S/MIME certificates

Ok, so I decided to get S/MIME certificates for all of my secure emailing needs. I made and downloaded a free one from CACerts.org, containing both of my email addresses. Loaded it into my keychain and everything works hunky dory. I can sign all of my emails from both of my addresses, and even encrypt email when sending from one of them to the other.

There are only two catches: the name on the certificate is “CACert WoT User” and there are no CACert notaries anywhere close, and practically no clients have the CACert root certificate installed, meaning anyone receiving my emails will have certificate errors when they open my emails.

So, I decided to check out VeriSign since they let you put your name on the certificate and pretty much everyone has VeriSign root certificates installed. I downloaded a trial certificate from them and entered it into my keychain.

And here's the rub: Mail won't let me choose certificates. It automatically uses the CACert one. Is there any way to get Mail to prefer the VeriSign certificate, other than deleting the CACert certificates?

On a tangent: anyone know of any other free certificate issuers that are also common enough to be installed on most clients?

MacBook Pro, Mac OS X (10.5.8)

Posted on Dec 13, 2009 1:52 PM


Dec 13, 2009 2:27 PM in response to HenrikWL

I don't see why anyone would need to have a CACert root certificate to open your email. The issue is whether or not they can decrypt your message to open it, and that is done by your Public Key, which you send to the recipient before you start sending encrypted email.

The usual process for this is to send a Signed (but not encrypted) email to your future recipients of encrypted email. That email will contain their public key, which they need to add to their Keychain or whatever system their OS uses for managing certificates. Once that's done, you can exchange encrypted email; there is no need for them to have a root certificate, just their own S/MIME certificate.

Try reading this for more info (some info is a bit out of date): http://joar.com/certificates/

Another place for free S/MIME certificates (must use Firefox to get it): <https://secure.instantssl.com/products/frontpage?area=SecureEmailCertificate&currency=USD&region=North+America&country=US&entryURL=http%3A//www.instantssl.com/ssl-certificate-products/free-email-certificate.html>

Dec 14, 2009 1:10 AM in response to Golden Shoes

Thanks for the links. 🙂

I know they don't need the CACert root certificate in order to actually read my email, but I'm pretty positive that the warning messages thrown by their email client that the signing certificate can't be validated against any known certificate authority and that I might be a fraud will cause confusion and mistrust (rather than assurance and trust, which is the whole point of S/MIME encryption and signing).

I suppose I might be fussing too much about this. It's not like I'm running a business doing e-commerce or anything so maybe I could just as well be using a self-signed certificate (or use no certificates at all if the net result is that my emails appear less trustworthy).

Dec 14, 2009 7:29 AM in response to HenrikWL

the warning messages thrown by their email client that the signing certificate can't be validated against any known certificate authority and that I might be a fraud will cause confusion and mistrust

I doubt any warning will appear; it certainly has never appeared for me when sending encrypted email. Only those with the proper keys can encrypt and decrypt mail; no outside authentication is needed or required. And those keys can only be exchanged by the actual parties who want to use that method of communication. It's not as though you're dealing with an unknown and faceless party on the Internet.

Jan 1, 2010 3:33 AM in response to HenrikWL

If there are multiple matching certificates in the keychain, the one that Apple Mail will use is not documented. This posting <http://lists.apple.com/archives/fed-talk/2009/Mar/msg00036.html> suggests that it is usually the oldest non-expired certificate (which is probably not the one you want to use), but sometimes it is unpredictable and does not obey that rule.

Deleting the unused certificate from your keychain is the safest option. You can store the other certificates and private keys in separate keychains: adding that keychain when it is needed and deleting its reference when it is not.

Other email certificate authorities to consider are: <http://www.startssl.com> and <http://www.comodo.com/>. Both offer free and paid S/MIME certificates.
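The checks and the separate-keychain workaround from the Jan 1 reply as a shell sketch. This is an added example, not code from the thread or from Apple; it assumes macOS with the `security` command-line tool and openssl, and the keychain name, the .p12 file and the KEYCHAIN_PW / P12_PW variables are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread); assumes macOS with the `security` CLI and openssl.
# Keychain/file names and the KEYCHAIN_PW / P12_PW variables are placeholders.

# Turn `security find-identity -p smime -v` output into "hash|name" lines, i.e. the
# S/MIME-capable identities Mail can choose between.
parse_identities() {
  awk '/^ *[0-9]+\) [0-9A-Fa-f]+ "/ {
         hash = $2; sub(/^[^"]*"/, ""); sub(/"$/, "")
         print hash "|" $0
       }'
}

# More than one valid identity means Mail picks on its own (per the reply above,
# usually the oldest non-expired one, but not reliably).
count_identities() { parse_identities | wc -l | tr -d ' '; }

# Live check on macOS: list S/MIME identities in the current keychain search list.
list_smime_identities() { security find-identity -p smime -v | parse_identities; }

# Show every certificate carrying an address, with its validity window, so the
# "oldest non-expired" candidate (and expired leftovers) can be spotted.
certs_for_address() {
  tmp=$(mktemp) || return 1
  security find-certificate -a -e "$1" -p > "$tmp"
  openssl crl2pkcs7 -nocrl -certfile "$tmp" |
    openssl pkcs7 -print_certs -text -noout | grep -E 'Subject:|Not Before|Not After'
  rm -f "$tmp"
}

# The reply's separate-keychain approach: keep the second identity in its own
# keychain and add/remove that keychain from the search list as needed.
# Usage: import_to_own_keychain verisign.p12 smime-verisign.keychain
import_to_own_keychain() {
  security create-keychain -p "$KEYCHAIN_PW" "$2"
  security import "$1" -k "$2" -f pkcs12 -P "$P12_PW"
}
# -s replaces the whole user search list, so login.keychain must be listed too.
enable_keychain()  { security list-keychains -d user -s login.keychain "$1"; }
disable_keychain() { security list-keychains -d user -s login.keychain; }
```

With only one keychain holding an S/MIME identity in the search list at a time, `count_identities` should report 1 and Mail has nothing left to guess about.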
