Alice would like to send a secure (S/MIME encrypted) email to Bob. Both of them use Macs and the Mail app. They are both creating self-signed certificates and are able to exchange signed mails, but there seems to be no way to activate the padlock icon.
Could somebody instruct her?
Gory details of failed attempt ensue:
Alice googles, discovers she must create a self-signed certificate in Keychain Access.app, which she does via the wizard (Keychain Access -> Certificate Assistant -> Create a Certificate), taking care to:
- select "S/MIME Email"
- check the "let me override defaults" checkbox.
- in "key usage extension", make sure 'signature' and 'certificate signing' are checked, as well as 'key encipherment' and 'data encipherment'
- in "extended key usage extension", 'email protection' is already checked, but check 'any' also just in case
It may be worth noting that Alice's email appears as me@alice.com whereas the actual email address is on Gmail: alice@gmail.com. Alice has discovered the hard way that she must use alice@gmail.com in the wizard.
She restarts mail app.
Actually after reading step 3 here she restarts the machine.
She then composes an email to Bob who has done the same.
In the subject field she notices two new icons: a padlock (encrypted Y/N) and a tick (signed Y/N).
The tick is blue. So the message she sends will be signed. However the padlock is greyed out.
Now the documentation says that if:
- Mail detects her certificate (which it clearly has) and
- Mail also finds a certificate in her keychain for Bob (which there is, because Bob has just sent her a signed email and Mail has been smart enough to automatically add his public key to the keychain — she can see it there)
… then she should be able to click on the padlock to encrypt her email to Bob.
But this doesn't seem to be happening.
https://www.macobserver.com/tips/quick-tip/macos-using-email-encryption-apples-mail/
^ Step 5 says that the first time she attempts to send a signed email, she should get that dialog. But she didn't.
Alice is at this point starting to contemplate landscape gardening as a possible career move.
PS possibly useful link:
Best Answer
This is how it works here, with the help of a self-signed root certificate:
Step 1: Alice creates a self-signed root certificate
Step 2: Alice and Bob trust the root CA
.cer format and publishes it to Bob. Since Alice and Bob have explicitly trusted the CA, all certificates signed by this CA will be automatically trusted on their computers.
Step 3: Alice creates an email certificate for herself.
Step 4: Alice creates a certificate for Bob
Now Alice repeats step 3 to create a certificate for Bob, then exports his certificate in .p12 format, gives it to him, and Bob imports it into his keychain.
Note: This is the easiest way to create Bob's certificate, yet not the recommended way. This is because Alice creates Bob's private key, so Bob has to trust Alice. Actually Bob would use the Certificate Assistant on his computer to Request a Certificate From a Certificate Authority.
Step 5: Alice and Bob send each other signed messages
Alice sends a signed email message to Bob, and Bob sends a signed email message to Alice. If all went well, the signatures will display as trusted because both trust the CA certificate.
Step 6: Alice and Bob can exchange encrypted email messages
Both can reply to the signed message using encryption with the reply message.
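Steps 1 to 4 of the answer done with OpenSSL instead of Certificate Assistant, as an added example that is not part of the answer above. It assumes openssl 1.1.1 or 3.x on the PATH; the CA name, the addresses alice@gmail.com and bob@example.com, the PKCS#12 password "changeit" and the output directory are placeholders. It also issues a third, sign-only certificate so that the check at the end shows the difference between a certificate that can only sign and one that can also receive encrypted mail, which is the distinction behind the greyed-out padlock in the question.

```shell
#!/bin/sh
# Added example (not from the original post): a private root CA and S/MIME
# certificates built with OpenSSL, following the answer's steps 1-4.
# Assumptions: openssl 1.1.1 or 3.x on PATH; the addresses, the CA name and
# the PKCS#12 password "changeit" are placeholders.
set -eu

# Step 1: self-signed root CA. ca.pem is what we sign with below; ca.cer is the
# DER copy to hand to Bob (the form Keychain Access imports as "trusted root").
make_root_ca() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
CN = Alice Private Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -config "$dir/ca.cnf" 2>/dev/null
  openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.cer"
}

# Steps 3 and 4: key + CSR for one person, signed by the CA with the extensions
# an S/MIME certificate needs. The email in subjectAltName must be the address
# the account actually sends from (alice@gmail.com, not me@alice.com), because
# that is how Mail pairs a certificate with an account.
# $4 is the keyUsage list, so a deliberately sign-only cert can be produced.
issue_smime_cert() {
  dir=$1; name=$2; email=$3; usage=$4
  cat > "$dir/$name.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = $name
emailAddress = $email
EOF
  cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, $usage
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = email:$email
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" -config "$dir/$name.cnf" 2>/dev/null
  openssl x509 -req -days 825 -in "$dir/$name.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.cer" 2>/dev/null
  # PKCS#12 bundle (cert + private key + CA), the .p12 the answer hands to Bob.
  openssl pkcs12 -export -name "$name" -passout pass:changeit \
    -inkey "$dir/$name.key" -in "$dir/$name.cer" -certfile "$dir/ca.pem" \
    -out "$dir/$name.p12"
}

# Returns 0 if $2.cer chains to the CA and is valid for purpose $3
# (smimesign or smimeencrypt): the same two questions Mail asks before it
# lights up the tick and the padlock.
check_purpose() {
  openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2.cer" >/dev/null 2>&1
}

build_smime_pki() {
  dir=$1
  make_root_ca "$dir"
  issue_smime_cert "$dir" alice alice@gmail.com "digitalSignature, keyEncipherment, dataEncipherment"
  issue_smime_cert "$dir" bob bob@example.com "digitalSignature, keyEncipherment, dataEncipherment"
  # Sign-only certificate: its signatures verify, but nobody can encrypt to it.
  issue_smime_cert "$dir" signonly signonly@example.com "digitalSignature"
}

if [ -n "${1:-}" ]; then   # usage: sh smime-ca.sh ./pki
  mkdir -p "$1"; build_smime_pki "$1"
  for n in alice bob signonly; do
    for p in smimesign smimeencrypt; do
      if check_purpose "$1" "$n" "$p"; then echo "$n: $p ok"; else echo "$n: $p REJECTED"; fi
    done
  done
fi
```

Import ca.cer into each keychain and mark it trusted, then import the .p12 files (Alice keeps alice.p12, Bob gets bob.p12). The sign-only certificate passes `-purpose smimesign` but fails `-purpose smimeencrypt` because it lacks keyEncipherment, which is the key-usage mistake behind the greyed-out padlock in the question. If Keychain Access on an older macOS refuses a .p12 written by OpenSSL 3, re-run the pkcs12 export with `-legacy` so it uses the older PKCS#12 encryption macOS accepts.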