
iOS 8 Per User S/MIME

According to the new iOS Security Guide (September 2014) iOS 8 now includes per user S/MIME (page 41).


You can download the Guide in PDF format using this link: http://images.apple.com/privacy/docs/iOS_Security_Guide_Sept_2014.pdf


From the guide:


“Mail leverages certificates for authenticated and encrypted Mail by supporting S/MIME, which, as of iOS 8, permits per-message S/MIME, so S/MIME users can choose to always sign and encrypt by default, or selectively control how individual messages are protected.”


In previous iOS versions that supported S/MIME, it was always on or always off as configured in the settings for the mail account. Supposedly, this can now be toggled on and off on a per-message basis right from the mail composition screen.


The new “Lock” icon in mail composition window can be seen below. I would’ve expected a separate icon for signing-only purposes like there is in Mail on Mac OS X.


User uploaded file


I'm trying to test this new feature but I'm currently experiencing another error with my newly installed certificate.


Here is the error I'm currently getting. Any ideas as to a solution? And yes, I've checked the “Advanced” settings and they are correct as far as I can tell. S/MIME is turned on for the account. I'm using a free certificate issued by COMODO and it works fine in Mail on Mac OS X.


User uploaded file

iPhone 5s, iOS 8

Posted on Sep 18, 2014 10:36 AM

38 replies

Jan 15, 2015 8:20 PM in response to Peter Link

Thank you. I was about to reply that I had both problems (transferring cert to iPhone and to another Mac) solved, but it turns out I've only solved the Mac side. My problem there, and perhaps partially with the iPhone piece, is that I was not exporting the cert from Keychain Access properly. I was either exporting the cert, or the private key under the cert, or both individually. What I needed to do was to select them both and export them simultaneously as one file. This made the transfer among Macs work properly. Now both computers are using the same cert successfully.


I had hoped this would also solve the iPhone issue, but it does not. However I've noticed a possible reason why, which I now need to look into. See attached screenshot:


User uploaded file

You can see that it is Not Trusted, which is probably the root of my issue. However, the CA is showing AddTrust External CA Root, even though this is a cert from Comodo. I believe Comodo should be shown there, as it is in the cert screenshot shown in Gino Cerullo's post above. Need to figure out why this is. As you pointed out in a prior post, Comodo is a trusted CA by default in iOS8 so I should not have to add their cert to the phone, too.

Jan 15, 2015 8:44 PM in response to mwu

iOS 8: List of available trusted root certificates - Apple Support lists COMODO as part of the available trusted root CAs.


I deleted my current certificate from my iPhone (says not verified instead of not trusted). When I reinstalled it, it worked fine and is trusted, just not verified because COMODO doesn't perform the additional steps necessary to verify my identity.


What certificate did you attempt to add? You shouldn't be adding a root CA certificate because the COMODO root CA is already installed and trusted per the link I sent.


I emailed my exported .p12 certificate to myself, then clicked on the attachment. I went through the menus to install it and it worked. Are you sure you're going through the complete installation process? Mine required a password to protect the exported certificate along with my login password to do the actual export process. The first password is required to get through all the menu items.

Jan 15, 2015 8:58 PM in response to Peter Link

I just figured out the issue. I feel rather stupid.


I am setting this up on an icloud account. I actually don't use the main mailbox for messages, but rather an alias. The cert is for the alias. The account on the phone was set up for the main mailbox by default, and apparently the mismatch between that mailbox and the alias on the cert caused the cert not to be trusted. Once I changed the default mailbox on the phone, the cert became trusted and all is now well. I was able to complete step 9 in your earlier post and can now sign and encrypt messages from the desired account on the phone. Silly of me not to have noticed that previously.


I appreciate your replies on this topic! Thanks much.
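The two failures described in the posts above (an export that lacks the private key, and a certificate issued for an alias rather than the address the account uses) can be checked on the Mac before the file is mailed to the phone. This is an added example, not part of the thread; the function name `p12_check` and the `P12_PASS` environment variable are assumptions, and it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an exported S/MIME
# identity (.p12) before sending it to a device.
# Usage: export P12_PASS='export password'; p12_check FILE ADDRESS
# Return codes (hypothetical convention for this example):
#   0 = private key and certificate present, certificate is for ADDRESS
#   2 = cannot open bundle, 3 = no private key,
#   4 = no certificate,     5 = address mismatch
p12_check() {
  p12=$1
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

  # Private key. Exporting only the certificate row from the keychain leaves
  # it out. The password is read from the environment so it never appears in
  # the process list, and the key is re-encrypted on output (-passout) so it
  # is never held in clear text.
  key=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS \
          -nocerts -passout env:P12_PASS 2>/dev/null) || {
    echo "cannot open bundle (wrong password or not PKCS#12)"; return 2; }
  printf '%s\n' "$key" | grep -q 'PRIVATE KEY-----' || {
    echo "no private key in bundle"; return 3; }

  # Leaf certificate only (-clcerts), ignoring any CA chain in the export.
  cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS \
           -nokeys -clcerts 2>/dev/null)
  printf '%s\n' "$cert" | grep -q 'BEGIN CERTIFICATE' || {
    echo "no certificate in bundle"; return 4; }

  # Addresses the certificate was issued for (subject emailAddress and SAN).
  emails=$(printf '%s\n' "$cert" | openssl x509 -noout -email | tr 'A-Z' 'a-z')
  printf '%s\n' "$emails" | grep -qxF -e "$want" || {
    echo "certificate is for: $emails (account uses: $want)"; return 5; }

  echo "ok: key and certificate present, address matches"
}
```

Pass the address the mail account on the device actually sends from, which for an alias setup is the alias. With OpenSSL 3, a bundle protected with older ciphers may need `-legacy` added to the `pkcs12` calls.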

Dec 12, 2015 11:52 PM in response to Peter Link

I also had the "several attempts" issue.


If you're special like me, the several attempts were because after you install the certificate, then go to:

Mail, Contacts, Calendars

accountnamehere@address.com

Account

Advanced

and turn on S/MIME and the defaults you desire


you then MUST GO BACK the same way you came in:

top left click

<Advanced (skip this step if not configuring defaults)

<Account

THEN click Done in the top right


otherwise the changes you made will not be saved. hope this helps someone in the future


*note my comodo cert is also not verified - i'd imagine it doesn't meet something apple requires for signing profiles, not just acting as an email cert

(signed profiles most often used for education/corporate environments where you set up a profile, sign it, and apply your company data/apps/configuration to a bunch of phones) - but that's just a guess


**note if you email yourself and click on the sender of a signed message (you) and click view certificate, it'll be trusted, regardless of whether it is installed. that's what you are looking for
