S/MIME Certificate
Being able to encrypt your emails and sign them so others know you personally sent them, is worth the struggle.
A personal S/MIME certificate is a digital certificate that allows you to sign and encrypt your emails, ensuring that your messages are authentic and secure. It binds your identity (typically your email address) to a cryptographic key pair: a private key that you keep secure, and a public key that others use to verify your signature or encrypt messages to you.
Here’s how to generate the necessary files and create a P12 (PKCS#12) file for use on your personal devices:
1. Generate an RSA 4096 Private Key
Open a terminal or command prompt and use OpenSSL to generate a 4096-bit RSA private key. This key will be used to create your Certificate Signing Request (CSR) and, later, to secure your emails.
openssl genrsa -out privatekey.key 4096
This command creates a file named privatekey.key, which contains your private key. Keep this file secure and never share it.
2. Generate a Certificate Signing Request (CSR)
Next, use your private key to generate a CSR. The CSR contains your public key and identifying information, which you’ll submit to a Certificate Authority (CA) to obtain your S/MIME certificate.
openssl req -new -key privatekey.key -out csr.csr -sha256
You’ll be prompted to enter details such as your country, state, organization and, most importantly, your email address as the Common Name (CN). For S/MIME, the Common Name must be your email address. You only need to enter the two-letter country code and the Common Name; the other fields can be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (city) []:
Organization Name (company) []:
Common Name (your email address) []:you@example.com
This creates a file named csr.csr, which you’ll submit to your chosen CA to request your S/MIME certificate.
3. Submit the CSR to a Certificate Authority
Submit the contents of csr.csr to a CA that issues S/MIME certificates. After validation, the CA will provide you with your certificate, often in P7B (PKCS#7) format, which includes your certificate and the CA’s intermediate certificates.
You can open the CSR in a text editor or type cat csr.csr in the terminal. It's a block of text you paste into a web form.
You can use Entrust, DigiCert, or Sectigo. They can take significant time to generate the certificate.
4. Convert and Merge Certificates into a P12 File
Once you receive your certificate in P7B format (e.g., certificate.p7b), you’ll need to combine it with your private key to create a P12 file. First, extract the certificates from the P7B file:
openssl pkcs7 -print_certs -in certificate.p7b -out certificatechain.cer
This creates a file (certificatechain.cer) containing your certificate and the CA’s intermediate certificates. Now, merge your private key and the certificate chain into a P12 file:
openssl pkcs12 -export -out yourcertificate.p12 -inkey privatekey.key -in certificatechain.cer
You’ll be prompted to set a password for the P12 file. This password protects your private key within the file.
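An end-to-end, non-interactive version of steps 1 through 4, added here as an example rather than taken from the original post. It assumes a throwaway local test CA, constructed inside the script, standing in for the real CA you submit the CSR to, and it checks that the finished P12 carries your email address in the certificate's subjectAltName, which mail clients look for when matching a certificate to an account.

```shell
#!/bin/sh
# Added example: scripted version of the steps above.
# Assumptions (not from the page): the local CA created here is a constructed
# stand-in for the real CA; the e-mail address and file names are constructed.
set -eu

EMAIL="you@example.com"
WORK="${WORK:-$(mktemp -d)}"

smime_build_p12() {
  cd "$WORK"
  # Step 1: 4096-bit RSA private key.
  openssl genrsa -out privatekey.key 4096 2>/dev/null
  # Step 2: CSR with only the country code and the e-mail as CN.
  openssl req -new -key privatekey.key -out csr.csr -sha256 -subj "/C=US/CN=$EMAIL"
  # Sanity check: the CSR must carry the public half of privatekey.key.
  [ "$(openssl req -in csr.csr -pubkey -noout)" = "$(openssl pkey -in privatekey.key -pubout)" ]
  # Step 3 stand-in: a constructed test CA issues the certificate (NOT a real CA).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
    -subj "/CN=Test S-MIME CA (constructed)" 2>/dev/null
  # Mail clients expect the address in subjectAltName plus the emailProtection EKU.
  printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$EMAIL" > smime.ext
  openssl x509 -req -in csr.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out user.crt -days 30 -sha256 -extfile smime.ext 2>/dev/null
  # Bundle user certificate and CA certificate as P7B, the way a CA usually delivers it.
  openssl crl2pkcs7 -nocrl -certfile user.crt -certfile ca.crt -out certificate.p7b
  # Step 4: unpack the P7B and merge the chain with the private key into a P12.
  openssl pkcs7 -print_certs -in certificate.p7b -out certificatechain.cer
  openssl pkcs12 -export -out yourcertificate.p12 -inkey privatekey.key \
    -in certificatechain.cer -passout pass:changeit
}

# Prints the e-mail address found in the P12's end-entity certificate.
p12_email() {
  openssl pkcs12 -in "$WORK/yourcertificate.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text | grep -o 'email:[^, ]*' | head -n 1 | cut -d: -f2
}
```

Run smime_build_p12, then p12_email to confirm the certificate inside the P12 is bound to the address you expect before importing it on a device.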
5. Install the P12 File on Your Devices
How you import and use the yourcertificate.p12 file differs on each device.
- For iOS and iPadOS, AirDrop the file to the device, go to Settings, and enter the information needed.
- For macOS, double-click the file and set it to install into the login keychain.
After you install the certificate pair, you have to give the application access to use it. For Mail on iOS and iPadOS, go to Settings > Apps > Mail > Accounts > The account > Account Settings > Advanced. Under "S/MIME" you'll need to choose the certificate for both "Sign" and "Encrypt by Default."