How to Install Self-Signed S/MIME Certificates on iOS and Enable Encrypted E-mail
S/MIME allows you to send signed and encrypted e-mails, enhancing your privacy and security. To use S/MIME with self-signed certificates on your iOS device, you’ll need to install and configure these certificates for use in the Apple Mail app. This guide walks you through the process step by step.
NOTE: If you don’t already have a self-signed S/MIME certificate, read my guide on how to create and package self-signed S/MIME certificates in PKCS12 format using OpenSSL.
Instructions
Step 1: Load the .p12 File on Your iOS Device
- Upload the .p12 file to iCloud Drive or e-mail it to an address you can access on your iOS device. (E-mail is less secure but used here for simplicity.)
- Once the file is available on the device, tap it to start the installation.
- If asked to Choose a Device, select the appropriate one and confirm.
- The message "Profile Downloaded" is displayed. Tap Close.
Step 2: Install the Profile
- Open Settings and tap Profile Downloaded.
- Tap Install (top right).
- Enter your device passcode if prompted.
- A warning that "The profile is not signed." may appear since the certificate is self-signed. Tap Install again.
- Confirm the installation by tapping Install at the bottom of the screen.
- Enter the password you set when creating the .p12 file, then tap Next.
- The "Profile Installed" screen is displayed. Tap Done.
- Once installed, the configuration profile appears in Settings > General > VPN & Device Management.
Step 3: Enable S/MIME in Apple Mail
With the certificate installed, you can now set up S/MIME in Mail:
- Open Settings.
- Tap Apps.
- Tap Mail.
- Tap Mail Accounts.
- Select your e-mail account (e.g., iCloud).
- Tap Signing and Encryption.
- Tap Sign and enable it.
- Confirm the correct certificate is selected.
- Tap Back to return to Signing and Encryption.
- Tap Encrypt by Default and enable it.
- Confirm the correct certificate is selected.
- Tap Back to return to Signing and Encryption.
- Tap Done and exit Settings.
S/MIME is now active and ready to use when you send e-mails from this account.
Step 4: Send Encrypted E-mails
Since S/MIME uses public-key encryption, you need the recipient’s public key to send encrypted e-mails. If a sender uses a self-signed certificate, Mail may show their certificate as untrusted. You can test this with two e-mail addresses, each with its own certificate:
- Send a signed (not encrypted) e-mail to a different address without the certificate profile installed. The Mail app displays a warning that the "Message is Unencrypted". Tap Send Anyway.
- When the e-mail arrives, the sender’s address will appear in red with a question mark icon.
- Tap the icon or address to view details.
- Tap View Certificate.
- Tap Install.
- Tap Done twice to exit.
- Now, Mail recognizes the public key, and encrypted e-mail is possible. Reply to the signed e-mail — the contact will now show in blue with a lock icon.
Troubleshooting
If you get a "No valid certificates found" error when enabling S/MIME, the certificate may be missing the extendedKeyUsage = emailProtection extension. Double-check the certificate settings during creation.
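One way to check for this before transferring the bundle, as an added example that is not from the original guide: the shell functions below extract the certificate from a .p12 file with OpenSSL and test whether its Extended Key Usage lists E-mail Protection. The function names, the P12_PASS environment variable and the sample bundle generator are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check of a .p12 bundle for the emailProtection EKU.
# Function names and the P12_PASS variable are assumptions of this example.

# cert_has_email_eku PEM_FILE: succeeds only if the certificate's
# Extended Key Usage extension lists E-mail Protection.
cert_has_email_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'E-mail Protection'
}

# p12_has_email_eku P12_FILE: returns 0 if the EKU is present, 1 if it is
# missing, 2 if the bundle cannot be opened. Password comes from $P12_PASS.
p12_has_email_eku() {
    p12_tmp=$(mktemp) || return 2
    if ! openssl pkcs12 -in "$1" -nokeys -clcerts \
            -passin env:P12_PASS -out "$p12_tmp" 2>/dev/null; then
        rm -f "$p12_tmp"; return 2
    fi
    if cert_has_email_eku "$p12_tmp"; then p12_rc=0; else p12_rc=1; fi
    rm -f "$p12_tmp"
    return "$p12_rc"
}

# make_sample_p12 OUT_P12 EKU: builds a constructed, throwaway self-signed
# bundle with the given extendedKeyUsage value, for trying the check offline.
make_sample_p12() {
    sample_dir=$(mktemp -d) || return 2
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=ext' '[dn]' 'CN=constructed-sample' \
        '[ext]' "extendedKeyUsage=$2" > "$sample_dir/req.cnf"
    if openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$sample_dir/req.cnf" -keyout "$sample_dir/key.pem" \
            -out "$sample_dir/cert.pem" 2>/dev/null &&
       openssl pkcs12 -export -inkey "$sample_dir/key.pem" \
            -in "$sample_dir/cert.pem" -passout env:P12_PASS \
            -out "$1" 2>/dev/null; then sample_rc=0; else sample_rc=2; fi
    rm -rf "$sample_dir"
    return "$sample_rc"
}

# Command-line use: P12_PASS='...' sh check_p12.sh bundle.p12
if [ "$#" -eq 1 ]; then
    if p12_has_email_eku "$1"; then echo "emailProtection present"
    else echo "emailProtection missing or bundle unreadable"; fi
fi
```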
Summary
By following these steps, you can successfully install self-signed S/MIME certificates on your iOS device, enable secure e-mail communication, and send encrypted e-mails. While self-signed certificates require extra steps for trust validation, they are a useful way to test and implement encrypted e-mail solutions. With S/MIME enabled, your e-mail exchanges can now be both signed and encrypted, enhancing your digital security.