to me with no problems; it was available to pick for signing and encryption and all is good.

    Hopefully someone will get help from this.
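
As an added example (not part of the original post, and not Apple's or OpenSSL's code): a small Python check that reads the extensions section of `openssl x509 -noout -text` output and reports whether the key usages from the `[ v3_req ]` section above are present for signing and encryption. The sample text, the E-mail Protection EKU in it, and the function names are constructed for illustration.

```python
# Added example. SAMPLE is constructed: the extensions part of
# "openssl x509 -noout -text" output, with an assumed emailProtection EKU.
SAMPLE = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                E-mail Protection
    Signature Algorithm: sha1WithRSAEncryption
"""

def parse_extensions(text):
    """Map each extension name to its list of value lines."""
    exts, name, name_indent, hdr_indent = {}, None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if hdr_indent is None:
            if line.strip() == "X509v3 extensions:":
                hdr_indent = indent
            continue
        if indent <= hdr_indent:
            break                               # left the extensions block
        if name_indent is None or indent <= name_indent:
            name_indent = indent
            name = line.strip().split(":")[0]   # drops a trailing "critical"
            exts[name] = []
        else:
            exts[name].append(line.strip())
    return exts

def smime_readiness(text):
    """Report which S/MIME roles the certificate's extensions allow."""
    exts = parse_extensions(text)
    def items(ext):
        lines = exts.get(ext)
        return None if lines is None else {v.strip() for l in lines for v in l.split(",")}
    ku, eku = items("X509v3 Key Usage"), items("X509v3 Extended Key Usage")
    return {
        # RFC 5280 treats a missing keyUsage as unrestricted; presence is
        # reported separately because the post says iOS needed the line.
        "key_usage_present": ku is not None,
        "sign": ku is None or bool(ku & {"Digital Signature", "Non Repudiation"}),
        "encrypt": ku is None or bool(ku & {"Key Encipherment", "Key Agreement"}),
        "email_protection_eku": eku is not None and "E-mail Protection" in eku,
    }
```

Feed it the text output of the certificate exported from your own CA; a result with `key_usage_present` false matches the situation the post describes before the `keyUsage` line was added.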

  • nathaniel.be
    Nov 2, 2011 8:12 AM (in response to James Ferguson)

    I followed the instructions to export the .p12 file from 'My Certificates' and it worked, or at least I thought it did.  My certificate shows up under the available certs (as trusted) in the S/MIME settings and finally allows me to select it.  However, the whole process seems to fall apart when I send a message. 

     

    When I sent a message to an iCloud account, it doesn't say signed or anything, it just attaches an smime.p7s file to the message.

     

    When I send a message to another email account that uses Exchange/Outlook, there isn't even an attachment, just a plain old text-only email.

     

    This is not the case when I send from my Mac Mail on my iMac.  In that case, everything works perfectly whether the message is being received on Mail, Outlook or even Gmail.

     

    I have to think that this has something to do with the way iOS sends messages, maybe they only send via plain text or something.  Maybe iOS 5 isn't really ready to support certificates at all?

  • Gino Cerullo Level 4 (1,370 points)
    Nov 2, 2011 8:24 AM (in response to nathaniel.be)

    iOS 5 has proper support for certificates.

     

    On the iPhone did you turn on S/MIME support for the specific email account? You'll have to go into the advanced settings for the account. There you will also find additional settings to indicate whether you want the certificate to be used for signing and encryption.

     

    Try sending yourself a signed message from your iMac but open it on the iPhone.

  • nathaniel.be Level 1 (35 points)
    Nov 2, 2011 8:36 AM (in response to Gino Cerullo)

    Gino...Yes, that is how I turned on S/MIME support for the email account in question.  I don't think it would even attach the smime.p7s file if I hadn't.  And I did double check, the advanced settings for the email account in question show S/MIME as ON and Sign & Encrypt both say 'Yes'...and the certificate is checked.

     

    Sending from my iMac works perfectly, even receiving on my iPhone or iPad.  It's only sending from the iOS device that doesn't work correctly.

  • nathaniel.be Level 1 (35 points)
    Nov 2, 2011 9:32 AM (in response to nathaniel.be)

    I'm gonna have to back off my original comments.  As it turns out, it is not a problem with iOS 5, but rather with the Premier Edition of Google Apps when using the Active Sync connector.  Switching to the IMAP version of Google Apps rather than the Exchange version fixed the problem....no more p7s files, and the outgoing messages signed properly.

     

    Hope this helps somebody that is dealing with the same frustration.

  • Jimmereeno
    Nov 3, 2011 2:04 AM (in response to FABU)

    Guys, thanks a lot for the helpful topic here. I just have one remaining problem with my secure mail. I can read and write encrypted messages from/to Mac OS clients with my iPad 2 on iOS 5, but can't read encrypted messages sent by colleagues using Windows. Any suggestions? Thank you!

  • Gino Cerullo Level 4 (1,370 points)
    Nov 3, 2011 5:54 AM (in response to Jimmereeno)

    Tell us more about the Windows environment. What email client are they using on Windows and what type of server are they relaying through? The more info we have, the better the chance of someone coming up with a solution.

     

    Can you read the same message fine on your Mac that is unreadable on the iPad?

  • Jimmereeno Level 1 (0 points)
    Nov 3, 2011 9:01 AM (in response to Gino Cerullo)

    All of them use MS Outlook as mail client. Server is MS Exchange Server 2010. We have PC, Mac and mobile clients that use the same e-mail infrastructure. Of course it works on my Mac and I can read all encrypted messages using my certificate. Thank you.

  • Matt Hardy Level 1 (135 points)
    Nov 29, 2011 3:39 AM (in response to FABU)

    After receiving the cert on the Mac, I can right-click the cert in Keychain and export to .p12, but you must remember to add a password. (We now know that the iPhone cannot just receive the Comodo cert from the Comodo site as it's the wrong format...)

    Once in .p12 format, email to iPhone, click on cert, go to install, enter cert password.

    Then it's installed.

    Then under S/MIME, turn on signed + encrypt and you are, as Fabu writes, good to go...

  • AcePair
    Apr 10, 2012 4:32 AM (in response to Jimmereeno)

    Hi,

     

    I now too have the problem that I can read the email messages just fine on my Mac, but not on the iPhone. The mail messages come from the Windows Mail app. And I really don't see why my iPhone keeps telling me: "This message is encrypted. Install a profile with your encryption identity to decrypt that message."

     

    To test that my certs work, I send myself an encrypted message and yep, I can read it. So does anyone have an idea?

  • KwaXi
    Apr 12, 2012 1:31 AM (in response to butterscrack)

    Hi, this is a list of the X509v3 extensions in the CAcert.org root certificate. The CA:TRUE extension is there, but the certificate isn't detected as root certificate when importing (on iOS 5.1).

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
            X509v3 Authority Key Identifier:
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
                DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
                serial:00
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:https://www.cacert.org/revoke.crl
            Netscape CA Revocation Url:
                https://www.cacert.org/revoke.crl
            Netscape CA Policy Url:
                http://www.cacert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.cacert.org

    I've seen these extensions in root certificates of some other CAs which are missing from CAcert.org's root certificate:

        X509v3 Key Usage:
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Certificate Sign, CRL Sign

    Perhaps these are the relevant extensions. Can anybody confirm this?

  • marcelkraan Level 1 (5 points)
    Jun 17, 2012 1:05 PM (in response to Gino Cerullo)

    This is the point. I got it now.

    You need to install the recipient's cert first..

     

    Easy haha

  • KwaXi Level 1 (0 points)
    Jun 17, 2012 11:39 PM (in response to James Ferguson)

    It shouldn't be necessary to trust the sender's certificate directly; this is why root certificates of CAs are used.

  • marcelkraan Level 1 (5 points)
    Jun 18, 2012 5:25 AM (in response to KwaXi)

    Yes, but on the iPhone you MUST accept/trust/install it manually.

    This is maybe old-skool but it's the only way!!  Maybe iOS 6 and then it's automated?

     

    ??
