
iOS 8 Per User S/MIME

According to the new iOS Security Guide (September 2014) iOS 8 now includes per user S/MIME (page 41).


You can download the Guide in PDF format using this link: http://images.apple.com/privacy/docs/iOS_Security_Guide_Sept_2014.pdf


From the guide:


“Mail leverages certificates for authenticated and encrypted Mail by supporting S/MIME, which, as of iOS 8, permits per-message S/MIME, so S/MIME users can choose to always sign and encrypt by default, or selectively control how individual messages are protected.”


In previous iOS versions that supported S/MIME, it was always on or always off as configured in the settings for the mail account. Supposedly, this can now be toggled on and off on a per-message basis right from the mail composition screen.


The new “Lock” icon in the mail composition window can be seen below. I would’ve expected a separate icon for signing-only purposes like there is in Mail on Mac OS X.


[screenshot: mail composition window with the Lock icon]


I'm trying to test this new feature but I'm currently experiencing another error with my newly installed certificate.


Here is the error I'm currently getting. Any ideas as to a solution? And yes, I've checked the “Advanced” settings and they are correct as far as I can tell. S/MIME is turned on for the account. I'm using a free certificate issued by COMODO and it works fine in Mail on Mac OS X.


[screenshot: the S/MIME error]

iPhone 5s, iOS 8

Posted on Sep 18, 2014 10:36 AM

38 replies

Sep 23, 2014 6:35 AM in response to Gino Cerullo

Which Comodo certificate did you get? When I check their website, they want $16.36/year for an email certificate. The free certificate is for browser SSL. Try opening the certificate on your Mac and see what it's good for. It should show something under Usage like digital signature, key encipherment. Under Key Usage it should show what it can be used for.


[screenshot: certificate details]


I thought I read an article that said Apple might/would act as a certificate vendor, using your iCloud credentials to create the proper certificate and manage them. I could be wrong but it would be a great service for Apple to be in. I know I can create a self-signed certificate but this can't be used when a trusted certificate is required.

Sep 23, 2014 7:04 AM in response to Gino Cerullo

Ok, why do they have two websites? I found them at ssl.comodo.com. Are they the same company?


I created a certificate for myself. I'm a little worried about the directions for installation since they're geared towards a Windows system. I don't like automatic installations of things I've never used before, so I downloaded the file. It's a typical p7s file and installed into the keychain. When I opened it, it doesn't list encrypt in key usage, so I believe it can only be used for signing. I'll check on this with Comodo. It's been a while since I had to deal with Entrust certificates at work, so I need to dig out those memory cells and remember all the pain I went through trying to get them to work with Macs over the last dozen+ years.


[screenshot: Comodo certificate key usage]


I did find this Apple page that lists Comodo as a trusted vendor, "iOS 8: List of available trusted root certificates", so I feel comfortable using them.


I read their agreement and it says they have a public repository for user certificates, probably the public key the recipient needs to validate the sender's certificate, but it's not on the specified page (http://www.comodogroup.com/about/comodo-agreements.php, "Public repository of user certificates").

Sep 23, 2014 8:19 AM in response to Peter Link

I recently did some playing around with OpenSSL (on linux), S/MIME, and certificates. Rather than using a cert from one of the vendors available, I simply created my own root CA and CA. At any rate, in all of my reading, I've seen that Comodo certs do not work, probably for the reasons stated above. If you go Settings > General > Profiles > [Your Cert] > More Details > [Your Cert], you'll find the summary of your cert. It has to at least have the following extensions:


Usage (Netscape Certificate Type): SSL Client, S/MIME

Usage (Key Usage): Digital Signature, NonRepudiation, KeyEncipherment

Extended Key Usage: Client Authentication, Email Protection


To that end, the free certs provided by StartSSL will work straight away or you can make your own.

Sep 23, 2014 8:25 AM in response to MrBobDabolina

Sorry, creating my own root CA and CA won't work for me. It wouldn't be trusted by anyone else and wouldn't be accepted by most legitimate services. I want a certificate from a trusted vendor that is managed properly and would be able to be used by anyone with trusted credentials to send and receive encrypted email from myself. I worked for a government contractor for way too long and we were required to use encrypted and signed email for certain types of information.

Sep 23, 2014 9:11 AM in response to MrBobDabolina

I checked them out and StartSSL is based in Israel so I'll think a bit before using them (you need to have worked for the US government to know why).


I'm also wondering about which email address to use and whether I can include aliases in the certificate. My official Apple email is in the icloud.com domain, but I continue to use my mac.com and, to a lesser extent, me.com email domains, which are actually aliases to the icloud.com email domain. Neither Comodo nor StartSSL includes this feature when signing up. Historically, Apple Mail didn't accept the alias attribute, requiring the email address used to match the email address in the certificate exactly. Does anyone know if this has changed? Maybe someone from Apple will answer this question.

Sep 23, 2014 10:50 AM in response to Peter Link

Comodo certificates work just fine! I figured out what the problem is with my original issue.


In addition to installing the .p12 certificate files, by emailing them to yourself or using Apple Configurator, I also had to send a signed message to myself and install the public certificate that came along with that. I can now send encrypted email on a per message basis but signing still has to be on by default. This was not what I was hoping for.


I was hoping this new implementation would solve the ability to toggle both signing and/or encryption on a per message basis. That is not the case. You have to turn on signing in Settings for the email account and then you can only toggle encryption on a per message basis. Signing will always happen. You can't toggle both signing and encryption like you can in Mac OS X Mail.


Hoping they change this in a future version of iOS Mail. Older versions of Windows Outlook didn't handle this very elegantly and some people were confused by it so I was hoping to be able to toggle signing and encryption for a while still.

Sep 23, 2014 11:19 AM in response to Peter Link

Okay, I found out something else that is different in Mail on iOS regarding S/MIME. You can only send a signed message to people for whom you already have their public certificate.


In Mac OS X Mail you can send signed only email to people whether you have their public certificate or not. Of course you can only send them encrypted email if you have their public certificate installed.

Sep 23, 2014 11:51 AM in response to Gino Cerullo

Gino, it works fine for me on my Mac even though it doesn't include the encrypt attribute. I can sign and encrypt emails to and from myself. I received a p7s file from Comodo. It installs just fine into my OS X keychain without any modifications. It says it's valid. I can sign and encrypt when sending to myself. I exported my certificate, resulting in a p12 certificate (the only option that actually does anything). When I click on the p12 attachment, it opens up Settings/General/Profiles and wants to install. Before and after installing, it says it's not signed. When I enter my iPhone PIN and certificate password (from exporting from my Mac), it says it's Not Verified. I turned on S/MIME in my Mail settings. Any ideas?

Sep 23, 2014 12:16 PM in response to Peter Link

Wait a minute, I think it works now. I hadn't completed the Mail setup, but even that took several attempts before the settings would stay. The process of getting everything installed is a mess.


1. On my Mac I simply double-clicked the p7s certificate from Comodo. This puts the certificate in my login keychain and Mail works fine from there.

2. I exported my Comodo certificate, getting a .p12 file. I emailed that file to myself.

3. On my iPhone, I clicked on the p12 file and went through the installation.

4. On the iPhone, under Settings/General/Profiles, my Comodo certificate is listed (it still says Not Verified).

5. Under "Mail, Contacts, Calendar" I select my account at the top.

6. Inside my account I scroll to bottom and click on Advanced/Mail

7. I scroll to bottom and click on Advanced

8. I scroll to bottom and slide the S/MIME button to turn it on, then click on Sign. I slide the button to turn it on. My Comodo certificate shows and when I click on it it says Trusted

9. On my iPhone I send a signed email to myself. When I get it I click the "From" name (which should have the signed icon), then the blue "Install Certificate" link under the signed message. It should install quickly. Click Done and everything should work. (hopefully I didn't forget anything because I did things too many times)


If you make any changes to any of the settings and it shows a "Done" in the upper right corner, click on it to make sure your settings were saved. I had to go through things a couple times because it wasn't saving my changes.
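The two threads of this discussion, the extension list a certificate needs (Netscape Cert Type, Key Usage, Extended Key Usage) and the export-to-.p12, install, send-yourself-a-signed-message procedure above, can be reproduced end to end at the command line. The script below is an added example written for this page; it is not code from the thread, from Apple or from Comodo. It assumes the OpenSSL CLI is on PATH, and the CA name, the user name, the address alice@example.com, the .p12 password and the working directory are made-up values for the example. It builds a private root CA (the self-made CA one poster described), issues a user certificate carrying exactly the extensions listed earlier, checks that they are present the way Keychain Access or iOS Profiles would show them, exports the .p12 bundle with the CA included, signs a message, and then verifies that message and pulls the signer's certificate back out of the signature, which is the CLI counterpart of Mail's "Install Certificate" link.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a private CA and an S/MIME user certificate,
# checks its extensions, exports the .p12 that iOS Profiles installs, signs a message and
# recovers the signer's certificate from the signed message.
# Assumptions: `openssl` on PATH; names, e-mail address and paths below are invented.
set -e

WORK="${SMIME_WORK:-$(mktemp -d)}"
EMAIL="alice@example.com"   # assumed address; use the exact address the Mail account sends from

# Extension profile for the root CA: must assert CA:TRUE to anchor a chain.
write_ca_ext() {
  cat > "$WORK/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Extension profile for the user certificate: the three usage blocks listed in the thread.
write_user_ext() {
  cat > "$WORK/user.ext" <<EOF
basicConstraints = CA:FALSE
nsCertType = client, email
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectAltName = email:$EMAIL
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Self-signed root: CSR, then sign it with its own key and the CA extension profile.
make_ca() {
  write_ca_ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Private Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# User certificate: CSR signed by the CA with the S/MIME extension profile.
make_user_cert() {
  write_user_ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Alice Example/emailAddress=$EMAIL" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/user.ext" \
    -out "$WORK/user.pem" 2>/dev/null
}

# Succeeds only if every extension the thread lists is present in the issued certificate.
check_usage() {
  text=$(openssl x509 -in "$WORK/user.pem" -noout -text)
  echo "$text" | grep -q 'SSL Client, S/MIME' &&
  echo "$text" | grep -q 'Digital Signature, Non Repudiation, Key Encipherment' &&
  echo "$text" | grep -q 'TLS Web Client Authentication, E-mail Protection' &&
  echo "$text" | grep -q "email:$EMAIL"
}

# The bundle you mail to the phone and install from Settings > General > Profiles.
# The CA certificate is bundled so the device can build a chain for the profile.
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.pem" \
    -certfile "$WORK/ca.pem" -name "$EMAIL" -passout pass:changeit -out "$WORK/user.p12"
}

# Number of certificates inside the bundle (expect 2: user + CA).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/user.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Sign a message. The multipart/signed output embeds user.pem (and, here, the CA), which is
# why a recipient can install the sender's certificate from a signed mail with no prior exchange.
sign_message() {
  printf 'Subject: test\n\nsigned body\n' > "$WORK/msg.txt"
  openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/user.pem" -inkey "$WORK/user.key" \
    -certfile "$WORK/ca.pem" -out "$WORK/msg.eml"
}

# Verify the signature against the root and write the embedded signer certificate out:
# the CLI equivalent of Mail's "Install Certificate" link. Prints the signer's subject.
verify_and_extract_signer() {
  openssl smime -verify -in "$WORK/msg.eml" -CAfile "$WORK/ca.pem" \
    -signer "$WORK/signer.pem" -out "$WORK/verified.txt" 2>/dev/null
  openssl x509 -in "$WORK/signer.pem" -noout -subject
}

run_all() {
  make_ca && make_user_cert && export_p12 && sign_message
}

run_all
check_usage
echo "certificates in user.p12: $(p12_cert_count)"
verify_and_extract_signer
```

Two practical notes on this. First, `openssl smime -verify` accepts the message with nothing but the CA on the verifying side: the signer's certificate travels inside the signature, which is the mechanism behind the later reply that signing needs no recipient certificate. Second, if you export the .p12 with OpenSSL 3.x, its default PKCS#12 encryption (AES with PBKDF2) is newer than what some older importers understand; OpenSSL 3.x offers `openssl pkcs12 -export -legacy` to produce the older RC2/3DES-based bundle if a device refuses the file.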

Sep 29, 2014 3:47 PM in response to Gino Cerullo

"Okay, I found out something else that is different in Mail on iOS regarding s/mime. You can only send a signed message to people for whom you already have their public certificate."


I don't think that is true. I am able to sign an email to a recipient without having his public certificate. It does not make sense to require a recipient's public certificate when you are signing the email using your own.
