
Troubleshooting

Seeing .p7s or .p7m attachments

If these attachments are visible on an email, the program used to read the email does not support S/MIME. This usually happens when email is viewed through a Web browser (e.g. Gmail) instead of an email program.

A .p7s attachment is a PKCS#7 signature file and contains the signature and certificate. It can be ignored, because the email can still be viewed.

A .p7m attachment is a PKCS#7 encrypted attachment and contains the encrypted message. The message cannot be viewed without having the private key and an email program that supports S/MIME.

Having multiple credentials

Try to have only one set of credentials for the same email address in a keychain. Multiple sets are allowed, but Apple Mail does not let you choose which one it uses to sign emails; if there is only one, there is no ambiguity about which one it will use.

However, over time you may end up with multiple credentials, because certificates expire and new ones need to be added. This is fine, because the Mail application should use the non-expired certificate when signing new emails.

You should keep the old certificates and private keys, because they may be needed to decrypt emails that were encrypted for them. If you remove them, you can only decrypt emails encrypted for the latest credentials, and will no longer be able to decrypt emails encrypted for the older credentials.

Managing other people’s certificates

It is important to manage the certificates in the login keychain, because many problems are caused by having the wrong certificates in it. For example, if there is more than one certificate for an email address, the wrong one might be used to encrypt emails. This is likely to happen when people start experimenting with S/MIME and try out different certificates, as well as during normal use when they renew their certificates.

Be familiar with the certificates in the login keychain, so that you can spot and delete any that should not be there. Keep the keychain tidy by deleting certificates that are no longer useful: those that have expired, those whose email address has changed, and those belonging to people you no longer want to send encrypted emails to.

Expired certificates

Expired certificates cannot be used to encrypt emails.

To show or hide expired certificates, under the “View” menu choose “View Expired Certificates” or “Hide Expired Certificates”.

Deleting credentials

To delete a set of credentials, both the certificate and the private key have to be deleted manually. Deleting one does not automatically delete the other.

Sender vs signer

When a message is both signed and encrypted, the Mail application first signs the message and then encrypts both the message and the signature.

Receiving a validly signed and then encrypted message does not prove who sent the message: only who created the signature. For example, if A sends a signed and encrypted message to B, B can decrypt it and re-encrypt both the message and the signature for C. When C receives the email (sent by B, but with forged email headers) it will be signed by A and encrypted for C. C might incorrectly assume it was sent to them by A: the message and signature were created by A, but they were not sent to C by A.

Managing keychains through the command line

The security command-line program can be used to manage keychains and other aspects of security.

Find all the identities (i.e. certificate and private key) that can be used for S/MIME:

security find-identity -p smime

List email addresses from all certificates:

security find-certificate -a -m | grep '^email addresses: ..*'

Find all certificates that match an email address:

security find-certificate -a -m -e account@example.com

Note: the account part of an email address is case sensitive; the domain name part is not.

Use security find-certificate -h to see the available options, security -h for available commands, or see the man page.
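An added example, not part of the original page: a POSIX shell script that exports every certificate matching an address and reports how many there are and which have expired, which is the check the "Managing other people's certificates" and "Expired certificates" sections ask for. It assumes the -p (PEM output) option of security find-certificate and an openssl binary on PATH; neither is shown above.

```shell
#!/bin/sh
# Audit the S/MIME certificates stored in the login keychain for one email
# address: count them and flag the expired ones, so a stale or duplicate
# certificate is noticed before Mail picks it to encrypt with.
# Assumptions (not from the page): `security find-certificate -p` prints the
# matching certificates as a PEM bundle, and `openssl` is installed.

# Split a PEM bundle on stdin into one line per certificate, joining the
# lines of each certificate with '|'. Pure awk, so it runs anywhere.
pem_split() {
    awk '
      /-----BEGIN CERTIFICATE-----/ { buf = $0; next }
      /-----END CERTIFICATE-----/   { print buf "|" $0; next }
      { buf = buf "|" $0 }
    '
}

# Number of certificates in a PEM bundle read from stdin.
pem_count() {
    pem_split | wc -l | tr -d ' '
}

# Restore one '|'-joined certificate to PEM and ask openssl whether it has
# already expired (-checkend 0). Prints "valid" or "expired".
cert_status() {
    if printf '%s\n' "$1" | tr '|' '\n' | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# Export every certificate for an address from the keychain and audit each.
# Usage: audit_address account@example.com
audit_address() {
    addr="$1"
    bundle=$(security find-certificate -a -p -e "$addr")
    echo "$(printf '%s\n' "$bundle" | pem_count) certificate(s) for $addr"
    printf '%s\n' "$bundle" | pem_split | while IFS= read -r cert; do
        until=$(printf '%s\n' "$cert" | tr '|' '\n' | openssl x509 -noout -enddate)
        echo "  $(cert_status "$cert")  $until"
    done
}
```

More than one line marked "valid" for the same address means Mail may encrypt with either certificate, which is the situation the sections above warn about.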