John Dalesandro

How to Install Self-Signed S/MIME Certificates on iOS and Enable Encrypted E-mail

S/MIME allows you to send signed and encrypted e-mails, enhancing your privacy and security. To use S/MIME with self-signed certificates on your iOS device, you’ll need to install and configure these certificates for use in the Apple Mail app. This guide walks you through the process step by step.

NOTE: If you don’t already have a self-signed S/MIME certificate, read my guide on how to create and package self-signed S/MIME certificates in PKCS12 format using OpenSSL.

Instructions

Step 1: Load the .p12 File on Your iOS Device

  1. Upload the .p12 file to iCloud Drive or e-mail it to an address you can access on your iOS device. (E-mail is less secure but used here for simplicity.)
  2. Once the file is available on the device, tap it to start the installation.
  3. If asked to Choose a Device, select the appropriate one and confirm.
  4. The message Profile Downloaded is displayed. Tap Close.

Step 2: Install the Profile

  1. Open Settings and tap Profile Downloaded.
  2. Tap Install (top right).
  3. Enter your device passcode if prompted.
  4. A warning that the profile is not signed may appear since the certificate is self-signed. Tap Install again.
  5. Confirm the installation by tapping Install at the bottom of the screen.
  6. Enter the password you set when creating the .p12 file, then tap Next.
  7. The Profile Installed screen is displayed. Tap Done.
  8. Once installed, the configuration profile appears in Settings > General > VPN & Device Management.

Step 3: Enable S/MIME in Apple Mail

With the certificate installed, you can now set up S/MIME in Mail:

  1. Open Settings.
  2. Tap Apps.
  3. Tap Mail.
  4. Tap Mail Accounts.
  5. Select your e-mail account (e.g., iCloud).
  6. Tap Signing and Encryption.
  7. Tap Sign and enable it.
  8. Confirm the correct certificate is selected.
  9. Tap Back to return to Signing and Encryption.
  10. Tap Encrypt by Default and enable it.
  11. Confirm the correct certificate is selected.
  12. Tap Back to return to Signing and Encryption.
  13. Tap Done and exit Settings.

S/MIME is now active and ready to use when you send e-mails from this account.

Step 4: Send Encrypted E-mails

Since S/MIME uses public-key encryption, you need the recipient’s public key to send encrypted e-mails. If a sender uses a self-signed certificate, Mail may show their certificate as untrusted. You can test this with two e-mail addresses, each with its own certificate:

  1. Send a signed (not encrypted) e-mail to a different address without the certificate profile installed. The Mail app displays a warning that the Message is Unencrypted. Tap Send Anyway.
  2. When the e-mail arrives, the sender’s address will appear in red with a question mark icon.
  3. Tap the icon or address to view details.
  4. Tap View Certificate.
  5. Tap Install.
  6. Tap Done twice to exit.
  7. Now, Mail recognizes the public key, and encrypted e-mail is possible. Reply to the signed e-mail — the contact will now show in blue with a lock icon.

Troubleshooting

If you get a No valid certificates found error when enabling S/MIME, the certificate may be missing the extendedKeyUsage = emailProtection extension. Double-check the certificate settings during creation.
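
The extension can be checked before the .p12 is transferred to the device. The script below is an added example, not part of the original guide: it reads the certificate out of a .p12 with OpenSSL and reports whether emailProtection is listed. The function names, the P12_PASS environment variable and the demo file names are assumptions made for this example, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# p12_has_email_eku FILE: exit 0 if the certificate in FILE lists "E-mail Protection"
# under X509v3 Extended Key Usage, 1 if it does not, 2 if FILE cannot be opened
# (for example a wrong password). The password is read from the P12_PASS
# environment variable so it does not appear on the command line.
p12_has_email_eku() {
    cert=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || return 2
    printf '%s\n' "$cert" | openssl x509 -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | grep -q 'E-mail Protection'
}

# make_demo_p12 DIR NAME SECTION: constructed sample input. Builds a throwaway
# self-signed certificate using extension section SECTION and packages it
# as DIR/NAME.p12.
make_demo_p12() {
    cat > "$1/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo User
emailAddress = demo@example.com
[smime]
extendedKeyUsage = emailProtection
[plain]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/cfg" \
        -extensions "$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
        -out "$1/$2.p12" -passout env:P12_PASS
}

# Demo on constructed input: one certificate with the extension, one without.
export P12_PASS='demo-only-password'
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_p12 "$demo" good smime
make_demo_p12 "$demo" bad plain
for f in good bad; do
    if p12_has_email_eku "$demo/$f.p12"; then
        echo "$f.p12: emailProtection present"
    else
        echo "$f.p12: emailProtection missing"
    fi
done
```

To check your own file, set P12_PASS to the password chosen when the .p12 was created and call p12_has_email_eku with the path to the file.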

Summary

By following these steps, you can successfully install self-signed S/MIME certificates on your iOS device, enable secure e-mail communication, and send encrypted e-mails. While self-signed certificates require extra steps for trust validation, they are a useful way to test and implement encrypted e-mail solutions. With S/MIME enabled, your e-mail exchanges can now be both signed and encrypted, enhancing your digital security.