
Using S/MIME on iOS 5

One of the advertised features of iOS 5 was the inclusion of S/MIME in the Mail client. So far I can't find any documentation for how to enable or use it. Has anyone successfully done it?

iPhone 4, iOS 5

Posted on Oct 12, 2011 1:53 AM


Aug 14, 2012 5:08 PM in response to Kiwimacca

I've successfully used iPhone Configuration Utility on Mountain Lion to install StartCom root and intermediate certificates along with my free StartSSL S/MIME certificate and private key. It shows up as trusted, and I can turn on S/MIME along with Sign and Encrypt. Under both of these it displays the correct certificate with the email address it was assigned with. All good so far.


But: when I attempt to send an email from Mail, it shows "Encrypted" for the _wrong_ email address! The email account is iCloud, and the certificate is for one of my aliases, but the encryption only shows up for the default iCloud address. If I change the "From" to the email address the certificate is actually issued for, no encryption or signing is done. Anyone seen that before?


Another thing is that turning on "Sign" but leaving "Encrypt" off results in no Signing being done for _any_ of the iCloud email addresses, least of all the one that _should_ be signed. I sent several emails to a web-based email provider but there was no sign of any signing-related attachments, just the plain text of the email.


Just to confirm: the certificate works just fine with Mail.app on ML.

Aug 15, 2012 5:44 PM in response to Scotch_Brawth

Just to follow up: I removed the profile I used to install my cert and followed the hint here instead:

https://forum.startcom.org/viewtopic.php?f=15&t=2365

Basically, installing certs using Safari to navigate to a secure site containing them.


Whilst this method doesn't require the installation of the StartCom root and intermediate certs, the same problem arises in practice: encryption appears for the wrong email address, and signing appears for none.


This is a brand-new non-jailbroken iPhone 4S. What the smeg is going on here?

Mar 29, 2013 9:54 AM in response to butterscrack

butterscrack wrote:


Ok, here is how I solved my problem.

We have our own CA right where we can alter and do stuff however we please, and it turns out to make the certificate work for iOS you need to add in the lines in openssl.cfg:

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

After this I could choose the certificate issued to me with no problems; it was available to pick for signing and encryption and all is good.

Hopefully someone will get help from this.

This doesn't work anymore (not that I ever saw it work). Perhaps iOS 6 has strictly forbidden the use of self-signed CAs and certs?


I've been using Thunderbird and Google apps for a long time now, never had this many problems with OpenSSL and self-signed certs. That is to get the question of "did you flip a wrong switch" out of the way.


I've resorted to packing an Ultrabook with me at all times. Very soon now, I'll be switching to Samsung and Android, completely dumping all my macbooks, ipads and Apple-related equipment. Heck, even composing and writing orchestral scores on Windows is getting easier, so I see no more reason to stick with Apple.


I'm pretty sure Apple will bounce back as a productivity tool after it has managed to take over XBox and PS. Maybe. Gotta go with Android for work. Oh well.

Jul 15, 2013 9:03 AM in response to viewport

Hey, guys. I was really motivated to get this working across these four platforms: iOS 6, Mac Mail (OSX 10.6.8), Outlook Mac 2011, Outlook 2007 Windows.


Was finally successful after following clues on this thread and in other internet posts. The key to success for iOS seems to be ensuring that the OpenSSL generated certificate has the extended attributes in it that indicate that the certificate/key can be used for Data Encipherment and Digital Signature, although I can't say I went through a lot of trial and error on the various extended attributes to find out which ones were the bare minimum required.


Below is my OSX Terminal command sequence that led to success, along with my openssl.cfg file. After running the command below, you will have a PFX file that you can successfully import into OSX KeyChain Access, and from there you can export a .P12 file that will be importable into both iOS and Windows.


Be careful when loading your new certificate/key combo into KeyChain Access and Windows, since your old digital Ids (the ones you are replacing with the new cross-platform Id) can easily create conflicts/confusion. I had to move my old digital Ids in KeyChain Access to a new "Archive" keystore to prevent them from being used by Mac Mail, delete the old digital Ids from my iOS Preferences -> General -> Profiles, and I had to re-specify which digital Ids to use in Outlook Mac Account Preferences and Outlook Windows Trust Center. Also note that you will have to dumb down Outlook Mac's encryption algorithm to "3DES" in the Account Preferences if you want Outlook Windows to be able to decrypt the messages. I was using Outlook 2007; this may not be necessary for Outlook 2010 clients. (Edit: Doing some cursory Internet research indicates that this may be because I am running Outlook 2007 on Windows XP, and not an inherent limitation in Outlook 2007 itself.)


Hope this info helps others to success in this arduous journey!


Ian


--


OSX Terminal command sequence:

# Generate the key
openssl genrsa -des3 -out imercado201307.key 2048

# Generate the certificate with the necessary extensions for iOS usage
openssl req -new -x509 -key imercado201307.key -out imercado201307.crt -days 365 -config openssl.cfg -extensions usr_cert

# Concatenate the key and certificate into a single PEM file
cat imercado201307.key imercado201307.crt > imercado201307.pem

# Generate a PFX file for importing into OSX KeyChain
openssl pkcs12 -export -out imercado201307.pfx -in imercado201307.pem -name "Ian Mercado"


Contents of openssl.cfg file:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

[ usr_cert ]
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash


Message was edited by: imercado

Jul 18, 2013 8:53 PM in response to James Ferguson

Hi marcelkraan,

No.

You need a new one.

The step without money is to have a 2nd mail account, generate for this address an S/MIME with your account having the S/MIME that will end. Before it ends!

After the old one ran out of time, build a new one.

The other way is to pay 59 dollars, and you will get a Class 2 S/MIME for your mail address that will have a lifetime of 2 years.


Regards


Joern

Aug 22, 2013 3:56 AM in response to Emilia

Type this in a shell script and then type the same password a few times:


#!/bin/sh
# makecert: generate an S/MIME key and self-signed certificate with the
# extensions iOS needs, then pack them into a PFX for import.
set -e   # stop at the first failing openssl step instead of continuing

DAYS=360
EMAIL=$1
NAME=$2
DATE=$(date +%Y%m%d%H)

if [ -z "$NAME" ]; then
    echo "makecert email@address.com \"Full Name\""
    echo "don't forget the \"\" in \"Full Name\""
    exit 1
fi

echo "Creating Certificate for $DAYS days from $DATE for: $NAME ($EMAIL)"

KPATH=/root/certs/$EMAIL
mkdir -p "$KPATH"

# Generate the key (passphrase-protected with -des3; you are prompted for it)
openssl genrsa -des3 -out "$KPATH/$EMAIL.$DATE.key" 2048

# Generate the certificate with the necessary extensions for iOS usage
openssl req -new -x509 -key "$KPATH/$EMAIL.$DATE.key" -out "$KPATH/$EMAIL.$DATE.crt" -days "$DAYS" -config /root/openssl.cfg -extensions usr_cert

# Concatenate the key and certificate into a single PEM file
cat "$KPATH/$EMAIL.$DATE.key" "$KPATH/$EMAIL.$DATE.crt" > "$KPATH/$EMAIL.$DATE.pem"

# Generate a PFX file for importing into OSX KeyChain
openssl pkcs12 -export -out "$KPATH/$EMAIL.$DATE.pfx" -in "$KPATH/$EMAIL.$DATE.pem" -name "$EMAIL ($NAME)"

# after this import the pfx file into your device
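The recipe from Ian's openssl.cfg and the makecert script above, as an added, self-contained example that is not code from this thread: it generates a self-signed S/MIME certificate carrying the Key Usage bits these posts found iOS requires, and adds a check function you can run on any .crt before importing it to see whether those bits are actually present (the failure mode the thread keeps hitting). It assumes the openssl command-line tool is installed; the name, address and section name "bare" are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from this thread: make a self-signed S/MIME certificate with
# the Key Usage bits the posts above found iOS needs, then check a .crt for them.
# Assumes the openssl command-line tool is installed.
set -e
# Constructed identity for the demo; substitute your own name and address.
SMIME_NAME="Alice Example"
SMIME_EMAIL="alice@example.com"
REQUIRED_KU="Digital Signature,Key Encipherment,Data Encipherment"  # bits iOS needs per the thread

# make_smime_cert DIR SECTION: writes DIR/smime.key and DIR/smime.crt. SECTION is
# "usr_cert" (the working recipe) or "bare" (no Key Usage, the failure mode above).
# Key left unencrypted for the demo; the thread's scripts use -des3 to protect it.
make_smime_cert() {
  dir="$1"; section="$2"
  mkdir -p "$dir"
  cat > "$dir/openssl.cfg" <<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = $SMIME_NAME
emailAddress = $SMIME_EMAIL
[usr_cert]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:copy
[bare]
basicConstraints = CA:FALSE
EOF
  openssl genrsa -out "$dir/smime.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/smime.key" -out "$dir/smime.crt" \
    -days 365 -config "$dir/openssl.cfg" -extensions "$section"
}

# check_smime_cert CERT: succeeds only if every required Key Usage bit is present.
check_smime_cert() {
  ku=$(openssl x509 -in "$1" -noout -text | awk '/X509v3 Key Usage/{getline; print; exit}')
  missing=""
  old_ifs=$IFS; IFS=,
  for bit in $REQUIRED_KU; do
    case "$ku" in *"$bit"*) ;; *) missing="$missing $bit" ;; esac
  done
  IFS=$old_ifs
  [ -z "$missing" ] && return 0
  echo "$1 lacks Key Usage:$missing" >&2
  return 1
}
```

Run `make_smime_cert ./smime usr_cert && check_smime_cert ./smime/smime.crt` to build and verify; point check_smime_cert at an existing .crt to find out why iOS is not offering it for Sign/Encrypt.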
