S/MIME Certificates in OS X

S/MIME certificates are a great way to make sure people know when email is actually from you, and to let them easily encrypt email they send to you. Finding a free certificate authority whose root is included in most browsers' and operating systems' lists of trusted root certificates, however, can be difficult. I found two, Thawte and StartSSL; both are discussed below.

Thawte's “Personal E-mail Certificates” site is still operational now (October 2009), but it will stop validating certificates in November 2009. Since this option has effectively disappeared I searched around for an alternative and found StartSSL. This post covers how to open an account at StartSSL, validate an email address, request a certificate, and get Apple Mail to use that certificate.

OS X's support for S/MIME certificates is good. A properly set up site can hand OS X a new certificate, which is then added to the keychain, associated with the correct email account more or less automatically, and used to sign and encrypt email as needed. Thawte's site worked this way; unfortunately StartSSL makes this process MUCH more difficult.

First things first: what do you need to get started? On OS X you need two browsers. Yes, that is silly, but it makes things easier in the long run. For some reason I cannot fathom, StartSSL's site does not load properly in Safari the first time you try; if you open it in Safari and it behaves like mine did, you cannot actually complete a request for an account because the drop-down boxes do not work.

StartSSL Main

Open up the StartSSL main page in Firefox, since it doesn't work in Safari.


Head over to StartSSL's site in Firefox and you should see something like the image above. Click the icon labeled “Express-Lane.” This should take you to the following page, which I couldn't get to work in Safari. Fill in the information requested as in the example image below.
StartSSL Account Creation

Fill in the information requested making sure to get the email correct since this is needed to proceed.


When you click “Continue” there is no user feedback for some time (the page does not change at all, which is rather unprofessional). However, you should shortly receive an email at the address you provided. By the time you get that email the page should have updated to one requesting the validation number given in the email. Enter it and click Continue.

The next page is for generating a private key. Select “High Grade” and click Continue. Note what actually happens here: the key pair is generated locally by Firefox and only the public half is sent to StartSSL, which issues a certificate for it; Firefox then offers to install that certificate in your browser. Click “Install.” Firefox will tell you it is installed and that you should back it up (which you should, and which you will need to do). Because the private key never left the browser, this Firefox profile currently holds the only copy of it, and the backup is the only way to get it into OS X's keychain. The next page will ask you for a domain you want to validate. You can ignore this page, or go through it if you know what you are doing.

Firefox Certificate Backup

Backup certificate to secure location using a difficult password.


Next you need to back up the private key together with its certificate. In the Firefox menu bar go to Firefox >> Preferences >> Advanced >> Encryption and click the “View Certificates” button (the correct page looks like the image above). This brings up a new window with a few tabs; go to the “Your Certificates” tab, select the certificate labeled “StartCom Ltd.” or “StartCom Free Certificate Member,” and click the “Backup…” button. This writes a password-protected PKCS#12 (.p12) file containing both the certificate and its private key. Save it somewhere you can find it, protect it with a password you can remember, and keep it in a safe place: anyone who has this file and its password can sign and decrypt mail as you. It will be needed below.

Wherever you saved the certificate backup, open it in Finder (double-click it); this launches Keychain Access, which asks for the backup password and imports the certificate and private key into a keychain. I suggest adding it to the default “login” keychain, which is unlocked when you log into the computer. If you want to be extra safe, add it to a separate keychain with a different password, so the key is only unlocked when you actually need it.

Enter the email address used to create the account here.

Find the certificate in the keychain you saved it to, right-click it, and select “New Identity Preference…” (see picture above). This brings up a small dialog with a text box; enter the email address you used to create the account. This mapping is how Mail ties the certificate to an account, so the address you enter here must be the one the account sends from (and the one the certificate was issued for), otherwise Mail will not offer to sign or encrypt. This should be all you need to get up and running with a single email account capable of S/MIME signing and encryption. If you want to make things a little easier you can also select the private key associated with the certificate and add “Mail” (and/or “Safari”) to its “Always allow access by these applications” list; otherwise you will be prompted for keychain access the first time each application uses the key.

If you want to use Safari to add more email addresses to your StartSSL account, you can do so by going to their site and clicking “Authenticate.” You should be presented with a list of available certificates from your keychain; select the StartCom certificate and continue (allowing access to the keychain if needed). Go to your “Control Panel,” which should look like the page below, and follow the directions for validating and creating certificates for any other email addresses you may want to use with this account.

Adding more email addresses

Once you have created a certificate it should be downloaded to your machine, and you can add it to your keychain in the same manner as the first one described above. Remember to set the “New Identity Preference” for each address, since Mail looks the certificate up by the account's address.
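To see what the backup file actually contains and what the certificate lets Mail do, here is an added example that is not part of the original post and is not StartSSL's or Apple's tooling: it walks the same steps with openssl on the command line. It generates a key and certificate, writes the same kind of password-protected PKCS#12 file that Firefox's “Backup…” produces, checks that the key and certificate inside match and which address a mail client will look the certificate up by, then signs, verifies, encrypts and decrypts a message. The certificate is self-signed as a stand-in for one issued by StartCom, and the name, email address and backup password are assumed values.

```shell
#!/bin/sh
# Added example (not from the original post): exercise an S/MIME identity from
# the command line with openssl, mirroring what the browser, the .p12 backup and
# Mail do. Everything here is constructed: the certificate is self-signed in
# place of one issued by StartCom, and the name, address and password are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EMAIL="alice@example.com"          # assumed: the address validated at StartSSL
P12_PASS="pick-a-long-passphrase"  # assumed: the backup password Firefox asks for

# 1. Stand-in for the key pair the browser generates and the certificate the CA
#    issues for it. The address goes in the subjectAltName, which is what mail
#    clients match against the account address.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=Alice Example" \
        -addext "subjectAltName=email:$EMAIL" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null
}

# 2. What Firefox's "Backup..." does: certificate and private key together in
#    one password-protected PKCS#12 file.
export_backup() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -name "StartCom Free Certificate Member" \
        -out "$WORK/backup.p12" -passout "pass:$P12_PASS"
}

# 3. Checks worth running on the backup before relying on it. The address
#    printed here is the one to enter in "New Identity Preference...".
backup_email() {
    openssl pkcs12 -in "$WORK/backup.p12" -passin "pass:$P12_PASS" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -email | sort -u
}

restore_key() {
    openssl pkcs12 -in "$WORK/backup.p12" -passin "pass:$P12_PASS" \
        -nocerts -nodes -out "$WORK/restored-key.pem" 2>/dev/null
}

backup_key_matches_cert() {
    restore_key
    key_pub=$(openssl pkey -in "$WORK/restored-key.pem" -pubout)
    cert_pub=$(openssl x509 -in "$WORK/cert.pem" -pubkey -noout)
    [ "$key_pub" = "$cert_pub" ]
}

# 4. Signing, as Mail does once the account has an identity preference.
sign_message() {
    printf 'Hello Bob.\n' > "$WORK/body.txt"
    openssl smime -sign -in "$WORK/body.txt" -text \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -from "$EMAIL" -to bob@example.com -subject "signed test" \
        -out "$WORK/msg.signed"
}

# Verify against a trust store ($1 = signed message, $2 = where the body goes).
# Exits non-zero if the signature or the certificate chain does not check out.
verify_message() {
    openssl smime -verify -in "$1" -text -CAfile "$WORK/cert.pem" -out "$2" 2>/dev/null
}

# 5. Encryption to the certificate, decryption with the key restored from the backup.
encrypt_for_recipient() {
    openssl smime -encrypt -aes256 -in "$WORK/body.txt" -out "$WORK/msg.enc" "$WORK/cert.pem"
}

decrypt_with_backup_key() {
    restore_key
    openssl smime -decrypt -in "$WORK/msg.enc" -inkey "$WORK/restored-key.pem" \
        -recip "$WORK/cert.pem" -out "$WORK/decrypted.txt"
    cat "$WORK/decrypted.txt"
}

make_identity
export_backup
echo "backup holds a certificate for: $(backup_email)"
backup_key_matches_cert
echo "private key in backup matches the certificate"
sign_message
verify_message "$WORK/msg.signed" "$WORK/verified.txt"
echo "signature verifies"
# Change one word of the signed body; verification must now fail.
sed 's/Hello Bob/Hello Eve/' "$WORK/msg.signed" > "$WORK/tampered"
if verify_message "$WORK/tampered" /dev/null; then
    echo "tampered message verified: something is wrong"; exit 1
else
    echo "tampered message rejected"
fi
encrypt_for_recipient
echo "decrypted with the key from the backup: $(decrypt_with_backup_key)"
```

The tamper step is the point of signing: a recipient's client runs the equivalent of verify_message against its trusted roots, which is why the issuing CA needs to be in the OS and browser root lists in the first place. The key-versus-certificate check is worth doing on any .p12 you plan to rely on, since a backup that carries the certificate but the wrong key will import into the keychain without complaint and only fail when Mail tries to sign.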

And that is it.
