
Using S/MIME on iOS Devices

The following article explains how to set up your iPhone or iPad to send and receive encrypted emails via S/MIME. The prerequisite is an S/MIME certificate from a certificate authority. Some CAs provide them free for personal use. The procedure is not very complicated, even though the description may look lengthy due to the many screenshots. The biggest hurdle is picking the correct file format when exporting your S/MIME key on your Mac. (A description of how to export the correct certificate on Windows will follow.)

Set-up for Receiving Encrypted Emails

1. Export your private key in a format that you can import on your iOS devices.

To do this, open “Keychain Access” and find your certificate. Select it and choose “File” / “Export Items”, as shown below.

[Screenshot: export key]

2. Next, save the certificate in p12 format.

In the process of saving the certificate, as detailed below, you will be asked to provide a password to encrypt your key. This will allow you to send it via email without fear of it being intercepted and used by someone else. Depending on your keychain settings, you will also be asked to provide your administrator password to read the private key for exporting.

[Screenshot: save p12]

3. Now drag the exported file onto your mail application's icon to send it to yourself.

(Make sure you don’t encrypt it ;)

[Screenshot: send key]

4. Turn to your iOS device to import the certificate.

Open the email you just sent to yourself and tap on the attachment to import your certificate.

[Screenshots: import on iOS; unsigned certificate; enter password]

5. Enable S/MIME in advanced mail settings and choose your certificate.

On your iOS device, go to “Settings” / “Mail, Contacts, Calendars” / “<Your Account>” / “Advanced” (at the very bottom of your account settings) and activate S/MIME. Important: Make sure you leave the account settings by tapping “Done” in the top right of the tool bar. Changes don’t appear to be applied until you do so.

[Screenshots: enable S/MIME; confirm settings]

You can also enable signing and encrypting of messages here, but more on that in a moment. What we’ve achieved so far is the ability to read messages that have been encrypted with our public key. Unfortunately, sending encrypted messages involves a few more steps and has a few caveats.

Set-up for Sending Encrypted Emails

In order to send an encrypted message, you need to do the following.

1. Import the recipient’s public key.

This happens automatically on OS X but requires some manual interaction on iOS. You may have noticed when looking at signed messages (like the one you sent yourself earlier) that there’s a new little star icon in the blue email address bubble after S/MIME has been activated. This is the UI indicator for signed messages. The address bubble is also a button that you can tap to bring up address (and certificate) information.

[Screenshot: address bubble with star]

Tapping this button will bring up the address info view:

[Screenshot: address info]

Tap “Install” to register this public key, which will allow you to send encrypted emails to the key’s owner. You will need to repeat this procedure once for every recipient.

2. Send email.

There’s not really a step two other than making sure you’re sending to the recipient’s correct email address and from your correct account so that the available keys match up with the email addresses used in the process. You can tell that your message is being encrypted by the “Encrypted” string in the title bar of your message:

[Screenshot: encrypted message]


What’s a bit unfortunate is that there’s no easy way to selectively send encrypted emails. The encryption setting is global for the account under “Settings”, meaning that you have to go there and enable/disable encryption for all messages from that account. It would be nice if that were the default only, with an option to override it in the message composition view.

It would also be nice if public key importing were automatic, like it is on the Mac.

But all in all, it’s nice to be able to read encrypted emails on iOS devices now.

Reader Comments (7)

If you have 2 certificates you will have to export them in separate p12 files. iOS does not recognize p12 files with multiple certificates.

February 10, 2012 | Unregistered Commenter Vadim

Another really annoying caveat is that if you have multiple email certificates, only one shows up when you're in the mail settings trying to assign the certificate under the S/MIME settings, so the recipient gets an 'email address mismatch' message when trying to validate the signing certificate.

February 13, 2012 | Unregistered Commenter Chris (@xcagg)

Is it secure to email yourself a public key without encryption?

August 24, 2012 | Unregistered Commenter b

Well, your public key is just that – public :) You're handing it out so people can encrypt mails intended for you to decrypt using the matching private key.

If you're referring to mailing yourself your private key to install it on the iPhone, you should give the key a passphrase as described in the post to make that mode of transfer secure. If you're still uncomfortable about that, you can use the iPhone Configuration Utility to install the certificate.

August 25, 2012 | Registered Commenter Sven A. Schmidt

I tried this with iOS 6 (on an iPhone 4 and an iPad 3) and was not completely successful. Exporting and transferring the certificate in P12 format to the devices works, as does importing the certificates. The Mail app then is able to decrypt e-mail and verify S/MIME signatures. However, encryption does not work. In the advanced settings for the mail accounts, I can enable S/MIME, but when I then try to enable either e-mail signing or encryption, iOS tells me that no valid certificates are available.

I tried self-signed certificates and "real" certs signed by my own CA. The CA root certificate I also imported on the iOS devices, and all certs are listed as trusted iOS profiles. Signing and encrypting with said certificates works fine with the OS X 10.8 Apple Mail client.

Any ideas?

September 22, 2012 | Unregistered Commenter Ralph

Hi Ralph, I've seen a problem like that even on iOS 5 but did not yet have time to investigate further. I need to set up my certificates again soon and will hopefully be able to say more then.

September 28, 2012 | Registered Commenter Sven A. Schmidt

Looks like I found the reason why some certificates were not selectable in iOS: the certs in question, all created with OpenSSL, were either missing nsCertType = email or keyUsage = dataEncipherment. In these cases, iOS was correct not to offer the certificates for S/MIME. With the appropriate extensions/attributes present, OpenSSL-generated certificates can be used without a fuss.

September 29, 2012 | Unregistered Commenter Ralph
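
The extension problem described in the last comment can be checked locally before a certificate is ever sent to a device. The following is an added example, not part of the original post or its comments: it builds two throwaway self-signed certificates with the openssl command-line tool and asks OpenSSL (not iOS) which S/MIME purposes each one satisfies. Only nsCertType = email and dataEncipherment come from the comment; the file names, the test identity, and the digitalSignature, keyEncipherment and emailProtection values are assumptions, and OpenSSL's own encryption check keys on keyEncipherment.

```shell
#!/bin/sh
# Added example: signing-only certificate vs. one with S/MIME extensions.
# Test keys are written unencrypted to a temp dir; never do this with real keys.
WORK=$(mktemp -d)

cat > "$WORK/smime.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Test User
emailAddress = test@example.com
[sign_only]
keyUsage = critical, digitalSignature
subjectAltName = email:test@example.com
[smime]
# nsCertType = email and dataEncipherment are the values named in the comment;
# the other values are assumptions commonly set on S/MIME certificates.
nsCertType = email
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:test@example.com
EOF

# make_cert NAME SECTION: self-signed test certificate using SECTION's extensions
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/smime.cnf" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# smime_purposes CERT: print OpenSSL's verdict, e.g. "sign=Yes encrypt=No"
smime_purposes() {
    openssl x509 -in "$1" -noout -purpose | awk -F' : ' '
        $1 == "S/MIME signing"    { s = $2 }
        $1 == "S/MIME encryption" { e = $2 }
        END { printf "sign=%s encrypt=%s\n", s, e }'
}

# has_ext CERT PATTERN: succeed if the decoded certificate text contains PATTERN
has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

make_cert weak sign_only
make_cert good smime
echo "weak: $(smime_purposes "$WORK/weak.pem")"
echo "good: $(smime_purposes "$WORK/good.pem")"
```

To inspect an existing certificate instead, point smime_purposes and has_ext at its PEM file.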