
Decryption Error

I created a self-signed S/MIME certificate for encrypted emails in OS X Keychain Access. I am using this S/MIME certificate on my iPad (iOS 8) and on my iMac (OS X 10).

With this S/MIME certificate I have no problems on the iPad decrypting emails that were sent from devices running iOS or OS X.


But when receiving encrypted emails from a Windows PC I get the following error message:

"Decryption Error. This message is encrypted. Install a profile containing your encryption identity to decrypt this message"

The iMac, using the same S/MIME certificate, has no trouble decrypting the same email from the Windows PC.


Does anybody have the same problem? Does anybody have a solution to this problem?

Posted on Oct 20, 2014 6:56 AM

Question marked as Best reply

Posted on Oct 22, 2014 7:25 AM

I solved this issue!


The problem is, when OS X or iOS sends a signed email there seems to be no indicator included which tells the receiving mail program what type of encryption method to use. This doesn't matter if the receiving mail program is OS X Mail or iOS Mail. But MS Outlook and Windows Live Mail, for that reason, fall back to a 40-bit RC2 encryption method. The 40-bit RC2 encryption method is an old standard that can still be decrypted by OS X but not by iOS. See here and here for details.


To overcome this problem, Windows Live Mail needs to be told to send emails in 3DES. To achieve that I did the following.

1. I added my Mac email account to Windows Live Mail.

2. I imported my Mac email S/MIME certificate (.p12 file) into the Windows Certificate Manager

(one copy needs to be in "Personal" and another copy in "Trusted Root Certification Authorities").

3. I added the S/MIME certificate as signing and encrypting keys under Security in the Mail Account Properties, and set Algorithm to 3DES.

4. I sent a signed email in Windows Live Mail from my Mac email account to my Outlook email account.

This adds the S/MIME certificate in the Certificate Manager to "Other People".

5. Copy the certificate in the Certificate Manager to "Trusted People" and "Intermediate Certification Authorities" if it is not already there.

6. Delete the S/MIME certificate in "Personal" and in "Trusted Root Certification Authorities". This will delete the private key.

7. Delete the Mac email account in Windows Live Mail.


When you are done with these 7 steps, Windows Live Mail will only have the Mac S/MIME certificate/public key and knows that it is supposed to send emails encrypted in 3DES.

And voilà, decrypting emails in iOS sent from Windows Live Mail is working!
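The "indicator" the answer above refers to is the SMIMECapabilities signed attribute (RFC 8551 section 2.5.2): a signer lists the content ciphers it can decrypt, and a sender that finds no such list has to guess. The following is an added example, not code from the thread: a minimal standard-library DER reader that parses a constructed SMIMECapabilities value and then chooses a content cipher, modelling the Outlook/Windows Live Mail fallback to 40-bit RC2 that the answer describes when the attribute is absent.

```python
"""Constructed example: read a signer's S/MIME SMIMECapabilities attribute (RFC 8551 s2.5.2)
and pick a content cipher the way the thread says Outlook/WLM do when the list is missing."""
RC2_CBC = "1.2.840.113549.3.2"        # parameters in SMIMECapabilities: INTEGER key bits
DES_EDE3_CBC = "1.2.840.113549.3.7"   # no parameters
AES128_CBC = "2.16.840.1.101.3.4.1.2"

def der_tlv(buf, pos=0):
    """Return (tag, value, position after element) for the DER TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(v):
    """Dotted OID from its DER content octets (base-128 arcs; first byte packs two arcs)."""
    arcs, a = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        a = (a << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(a); a = 0
    return ".".join(map(str, arcs))

def parse_smime_caps(der):
    """SMIMECapabilities ::= SEQUENCE OF SEQUENCE { capabilityID OID, parameters OPTIONAL }.
    Returns [(oid, key_bits_or_None)] in the signer's stated order of preference."""
    _, outer, _ = der_tlv(der)
    caps, pos = [], 0
    while pos < len(outer):
        _, cap, pos = der_tlv(outer, pos)
        _, oidv, p = der_tlv(cap)
        bits = int.from_bytes(der_tlv(cap, p)[1], "big") if p < len(cap) else None
        caps.append((decode_oid(oidv), bits))
    return caps

def pick_content_cipher(signer_caps, we_support=(AES128_CBC, DES_EDE3_CBC, RC2_CBC)):
    """First signer preference we also support. With no attribute at all, model the
    Outlook/WLM fallback reported in the thread: RC2 with a 40-bit key (iOS 8 can't decrypt)."""
    if signer_caps is None:
        return (RC2_CBC, 40)
    return next(((o, b) for o, b in signer_caps if o in we_support), (DES_EDE3_CBC, None))

# Constructed attribute value: AES-128, then 3DES, then RC2-128, then RC2-40.
SAMPLE_CAPS = bytes.fromhex(
    "3038"
    "300b0609608648016503040102"            # SEQUENCE { aes128-CBC }
    "300a06082a864886f70d0307"              # SEQUENCE { des-ede3-cbc }
    "300e06082a864886f70d0302" "02020080"   # SEQUENCE { rc2-cbc, INTEGER 128 }
    "300d06082a864886f70d0302" "020128"     # SEQUENCE { rc2-cbc, INTEGER 40 }
)
```

Checking an incoming signed message for this attribute (and for RC2-40 in its EnvelopedData content-encryption algorithm) is the quickest way to confirm whether a given sender will produce mail an iOS device can open.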

Nov 1, 2014 9:24 PM in response to Detlef Schmitt

My explanation above is a bit complicated. Here is a more condensed version in less technical words.


Sending a signed email from an OS X or iOS device to a Windows PC will not enable the Windows PC to send emails that can be decrypted by an iPad or an iPhone. That is true for self-signed certificates and for official certificates, e.g. from Comodo. To overcome this problem, send the signed email from a Windows PC instead.


Since I have many friends with PCs I was looking for a convenient way to send my certificate. For myself I found Parallels Desktop to be most convenient for this purpose. On my iMac I run Windows 8.1 and Windows Live Mail in Parallels. In Windows Live Mail I set up my Apple email account and installed the certificate. So, whenever I want to add another PC friend to my encrypted email network I send this person a signed email from my Apple email account in Windows Live Mail.
