Installing an S/MIME Certificate and Sending Secure Email in iOS 14

This how-to will walk you through installing and using an S/MIME certificate to send signed and encrypted email in Apple’s Mail app on your iPhone or iPad.

These procedures were tested on a 5th generation iPad running iOS 14.6.

Certificate Download and Installation

Note: While it is generally a best practice to generate a private key on the device where it will be installed (as shown in this how-to), you can also use email or Apple’s AirDrop feature to send a PFX file containing your certificate and private key to the device. In this case you can either follow steps 1-3 below on your laptop or desktop computer to initially retrieve the file, or export a PFX file from an existing certificate and private key on your computer (for Apple computers, please see this how-to on exporting PFX files from Keychain Access). Using AirDrop to send the file or tapping an attached PFX in an email message will bring you to step 5, below.
  1. In Mail on your iOS device, tap the link provided in your Certificate Activation Link email.
    Certificate activation link

  2. Tap the Generate Certificate button in the web page that opens. Note that you may be prompted to log into your SSL.com account first.
    Generate Certificate

    Note: You can choose between RSA and ECDSA with the Algorithm drop-down menu, but ECDSA cannot be used as an email encryption key, so it’s best to leave this set to RSA. You can also click the Show Advanced Options button, which will reveal a drop-down menu for choosing the key size. Finally, checking I have my own CSR will let you use your own certificate signing request and private key rather than generating a new CSR and key.
  3. Scroll down and create a new password at least 6 characters long in the Password field, and then tap the Download button. Remember this password! You will need it when installing your certificate.
    Create password and download

  4. Tap Allow on the dialog box that appears, giving permission to download the configuration profile (a file containing your new certificate and private key).

  5. Tap Close on the dialog box indicating that the profile has been downloaded.

  6. Open the Settings app.

  7. Tap Profile Downloaded.
    Profile Downloaded

  8. Tap Install. Note: Even though the PFX file contains a certificate issued by SSL.com, a certificate authority trusted on iOS devices, you will receive several notices that the certificate is Not Signed in this and the next few steps.

  9. Enter your iOS passcode. This is the passcode you would use to sign into your iOS device, not the password you entered when downloading your certificate.
    Enter passcode

    Note: Installing an S/MIME certificate on iOS requires that you have set a passcode for the device. For information on setting up a passcode, please refer to Apple’s documentation.
  10. Tap Install on the warning dialog that appears.
    Warning dialog

  11. Tap the Install button.
    Install button

  12. Enter the password you created in step 3, then tap Next.
    Enter password

  13. The certificate has been installed. Tap Done.

  14. Now that the certificate has been installed, we need to configure Mail to use it. Go to Settings > Mail.
    Mail settings

  15. Tap Accounts.

  16. Select the account you are adding the S/MIME certificate for.
    Select account

  17. Tap Account.
  18. Tap Advanced.

  19. Scroll down to S/MIME.
    S/MIME Settings

  20. To sign all outgoing messages, select Sign, then turn the switch to green and return via the <Advanced link.
    Signing preferences

  21. To encrypt outgoing messages by default, select Encrypt by Default, then turn the switch to green and return via the <Advanced link.
    Encryption preferences

  22. Tap <Account, then Done.
  23. Next, you should install SSL.com’s intermediate certificate. This step will ensure that your signed email will be trusted on all devices. Load this how-to in the Safari browser on your iOS device and click the following link:
  24. Tap Allow.
  25. Tap Close.
  26. Open the Settings app.
  27. Tap Profile Downloaded.
    Profile Downloaded
  28. Tap Install.
  29. Enter your iOS passcode.
    Enter passcode
  30. Tap Install.
  31. Tap Done.
  32. The intermediate certificate is now installed.
    Intermediate certificate installed
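
If you retrieve or export the PFX file on a computer first, as described in the note at the top of this section, you can confirm before sending it to the device that its certificate carries an RSA key, since an ECDSA key can sign but cannot be used for email encryption (see the note in step 2). The following is an added example, not SSL.com's own tooling; it assumes the OpenSSL command-line tool is installed, and the names `smime_pfx_check`, `make_sample_pfx` and `PFX_PASS` are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the certificate inside a PFX file can be used
# for S/MIME signing and encryption (RSA) or for signing only (ECDSA).
# The PFX password is read from the PFX_PASS environment variable so that it
# does not appear on the command line or in the process list.

# smime_pfx_check FILE -> prints sign+encrypt, sign-only, unknown or unreadable
smime_pfx_check() {
    # -nokeys: only the certificate is extracted; the private key stays in the PFX.
    cert=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null) || {
        echo "unreadable"; return 1; }
    text=$(printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null) || {
        echo "unreadable"; return 1; }
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)  echo "sign+encrypt" ;;
        *"Public Key Algorithm: id-ecPublicKey"*) echo "sign-only" ;;
        *) echo "unknown" ;;
    esac
}

# make_sample_pfx rsa|ec FILE -> constructed test input: a self-signed
# certificate standing in for the CA-issued one, bundled with its key as a PFX.
make_sample_pfx() {
    tmp=$(mktemp -d) || return 1
    if [ "$1" = ec ]; then
        set -- "$2" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
    else
        set -- "$2" -newkey rsa:2048
    fi
    out=$1; shift
    # /CN=user@example.com is a constructed subject, not a real address.
    openssl req -x509 "$@" -nodes -days 1 -subj "/CN=user@example.com" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -out "$out" -passout env:PFX_PASS
    rc=$?
    rm -rf "$tmp"   # the unencrypted sample key is not left on disk
    return $rc
}
```

To check a real file, export `PFX_PASS` with the password you created in step 3 and run `smime_pfx_check` on the PFX; a wrong password or a damaged file is reported as `unreadable`.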

Sending Signed and Encrypted Email

  1. Your S/MIME certificate is now installed and configured to work with your email account. If you enabled email signing, all outgoing mail will be signed with your S/MIME certificate. If you enter an email address for which you have installed the recipient’s certificate with their public encryption key, you can toggle message encryption with the lock button at the right side of the address line (if the lock is closed, the message will be encrypted).
    Encryption toggle
  2. In this example we have previously installed the recipient’s certificate (see the next section, below) and are sending encrypted mail. Viewing the sent mail in Thunderbird for macOS shows that the message has indeed been signed and encrypted.
    Signed and encrypted email
  3. If you have not installed your recipient’s public key, your message cannot be encrypted, but will still be signed.
    message unencrypted
    Note: All outgoing mail will be sent using the default S/MIME signing settings for your account in iOS. You cannot choose not to sign email unless you disable this feature in the account settings. As shown above, message encryption can be toggled on and off.
  4. As can be seen from this screenshot from Outlook, the message above was received signed but unencrypted.
    Signed, not encrypted email

Installing a Recipient’s Certificate and Public Key

  1. In order to send encrypted S/MIME email to a specific email address, your recipient’s certificate with their public key must be installed on your device. The process begins when you receive a signed email from that person. An email message signed with a certificate issued by a trusted certificate authority (CA), such as SSL.com, will have a small seal with a check mark to the right of the sender’s address. Tap the sender’s email address, then tap again after the check mark turns blue.
    tap email address
  2. A screen should appear stating that “The sender signed this message with a trusted certificate.” Tap View Encryption Certificate.
    View Encryption Certificate

  3. Tap Install. Note: Even though Mail previously indicated that the certificate was trusted, there will still be a Not Trusted message above the certificate’s expiration date in this step.
  4. Tap Done to finish installing the certificate. After installing the certificate, Mail will automatically allow you to send encrypted email to this address.
    Encryption certificate installed
