Email cert for S/Mime not working with iOS 6 update

Hi,


I updated to iOS 6 on an iPhone 4S and have had a problem with my email certificate installation.


When I go into Settings => General => Profiles it displays "Not Trusted"

but this same certificate is "Trusted" and working on my iPad 2 ( still on iOS 5.1.1 )


If anyone understands what may be the problem I would appreciate your help 🙂


Thanks in advance.

iPhone 4S, iOS 5.1

Posted on Sep 20, 2012 5:33 AM

37 replies

Sep 25, 2012 12:53 AM in response to azsharom

That's weird. I had a feeling I was only detailing the steps you'd probably already tried, so I apologise for that, but I have the flag option right there. This is with an iPhone 5.


Just done some Googling for you. Are you by any chance using a GMail Exchange account? Apparently, there is a bug with iOS6 and GMail Exchange, but there is also a workaround here:


http://forums.macrumors.com/showpost.php?p=15815971&postcount=4


HTH

ventmore

Sep 25, 2012 2:19 PM in response to an.ke

I did your suggestion and managed to get the "Not Trusted" Comodo-issued certificate to become Trusted. Right now I can send a signed and encrypted email and the recipient (testing it using my own email) will see that the message is both signed and encrypted. However, if I choose to just sign the email, the recipient will receive an email that is not signed but one that comes with the attachment smime.p7s.


Anyone else having this problem? My personal Comodo certificate was exported from KeyChain in the p12 format (which requires a password be set), emailed to myself, and then installed on my iPhone.

Sep 25, 2012 10:39 PM in response to Changren Yong

In preferences I left sign and encrypt (both) "on" and sent an email to a mail address that does not have a cert. The Mail app sent an unencrypted but signed email out. I sent this from iOS 6 to myself and received it on iOS 6 too. No attachment, but a checked "signed" star on the from address, meaning the signature is working well.


Then I turned "off" the encryption in preferences; signing was still "on". I sent an email to the same address, and additionally to an email address that has a cert, to see if there are any differences. But all emails came without a p7s attachment, but well-signed.


I cannot reproduce your problem, sorry.


The signature really IS a p7s attachment of the email. If your mail client doesn't know how to use this attachment, it will show it as an attachment. In a webmailer like Roundcube you will see an attachment called "smime.p7s", for example.
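
The point made in the reply above, that a detached S/MIME signature travels as an smime.p7s part, can be checked from a message's raw source. This added example (not from the thread; the function name, result labels and sample messages are constructed for illustration) uses Python's standard `email` package to tell a proper `multipart/signed` message from one whose signature part sits in a non-signed container and so can only be shown as an attachment.

```python
from email import message_from_string

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
P7M_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify_smime(raw: str) -> str:
    """Classify a raw RFC 5322 message by its S/MIME structure."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype in P7M_TYPES:
        # Opaque S/MIME: the smime-type parameter says signed vs. encrypted.
        kind = str(msg.get_param("smime-type") or "").lower()
        return {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted"}.get(kind, "pkcs7-mime-unknown")
    if ctype == "multipart/signed":
        parts = msg.get_payload()
        # A valid clear-signed message has exactly two parts: content, signature.
        if (isinstance(parts, list) and len(parts) == 2
                and parts[1].get_content_type() in SIG_TYPES):
            return "clear-signed"
        return "malformed-multipart-signed"
    # Not a signed container: a signature part here is only an attachment.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in SIG_TYPES or name == "smime.p7s":
            return "orphaned-signature"
    return "unsigned"

def _sample(container: str) -> str:
    """Build a constructed two-part message under the given top-level type."""
    return (
        f'From: sender@example.com\nContent-Type: {container}; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nhello\n"
        '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
        'Content-Disposition: attachment; filename="smime.p7s"\n'
        "Content-Transfer-Encoding: base64\n\nQ09OU1RSVUNURUQ=\n--b1--\n"
    )

# Constructed samples (placeholder payloads, not real signatures).
CLEAR_SIGNED = _sample('multipart/signed; protocol="application/pkcs7-signature"')
REWRAPPED = _sample("multipart/mixed")
ENCRYPTED = ("From: sender@example.com\n"
             "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\n"
             "Q09OU1RSVUNURUQ=\n")

if __name__ == "__main__":
    for label, raw in [("clear", CLEAR_SIGNED), ("rewrapped", REWRAPPED),
                       ("encrypted", ENCRYPTED)]:
        print(label, "->", classify_smime(raw))
```

Run against the raw source of a received message, a result of `orphaned-signature` means the client was handed a signature it has no signed container to verify against.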

Sep 26, 2012 10:44 PM in response to Changren Yong

Hi Changren,


- yes, I use the free email cert from Comodo.

- yes, I got this cert from the Comodo website on my Mac and exported it as a .p12 file.

- yes, I sent the .p12 file from the Mac as an attachment per email to my iPhone. By using the email account that has the Comodo cert, I switched OFF the cert signature (the email was not signed and it was unencrypted) so that this email doesn't have a p7s attachment too.


I did it for more than one email account; it was working the same way all the time .. with success.


Hope this helps

an.ke

Sep 26, 2012 11:37 PM in response to an.ke

I have just narrowed down the issue to my gmail account (set up as Microsoft Exchange). I created a digital cert for my mac.com email account and the digital signature for that account works perfectly. I then configured another Gmail account using IMAP (instead of MS Exchange). For that account, the digital signature works.


So it looks like the issue is with email accounts configured using MS Exchange.

Jan 8, 2013 8:26 AM in response to azsharom

We use Comodo certs and after spending about an hour playing around this morning I believe I've figured out the issues:


1. Make sure you export the Comodo intermediate cert from your keychain (it's called "COMODO Client Authentication and Secure Email CA" in my keychain).

2. Make sure you export both the public AND private keys for your email certificate! This is the certificate whose name is the email to which it applies. This was also the tricky step for me. I was blindly assuming that if I selected that certificate and clicked export that all was well. However, doing that only exports the public key as a CER file. To get both the public and private keys as a p12, you have to click the arrow next to the cert to expand it and then select both the public cert (the parent cert whose arrow you clicked) AND the private cert (the cert that appears below the public cert when the arrow is clicked). When you export those you will be prompted to enter a password and then they will happily export as a pk12.

3. E-mail all of those to your iOS device, and then click on them (intermediate cert first) to install the profiles. After that, toggling S/MIME on should work fine.


Hopefully that will help some. Most probably already knew this, but I've always used CLI for my certificates and haven't played with the Keychain much.

Jan 12, 2013 11:28 PM in response to M a † † h e M a † † i c s

I think I found a fix, and the "Comodo Client Authentication and Secure Email CA" intermediate cert isn't necessary. The problem is that the sender's public certificate isn't getting automatically installed.


In iOS 6 Mail, go to a signed email and tap the sender's name (which has the little blue "signed" checkmark seal). It should say "Signed - The sender signed this message with a trusted certificate". Tap the [View Certificate] button immediately under that. The certificate should say "Trusted". Tap the [Install] button. Nothing happens; the button simply toggles between Install and Remove. But that's the key. Now you should be able to decrypt encrypted messages and also send encrypted messages to that same contact.


This is all assuming that S/MIME is configured normally. It works both with and without the Comodo intermediate cert.

Jan 13, 2013 8:54 AM in response to M a † † h e M a † † i c s

Not sure if you already solved your problem...


But I want to share my findings on this topic.


I played with signatures and encryption on OS X some years ago.

At that time I used certificates from Thawte and it worked quite well ( after some trial and error ).

I could sign and encrypt messages between OS X clients ( Mail, Thunderbird ) and Windows clients ( Thunderbird ).


So now that I have some expensive iOS equipment ( iPad, iPhone, ... ) I wanted to see if S/MIME signing and encryption is possible between these machines.

Since Thawte is no longer providing free email certs I chose Comodo.

I did some trial and error on requesting and collecting the certificate with both Safari and Firefox. It somehow worked and somehow not...

Then i came across this nice Howto article :


http://www.hoylen.com/articles/it/email/security/cert-comodo.html which helped me a lot.


I followed the steps explained there and managed to get signature and encryption of messages working on a MacBook Pro running ML and an iPad 2 running iOS 6.01.


Here are some things that caused trouble and confusion for me :


use of the browser for the request and collection of the cert

Some years ago it was not possible to collect and export the certificates with Safari. You had to use Mozilla/Firefox to do this, because in Safari there was no way to export the private key that was generated during the process.

It is possible now to collect the cert with Safari and it will be in the keychain after you collected it, and so will the private key ( with no name ! ).

In any case, request and collection of the cert has to be done with the same browser!!!

So my smart idea to request with Firefox and collect with Safari didn't work.

I personally prefer collection with Firefox because it gives me the possibility to check the whole process, and I like to import the .p12 file ( exported from Firefox ) into an empty keychain so I can check what is in the package.


"moving" the certificate to the iOS device

Right now it seems that there are ( at least ) two options to bring the cert/key package to the iOS device.


- making a profile for the device with the cert/key included

- sending the cert/key package as a mail attachment


I used the latter one with success. Instead of exporting it from the keychain ( which I did before with some success ) I chose to mail the Firefox-exported ( see link above ) .p12 file to myself. After opening the attachment and providing the password my iPad added that as a profile.

This profile showed in the General->Profiles-> section of my Settings.

As the Original Poster mentions this profile is listed as "Not Trusted" ( in red color ).

I did not care and went on to my @me.com account in the Mail settings section.

There at the Account->Advanced->Advanced settings I switched on S/MIME and Sign and checked my cert under the Certificate section of Sign. It showed the certificate of my email address as "Trusted" ( in green color ).

Under the "More Details" tab it showed 3 certificates, one of them my freshly collected email cert.
