Go to InstantSSL and request a free S/MIME signing certificate. It's valid for a year, only for the address you specify. You'll be prompted to set a revocation password, which you'll need if you ever want to stop the key from being trusted. I suggest you save the password as a secure note item in the keychain.
Click the link in the message you'll receive at that address. A file named "CollectCCC.p7s" will be downloaded in your web browser. Double-click the file. It will open in Keychain Access. Confirm that you want to import the keys it contains.
Two items will be added to the keychain you specify. Both are named "Key from secure.instantssl.com". One is of type private key and one is of type public key. You'll want to delete those items when the key expires or is revoked.
Quit and relaunch Mail. When you next compose a message from the certified address, you'll have the option to sign it, as detailed here: How to Use a Secure Email Signing Certificate (Digital ID).
The first time you sign a message with the new certificate, you'll be prompted to allow Mail to use it in the keychain. Click Always Allow.
Important:
- You must quit and relaunch Mail before the certficiate will be recognized.
- Mail that is only signed is not encrypted; anyone can read it. The recipient can be reasonably sure that it came unaltered from a person who receives mail at the sender's address. That is not proof of the sender's identity.
- To encrypt messages, the recipieint must already have gone through a similar setup process, and you must know his or her public key. The key can be sent to you in the clear, attached to a signed message, but again, you have no proof of the sender's identity. All you know is that he can receive mail at the specified address.
