
S/MIME encryption does not work

Hello everybody,


For 2 days I have been trying to get email encryption up and running, without any success.


I have a personal certificate from the German mail provider WEB.DE installed, including a private key. I also installed the necessary root and mail certificates of this provider so that the chain of trust is given. Keychain says that the certificate is valid.


I now received a signed email from a friend. This gets his certificate installed into Keychain. It is also shown in the address book next to his email address. When I now reply to this mail and check the encrypt button, I get the error message that the email cannot be encrypted and I should check whether valid certificates are installed for all recipients.


Sending signed emails works like a charm and I can also check the encrypt button. It is not grayed out.


I deleted all certificates and reinstalled them multiple times with no effect. I also ensured that I do not have any conflicts with other certificates. The mail address in the TO field of Mail is written in the same way as it is given in the recipient's certificate. I also executed First Aid from the Keychain application. No problems found.


I changed the trust settings in both my own and the recipient's certificate in different ways and restarted Mail in between. I also restarted OS X multiple times. Nothing solved the issue so far.


I read about 50 articles on the web, including everything about S/MIME encryption in this community, but I cannot find a solution.


What is the problem here?


Best regards...

MacBook Pro (Retina, 13-inch, Late 2012), OS X Mountain Lion (10.8.4)

Posted on Jun 23, 2013 10:51 AM

7 replies

Jun 23, 2013 12:58 PM in response to LosWochos

First, the address associated with the S/MIME public key must exactly match the address to which you're trying to send the encrypted message. The matching is case-sensitive. "Foo@Bar.com" does not match "foo@bar.com".


The recipient's certificate must be valid: not self-signed, expired, or revoked. You can check the status of the certificate in Keychain Access (see below).


If you can't encrypt messages to a valid address with a valid certificate, continue.


Back up all data.

Launch the Keychain Access application in any of the following ways:


☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.


Select the login keychain from the list on the left side of the Keychain Access window. If your default keychain has a different name, select that.


If the lock icon in the top left corner of the window shows that the keychain is locked, click to unlock it. You'll be prompted for the keychain password, which is the same as your login password, unless you've changed it.


Right-click or control-click the login entry in the list. From the menu that pops up, select

Change Settings for Keychain "login"

In the sheet that opens, uncheck both boxes, if not already unchecked.


From the menu bar, select


Keychain Access ▹ Preferences ▹ First Aid.


If the box labeled Keep login keychain unlocked is not checked, check it.


Select Keychain from the menu bar and repair the keychain.

Quit and relaunch Mail. Test. If the problem isn't resolved, continue.

Export all S/MIME certificates, delete them from the keychain, and reimport. For instructions, select

Help ▹ Keychain Access Help

from the menu bar and search for the term "export" in the help window. Test.

If the test fails, delete all the certificates again, then reinstall them from fresh copies.
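
The first three checks in the reply above (exact, case-sensitive address match; validity window; not self-signed), written out as an added example against Go's standard x509 package; this is not code from the thread or from Apple. CheckRecipientCert and MakeTestCert are names chosen here, and the test certificate is constructed data; revocation is deliberately left out because it needs a CRL or OCSP lookup.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"time"
)

// CheckRecipientCert applies the reply's checklist to a recipient certificate:
// exact (case-sensitive) address match, validity window, and not self-signed.
// Revocation is not covered; that needs a CRL or OCSP lookup.
func CheckRecipientCert(cert *x509.Certificate, to string, now time.Time) []string {
	var problems []string
	matched := false
	for _, e := range cert.EmailAddresses { // rfc822Name SAN entries
		matched = matched || e == to // byte-for-byte: "Foo@Bar.com" != "foo@bar.com"
	}
	if !matched {
		problems = append(problems, "address mismatch")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, "expired or not yet valid")
	}
	// Self-signed: the certificate's own public key verifies its own signature.
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		problems = append(problems, "self-signed")
	}
	return problems
}

// MakeTestCert builds a self-signed certificate with one e-mail SAN; constructed
// test data, not a real WEB.DE or COMODO certificate.
func MakeTestCert(email string, notBefore, notAfter time.Time) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if rand.Reader does
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		EmailAddresses: []string{email},
		NotBefore:      notBefore,
		NotAfter:       notAfter,
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above; parse cannot fail
	return cert
}
```

To run the same checks against a certificate already in the Mac's keychain, export it with `security find-certificate -e <address> -p > recipient.pem`, then pem.Decode the file and hand the bytes to x509.ParseCertificate.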

Jun 24, 2013 6:35 AM in response to LosWochos

In the upper left corner of the Keychain Access window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.

In the Keychains list, there should be an item named System. If not, select


File ▹ Add Keychain

from the menu bar and add the following item:

/Library/Keychains/System.keychain

From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu at the top, select

When using this certificate: Use System Defaults

Close the inspection window. You'll be prompted for your administrator password to update the settings. Revert all the certificates with non-default trust settings.

From the menu bar, select

Keychain Access ▹ Preferences ▹ Certificates


There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.

Next, select the login keychain. Delete any expired or otherwise invalid certificates.


Log out, log back in, and test.

Jun 29, 2013 2:07 AM in response to LosWochos

Everybody,


I finally got everything up and running. But not with the Web.de certificates. I tried everything but I did not manage to get encryption up and running with the Web.de certificates.


So, I removed everything that looked like them from the keychain. After that I retrieved a free certificate from COMODO (http://www.comodo.com/home/email-security/free-email-certificate.php). Please ensure that you always select "United States" as your country of residence. Otherwise, you will not get a proper private key embedded into your certificate.


With that cert everything works as expected. You can install them into your keychain and suddenly Mail can sign AND encrypt mails. It also works to install them into an iOS device by exporting them into a p12 file via the Keychain app.


Finally, my email communication is secure.

Jul 21, 2013 11:36 AM in response to LosWochos

Thanks a lot, LosWochos. You saved me a lot of time!

I do experience the same behavior here. I do not see any differences in requesting a certificate with a US or German country of residence from COMODO though.


One funny thing still. I'm only able to encrypt a message if I myself own a certificate for the sending mail address. From my understanding: while encrypting a mail only the certificate of the receiving account is used. Am I wrong?
