S/MIME can't install public cert

I know this is a late response, but here it is anyway. Apple doesn't provide a way to manage public certs in iOS for non-enterprise users, other than by using the Mail.app like you tried. Unfortunately, there are limitations as you ran into. The main limitation is that you cannot install an email correspondent's new certificate until his/her old one is removed. But, in order to remove the old certificate you have to have an email from them that is signed with the old certificate, which by clicking on their name in the header of the email and viewing the certificate, you have the option of removing it (the red button). Then, by reading their new email that has been signed with their new certificate you click on their name and then the certificate install process you normally do will be honored (at which time the blue install button will turn into a red remove button, which is how you know it got installed). There is a catch-22 to this process because if your corresnpondent's certificate has expired, then they cannot sign an email with their old certificate, so if you don't have an old signed email from them, you're hosed. At this point the only way is to totally wipe your phone of all data and start over. In my case, since I had access to my team's desktop computers, I set their computer time back to before the old certificate expired (their certificates were still in Keychain), sent a signed email using their old cert, then removing in iOS Mail.app, then setting the date back to the correct date/time (this required turning off Network Time Protocol >> in System Preferences, Set Date & Time, uncheck "Set date and time automatically"). This isn't a good solution, obviously, especially if you have 100's of s/mime correspondents whose certificates expire every year! Apple just hasn't provided support for public certificate management for individuals in iOS other than what I've described above and does not plan to. There are too few s/mime users even in enterprise to make it worth the time and money to do so.

As for enterprise, through Apple Configurator, you can set up MDM (Mobile Device Management) servers to manage hundreds or thousands of iOS devices over the Internet thru secure channels. This would be how the NSA, FBI, or military would configure their user's phones and s/mime settings. But even then, the public certificates would then be between known email correspondents that are trusted and part of the group, not ad-hock unknown ones.

As individual users of s/mime, I suggest either/both of the following:

• Maintain a mail folder and archive at least one signed email from every s/mime correspondent you have received a signed email from. Do not delete because you'll need the old email in order to remove their old certificate once their's expires.
• If all of your s/mime correspondents are on your own team, then setup both their iOS and desktop email accounts to leave s/mime signatures turned on. This presumes you've obtained "real" s/mime certificates from a root CA (certificate authority) such as Comodo (which still offers free s/mime certs for individual use). This will not work very well if you use self-signed s/mime certificates because the signatures will not be trusted outside your team, thus making signed email problematic.

The other option is to use GPG, but it has it's own headaches, especially with iOS ease of use.

worked in my case. Thanks

Hi,

When you click the blue "install" will change in red "delete". Then click on "OK" and is done.

To Decrypt / Sign :

- install CAs first or after

- install p12(pfx)

To Crypt :

- install CAs first or after

- install cert used to sign.

This is mandatory, with p12(pfx) installation only, or with cer(crt) installation only, cannot crypt !!!

Always : Ask sender to sign. Install cert used to sign !!!!

(send to yourself a signed mail and install cert used to sign to be able to encrypt to yourself)

To see certificates you need to look for "Profiles" in General tab.

To delete old or any certificate you must go on General and down on Profiles

Certificates on iOS are "Profiles" :-)

The only thing you'll not see different is if the certificate has a private key associated or not.

May be :

Try to find an old mail (someone's or wife's) with same mail address of course, but signed with the old certificat (and old public key) to see if it's installed. In fact it should appear expired may be or invalid but surely with delete option :-)

As I understand as iOS bug, it can detect the new cert&key for same mail address as install option is present but cannot override old cert&key, with no error popup, nor profile access. (To delete it as old profile)

As SMIME or pkcs7, the system, or mail system with associated keystore, or mail with integrated keystore, or mail system with middleware and smartcard, Must Always always be able to keep archive or history of all encryption certificates and private keys in such to be Always ready and able to read and decrypt any old, archived, encrypted mail as keys and certificates become expired.

So, the keystore (on iOS, Mac OS, etc) must also be able to import (install) any old and expired encryption cert&private key to be able to decrypt and unable to encrypt of course because of expiration condition.

If on PKI strategy, we are renewing certificate only, keeping same key pair, we'll have in keystore only one private key and as many certificates associated as validity cicles (5 certificates for 2 years of validity and 10 years of data encryption. This is for understanding that in SMIME or pkcs7, the standard is looking for certificate serial number instead of public / private key serial which should simplify decryption of archived mails.

And as things on SMIME rest more touchy, mails systems based on, does not have any transcription method or functionality : decrypt the session (symmetrical) key with old RSA private key, than decrypt the message with session key, than generate new session key, than encrypt the message with session key, than encrypt the new session key with new public RSA key on new x509 certificate.

I'm very sad, and really hard to believe that Apple engineers don't skill at high level all this cryptographic goodies :-(

For encryption minimum 2 years and you can easily go for 4 years.

Anyway, old encrypted mails became unsecure because of weakeness of old keys length. And as I said we cannot transcrypt with new stronger keys and stronger certificates.

Yep, I have the EXACT same problem. Did you find out what the issue is, or is it a bug? I'd submit a bug report, but Apple just ignores them. The "Install" button for the user's certificate also does nothing for me. So frustrating, because you need that new cert installed in order to sent the other user an encrypted e-mail.