en English

Select Language

Powered by Google TranslateTranslate

We hope you will find the Google translation service helpful, but we don’t promise that Google’s translation will be accurate or complete. You should not rely on Google’s translation. English is the official language of our site.

en English

Select Language

Powered by Google TranslateTranslate

We hope you will find the Google translation service helpful, but we don’t promise that Google’s translation will be accurate or complete. You should not rely on Google’s translation. English is the official language of our site.

Installing an S/MIME Certificate and Sending Secure Email in iOS 12

This how-to will walk you through installing and using an S/MIME certificate to send signed and encrypted email in Apple’s Mail app on your iPhone or iPad.

These procedures were tested on an iPhone 7 running iOS 12.

Certificate Download and Installation

Note: While it is generally a better security practice to generate a private key on the device where it will be installed (as shown in this how-to), you can also use email or Apple’s AirDrop feature to send a PFX file containing your certificate and private key to the device. In this case you can either follow steps 1-3 below on your laptop or desktop computer to initially retrieve the file, or export a PFX file from an existing certificate and private key on your computer (for Apple, computers, please see this how-to on exporting PFX files from Keychain Access). Using AirDrop to send the file or tapping an attached PFX in an email message will bring you to step 5, below.
  1. In Mail on your iOS device, tap the link provided in your Certificate Activation Link email.

    Certificate Activation Link

  2. Tap the Generate Certificate button in the web page that opens.

    Note: You can choose between RSA and ECDSA with the Algorithm drop-down menu, but ECDSA cannot be used as an email encryption key, so it’s best to leave this set to RSA. You can also click the Show Advanced Options button, which will reveal a drop-down menu for choosing the key size. Finally, checking I have my own CSR will let you use your own certificate signing request and private key rather than generating a new CSR and key.

    Generate Certificate

  3. Scroll down and create a new password at least 6 characters long in the Password field, and then tap the Download button. Remember this password! You will need it when installing your certificate.

    Create password and download

  4. Tap Allow on the dialog box that appears, giving permission to download the configuration profile (a file containing your new certificate and private key).


  5. Tap Close on the dialog box indicating that the profile has been downloaded.

    Profile Downloaded

  6. Open the Settings app.


  7. Tap Profile Downloaded.

    Profile Downloaded

  8. Tap InstallNote: Even though the PFX file contains a certificate issued by SSL.com, a certificate authority trusted in recent iOS devices, you will receive several notices that the certificate is Not Signed in this and the next few steps.


  9. Enter your iOS passcode. This is the passcode you would use to sign into your iOS device, not the password you entered when downloading your certificate.

    Note: Installing an S/MIME certificate on iOS requires that you have set a passcode for the device. For information on setting up a passcode, please refer to Apple’s documentation.


    Enter Passcode

  10. Tap Install on the warning screen that appears.


  11. Tap the Install button that appears at the bottom of the screen.


  12. Enter the password you created in step 3, then tap Next.

    Enter Password

  13. The certificate has been installed. Tap Done.


  14. Now that the certificate has been installed, we need to configure Mail to use it. Go to Settings > Passwords & Accounts.

    Passwords & Accounts

  15. Tap the account you are setting up to use with S/MIME. In this case we are going to be using a Gmail address that we have previously set up in Mail and purchased the S/MIME certificate to protect.

    Select account

  16. Tap the line with the email address.

    Gmail account

  17. Tap Advanced.


  18. Scroll down to S/MIME.


  19. To sign all outgoing messages, select Sign, then turn the switch to green and return via the <Advanced link.


  20. To encrypt outgoing messages by default, select Encrypt by Default, then turn the switch to green and return via the <Advanced link.

    Encrypt by Default

  21. Tap <Account, then Done.
    Account Done

Sending Signed and Encrypted Email

  1. Your S/MIME certificate is now installed and configured to work with your email account. If you enabled email signing, all outgoing mail will be signed with your S/MIME certificate. If you enter an email address for which you have installed the recipient’s certificate with their public encryption key, you can toggle message encryption with the lock button at the right side of the address line (if the lock is closed, the message will be encrypted).

    Lock button

  2. In this example we have previously installed the recipient’s certificate (see the next section, below) and are sending encrypted mail. Viewing the sent mail in Thunderbird for macOS shows that the message has indeed been signed and encrypted.

    Signed and encrypted email
    Signed and encrypted mail sent from iOS Mail
    Signed and encrypted email
    Signed and encrypted email received in Thunderbird
  3. If you have not installed your recipient’s public key, your message cannot be encrypted, but will still be signed.

    Unencrypted message
    Signed, unencrypted email sent with iOS Mail
    Signed, unencrypted mail
    Signed, unencrypted mail received in Thunderbird
    Note: All outgoing mail will be sent using the default S/MIME signing settings for your account in iOS. You cannot choose not to sign email unless you disable this feature in the account settings. As shown above, message encryption can be toggled on and off.

Installing a Recipient’s Certificate and Public Key

  1. In order to send encrypted S/MIME email to a specific email address, your recipient’s certificate with their public key must be installed on your device. The process begins when you receive a signed email from that person. A email message signed with a certificate issued by a trusted certificate authority (CA), such as SSL.com, will have a small blue seal with a check mark to the right of the sender’s address. Tap the sender’s email address.

  2. A screen should appear stating that “The sender signed this message with a trusted certificate.” Tap View Certificate.

    View Certificate

  3. Tap InstallNote: Even though Mail previously indicated that the certificate was trusted, there still will be a Not Trusted message above the certificate’s expiration date in this step.


  4. After tapping Install, the message will change to Trusted . Tap Done to finish installing the certificate. After installing the certificate, Mail will automatically allow you to send encrypted email to this address.


Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.

Subscribe to SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com