The previous post was all about self-signed certs on my Mac. It worked fine until I tried to export the cert to my iPhone. Then I ran into the dreaded “no valid certificates” problem when trying to authorize the profile to sign and encrypt outbound mail. My homebrew cert worked fine for enabling S/MIME on the device, but it was crippled. So I ran off and got me a Comodo free email cert and pounded that in.
Get the cert — using your Mac
Go HERE — but don’t use Firefox, use Safari on your Mac. If your default browser is Firefox, copy and paste this link into Safari. You’ll thank me later. It works fine in Firefox, but it doesn’t install the cert in a way that actually talks to email. Their download is highly automated and there’s breakage along the way.
Follow the steps on the Comodo site and keep your fingers crossed; by the end of the normal process the cert will be correctly installed. If the Comodo site stalls on the “attempting to collect and install your free certificate” step, go look in Downloads for the Collectccc.p7s file. Double-click that file and the Keychain Access app will pop up and start prompting for the password you created when you configured the cert at Comodo.
Click HERE for more detail on managing email certs in the Keychain app. I deleted the old cert once I had the new cert installed and had Mail.app listed in the Access Control tab of the cert’s private key.
Put a reminder on your calendar to renew the cert before it expires in a year.
Configuring Mail to use the cert, on the Mac
If the cert has been properly loaded, restart Mail and the signing and encrypting buttons should show up when you start a new email message. Note that they’re toggles — pay attention to what state they’re in. Otherwise you’ll be signing or encrypting all your mail, which may make your recipients a little crazy.
Configuring iOS to use the cert
I sure hope this post never goes away. That’s what I used to learn how to load the cert on my iPhone. I’m going to put a shorthand version here, just to preserve it (since I’m going to need to repeat this every year when I renew the cert).
Find the Comodo cert in the Keychain Access app. UPDATE: Open the Keychain Access app, click the “My Certificates” choice under Category, and select the cert with your email address. This solves the “.p12 option greyed out” problem that PY Schobbens noted in the comments.
Export it in Personal Information Exchange (.p12) format. Pay attention to the password you put on the export file; you’ll need it on the other end.
Email the exported cert (drag it into a Mail message to yourself) to the iOS device that’s using the same email address as your Mac.
Open the attached cert on the iOS device and blast through the “Unsigned Profile” warning. This is where that password will come in handy.
Enable S/MIME on the phone (Settings/Mail, Contacts, Calendars/<your email account>/Advanced). Check to make sure that the signing and encrypting options actually find your cert. Then take care to back up a layer and tap “Done” to actually write the change to the account. Note: this bold highlighting is mostly a message to myself — surely you won’t skip that last step. But if you send yourself a test message from your phone and it isn’t signed, that’s probably the cause.
Note: with the arrival of iOS 8, the toggles for encrypting have changed. So now the “encrypt” option is available at email-sending-time even when “Encrypt by default” is toggled off for the account — much better arrangement for those of us who only encrypt to a few people.
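Before mailing the exported file to the phone, it is worth confirming on the Mac that it actually holds what the device needs: the private key, the account's email address, and the S/MIME key usage. The script below is an added example and not part of the original post; it assumes openssl is on the PATH, and the helper name check_p12 is my own.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check on the .p12
# exported from Keychain Access, run on the Mac before mailing it to the phone.
# Assumes openssl is on PATH; check_p12 is a name chosen for this example.
#
# usage: check_p12 <file.p12> <export-password> <account-email>
# Returns 0 only when the bundle holds a private key and a certificate that
# names the account address in subjectAltName and carries the E-mail
# Protection extended key usage that S/MIME clients require.
check_p12() {
    p12=$1; pass=$2; email=$3

    # Unpack the bundle to PEM in memory; -nodes leaves the key unencrypted
    # inside this pipeline only, nothing is written to disk.
    pem=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes 2>/dev/null) || {
        echo "FAIL: cannot open $p12 (wrong password or not a PKCS#12 file)" >&2
        return 1
    }

    # Without the private key the phone can show the cert but never sign with it;
    # exporting a bare certificate instead of an identity (cert plus key) loses it.
    printf '%s\n' "$pem" | grep -q 'PRIVATE KEY-----' || {
        echo "FAIL: $p12 contains no private key" >&2
        return 1
    }

    # Decode the first certificate in the bundle into openssl's text form.
    cert=$(printf '%s\n' "$pem" | sed -n '/BEGIN CERT/,/END CERT/p' \
           | openssl x509 -noout -text)

    printf '%s\n' "$cert" | grep -q 'E-mail Protection' || {
        echo "FAIL: certificate lacks the E-mail Protection extended key usage" >&2
        return 1
    }

    # SAN entries print as "email:addr", several per line separated by commas;
    # split them and require an exact whole-entry match against the account.
    printf '%s\n' "$cert" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qFx "email:$email" || {
        echo "FAIL: certificate does not name $email" >&2
        return 1
    }

    echo "OK: $p12 holds a signing identity for $email"
    return 0
}
# Stand-alone use: sh check_p12.sh cert.p12 'export password' you@example.com
if [ "$#" -eq 3 ]; then check_p12 "$@"; fi
```

If the key check fails, the export was taken from a bare certificate rather than the identity under “My Certificates”; if the address check fails, the iOS account will not match the cert to its sender address.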