S/MIME Secure E-Mail communication

If you want to communicate via E-Mail in a secure way, activate S/MIME for your E-Mail-Account in the settings of your iOS-Device. S/MIME was first introduced by Apple in iOS 5.

The problem …

Maybe you have received an E-Mail from a friend where the subject line seemed a little odd. Upon opening the E-Mail you noticed that it was SPAM. Somehow a spammer was able to use your friend's E-Mail address (spoofing the sender address), which, understandably, made you feel comfortable enough to open and read the message. Experiences like these created the need for a more secure form of E-Mail.

If you send a letter through the post office, do you simply print a piece of paper and drop it off in a mailbox, or do you put it in an envelope? If you are worried about people reading your message, why do you send an E-Mail without a ‘virtual envelope’? As an E-Mail passes through routers, switches, and from one mail server to another without being inside a virtual ‘envelope’ (that is, encrypted), anyone along the way could read your letter.

How it works …

Secure/Multipurpose Internet Mail Extensions (S/MIME) can secure your mail by encrypting a message at the source and only decrypting it once it’s in the hands of the receiver. S/MIME also supports digital signatures, so you can know for sure who sent the message and that it wasn’t changed in transit.

If S/MIME is activated the iOS-Mail application will show a little checkmark (within a gearwheel) after the sender’s name if a message was signed.

If something is wrong with the certificate or the message was changed after it was signed, iOS-Mail displays the sender's name in red followed by an open padlock.

A common reason for signature failures is people using self-signed certificates or using CAcert, which isn’t considered a trusted authority by Apple and others.

The bad news is that you normally have to pay for a Digital ID from a Certificate Authority (CA) e.g. VeriSign.

If certificates are cheap (or even free), the certificate authority only checks whether the person requesting a certificate is actually in control of the E-Mail address in question; there is no actual identity check.

What you need …

A Class 1 Digital ID e.g. from Symantec/VeriSign.

The process from APPLY to INSTALL …

How to install …

  • Apply for a Digital-ID.
  • Wait for confirmation and issue. It may take up to several days depending on the verification strategy of the CA.
  • The CA issues your digital certificate for installation on a PC/Mac.
    Follow the CA's instructions when you get the download link for your certificate.
  • Install the certificate in the certificate storage of Safari/Internet Explorer.
  • Export it using file format PFX.
  • Send the PFX-File as an attachment to the appropriate E-Mail-Account (the account the certificate was applied for).
  • Open it on your iOS-Device and tap on the attachment (PFX-File).
  • iOS identifies this format as an importable Identity Certificate for installation as a Profile. Follow the instructions. Pay no heed to any strange message.
  • Turn on the S/MIME option.
    Two additional sections (Sign, Encrypt) will be displayed.
  • Turn on Sign and Encrypt.
    You can select one of the certificates you own a private key for. Tapping it puts a checkmark next to it, and this is the certificate that will be used to sign all outgoing messages from this account.
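The pieces named in the sections above (a certificate, the PFX export, the detached signature, tamper detection and the encrypted ‘envelope’) can be reproduced by hand with OpenSSL on a PC/Mac. The script below is an added example, not part of the original post; the address, file names and export password are constructed, and the self-signed certificate is for the demo only (as the post notes, iOS-Mail will not trust it, which is why a CA-issued Digital ID is needed for real use).

```shell
#!/bin/sh
# Added example (not from the post): the S/MIME pieces the post mentions, done
# by hand with OpenSSL on a PC/Mac: a certificate, a PFX export, a signed
# message with a detached smime.p7s part, tamper detection, and an encrypted
# "envelope". The cert is a throwaway self-signed one (demo only); as the post
# says, iOS-Mail will not trust it, so a CA-issued Digital ID is needed for real use.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# 1. Throwaway key + self-signed cert for a constructed address.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Alice Example/emailAddress=alice@example.com" \
  -keyout alice.key -out alice.crt 2>/dev/null

# 2. Export key + cert as PKCS#12: the PFX file the post e-mails to the device.
#    The export password is all that protects the private key in that attachment.
openssl pkcs12 -export -inkey alice.key -in alice.crt \
  -out alice.pfx -passout pass:demo-export-pw

# 3. Sign a constructed body. Output is multipart/signed: the clear-text body
#    plus a detached application/x-pkcs7-signature part (the smime.p7s attachment).
printf 'Meet at 10:00.\n' > body.txt
openssl smime -sign -text -in body.txt -signer alice.crt -inkey alice.key -out signed.eml

# 4. Encrypt the same body to Alice's cert; only her private key can open it.
openssl smime -encrypt -binary -aes256 -in body.txt -out encrypted.eml alice.crt

# 5. Change one character of the signed body after signing.
sed 's/10:00/11:00/' signed.eml > tampered.eml

# verify_signed FILE: succeeds only if the signature over FILE checks out and the
# signer chains to alice.crt, i.e. the sender cert the recipient has installed.
verify_signed() {
  openssl smime -verify -in "$1" -CAfile alice.crt -out /dev/null 2>/dev/null
}
# plaintext_leaked FILE: succeeds if the body is readable by anyone relaying FILE.
plaintext_leaked() { grep -q 'Meet at 10:00' "$1"; }
# decrypt: opens the envelope with Alice's private key and prints the body.
decrypt() { openssl smime -decrypt -in encrypted.eml -recip alice.crt -inkey alice.key; }

verify_signed signed.eml       && echo "signed.eml:    signature OK"
verify_signed tampered.eml     || echo "tampered.eml:  signature FAILED (changed after signing)"
plaintext_leaked signed.eml    && echo "signed.eml:    body readable in transit (signed, not encrypted)"
plaintext_leaked encrypted.eml || echo "encrypted.eml: body not readable without alice.key"
echo "decrypted:     $(decrypt)"
```

The tampered copy fails verification exactly as the red sender name with the open padlock signals in iOS-Mail, and the signed-only message shows why Sign alone is not an envelope.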

How to communicate securely …

  • Send a Mail to the recipient.
  • The recipient must install your certificate (by tapping on the sender's name) for future secure communication.


Additional information …

  • Apple has chosen to not indicate that a message was signed in the standard configuration under iOS. To enable this feature, you have to go into the Settings… Account… Advanced for each E-Mail-Account, and then enable S/MIME. If you have other iOS-Devices you have to repeat all steps for every device.
  • Recipients of a signed E-Mail will see an attachment named smime.p7s; it carries the signature together with your certificate. This attachment can be ignored.
  • iOS doesn't automatically store the certificates of people who sent a signed E-Mail to you. Instead, when someone has sent you a signed message, you have to tap the sender's name, and then you can install the certificate for future use. If you try to send a message to someone you don't have a certificate for while encryption is enabled, their name turns red to alert you to the problem. A lock icon indicates that a message was encrypted.

Related links …

Apple about S/MIME

IBM about S/MIME

Thanks for visiting iNotes4You.