Secure emails with Apple Mail

Apple Mail uses the Mac OS X keychain to store your private key and certificates. A keychain is a file that contains security credentials that is protected by Mac OS X. Every account has a keychain called "login", which is unlocked when the user logs in. To keep things simple, we will store our keys and certificates in that default "login" keychain.

Start the Keychain Access program, which can be found in the /Applications/Utilities folder.

Choose the FileImport Items menu item.

Select the PKCS#12 file (.p12) containing your private key and associated certificates; set the Destination Keychain to be the "login" keychain; and select "Open".

When prompted, enter the password used to protect the private key in the PKCS#12 file.

Step 2: Get familiar with the keychain

This step if optional. Go to step 3 if you are eager to send your first signed email. But come back to learn how to manage the certificates that you get from other people.

Viewing the keychain

After importing your private key and associated certificates into the "login" keychain, and can be seen as separate items in that keychain. Use the categories on the left side of the Keychain Access window to restrict which the items to show (or select the All Items category to show them all).

In the following, make sure you have selected the "login" keychain.

The My Certificates category shows certificates that have corresponding private keys. Here you will see your imported certificate, and the corresponding private key can be revealed.

The Keys category shows private keys in the keychain. Clicking on the reveal triangle shows the certificate corresponding to the private key.

You can change the name of the private key by selecting it and choosing File > Get Info. This only affects how KeyChain Access displays the private key, so it doesn't matter what it is called.

The Certificates category shows certificates in the keychain. This shows all the certificates in the keychain, the ones with corresponding private keys (i.e. your certificates) and the ones without corresponding private keys (i.e. other people's certificates).

In this example, my certificate is called "Alice", and the certificate that signed it "UTN-USERFirst-Client Authentication and Email", and the root certificate that signed it "AAA Certificate Services" are shown.

Other people's certificates can also be seen here. Initially, there probably won't be many other certificates. If you use Apple Mail and receive signed emails from other people, their certificates will automatically be added to the login keychain so that they can be used to send encrypted emails to those people..

Under the View menu, select "Show Expired Certificates" to also show certificates which have expired. By default, these are hidden. Remember this option for the future, for when you have expired certificates that you want to remove from your keychainin your keystore.

Managing your key-pairs

I recommend keeping only one set of email credentials. Apple Mail automatically selects the private key to use for signing emails. It does not allow you to select which one to use. So when there is only one key-pair there won't be any confusion about which one it will use.

The only time it might be useful to have multiple key-pairs in the keychain is when your have new key-pairs, but want to be able to decrypt emails encrypted using the an old-key pair. Either the sender did not know you have changed key-pairs, or you are looking at an old email. In this situation, you can either temporily make the old key-pair available in the keychain and then remove it, or have the old key-pair in the keychain along with the new key-pair and hope that Apple Mail will never select the wrong key for signing new emails. Ideally, Apple Mail will choose the key based on expiry and issuing times, but it is not clear whether it actually works that way.

To see if there are more than one key-pair for a particular email address, run this command:

security find-identity -p smime -s alice@example.com

This command just lists the matching key-pairs. It does not indicate which one Apple Mail will choose to use.

Managing other people's certificates

It is important to manage the certificates in the login keychain, because many problems are caused by having the wrong certificates in the keychain. For example, if there are more than one certificate for an email address, the wrong one might be used to encrypt emails. This is likely to happen when people start experimenting with S/MIME and are experimenting with different certificates, as well as during normal use when they renew their certificates.

Be familiar with the certificates in the login keychain, so that you can spot and delete any certificates which should not be there. Keep the keychain tidy by deleting certificates that are no longer useful: such as those that have expired, their email address has changed, or for people that you no longer want to send encrypted emails to.

Common problems: Not deleting everything

To delete an item from the keychain, select it and press the delete key.

You have to delete a private key and its corresponding certificate in two separate operations. Deleting the certificate does not automatically delete its private key (even though it might be nested underneath the certificate in the My Certificates or Certificates category). Take note of the name of the corresponding item, so that you delete the correct one, since their names might not be very obvious.

You might also want to delete the certificates in your certificate chain if you no longer need them. For example, if you are changing from one certificate provider to another.

Step 3: Sending a signed email

Start the Apple Mail application. If it is already running, quit it and start it again, so that it will detect the new credentials in your keychain.

Compose a new message.

When there is a private key and certificate in your keychain that matches the email address of the sender configured in Apple Mail, two new icons appear to control encryption and signing. If these are not present, check that the correct private key and certificate are in the keychain. Make sure the email address in the certificate exactly match the email address configured in the Apple Mail account. Note: the text to the left of the "@" character is case sensitive.

Click on the signing icon (the seal) so that it becomes a tick mark.

The encryption icon (the padlock) is probably grayed out, because you do not yet have a certificate for the receiver.

Click the send button. The system will ask you for permission to let the Mail application use the private key to sign the email.

Clicks the Allow button and the email is signed and sent.

With this email the receiver will get your public certificate, so they can then send you back a signed and encrypted email (assuming they have their own set of credentials).

Step 4: Receiving a signed and encrypted email

Get the receiver to send you back a signed and encrypted email, and then open Apple Mail to receive that email.

Double click on the email to show it in its own window so that the security header can be seen. Alternatively, turn on View > Message > Long Headers.

The Mac will ask you for give Apple Mail permission to use the private key to decrypt the email message. Allow it.

The decrypted email is displayed. The security header shows that the message was encrypted (the padlock) and signed (the seal). If the message has not been tampered with, the seal is intact.

Click on the seal icon in the security header to bring up details about the signing certificate. This information can help you determine if the holder of the corresponding private key is really someone you really trust.

Apple Mail automatically saves a copy of the signing certificate into your login keychain, so you can now send them an encrypted email.

Step 5: Sending a signed and encrypted email

Send another email.

This time, the encryption padlock icon is enabled because the certificate for the receiver is now in your keychain.

If you get a MFMessageErrorDomain error 1035 error, try quitting from both Apple Mail and Keychain Access and try again.

Security controls

These are the possible options for sending signed and/or encrypted emails.

No security. It cannot be encrypted because the certificate for one or more of the recipients is not known.

Signed only. It cannot be encrypted because the certificate for one or more of the recipients is not known.

No security.

Signed only.

Signed and encrypted.

Encrypted only (this is rarely used).

Errors

If an email message cannot be decrypted, it will appear like this:

This occurs if you deny Apple Mail the permission to use the private key, or if the private key is not in your keychain. You might encounter this if you have renewed your key-pair and have removed the old key-pair from your keychain. Keep a backup copy of the PKCS#12 file handy (and remember the password), so that you can reload it if it is ever needed.

If the digital signature cannot be validated or verified, the message will appear like this:

This occurs if the message does not match the signature. The message might have been forged, was tampered with, or was corrupted. It can also occur if the signing certificate is not trusted.

Return to the overview or go to the next step of understanding the limitations of secure emails.