
iOS 8 Per User S/MIME

According to the new iOS Security Guide (September 2014) iOS 8 now includes per user S/MIME (page 41).


You can download the Guide in PDF format using this link: http://images.apple.com/privacy/docs/iOS_Security_Guide_Sept_2014.pdf


From the guide:


“Mail leverages certificates for authenticated and encrypted Mail by supporting S/MIME, which, as of iOS 8, permits per-message S/MIME, so S/MIME users can choose to always sign and encrypt by default, or selectively control how individual messages are protected.”


In previous iOS versions that supported S/MIME, it was always on or always off as configured in the settings for the mail account. Supposedly, this can now be toggled on and off on a per-message basis right from the mail composition screen.


The new “Lock” icon in mail composition window can be seen below. I would’ve expected a separate icon for signing-only purposes like there is in Mail on Mac OS X.


User uploaded file


I'm trying to test this new feature but I'm currently experiencing another error with my newly installed certificate.


Here is the error I'm currently getting. Any ideas as to a solution? And yes, I've checked the “Advanced” settings and they are correct as far as I can tell. S/MIME is turned on for the account. I'm using a free certificate issued by COMODO and it works fine in Mail on Mac OS X.


User uploaded file

iPhone 5s, iOS 8

Posted on Sep 18, 2014 10:36 AM

38 replies

Sep 29, 2014 8:09 PM in response to machtzu

machtzu, I imagine that in an “Enterprise” certificate distribution would occur using MDM software, of which Apple makes Apple Configurator available for free (downloadable from the Mac App Store).


It actually does work once you have it configured and being able to toggle encryption on or off on a per message basis is a step in the right direction. It would have been nice if you could also toggle signing on a per message basis as well, like you can in Mac Mail, but that isn't as important as it once was.

Sep 29, 2014 8:27 PM in response to Gino Cerullo

I actually am using an over-the-air MDM provider for certificate distribution, and it isn't working properly. I can distribute .p12 files but they are inaccessible to my users, essentially with the same error as reported earlier.


I've generated the profiles using the Apple configurator, and tried to apply them manually and also using MDM.

Oct 3, 2014 7:53 PM in response to Peter Link

I followed these steps on two of my colleagues' iPhone 6 phones. One person gets an error message that reads "unable to sign" when the .p12 file is installed. He is able to read encrypted emails from me, but when he attempts to compose an encrypted email the error message states that he needs to select a signing identity. Under Settings > General > Profile the identity appears to be in order. The second person can send encrypted messages to me which I can read, but she can't read the ones from me. When I try to install her public key on my phone, nothing happens when I click "Install." The encryption is working on my iPhone 6 (iOS 8.0.2) with everyone who is on iOS 7 and earlier. I'm only having trouble with folks who are on iOS 8.

Oct 4, 2014 9:28 AM in response to machtzu

That is because you have missed a step, the exact same step that was causing me problems. It is not enough to install your own private certificate (.p12). Before you can send an encrypted email to a recipient you have to install their public certificate, which they send you when they have signed and sent you an email.


When someone sends you a signed email the “Shield” icon shows up next to their name/email address. Follow the steps below to install the sender’s public certificate.


User uploaded file


User uploaded file


User uploaded file

Jan 11, 2015 10:54 AM in response to Gino Cerullo

I observed the same issue, but beginning with iOS 8. You even have to send a signed mail to yourself before you can encrypt for yourself.


In iOS 7 and 6, installing a certificate profile with P12 and your own plus all issuer certificates was sufficient. The mail app then "knew" your own certificate.

Same with MDM / iPhone Configurator generated certificate profiles, with or without P12 - they don't install implicit trust to the owner.


My own iOS app for S/MIME key generation and sharing is suffering from this, and mail encryption setup for iOS becomes more inconvenient again. I've opened a bug report in Sept 2014, describing this obvious regression, but got no response yet.

Jan 15, 2015 4:02 PM in response to Peter Link

I'm walking through Peter's steps and things are not working for me.


I've got an email cert from Comodo that is working properly on my Mac.


I export it from Keychain Utility as a .p12 file and mail it to myself. Tap on the cert in iOS Mail to install it.


I get a warning that the cert is not trusted. I install anyway.


I turn on S/MIME for the mail account, and switch on signing. The cert is there as expected, but it is still labeled "not trusted".


Back in Mail, I see the lock button indicating that the cert is recognized. I send an email to myself using that account -- step 9 in Peter's list -- and the received email is not signed. Therefore I don't get a public key to add back to the system to complete the loop.


I suspect this is because the cert I imported has never been trusted. I don't understand why not, since it was issued by a trusted CA. I don't see any way to manually trust it, either.


Frustrating.

Jan 15, 2015 5:58 PM in response to mwu

mwu, let's check a few things.


1. On your Mac, open Keychain Access, click on Login and My Certificates to find COMODO certificate under your name. Does it show trusted with a valid date?

2. If so, double click it to open it. Look down to Key Usage. It should look something like this:


User uploaded file


Does it? If not, then you probably didn't fill in the blanks completely on the COMODO site.


Let's start with this. If everything looks good, reply and I'll think about what's going on in your next step.

Jan 15, 2015 6:08 PM in response to Peter Link

Hi Peter,


Thanks for replying. Yes indeed, all is as you described.


I'm mystified, although I have to say this isn't the only problem I'm having with Comodo certs. I would like to use this same one (with the same account, obviously) on another Mac, but when I import it into the Keychain on the other Mac, only the public key comes along. I have a second Comodo cert for a different account on that other Mac that copies back to this first Mac for that account just fine. That second one doesn't work on the iPhone either.


Anyway, more important to me to solve the iPhone issue first -- so if you have further thoughts there I would be glad to hear them. I've been doing a fair bit of Googling and have found nothing.


Mark

Jan 15, 2015 6:40 PM in response to mwu

A couple of requirements that might be overlooked, especially when using more than one S/MIME certificate.


1. The certificate only works for one email address, unless you included aliases when buying the certificate. (you said same account so you should be fine)

2. You can have multiple certificates on a Mac for multiple email accounts (certificates are linked to email accounts, not logon users) but it gets a little messy selecting which one to use when you have multiple certificates for the same user. This does work on a Mac but I'm not sure it works on an iOS device.

3. When you ran the COMODO certificate installer on the second Mac, did the process look any different? I don't remember if they simply sent me a certificate or an installer when I got it.

4. I don't know of a way to take this conversation off-line so you could try sending me a signed email so I can look at your public key and try and send you an email back. Typically we don't include personal email addresses in forums.


When I contacted COMODO support, they sent me this link. Hopefully it will help.

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/76/18/why-can-some-people-reply-to-my-digitally-signed-emails-and-some-not
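The loop the thread keeps circling back to (install your own .p12, get a signed mail from the other party so their certificate can be installed, only then encrypt) and the checks Peter lists (Key Usage, one address per certificate, whether the .p12 really carries the private key) can all be reproduced outside Mail with openssl. The script below is an added example, not code from any poster in this thread; it assumes openssl 1.1.1 or newer on PATH, uses a constructed address alice@example.com and a throwaway self-signed identity rather than a COMODO-issued one, and treats digitalSignature + keyEncipherment key usage plus the emailProtection extended key usage as the extensions an S/MIME certificate needs.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the S/MIME setup loop with openssl.
# Assumptions: openssl 1.1.1+ on PATH; alice@example.com is a constructed address;
# the identity is a throwaway self-signed cert, not one issued by a public CA.
set -e
WORK="${SMIME_WORK:-$(mktemp -d)}"
ALICE="alice@example.com"

# Step 1: an identity with the extensions an S/MIME cert needs (the "Key Usage"
# block Peter asks about), packaged as the .p12 that gets installed on the phone.
make_identity() {   # $1 email, $2 basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2/emailAddress=$1" \
    -addext "subjectAltName=email:$1" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$2.key" -in "$WORK/$2.crt" \
    -passout pass:changeit -out "$WORK/$2.p12"
}

# Step 2: what to look at when a cert "works on the Mac but not on the phone":
# key usage, EKU, the address it is bound to (one address per cert), and expiry.
check_smime_cert() {   # $1 cert.pem, $2 expected address; returns 0 if usable to sign+encrypt
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'Digital Signature' || { echo "no digitalSignature key usage"; return 1; }
  printf '%s\n' "$text" | grep -q 'Key Encipherment' || { echo "no keyEncipherment key usage"; return 1; }
  printf '%s\n' "$text" | grep -q 'E-mail Protection' || { echo "no emailProtection EKU"; return 1; }
  printf '%s\n' "$text" | grep -q "email:$2" || { echo "not issued for $2"; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
  return 0
}

# mwu's other problem: a .p12 that only carries the public half. Check before mailing it.
p12_has_private_key() {   # $1 file, $2 password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Step 3: sign a message. openssl embeds the signer's certificate in the PKCS#7 blob,
# which is why a recipient needs one signed mail from you before they can encrypt to you.
sign_message() {   # $1 basename, $2 address, $3 output file
  printf 'From: %s\nTo: %s\nSubject: hello\n\nconstructed test body\n' "$2" "$2" > "$WORK/$1.txt"
  openssl smime -sign -in "$WORK/$1.txt" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$3"
}

# Recipient side: pull the sender's certificate out of the signed message (the "shield" tap).
extract_signer_cert() {   # $1 signed message, $2 output pem
  openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -out "$2"
}

# Verify the signature using only what came in the message. Self-signed here, so the
# extracted cert is also the trust anchor; a CA-issued cert would need the issuer chain.
verify_message() {   # $1 signed message, $2 signer cert pem
  openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

# Step 4: encrypt to the certificate taken from the signed mail, decrypt with the private key.
encrypt_to() {   # $1 plaintext, $2 recipient cert, $3 output file
  openssl smime -encrypt -aes256 -in "$1" -out "$3" "$2"
}
decrypt_with() {   # $1 ciphertext, $2 private key, $3 cert; prints the plaintext
  openssl smime -decrypt -in "$1" -inkey "$2" -recip "$3"
}

# Run the whole loop Alice-to-Alice, the "send a signed mail to yourself" step from the thread.
smime_roundtrip() {
  make_identity "$ALICE" alice
  check_smime_cert "$WORK/alice.crt" "$ALICE"
  p12_has_private_key "$WORK/alice.p12" changeit
  sign_message alice "$ALICE" "$WORK/signed.eml"
  extract_signer_cert "$WORK/signed.eml" "$WORK/alice-public.pem"
  verify_message "$WORK/signed.eml" "$WORK/alice-public.pem"
  encrypt_to "$WORK/alice.txt" "$WORK/alice-public.pem" "$WORK/enc.eml"
  decrypt_with "$WORK/enc.eml" "$WORK/alice.key" "$WORK/alice.crt" | grep -q 'constructed test body'
}
smime_roundtrip && echo "S/MIME round trip OK, artifacts in $WORK"
```

To look at a real certificate instead, run `check_smime_cert` against the PEM exported from Keychain Access and `p12_has_private_key` against the .p12 you are about to mail to the phone; a certificate that fails the address or key-usage check will not be offered as a signing identity no matter how it is installed.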
