Certificate support in OS X is fragile, frustrating, and broken by default when using certificates issued by the US Government or an external certificate authority (ECA) that meets US Government standards. The components for sending and receiving encrypted email are fortunately present in the UNIX underpinnings of OS X, so using certificates to sign and encrypt email can be made to work in OS X by using a few tricks that bypass the shortcomings of Apple's Mail application.

ECA digital certificates that meet US Government standards use two certificates per individual: an identity certificate and an encryption certificate. The Department of Defense Common Access Cards (CACs) and the Department of Homeland Security Personal Identity Verification (PIV) cards also contain this pair of US Government issued certificates. If you receive email from individuals using US Government or ECA certificates, getting these certificates working in OS X to encrypt email back to the sender often involves extra steps. OS X uses the first non-expired certificate that matches, in a case-sensitive manner, the recipient email address when performing encryption. Generally, the first certificate you receive from an individual is their signing certificate, not their encryption certificate. However, OS X Mail does not check whether the matched certificate is usable for encryption! So you must swap the identity and encryption certificates so that the encryption certificate is matched first for encryption to work. This is described in the following instructions.

Here are some cookbook tips for understanding how the certificates stored on your machine are used by Mail, and how to get ECA and Government certificates to work on Snow Leopard 10.6.2 and earlier versions of OS X. Open up Address Book and Keychain Access before proceeding through the following steps.

Your Certificate

  1. Select "login" and "Certificates" in Keychain Access, and enter your name in the search field. Note whether you see one or two certificates for the expiration date farthest in the future. If you see two, they will have the same subject name and (typically) the same expiration date but different serial numbers, one being the identity certificate and the other the encryption certificate. If the encryption certificate is not obvious from the name, double click on both certificates and check the Key Usage fields. The encryption certificate's Key Usage includes "Key Encipherment"; the identity certificate's includes "Digital Signature" (and usually "Non Repudiation") but not "Key Encipherment". Note which one is the encryption certificate for future use.
  2. Open up your card in Address Book and look for a check mark to the left of your email address. Your certificate is good to go if you have a check mark and a single certificate.
  3. If you don't have a check mark, double click on your certificate in Keychain Access to bring up the details and scroll down to the RFC 822 Name field. This email address must precisely (case sensitive) match the email address listed on your card in Address Book. Copy and paste is the way to be sure! You should see the check mark as soon as you edit the address in Address Book to match. You do NOT need to close and reopen Address Book when manipulating certificates in the keychain.
  4. Click on the check mark to bring up your certificate. You're done with this step if you only have one certificate. It should bring up your encryption certificate if you have both encryption and identity certificates. If it brings up your identity certificate, you must reverse the order of installation of the certificates for Mail to work correctly. To make this change in certificate order, switch over to Keychain Access, select your encryption certificate and click on "File" "Export Items…" to export the certificate to your desktop. Use your login password to encrypt the exported file; it contains your private key as well as the certificate. Next, delete the certificate from Keychain Access, then click on "File" "Import Items…" to import it back from the desktop. This puts it above the identity certificate in Keychain Access. Finally, drag the exported file into the trash and empty the trash securely, since it holds your private key. Clicking on the check mark in Address Book should now bring up your encryption certificate.

Recipient Certificates

  1. OS X automatically adds certificates from other people to Keychain Access when you open signed or encrypted emails from them in Mail. As with your own certificate, you can check whether OS X has linked to a recipient's certificate by looking for a check mark to the left of their email address in Address Book. If there's no check mark, make sure that the RFC 822 Name in the certificate matches the email address on the card in Address Book. Remember, the email address must match exactly, including case.
  2. OS X will often link to the identity certificate if a recipient has separate identity and encryption certificates, since the identity certificate is generally the first certificate you receive (it arrives with every signed message, whereas the encryption certificate only arrives if the sender includes it). This makes it impossible to send encrypted email to that person. An easy way to check is by clicking on the check mark in the person's Address Book entry and reading the Key Usage fields of the certificate that comes up: the encryption certificate lists "Key Encipherment"; the identity certificate lists "Digital Signature" (and usually "Non Repudiation") but not "Key Encipherment". Keychain Access also shows a summary line for the public key such as "Encrypt, Verify, Wrap, Derive" or "Verify, Wrap"; the Key Usage extension is the reliable indicator.
  3. If there's a problem, bring up the list of certificates for the intended recipient in Keychain Access. There are most likely two certificates. Delete the identity certificate. If it's not obvious from the name, double click on each certificate and scan the Key Usage fields: delete the one whose Key Usage does not include "Key Encipherment", and keep the one that does.
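To see the selection rule from the steps above in working code, here is an added example that is not from the original article. It uses the openssl command-line tool (assumed to be present, as it is on OS X) instead of Keychain Access to read the RFC 822 Name and Key Usage of a certificate, models the first-match selection the article attributes to Mail, and shows the selection that actually works for encryption. The certificates, the subject FOOBAR.FRED.F.1234567890 and the address FRED.FOOBAR@US.ARMY.MIL are constructed test data. The same exact-match rule governs the From: header check described under Signature Verification.

```shell
#!/bin/sh
# Added example, not part of the original article: reproduce the certificate
# selection rule described above with openssl instead of Keychain Access.
# Assumes the openssl command-line tool (present on OS X). The certificates
# are constructed self-signed test certificates, not real ECA/DoD ones.
set -e

# RFC 822 Name: the e-mail address in the subjectAltName extension.
cert_email() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'email:[^, ]*' | head -n 1 | cut -d: -f2
}

# The Key Usage line of the certificate, e.g. "Digital Signature, Non Repudiation".
cert_key_usage() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Key Usage/{n;p;}' | sed 's/^ *//'
}

# Classify: an encryption certificate carries Key Encipherment; the identity
# (signing) certificate carries Digital Signature but not Key Encipherment.
cert_role() {
    if cert_key_usage "$1" | grep -q 'Key Encipherment'; then
        echo encryption
    else
        echo identity
    fi
}

# Mail's matching is an exact, case-sensitive string comparison.
email_matches() {
    [ "$1" = "$2" ]
}

# What the article says Mail does: take the first certificate whose RFC 822
# Name matches the recipient address, regardless of Key Usage (expiry is not
# modelled here). Prints the file it would pick.
mail_first_match() {
    addr=$1; shift
    for f in "$@"; do
        if email_matches "$(cert_email "$f")" "$addr"; then
            echo "$f"; return 0
        fi
    done
    return 1
}

# What Mail should do: the first matching certificate usable for encryption.
pick_encryption_cert() {
    addr=$1; shift
    for f in "$@"; do
        if email_matches "$(cert_email "$f")" "$addr" \
           && [ "$(cert_role "$f")" = encryption ]; then
            echo "$f"; return 0
        fi
    done
    return 1
}

# Build a constructed test certificate: make_test_cert <prefix> <email> <keyUsage>
make_test_cert() {
    cat > "$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = FOOBAR.FRED.F.1234567890
[ext]
subjectAltName = email:$2
keyUsage = critical, $3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Demo: a keychain holding the identity certificate first (the usual case).
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/identity" "FRED.FOOBAR@US.ARMY.MIL" "digitalSignature, nonRepudiation"
    make_test_cert "$dir/encryption" "FRED.FOOBAR@US.ARMY.MIL" "keyEncipherment"
    echo "Mail picks:  $(mail_first_match FRED.FOOBAR@US.ARMY.MIL "$dir/identity.pem" "$dir/encryption.pem")"
    echo "Should pick: $(pick_encryption_cert FRED.FOOBAR@US.ARMY.MIL "$dir/identity.pem" "$dir/encryption.pem")"
    # A case difference in Address Book means no match at all.
    pick_encryption_cert fred.foobar@us.army.mil "$dir/identity.pem" "$dir/encryption.pem" \
        || echo "No match for lower-case address (comparison is case-sensitive)"
    rm -rf "$dir"
}

demo
```

On a real machine you would feed certificates exported from Keychain Access (for example with `security find-certificate -c "FOOBAR.FRED" -a -p login.keychain`) to `cert_role` and `cert_email` instead of the constructed ones; the keychain order is what `mail_first_match` models.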

New Certificates

  1. Keep all of your old certificates for decrypting your old email. Remember, mail sent to you is encrypted to the public key in YOUR encryption certificate and can only be decrypted with the matching private key, so it is YOUR encryption certificates and their private keys you want to keep forever. You can always delete other people's certificates after they expire. If you open an old signed email from a person, their certificate is embedded in the message and that is what is used for signature verification.
  2. You can safely delete the certificates for other people when they get a new certificate. This will ensure that OS X encrypts using their new certificate even though the old one may not yet have expired. All the information needed to authenticate messages is contained in the signed message (the signer's certificate travels in the smime.p7s attachment) and your root CA certificates.

Signature Verification

Signature verification simply won’t work in many cases. Some of these are due to shortcomings in OS X while others are outside of its control. An example of the latter is when the message has been altered since it was sent, such as by email servers that append disclaimers to signed email. There’s nothing that can be done in this case. If the message is unaltered, OS X will verify the signature only if the address in the message’s “From:” field precisely matches (including case) the email address in the “RFC 822 Name” field of the sender’s certificate. Mail appears to offer a way to tell it to accept such differences, but you can verify that it doesn’t work as follows:

  1. A received signed message shows a yellow bar that says "Unable to verify message signature". Clicking on "Show Details" gives a message saying "Unable to verify message signature: Mail was unable to verify the authenticity of the S/MIME certificate provided by 'FRED.FOOBAR@US.ARMY.MIL'. Messages signed by this user may be coming from a different source."
  2. You can then click "Show Certificate" and get an unchecked box next to "Messages from 'FRED.FOOBAR...' are valid if signed by 'FOOBAR.FRED.F.1234567890'". Check the box and click "OK". Note that yellow bar and warning don't go away.
  3. Repeat the above process and notice that the check box is unchecked. Mail doesn't remember the setting!

Last edit: 19 January 2010