22

I'm having a bit of an issue here. Bear with me as this may be a case of "not asking the right question".

Background: Using Apple Mail. Want to encrypt/decrypt email but GPGMail (and apparently PGP) isn't supported with Snow Leopard.

Basically I need to create an S/MIME certificate for use in email encryption. I don't want, nor do I care for, a Certificate Authority. I simply want a quick-and-dirty certificate. Is this even possible (using OpenSSL, etc.) or does the whole process hinge on a higher authority forcing me to either set up a full-scale CA or deal with a company (e.g. Verisign, Thawte) for a cert? My criteria are instant gratification, and free.

Best.

humble_coder
  • Note that *your* certificate is used for two purposes in S/MIME. To sign *your* emails, and to decrypt email sent *to you* by someone else. To encrypt email to someone else, you'll need their certificate. Typically, email clients are set up out of the box to trust some predetermined set of CAs. If certificates are not signed by one of these, you'll get at least a nasty message and possibly even a non-functioning system. – President James K. Polk Jan 16 '10 at 20:46
  • I know this is an older question, but for future reference, the GPGMail plugin does now work on Snow Leopard: http://www.gpgtools.org/installer/index.html – Jason Whitehorn May 29 '11 at 14:21
  • I know this is an older comment, but GPGMail is not free for OSX anymore. – nycynik Sep 25 '18 at 23:05

3 Answers

25

Yeah, it sucks that Apple Mail does not support GPG. :-( I wish it did because I prefer GPG encrypted e-mail too.

I also agree that information surrounding S/MIME and generating your own e-mail certificates is hard to come by. I found Paul Bramscher's webpage has a good description of how to create your own Certificate Authority certificate.

I don't pretend to fully understand the certificate process, but this is what I've been able to piece together. You should consult the openssl manpage for more detailed information about each of the commands shown below.

Create Certificate Authority

The first step is to create your own Certificate Authority (CA). The commands are …

# openssl genrsa -des3 -out ca.key 4096
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

and follow the prompts.

You will need to issue your CA's certificate (i.e. the content of ca.crt) to each and every recipient of your encrypted e-mail. The recipients will have to install and trust your CA certificate so that your encrypted e-mail will be trusted. The installation will vary for each mail client used.

In your case, you will need to add your CA's certificate to your Apple Keychain. There are lots of posts on the web about how to import and trust a CA certificate in the Apple Keychain.

Create Personal E-Mail Certificate Request

You now need to create a certificate request. Create one for each e-mail address you wish to send e-mail from. Execute the following commands …

# openssl genrsa -des3 -out humble_coder.key 4096
# openssl req -new -key humble_coder.key -out humble_coder.csr

and follow the prompts.

Certificate Authority Signs Your Certificate Request

Your personal certificate needs to be signed by your CA. In this case, you!

# openssl x509 -req -days 365 -in humble_coder.csr -CA ca.crt -CAkey ca.key \
  -set_serial 1 -out humble_coder.crt -setalias "Humble Coder's E-Mail Certificate" \
  -addtrust emailProtection \
  -addreject clientAuth -addreject serverAuth -trustout

The output is your signed certificate.

Prepare Your Certificate for Importing into Your Mail Application

You need to convert your certificate from .crt (PEM format, I think) to .p12 (PKCS#12 format).

# openssl pkcs12 -export -in humble_coder.crt -inkey humble_coder.key \
  -out humble_coder.p12

You can now import your *.p12* formatted certificate into your mail client. In your case, import the *.p12* file into the Apple Keychain. Once the certificate is installed correctly, Apple Mail will start using your certificate.

There is an Easier Way

Of course, once you've created your own CA there's an easier way of managing certificates created by your own Certificate Authority. openssl comes with a script named …

# /usr/lib/ssl/misc/CA.pl

which simplifies the process of being your own Certificate Authority. There's even a man page for CA.pl!

Sera H
Convict
  • In the section Certificate Authority Signs Your Certificate Request, the "-CAKey" argument needs to be "-CAkey" with a lower case 'k' - at least for my version, OpenSSL 1.0.0a 1 Jun 2010. – KevM Jan 25 '12 at 20:32
  • I changed -CAKey to -CAkey. This is a really excellent answer, but the side-comment about GPG is unwarranted. S/MIME has many advantages over GPG. Besides wider support, it includes the certificate with each signed message, providing a built-in certificate distribution mechanism. – vy32 Nov 02 '12 at 00:13
  • Don't forget to set some restrictions on the certificate, see http://security.stackexchange.com/a/30069/3272 – Tobias Kienzler Feb 08 '13 at 11:26
8

Free and signed by a CA: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

Andrew McGregor
  • Comodo uses the <keygen> tag to let your browser make a CSR without sharing the private key. That doesn't work in most modern browsers (e.g. Chrome 49+). – mhvelplund Dec 08 '17 at 12:19
  • Quote from the page: “*Please use Mozilla® Firefox® or Microsoft® Internet Explorer® 8+ to collect your certificate. Email Certificates **cannot** be collected using Google® Chrome® or Microsoft Edge.*”. This matches the [compatibility table from MDN](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen#Browser_compatibility). – Franklin Yu Aug 23 '18 at 03:24
  • Works using Safari. – nycynik Sep 25 '18 at 23:06
  • This appears to be a paid service only - the link above offers NO FREE certs. – user3788685 Feb 07 '22 at 18:34
1

As others have said, the answer is obviously yes. You can generate it via openssl, or you can use one of the providers that gives a free x509 email cert.

That being said, the most important question is: what do the people you exchange email with use? I'm active in the Free software community, so most of the people I exchange email with use GPG. The only ones I know of that use S/MIME do so on their work email as a matter of corporate policy.

If the people you're emailing don't use S/MIME, you won't be able to encrypt to them, and they won't be able to verify signed emails.

David