
Using S/MIME on iOS 5

53873 Views 67 Replies Latest reply: Jan 31, 2014 12:57 PM by MacJunkie76
  • Kiwimacca Level 1 Level 1 (0 points)
    Aug 11, 2012 12:04 AM (in response to FABU)

    Just wanted to say that this worked great!  Thanks for the advice.

    To all the Apple Employees who may be reading this out there, there has to be a better way of setting up S/MIME on the iPhone.  I mean, it's great that it is supported, but the implementation is really unintuitive and complicated.  I thought we were meant to be making things simpler and cooler here?

    People shouldn't have to come to an Apple Support forum to figure out how to do this, is all I'm saying.

    MacBook Pro, OS X Mountain Lion
  • Scotch_Brawth Level 3 Level 3 (800 points)
    Aug 14, 2012 5:08 PM (in response to Kiwimacca)

    I've successfully used iPhone Configuration Utility on Mountain Lion to install StartCom root and intermediate certificates along with my free StartSSL S/MIME certificate and private key.  It shows up as trusted, and I can turn on S/MIME along with Sign and Encrypt.  Under both of these it displays the correct certificate with the email address it was assigned with.  All good so far.

    But: when I attempt to send an email from Mail, it shows "Encrypted" for the _wrong_ email address!  The email account is iCloud, and the certificate is for one of my aliases, but the encryption only shows up for the default iCloud address.  If I change the "From" to the email address the certificate is actually issued for, no encryption or signing is done.  Anyone seen that before?

    Another thing is that turning on "Sign" but leaving "Encrypt" off results in no signing being done for _any_ of the iCloud email addresses, least of all the one that _should_ be signed.  I sent several emails to a web-based email provider but there was no sign of any signing-related attachments, just the plain text of the email.

    Just to confirm: the certificate works just fine with Mail.app on ML.

  • Scotch_Brawth Level 3 Level 3 (800 points)
    Aug 15, 2012 5:44 PM (in response to Scotch_Brawth)

    Just to follow up: I removed the profile I used to install my cert and followed the hint here instead:

    https://forum.startcom.org/viewtopic.php?f=15&t=2365

    Basically, installing certs using Safari to navigate to a secure site containing them.

    Whilst this method doesn't require the installation of the StartCom root and intermediate certs, the same problem arises in practice: encryption appears for the wrong email address, and signing appears for none.

    This is a brand-new non-jailbroken iPhone 4S.  What the smeg is going on here?

  • viewport Calculating status...
    Mar 29, 2013 9:54 AM (in response to butterscrack)

    butterscrack wrote:

        Ok, here is how I solved my problem.

        We have our own CA right where we can alter and do stuff however we please, and it turns out to make the certificate work for iOS you need to add in the line in openssl.cfg:

        [ v3_req ]
        basicConstraints               = CA:FALSE
        subjectKeyIdentifier           = hash
        keyUsage                       = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

        After this I could choose the certificate issued to me with no problems, it was available to pick for signing and encryption and all is good.

        Hopefully someone will get help from this.

    This doesn't work anymore (not that I ever saw it work). Perhaps iOS 6 has strictly forbidden the use of self-signed CAs and certs?

    I've been using Thunderbird and Google Apps for a long time now, never had this many problems with OpenSSL and self-signed certs. That is to get the question of "did you flip a wrong switch" out of the way.

    I've resorted to packing an Ultrabook with me at all times. Very soon now, I'll be switching to Samsung and Android, completely dumping all my MacBooks, iPads and Apple-related equipment. Heck, even composing and writing orchestral scores on Windows is getting easier, so I see no more reason to stick with Apple.

    I'm pretty sure Apple will bounce back as a productivity tool after it has managed to take over Xbox and PS. Maybe. Gotta go with Android for work. Oh well.

  • schluej Calculating status...
    Jun 16, 2013 12:29 PM (in response to Scotch_Brawth)

    Hello,

    go here: http://www.startssl.com/certs/

    and go to the folder class? (? = class number of your certificate).

    Now choose your SHA version folder, choose your format and take the "sub.class?.client.sha?.ca.pem".

    Now you get a trusted certificate.

    Regards

    Joern

  • imercado Calculating status...
    Jul 15, 2013 9:03 AM (in response to viewport)

    Hey, guys. I was really motivated to get this working across these four platforms: iOS 6, Mac Mail (OS X 10.6.8), Outlook Mac 2011, Outlook 2007 Windows.

    Was finally successful after following clues on this thread and in other internet posts.  The key to success for iOS seems to be ensuring that the OpenSSL-generated certificate has the extended attributes in it that indicate that the certificate/key can be used for Data Encipherment and Digital Signature, although I can't say I went through a lot of trial and error on the various extended attributes to find out which ones were the bare minimum required.

    Below is my OS X Terminal command sequence that led to success, along with my openssl.cfg file. After running the commands below, you will have a PFX file that you can successfully import into OS X Keychain Access, and from there you can export a .p12 file that will be importable into both iOS and Windows.

    Be careful when loading your new certificate/key combo into Keychain Access and Windows, since your old digital IDs (the ones you are replacing with the new cross-platform ID) can easily create conflicts/confusion. I had to move my old digital IDs in Keychain Access to a new "Archive" keystore to prevent them from being used by Mac Mail, delete the old digital IDs from my iOS Preferences -> General -> Profiles, and I had to re-specify which digital IDs to use in Outlook Mac Account Preferences and Outlook Windows Trust Center. Also note that you will have to dumb down Outlook Mac's encryption algorithm to "3DES" in the Account Preferences if you want Outlook Windows to be able to decrypt the messages. I was using Outlook 2007; this may not be necessary for Outlook 2010 clients. (Edit: Doing some cursory Internet research indicates that this may be because I am running Outlook 2007 on Windows XP, and not an inherent limitation in Outlook 2007 itself.)

    Hope this info helps others to success in this arduous journey!

    Ian

    --

    OS X Terminal command sequence:

    # Generate the key
    openssl genrsa -des3 -out imercado201307.key 2048

    # Generate the certificate with the necessary extensions for iOS usage
    openssl req -new -x509 -key imercado201307.key -out imercado201307.crt -days 365 -config openssl.cfg -extensions usr_cert

    # Concatenate the key and certificate into a single PEM file
    cat imercado201307.key imercado201307.crt > imercado201307.pem

    # Generate a PFX file for importing into OS X Keychain
    openssl pkcs12 -export -out imercado201307.pfx -in imercado201307.pem -name "Ian Mercado"

    Contents of openssl.cfg file:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req

    [req_distinguished_name]
    countryName = Country Name (2 letter code)
    countryName_default = US
    stateOrProvinceName = State or Province Name (full name)
    localityName = Locality Name (eg, city)
    0.organizationName = Organization Name (company)
    organizationalUnitName = Organizational Unit Name (eg, section)
    commonName = Common Name (eg, YOUR name)
    commonName_max = 64
    emailAddress = Email Address
    emailAddress_max = 40

    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

    [ usr_cert ]
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
    nsComment = "OpenSSL Generated Certificate"
    subjectKeyIdentifier = hash


  • marcelkraan Level 1 Level 1 (5 points)
    Jul 15, 2013 10:33 AM (in response to imercado)

    Wow, 10000x thanks.. it's working.  Now I'll see if I can add it to z-push.

    It's working on my iPhone as well..

    This is big!!!  :-)

  • marcelkraan Level 1 Level 1 (5 points)
    Jul 18, 2013 1:44 PM (in response to imercado)

    Can i ask you, how do i renew this certificate?

  • schluej Level 1 Level 1 (0 points)
    Jul 18, 2013 8:53 PM (in response to James Ferguson)

    Hi marcelkraan,

    No.

    You need a new one.

    The step without money is to have a 2nd mail account, generate for this address an S/MIME with your account having the S/MIME that will end. Before it ends!

    After the old one ran out of time, build a new one.

    The other way is to pay 59 dollars, and you will get a class 2 S/MIME for your mail address that will have a lifetime of 2 years.

    Regards

    Joern

  • marcelkraan Level 1 Level 1 (5 points)
    Jul 18, 2013 10:57 PM (in response to schluej)

    Then we make this one 5 years and do what you told me in the email.

    Thank you very much.. it really is working great.

  • Emilia Level 1 Level 1 (10 points)
    Aug 2, 2013 6:24 AM (in response to imercado)

    One aspect not discussed so far:

    what about the option to generate your own certificates with the Keychain utility? There are tutorials on this on the web but I never made it work with computer and iPhone/iPad.

  • Emilia Level 1 Level 1 (10 points)
    Aug 19, 2013 5:04 AM (in response to imercado)

    Actually, meanwhile I followed your recipe but it does not work on iOS 6 for my iPhone or Mac. Certificates are recognized and trusted, but I can only send signed messages; the encryption button is always grayed out.

    Anybody for a working solution on iOS 6?

  • marcelkraan Level 1 Level 1 (5 points)
    Aug 19, 2013 8:42 AM (in response to Emilia)

    You mean with the keychain utility?

    Because with openssl it works like a charm

  • Emilia Level 1 Level 1 (10 points)
    Aug 22, 2013 3:49 AM (in response to marcelkraan)

    Nothing works for me on Mac OS X 10.6 and iPad iOS 6. Neither openssl nor Comodo or self-signed certificates.

    I am giving up on this, too much hassle.

  • marcelkraan Level 1 Level 1 (5 points)
    Aug 22, 2013 3:56 AM (in response to Emilia)

    Type this into a shell script and then type the same password a few times:

     

    #!/bin/sh
    # Generate an S/MIME key and certificate for iOS.
    # Usage: makecert email@address.com "Full Name"

    DAYS=360
    EMAIL=$1
    NAME=$2
    DATE=$(date +%Y%m%d%H)

    if [ -z "$NAME" ]; then
            echo "makecert  email@address.com  \"Full Name\""
            echo "don't forget the \"\" in \"Full Name\""
            exit 1
    fi

    echo "Creating Certificate for $DAYS days from $DATE for:  $NAME ($EMAIL)"

    KPATH=/root/certs/$EMAIL
    mkdir -p "$KPATH"

    # Generate the key (passphrase-protected; you will be prompted for it below)
    openssl genrsa -des3 -out "$KPATH/$EMAIL.$DATE.key" 2048

    # Generate the certificate with the necessary extensions for iOS usage
    openssl req -new -x509 -key "$KPATH/$EMAIL.$DATE.key" -out "$KPATH/$EMAIL.$DATE.crt" -days $DAYS -config /root/openssl.cfg -extensions usr_cert

    # Concatenate the key and certificate into a single PEM file
    cat "$KPATH/$EMAIL.$DATE.key" "$KPATH/$EMAIL.$DATE.crt" > "$KPATH/$EMAIL.$DATE.pem"

    # Generate a PFX file for importing into OS X Keychain
    openssl pkcs12 -export -out "$KPATH/$EMAIL.$DATE.pfx" -in "$KPATH/$EMAIL.$DATE.pem" -name "$EMAIL ($NAME)"

    # After this, import the PFX file into your device
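The procedure from imercado's and marcelkraan's posts above, as an added example that is not code from this thread or from any poster: it runs the same openssl steps non-interactively, then checks that the Key Usage bits the thread identifies as the fix for iOS (Digital Signature, Data Encipherment) actually landed in the certificate, that the email address is in the certificate, and that the resulting PKCS#12 bundle opens with its passphrase before you try importing it on a device. The email address, name, passphrase, work directory, and the extendedKeyUsage and subjectAltName lines are assumptions of this example, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from this thread. Generates a self-signed S/MIME
# certificate with the keyUsage values the posts above rely on, exports the
# PKCS#12 bundle, and verifies the result. All names and values are placeholders.

set -u

# write_config FILE EMAIL NAME: minimal openssl config.
# extendedKeyUsage = emailProtection and subjectAltName = email:copy are
# additions (assumptions) beyond the thread's config: the first states the
# S/MIME purpose explicitly, the second copies the DN email address into the
# SAN, which is where mail clients look for it.
write_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
CN = $3
emailAddress = $2

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:copy
EOF
}

# make_cert DIR EMAIL NAME PASSPHRASE: key, self-signed cert and .p12 in DIR.
make_cert() {
    dir="$1"; email="$2"; name="$3"; pw="$4"
    write_config "$dir/openssl.cfg" "$email" "$name"
    # Key written unencrypted so the run needs no prompts; add -des3 (as the
    # thread does) or -aes256 if you want a passphrase on the PEM key itself.
    openssl genrsa -out "$dir/$email.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -key "$dir/$email.key" -out "$dir/$email.crt" \
        -days 365 -config "$dir/openssl.cfg" -extensions usr_cert || return 1
    # PKCS#12 is what iOS and Keychain Access import; the export passphrase is
    # the one the device asks for during import.
    openssl pkcs12 -export -in "$dir/$email.crt" -inkey "$dir/$email.key" \
        -out "$dir/$email.p12" -name "$name ($email)" -passout "pass:$pw"
}

# key_usage CERT: print the Key Usage values line of CERT.
key_usage() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; sub(/^ */, ""); print; exit }'
}

# has_smime_usage CERT: succeed only if both usages the thread identifies as
# required for iOS signing and encryption are present.
has_smime_usage() {
    case "$(key_usage "$1")" in
        *"Digital Signature"*"Data Encipherment"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_email CERT: print the email address from the subjectAltName, if any.
cert_email() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*email:\([^, ]*\).*/\1/p' | head -n 1
}

# p12_ok P12 PASSPHRASE: succeed if the bundle's MAC verifies and it decrypts.
p12_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -noout >/dev/null 2>&1
}

# Stand-alone run: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_cert "$d" "user@example.com" "Example User" "import-secret"
    echo "Key Usage: $(key_usage "$d/user@example.com.crt")"
    has_smime_usage "$d/user@example.com.crt" && echo "OK: usable for signing and encryption"
    echo "Email in SAN: $(cert_email "$d/user@example.com.crt")"
    p12_ok "$d/user@example.com.p12" "import-secret" && echo "OK: $d/user@example.com.p12 opens"
fi
```

Run it with `sh makecert-check.sh run` and read the Key Usage line before importing anything; if Data Encipherment is missing, the Encrypt switch on the device will stay grayed out, as Emilia describes above. One caveat for current tool versions: OpenSSL 3 changed the default PKCS#12 encryption algorithms, and older iOS and macOS importers may reject such a bundle; `openssl pkcs12 -export -legacy` produces the older format.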
