dumpsterdave

Q: S/MIME on iPhone 6s:  unable to sign or encrypt

After updating to an iPhone 6s, I am no longer able to use S/MIME with the Mail app (it all still works on my DT machine).

 

I have removed and reinstalled both Certificates ("Profiles") - both my own and the Issuer; yet when I attempt to craft an email, the phone displays the message:

 

     Unable to Sign or Encrypt

     You can't send signed or encrypted messages because identities for the address "redacted" could not be found. Go to the Advanced settings for this account to choose signing and encryption identities.

 

Under Advanced Settings, S/MIME is enabled; as are both Sign and Encrypt, both of which have my Cert/Profile/Identity check-marked and listed as Trusted.

 

I've tried deleting and re-adding these a couple of times, to no avail.

 

Has anyone else experienced this? Have you found a solution?

iPhone 6s, iOS 9.0.2

Posted on Oct 1, 2015 10:56 AM


  • by Pirxter, Oct 2, 2015 4:06 AM in response to dumpsterdave
    Level 1 (0 points)

    I have almost the same issue.

     

    Signing a message with S/MIME does work, but encryption does not work.

     

    When trying to encrypt a message in the iPhone default mail app I get the error message:

     

    Unable to Encrypt


    You can't send encrypted messages because an encryption identity for the address t*@g***.*g could not be found. Go to the Advanced settings for this account to choose an encryption identity.

     

    I can set to encrypt by default in Advanced settings, however, the error message still appears and it is not possible to encrypt.

     

    Installing a new certificate did not solve the issue.

     

    The same is the case for Apple Mail on my laptop. You can sign a message with S/MIME, but you can't encrypt.

     

    My certificate is self-signed, created with Key Chain Access.

     

    Best

    Thomas

     

    iPhone 6

    iOS 9.0.2

     

    MacBook Pro Retina 15 inch Mid 2014

    Mail 9.0 (3094)

    Key Chain Access 9.0 (55171)

    OSX 10.11

  • by dumpsterdave (Solved answer), Oct 2, 2015 10:08 AM in response to Pirxter
    Level 1 (4 points)

    I managed to get it working:  here's what I did (which is absurd, but, it worked)

    • Deleted the email account entirely (Exchange)
    • Re-created the email account
    • Re-set-up S/MIME
      • N.B., when you're associating Certs etc., you still need to step "back" from those sub-screens until you get to the main account screen and can hit "Done" (this kind of breaks the AAPL paradigm of all-things-saved-at-all-times)

     

    After that, it worked.

  • by Fred Hyden, Oct 10, 2015 9:17 AM in response to Pirxter
    Level 1 (4 points)

    If one creates an email protection certificate using Certificate Assistant (which is accessed from Keychain Access) and takes the default settings, the resulting certificate will sign but not encrypt email. This bug has existed since at least 2008. A work-around is to not use the defaults and check the "key encipherment" capability under key usage extension. It is also good to specify a longer valid period. I use 7300 days.

    I have contributed this information to Apple Support Communities several times over the years but it keeps getting deleted. Some people found that checking "key encipherment" was the magic bullet that made things work. For others, it didn't help. Best of luck.

    I am experimenting with using XCA rather than Certificate Assistant. I believe both are GUI front ends for openssl. I am having good luck with XCA. It seems to be high-quality software.
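
To check the "key encipherment" point from the post above on a given certificate, this added example (not from the thread or any poster) reads the X.509 keyUsage extension with the `openssl` CLI and reports whether the certificate permits S/MIME signing, encryption, or both. It assumes OpenSSL 1.1.1 or newer; the function names and the two constructed test certificates are illustrative, with the digitalSignature-only one standing in for a certificate that signs but cannot encrypt.

```shell
#!/bin/sh
# Added example: does a certificate's keyUsage allow S/MIME signing, encryption, or both?

# make_cert <basename> <keyUsage>: constructed, throwaway self-signed test certificate.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Test/emailAddress=user@example.test" \
    -addext "keyUsage=critical,$2" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# key_usage <cert.pem>: print the X509v3 Key Usage values (empty if the extension is absent).
key_usage() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# smime_capabilities <cert.pem>: echo sign, encrypt, sign+encrypt or none.
smime_capabilities() {
  _ku=$(key_usage "$1")
  # RFC 5280: a certificate without keyUsage places no restriction on the key.
  if [ -z "$_ku" ]; then echo "sign+encrypt"; return 0; fi
  _sign=""; _enc=""
  case "$_ku" in *"Digital Signature"*|*"Non Repudiation"*) _sign=sign ;; esac
  # RSA keys need keyEncipherment to encrypt; EC keys need keyAgreement.
  case "$_ku" in *"Key Encipherment"*|*"Key Agreement"*) _enc=encrypt ;; esac
  if [ -n "$_sign" ] && [ -n "$_enc" ]; then echo "sign+encrypt"
  elif [ -n "$_sign" ]; then echo "sign"
  elif [ -n "$_enc" ]; then echo "encrypt"
  else echo "none"; fi
}

# Demo on two constructed certificates: one sign-only, one with keyEncipherment added.
demo() {
  _dir=$(mktemp -d)
  make_cert "$_dir/sign_only" "digitalSignature"
  make_cert "$_dir/fixed" "digitalSignature,keyEncipherment"
  for _c in sign_only fixed; do
    printf '%s: %s\n' "$_c" "$(smime_capabilities "$_dir/$_c.pem")"
  done
  rm -rf "$_dir"
}
demo
```

To inspect a real certificate, export it as PEM and call `smime_capabilities` on that file; a result of `sign` matches the symptom described in this thread, where signing works but no encryption identity is found.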

  • by Pirxter, Oct 10, 2015 8:00 PM in response to Fred Hyden
    Level 1 (0 points)

    Interesting, I thought that Apple might be responsive to security bugs. If Apple Support do not attend to things relating to security, then what is there to attend to? Or do Apple try to match the support standards of Microsoft?

     

    Anyway, I have sold all my Apple shares. Apple are clearly slacking, and slacking increases risk of a Black Swan.

     

    Thanks much for the workaround, I will try it.

  • by JoeGomez17, Nov 18, 2015 3:45 PM in response to Pirxter
    Level 1 (0 points)

    For those of you that are having the issue where email signing works but email encryption fails with the "Unable to Encrypt: You can't send encrypted messages because an encryption identity for the address [Mail] could not be found. Go to the advanced settings for the account to choose an identity."

     

    See my post here:

    Re: Can't encrypt email. "Identity could not be found"

     

     

    "After struggling with this for a while I managed to fix it.

     

    Even though I exported the certificates as a package from my computer including my public cert, intermediate certs, root cert, and private key, and imported that into my phone, the iPhone fails to install the private key.

     

    Here is what I did:

    - Export your private key *only*
    - Email it to yourself or get it to your iPhone in some way
    - Install your private key
    - Restart your iPhone / restart your mail application.

     

    I can now sign and encrypt email."

  • by dmrich, Dec 12, 2015 1:54 AM in response to dumpsterdave
    Level 1 (0 points)

    there's a much easier way to do this.

     

    AFTER you install your own .pfx which contains your public and private key (STEP1), send yourself an email NOT encrypted but YES on signed

     

    open the message in mail and

    click on the sender (you) where it says From:

    click view certificate

    click install

     

    you must "re-install" your own public certificate so you can use your own public key to send it to yourself

         (you will have to do this to send an encrypted message to anyone else in the future)

    before you can decrypt said message with your own private key which is what you installed in the first place

     

    looks like when you install the pfx in the beginning it either ignores your public key, or just doesn't properly associate it with the contact or wherever apple mail wants to pull it from

  • by DamonF, Feb 19, 2016 6:47 AM in response to dumpsterdave
    Level 1 (10 points)

    I tried dumpsterdave's approach, but when I added my account back (Gmail, in this case), the certificates (1 expired, 1 valid) automatically appeared again, I did not get a chance to add them back.  Perhaps they are coming in from iCloud Keychain?  I do have that turned on.

  • by DamonF, Mar 4, 2016 9:48 AM in response to DamonF
    Level 1 (10 points)

    I figured it out: they are coming back from installed profiles (Settings -> General -> Profile).  2 with my e-mail address were displaying, I could tap to find the expiration date on the issued certificate, and delete the profile with the expired certificate.  This left the valid certificate both in Profile, but also back in the mail account's S/MIME settings.

     

    I could have also deleted both profiles and started over from scratch with the re-import of my .p12 certificate.

  • by Antonifromsabadell, Aug 31, 2016 9:03 AM in response to dmrich
    Level 1 (4 points)

    Indeed, this worked fine for me for three accounts. Sending to the same account with only the signature and then clicking to install the public key to the device is the key solution. Great. (Worked out for iPhone 6 and iPad Mini