Using S/MIME on iOS 5

One of the advertised features of iOS 5 was the inclusion of S/MIME in the Mail client. So far I can't find any documentation for how to enable or use it. Has anyone successfully done it?

iPhone 4, iOS 5

Posted on Oct 12, 2011 1:53 AM

68 replies

Nov 1, 2011 9:18 PM in response to James Ferguson

OK, here is how I solved my problem.


We have our own CA where we can alter and do stuff however we please, and it turns out that to make the certificate work for iOS you need to add these lines in openssl.cfg:


[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment


After this I could choose the certificate issued to me with no problems; it was available to pick for signing and encryption and all is good.


Hopefully someone will get help from this.
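
An added example, not part of the original thread: a shell script that signs one CSR with and without the [ v3_req ] section quoted in the post above and checks the resulting Key Usage extension with openssl. The CA, file names, subject and user@example.com address are constructed, and has_smime_key_usage is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: the CA, file names, subject and address are constructed.
set -e
work=$(mktemp -d)
cd "$work"

# The extension section quoted in the post, kept in its own file.
cat > ext.cnf <<'EOF'
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF

# Throwaway self-signed CA, then a user key and CSR.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=Test User/emailAddress=user@example.com" \
  -keyout user.key -out user.csr 2>/dev/null

# Sign the same CSR twice: without extensions, then with [ v3_req ].
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -out plain.pem 2>/dev/null
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile ext.cnf -extensions v3_req -out smime.pem 2>/dev/null

# Return 0 only if the certificate has a Key Usage extension that lists
# both Digital Signature and Key Encipherment.
has_smime_key_usage() {
  usage=$(openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$usage" in
    *"Digital Signature"*"Key Encipherment"*) return 0 ;;
    *) return 1 ;;
  esac
}

for cert in plain.pem smime.pem; do
  if has_smime_key_usage "$cert"; then
    echo "$cert: key usage OK"
  else
    echo "$cert: key usage missing"
  fi
done
```
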

Nov 2, 2011 8:12 AM in response to James Ferguson

I followed the instructions to export the .p12 file from 'My Certificates' and it worked, or at least I thought it did. My certificate shows up under the available certs (as trusted) in the S/MIME settings and finally allows me to select it. However, the whole process seems to fall apart when I send a message.


When I send a message to an iCloud account, it doesn't say signed or anything, it just attaches an smime.p7s file to the message.


When I send a message to another email account that uses Exchange/Outlook, there isn't even an attachment, just a plain old text-only email.


This is not the case when I send from my Mac Mail on my iMac. In that case, everything works perfectly whether the message is being received on Mail, Outlook or even Gmail.


I have to think that this has something to do with the way iOS sends messages, maybe they only send via plain text or something. Maybe iOS 5 isn't really ready to support certificates at all?

Nov 2, 2011 8:24 AM in response to nathaniel.be

iOS 5 has proper support for certificates.


On the iPhone did you turn on S/MIME support for the specific email account? You'll have to go into the advanced settings for the account. There you will also find additional settings to indicate whether you want the certificate to be used for signing and encryption.


Try sending yourself a signed message from your iMac but open it on the iPhone.

Nov 2, 2011 8:36 AM in response to Gino Cerullo

Gino...Yes, that is how I turned on S/MIME support for the email account in question. I don't think it would even attach the smime.p7s file if I hadn't. And I did double check, the advanced settings for the email account in question show S/MIME as ON and Sign & Encrypt both say 'Yes'...and the certificate is checked.


Sending from my iMac works perfectly, even receiving on my iPhone or iPad. It's only sending from the iOS device that doesn't work correctly.

Nov 2, 2011 9:32 AM in response to nathaniel.be

I'm gonna have to back off my original comments. As it turns out, it is not a problem with iOS 5, but rather with the Premier Edition of Google Apps when using the Active Sync connector. Switching to the IMAP version of Google Apps rather than the Exchange version fixed the problem....no more p7s files, and the outgoing messages signed properly.


Hope this helps somebody that is dealing with the same frustration.

Nov 29, 2011 3:39 AM in response to FABU

After receiving the cert on the Mac, I can right-click the cert in Keychain and export to .p12, but you must remember to add a password. (We now know that the iPhone cannot just receive the Comodo cert from the Comodo site as it's in the wrong format...)


Once in .p12 format, email to iPhone, click on cert, go to install, enter cert password.


Then it's installed.


Then under S/MIME, turn on signed + encrypt and you are, as Fabu writes, good to go...

Apr 10, 2012 4:32 AM in response to Jimmereeno

Hi,


I now too have the problem that I can read the email messages just fine on my Mac, but not on the iPhone. The mail messages come from the Windows Mail app. And I really don't see why my iPhone keeps telling me: "This message is encrypted. Install a profile with your encryption identity to decrypt that message."


To test that my certs work, I send myself an encrypted message and yep, I can read it. So does anyone have an idea?

Apr 12, 2012 1:31 AM in response to butterscrack

Hi, this is a list of the X509v3 extensions in the CAcert.org root certificate. The CA:TRUE extension is there, but the certificate isn't detected as a root certificate when importing (on iOS 5.1).

X509v3 extensions:
    X509v3 Subject Key Identifier:
        16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
    X509v3 Authority Key Identifier:
        keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
        DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        serial:00
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 CRL Distribution Points:
        Full Name:
          URI:https://www.cacert.org/revoke.crl
    Netscape CA Revocation Url:
        https://www.cacert.org/revoke.crl
    Netscape CA Policy Url:
        http://www.cacert.org/index.php?id=10
    Netscape Comment:
        To get your own certificate for FREE head over to http://www.cacert.org

I've seen these extensions in root certificates of some other CAs which are missing from CAcert.org's root certificate:

    X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign
    X509v3 Key Usage: Digital Signature, Non Repudiation, Certificate Sign, CRL Sign

Perhaps these are the relevant extensions. Can anybody confirm this?

Aug 11, 2012 12:04 AM in response to FABU

Just wanted to say that this worked great! Thanks for the advice.


To all the Apple Employees who may be reading this out there, there has to be a better way of setting up S/MIME on the iPhone. I mean, it's great that it is supported, but the implementation is really un-intuitive and complicated. I thought we were meant to be making things simpler and cooler here??


People shouldn't have to come to an Apple Support forum to figure out how to do this is all I'm saying.....
