Configuring keychains
Apple Mail does not manage S/MIME credentials itself: it relies on the macOS keychains to store private keys and certificates. S/MIME is therefore not configured through the Mail application, but by importing the credentials into a keychain with the Keychain Access application.
A keychain is an encrypted store for secrets such as keys, certificates and passwords. Every user account has a keychain called “login”, which is protected by the account’s login password and is automatically unlocked when the user logs in. While it is possible to create additional keychains, for simplicity the “login” keychain is used throughout.
Viewing credentials in Keychain Access
Start the Keychain Access application. Use a Spotlight search to find it, or look under /Applications/Utilities.
Select the keychain from the left side (e.g. select “login”).
Select the category from the top of the window. Select either “Keys”, “My Certificates” or “Certificates”.
Select a certificate or key and choose “Get Info” from the “File” menu.
Importing credentials
Private key and certificates
Note: when renewing your certificate, do not delete the old private key and certificate. Messages that were encrypted to the old certificate can only be decrypted with the old private key; without it they become unreadable.
There are several ways to import a PKCS#12 file into a keychain.
From the Finder:
Double click on the PKCS#12 file. This will open it with Keychain Access.
Enter the passphrase to unlock the private key in the PKCS#12 file.
Alternatively, from inside the Keychain Access application:
From the “File” menu, select “Import items…”.
Select the PKCS#12 file containing your credentials.
Press the “Options” button and check that the Destination Keychain is the “login” keychain.
Press the “Open” button to import the file.
Enter the passphrase to unlock the private key in the PKCS#12 file.
The private key can be found under the “Keys” category. The name shown for the private key is the “friendly name” from the PKCS#12 file; it can be changed from the “Get Info” dialog.
The client certificate can be found under the “My Certificates” category.
Adding other certificates
If the imported certificate is shown as not trusted, the keychain is usually missing a certificate from the issuing chain, and you need to import the missing certificate into the “login” keychain.
This happens if you forgot to include the intermediate CA certificate in the PKCS#12 file, or if the issuer’s root certificate is not in the “System Roots” keychain. Import the missing certificate rather than marking your own certificate “Always Trust” in its “Get Info” dialog: the trust override hides the problem without repairing the chain.
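Two of the problems described above, a private key that appears under an unexpected name in Keychain Access and a certificate that is not trusted because the intermediate CA certificate was left out of the PKCS#12 file, can be caught before the file is imported by inspecting the bundle with OpenSSL. The script below is an added example and not part of the original page: it builds a throwaway root CA, intermediate CA and S/MIME client certificate (the subjects, the e-mail address, the friendly name and the passphrase are all made up for the demonstration), packs the key and certificate into two PKCS#12 files, one with and one without the intermediate, and then checks each file for the number of certificates it carries, its friendly name, and whether the client certificate chains to the root using only the CA certificates inside the file. It runs on macOS or Linux with OpenSSL installed.

```shell
#!/bin/sh
# Added example: build and inspect PKCS#12 bundles before importing them into the
# "login" keychain. Every name, subject and passphrase below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="demo-passphrase"            # constructed; protect real bundles with a real passphrase

# Extension profiles: CA certificates must carry CA:TRUE and keyCertSign or the
# chain will not verify; the leaf is an ordinary S/MIME (emailProtection) certificate.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
printf '%s\n' 'basicConstraints=CA:FALSE' \
              'keyUsage=critical,digitalSignature,keyEncipherment' \
              'extendedKeyUsage=emailProtection' \
              'subjectAltName=email:alice@example.com' > "$WORK/leaf.ext"

# 1. Throwaway root CA (self-signed) and intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

# 2. The user's S/MIME key and certificate, issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=Alice Example/emailAddress=alice@example.com" \
  -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/alice.crt" 2>/dev/null

# 3. Two bundles: a correct one that carries the intermediate (-certfile) and a
#    friendly name (-name, shown by Keychain Access as the key's name), and a
#    defective one that omits the intermediate.
openssl pkcs12 -export -inkey "$WORK/alice.key" -in "$WORK/alice.crt" \
  -certfile "$WORK/int.crt" -name "Alice Example (S/MIME 2024)" \
  -passout "pass:$PASS" -out "$WORK/alice.p12"
openssl pkcs12 -export -inkey "$WORK/alice.key" -in "$WORK/alice.crt" \
  -name "Alice Example (S/MIME 2024)" -passout "pass:$PASS" -out "$WORK/alice-nochain.p12"

# Number of certificates carried in a PKCS#12 file (the leaf plus any chain certificates).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Friendly name attached to the client certificate bag (empty if none was set).
p12_friendly_name() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^[[:space:]]*friendlyName: //p' | head -n 1
}

# Succeeds only if the client certificate chains to ROOT using just the CA
# certificates inside the bundle; a missing intermediate makes this fail.
# Only certificates are written out (-nokeys); the private key never leaves the file.
p12_chain_verifies() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null > "$WORK/chk-leaf.pem"
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$2" 2>/dev/null > "$WORK/chk-ca.pem"
  openssl verify -CAfile "$3" -untrusted "$WORK/chk-ca.pem" "$WORK/chk-leaf.pem" >/dev/null 2>&1
}

for bundle in alice.p12 alice-nochain.p12; do
  echo "$bundle: certificates=$(p12_cert_count "$WORK/$bundle" "$PASS")" \
       "friendlyName='$(p12_friendly_name "$WORK/$bundle" "$PASS")'"
  if p12_chain_verifies "$WORK/$bundle" "$PASS" "$WORK/root.crt"; then
    echo "$bundle: chain to root is complete, safe to import"
  else
    echo "$bundle: chain is incomplete, import the intermediate CA certificate as well"
  fi
done
```

For a real credential, run only the three check functions against the PKCS#12 file you received and import it only if the chain verifies against the issuer’s root. If Keychain Access on an older macOS release refuses a bundle produced by OpenSSL 3, export it again with `openssl pkcs12 -export -legacy …`: OpenSSL 3 defaults to AES and PBKDF2 encryption that older releases of Keychain Access do not understand.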
Viewing other certificates
Under the “Certificates” category are both your own certificates (those for which the keychain holds the corresponding private key) and other people’s certificates.
When Mail receives a signed message, the sender’s certificate is added to the keychain automatically and appears here; Mail uses it to encrypt messages sent to that person.
Certificates unrelated to S/MIME, such as those stored by other applications, also appear in this category.