

Using S/MIME on iOS 5

One of the advertised features of iOS 5 was the inclusion of S/MIME in the Mail client. So far I can't find any documentation for how to enable or use it. Has anyone successfully done it?

iPhone 4, iOS 5

Posted on Oct 12, 2011 1:53 AM

68 replies

Oct 18, 2011 8:18 PM in response to FABU

Yes, pretty sure I did that before. Just did another export to confirm, making sure I selected "my certificates" before exporting. The resulting file is the same size as my previous export. An MD5 checksum of the new export and my previous export don't match, but I think that's because the private key gets encrypted with a different salt each time you export it. Passing both old and new exports through 'openssl pkcs12' shows the only difference as the encrypted key data.

Oct 19, 2011 1:53 AM in response to jasonheiss

It turns out that this issue is actually related to the CAcert certificates. I tried it with my company certificate, which is issued by a Windows 2003 server, and either way (sending the cert by mail or installing a profile with the configuration utility) works fine.

The certificates you can see in account settings/SMIME do not depend on the email address of the account as I thought. You can also see personal certificates for other identities and simply select the right one.

The CAcert issued certificates work well as client certificates for the browser, even on the iPhone. So I was able to do a certificate login at the CAcert site on my iPhone.

The CAcert certificates also work for S/MIME if you create the email account for your iPhone with the iPhone Configuration Utility, but not if the account was created directly on the iPhone. So where's the difference, and what's the decisive factor in the CAcert certificates which prevents using them outside a predefined email account? Is it maybe because those certificates contain more than just one purpose?

Oct 19, 2011 1:46 PM in response to James Ferguson

If you're exporting the certificate, getting it onto the iDevice, and still can't turn on signing because there aren't valid certificates, it's because you're not getting the private key in the export.

Open Keychain Access. Select 'My Certificates.'

Here's the important part: clicking on the certificate and exporting does not export the private key at the same time. You have to explicitly select it, or else you only get the certificate. You can't sign without the private key.

Click the disclosure triangle beside the certificate you want to export. Select the certificate, and command-click or shift-click the private key. Now, with both highlighted, do the export and mail yourself the resulting .p12 file.

I had the same problem with being unable to sign until I discovered this.

Hope this helps!

Oct 19, 2011 2:08 PM in response to bluevulpine

Sorry, but this is definitely not the problem. I exported the private key, and I bet the configuration utility did the same, because I have to put in a password for exporting/installing the certificate.

The certificate is also working as a client certificate to authenticate me at the CAcert website, where I need my personal key. The problem must be somewhere else.

Oct 19, 2011 2:14 PM in response to bluevulpine

I'd thought the same thing at first but, at least in my case, this isn't true. I confirmed via 'openssl pkcs12' that my previous export did in fact contain a private key. If I do the export as you recommend (expanding and selecting both the certificate and the private key) the resulting .p12 file contains two private key entries (presumably the same key encrypted twice). It imports into the phone as before and still doesn't work.

Oct 19, 2011 2:41 PM in response to markmaus

You've mentioned a few times that you got this to work by configuring the email account via the iPhone Configuration Utility. I thought I'd give that a try and I'm wondering how you did it. When I create the mail account configuration in ICU I don't see anything about enabling/disabling S/MIME. Once I push that configuration to the phone and check the S/MIME settings for that account S/MIME is off and greyed out, I can't turn it on. Is there something I'm missing? I put the IMAP account and the p12 certificate in the same configuration profile in ICU.

Oct 21, 2011 4:33 PM in response to James Ferguson

I have this partially working. I'm using a certificate I purchased from Verisign. It works perfectly in Mail on the Mac, but on the iPhone I can only use it to sign messages, not encrypt them.

The error I'm getting when I try to encrypt a message is:

Unable to Encrypt

You can't send encrypted messages because an encryption certificate for the email address "emailaddress" could not be found.

As far as I can tell the certificate has been installed correctly. I exported the certificate from my Keychain as a .p12 file, added it to my configuration profile in the iPhone Configuration Utility and installed it on the iPhone. Checking the settings on the iPhone for the account in question shows that S/MIME is turned on for the account, that signing and encryption are set to yes, and that the certificate is present and trusted for both uses.

Any idea what I could be doing wrong? Anyone who has this working able to confirm that they can in fact encrypt a message sent from their iPhone? Not just sign.

Oct 21, 2011 5:06 PM in response to Gino Cerullo

To sign, you only need your own private key & certificate.

To encrypt, you need the certificate of the person you're trying to email. Encryption is performed with their certificate (i.e. their public key) so that the recipient can decrypt it with their own private key.

The first time you exchange a signed mail with someone (you send them a message, and they send you one) Mail will save their certificate. At that point you should be able to encrypt messages to them.

Oct 21, 2011 5:23 PM in response to bluevulpine

I got it to work just before you sent your reply. But thank you anyway.

The problem was that I thought that since I was installing my own certificate using the iPhone Configuration Utility it would take care of installing both the public and private keys, and that does not appear to be the case.

Once I emailed myself a signed message I found the extra steps involved to install the public key that was used to sign the message. Now encryption works.

For those that run into this problem in the future: merely installing the certificate in .p12 format is not enough. You also need to send yourself a signed email. Once you open the signed email on the phone, tap on the sender name in the header. On the next screen tap on 'View Certificate', and on the next screen tap on the 'Install' button to install the sender's public key. You'll need to do this for everyone who sends you a signed message if you want to be able to send them back an encrypted message from your iPhone.

Oct 24, 2011 10:39 PM in response to James Ferguson

Hm, I have the same issue. Only I am pretty sure my problem is not public/private key related, more a lack of S/MIME capabilities in the certificate I have.

I have two identities set up on my iPhone; I can only use one for signing email and I have all public/private keys I need. Up until beta 3 of iOS 5 this certificate was working fine. I have been able to sign before. I no longer have the beta but a proper iOS 5 non-beta, just to get that info out of the way.

The only thing I still believe is the fact that iOS is looking for a specific extension OID in the certificate, "S/MIME Capabilities (1.2.840.113549.1.9.15)" to be exact. I have this extension in one certificate but not the other.

However, this extension should not be the only one iOS is looking for, because in the non-working one I have the extension "E-mail protection (1.3.6.1.5.5.7.3.4)".

It feels like iOS just will not work on the certificate that lacks those extensions.

Oh, and for information, the working certificate was issued by a Windows AD cert server and the non-working one by an OpenSSL Linux system with the options

extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.4, 1.3.6.1.4.1.311.10.3.3, 1.3.6.1.4.1.311.10.3.4, 2.16.840.1.113730.4.1

Perhaps I should have started a new thread, but it would be interesting to see what extensions you guys have in your working/non-working certificates.

Cheers

Daniel

Oct 24, 2011 11:55 PM in response to butterscrack

I'm not sure if this is the reason. My CAcert certificate contains different purposes including "E-mail protection (1.3.6.1.5.5.7.3.4)". This certificate doesn't work.

My company certificate, issued by a Windows AD CA, only contains one purpose: "E-mail protection (1.3.6.1.5.5.7.3.4)". Nothing else. This certificate works fine.

None of my certificates includes the purpose "S/MIME Capabilities (1.2.840.113549.1.9.15)".

Oct 25, 2011 11:28 PM in response to markmaus

Thanks for the update. I have tried and tried again to make my non-working cert work, exporting keys back and forth with no luck, sent signed mail to myself, installed, trusted everything, and still I cannot use it for signing.

If you inspect your certificate (profiles), does the working one have S/MIME Capabilities listed there somewhere? My AD-issued one does but the OpenSSL one does not.
