SMIME signing stopped working with iPhone 6

So, I had this exact issue and now the mystery (for me anyway) is somewhat solved, but a work-around for Office365 or Exchange mailboxes still remains. Everything worked perfectly (albeit cumbersome to setup) and then broke as soon as I upgraded iOS. I have two mail accounts on my iOS mail app (iCloud & Exchange/O365). Installing the certificates worked great. Enabling S/MIME signing, and encryption was buried but pretty easy. Although for this post all I want to discuss in "signing" not encrypting, because the problem emerged with signing, so forget encryption if signing is not working yet.

Getting my iCloud account to sign (and encrypt) email was accomplished after sending myself a signed email, and installing my own public key associated with my own contact in my contact list. The problem started when I added my second mail account which happens to be O365/Exchange. Network packet captures showed that although I was attempting to sign emails to/from iCloud only accounts, the mail client was sending OCS packets/sessions across SSL/443 to O365 servers for validation/verification. Let me repeat; even though the ONLY emails involved were Apple iCloud accounts, the OCS certificate validation (the step that occurs when attempting to sign) was attempting to validate using the WRONG servers (Microsoft). It was doing this because I had an O365 profile loaded (my work account) but this was overwriting the process for my iCloud profile as default.

To make the issue even more problematic (other than the wrong servers attempting to be leveraged for OCS validation), Microsoft actually has an issue supporting S/MIME on certain O365 mail accounts. Their "auto-discovery" protocol for detecting what kind of endpoints (mail client apps) are connecting to O365, detect if you're an "Outlook App" client or leveraging something else (like iOS Mail App). If you're sending/receiving email from O365 mailboxes, while using a mobile device with Outlook app, Microsoft will email you letting you know they "DO NOT SUPPORT S/MIME OR ENCRYPTION ON THIS MAILBOX." Here's the article, and looming patch hopefully in the future.

So sorry for muddying the waters a bit more, but this is a combination of issues ranging from iOS Mail detecting and leveraging the wrong OCS servers because of multiple mail accounts loaded, as well as O365 not fully supporting S/MIME on all devices as of yet.

If anyone has further details please post :-)

-Justin

I have the same problem here. Iphone 6 / ios 8.

Working Certificates on iphone 5 / ios 7.12 don't work in the new phone / ios 8.

Getting the same error message:

Unable to Sign

You can't send signed messages because a signing identity for the address [redacted] could not be found. Go to the Advanced settings for this account to choose a signing identity.

Tried a couple of things already, but no success. (reconfigured the email account, send the certificate via different ways, installed the root certificate, etc)

Still the same error message

Signing works fine in my case. I use a CAcert certificate. Only encrypting doesnt work anymore. The error message was the same at the beginning. "...no identity... found" After a few attempts now I only got a message "Encrypting not possible" or similar (translated from German).

I can also answer encrypted mails and the mail from my iPhone 6 is also encrypted, but I'm not able to create a new, encrypted mail. Not even to the same person I already answered encrypted mails, so I guess that iOS must have the neccessary certificate from this recipient.

Unfortuneately I cant find any discripton of the new iOS8 S/MIME features and how to set up.

Same behavior on iPhone 5s /w IOS 8. Buggy crap... does anyone at apple test anything prior to release? Cant sign or encrypt even after deleting my (previously to iOS 8) working profiles and re-installing the certs. Apple fix this crap!!!

I think I fixed my issue. I installed the root and intermediate certs in addition to my personal email cert. Seemed to do the trick. My apologies to the Apple testing, that ire now belongs to the documentation crowd at Apple...

I already had the root certificates installed, bu unfortunatelly that didn't help. Are you able to use the new "per mail" encryption?

I just wanted to chime in and say that I'm also experiencing issues encrypting messages, though the signing appears to be working correctly. I used the iPhone Configuration Utility to install the certificates (issued by COMODO). The certificates install as expected, however Mail.app returns an 'Unable to Encrypt' error on my iPhone 6 Plus running 8.0.2.

I've used the same process to install these exact certificates in the past, including very recently on a replacement iPhone 5 handset. I am wondering whether the issue affects the newer iPhone 6 hardware only. In any case, I have now reported the issue and raised a RADAR (18480971).

I'm having the same problem. I've tried over the air (OTA) provision of .p12 files, both with and without passwords; I've tried manual import via Apple Configurator, both with and without password. Sadly it never works.

Unfortunately, this issue remains unfixed in iOS 8.1. Has anyone managed to get this working yet?

EDIT: it appears in iOS 8 you are required to manually install a user's Public Key — even your own! To test this:

1. Email yourself ensuring the message is signed

2. Touch the Verified badge beside your name

3. Touch 'View Certificate'

4. Touch 'Install'

Composing an email to yourself now should offer Encryption.

This appears particularly cumbersome given how automatic this process was in iOS 7 and earlier. Further discussion here: iOS 8 Per User S/MIME

Hello together,

do you have some news about that? I have the same problem since iOs 8.x and on my iPhone6. on my iPad2 everythink works fine with s/mime under iOs 8.x. But not on my iPad air too...

iOS 8.1 is not a solution for this problem.

Hello,

here are my reports:

I noticed this problem after enabling the iCloud keychain.

i had two accounts using S/MIME installed. Only one account was affected by this issue. Both certificates are from the same CA.

I first tried reinstalling the certificate without success. But since users were reporting in this thread, that playing around with the configuration suddenly resolved the issue i completely removed the mail account from the device and reconfigured it from scratch. This fixes the issue.

Its a little bit annoying to type in the account info again, but at least for me this is a solution.

HTH

It was working fine on my iPad 2 after the iOS 8 upgrade, but not on my iPhone 6 which was synced from a profile from my old iPhone 4. Removing and reinstalling the email accounts solved the problem.

Thanks odx!

I had a very similar issue too. I got the message that my profile wasn't installed and couldn't encrypt any messages, despite the fact that it was installed correctly. I simply did a hard reset of the device (iPhone 6 Plus), by holding the Home button and Power Button together for 10 seconds... and after it rebooted I was able to sign and encrypt my emails normally. That seemed to fix the problem.

Like for the others, I had also to delete and re-create my exchange mailbox. I moved today from iPhone 5s to 6 and used iTunes to migrate my settings. I installed root and intermedia certificate before my signing certificate including private key. iPhone said, the certificate could be verified. But still I got the same message as you. Deleting and recreating mailbox helped.