Configuring keychains

Apple Mail uses macOS keychains to store private keys and certificates. The S/MIME feature is not configured through the Mail application, but by adding the credentials to a keychain using the Keychain Access application.

Keychains are used for securely storing information. Every user account has a keychain called “login”, which is automatically unlocked when the user logs in. While it is possible to create additional keychains, for simplicity the “login” keychain will be used.

Viewing credentials in Keychain Access

  1. Start the Keychain Access application. Use a Spotlight search to find it, or look under /Applications/Utilities.

  2. Select the keychain from the left side (e.g. select “login”).

  3. Select the category from the top of the window. Select either “Keys”, “My Certificates” or “Certificates”.

  4. Select a certificate or key and choose “Get Info” from the “File” menu.

Importing credentials

Private key and certificates

Note: when renewing your certificate, you should not delete the old private key and certificate. Otherwise, you will not be able to decrypt messages that have been encrypted for it.

There are several ways to import a PKCS#12 file into a keychain.

From the Finder:

  1. Double click on the PKCS#12 file. This will open it with Keychain Access.

  2. Enter the passphrase to unlock the private key in the PKCS#12 file.

Alternatively, from inside the Keychain Access application:

  1. From the “File” menu, select “Import items…”.

  2. Select the PKCS#12 file containing your credentials.

  3. Press the “Options” button and check the Destination Keychain is the “login” keychain.

  4. Press the “Open” button to import the file.

  5. Enter the passphrase to unlock the private key in the PKCS#12 file.

The private key can be found under the “Keys” category. The name of the private key is the “friendly name” from the PKCS#12 file. The name of the private key can be changed from the “Get Info” dialog.

(Screenshot: Keychain Access window showing the Keys category of the login keychain)

The client certificate can be found under the “My Certificates” category.

(Screenshot: Keychain Access window showing the My Certificates category)

Adding other certificates

If a certificate is not trusted, you might need to import missing certificates into the keychain.

(Screenshot: “certificate is not trusted” error in Keychain Access)

This can happen if you forgot to include the intermediate certificate in the PKCS#12 file, or the issuer’s root certificate was not in the “System Roots” keychain.
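The import steps above and the missing-intermediate problem can both be checked from a terminal before touching Keychain Access. The script below is an added example, not part of the original page: it reads the friendly name and counts the certificates bundled in a PKCS#12 file with OpenSSL, builds a constructed sample file for trying it out, and shows the command-line equivalent of the import (the `security` tool exists only on macOS, and the login keychain path is an assumption).

```shell
#!/bin/sh
# Added example (not from the original page). Assumes `openssl` is installed;
# `security` and the login keychain path are macOS-specific assumptions.

# The "friendly name" stored in the file, which Keychain Access uses as the
# name shown under the "Keys" category.
p12_friendly_name() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Number of certificates bundled in the file (leaf plus any chain certs).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | awk '/BEGIN CERTIFICATE/ { n++ } END { print n + 0 }'
}

# Succeeds only if the file carries more than the leaf certificate; a
# leaf-only file is the usual cause of the "certificate is not trusted"
# symptom when the issuer is not already in a keychain.
p12_has_chain() {
    [ "$(p12_cert_count "$1" "$2")" -gt 1 ]
}

# Constructed sample: a self-signed key and certificate with the given
# friendly name; any non-empty 4th argument bundles a second, unrelated
# self-signed certificate to stand in for an intermediate.
make_sample_p12() {
    out="$1"; pass="$2"; name="$3"; with_extra="$4"; dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Alice" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    set --
    if [ -n "$with_extra" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Issuer" \
            -keyout "$dir/ikey.pem" -out "$dir/inter.pem" 2>/dev/null
        set -- -certfile "$dir/inter.pem"
    fi
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name "$name" -passout "pass:$pass" -out "$out" "$@"
    rm -rf "$dir"
}

# macOS only: equivalent of File > Import Items... with the login keychain
# as destination, then list the key/certificate pairs usable for S/MIME.
import_to_login_keychain() {
    p12_has_chain "$1" "$2" || echo "warning: $1 holds only the leaf certificate" >&2
    security import "$1" -k "$HOME/Library/Keychains/login.keychain-db" \
        -f pkcs12 -P "$2" && security find-identity -v -p smime
}
```

Run `p12_has_chain` on a file before importing it; if it fails, add the intermediate certificate to the PKCS#12 file (or import it separately) rather than importing the leaf alone.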

Viewing other certificates

Under the “Certificates” category are your certificates (i.e. those where the keychain has the corresponding private key) and other people’s certificates.

When signed emails are received, their certificates will be automatically added to the keychain and will appear here.

There may also be non-S/MIME certificates.

(Screenshot: Keychain Access window showing the Certificates category)