How to Set Up Encrypted Mail on Mac OS X
Preparing the Keychain
This step is optional, but I recommend that you follow it. Indeed, although most users use the Keychain without even thinking about it, this application has some features that can greatly enhance the security of your data.
A Keychain is, in fact, an encrypted file that contains sensitive information like passwords, secure notes, and yes, private keys.
When you log in, Mac OS X's default behavior is to "unlock" the keychain. In other words, it decrypts the file.
When a Mac OS X application needs a password, it automatically asks the Keychain for it. If the keychain is unlocked, Mac OS X will look at the access authorizations for the password.
If it is set to "Allow all applications to access this item," it will give the password to the application silently. Or, if you have it set to "Confirm before allowing access," it will ask for your permission first.
This is a very secure system, since you can set the access authorizations yourself -- Mac OS X pre-sets them for you if you don't want to deal with this.
However, since private keys are so important, we want to keep them in a "locked keychain" (encrypted file) that we will only unlock on demand.
Sure, we could change the Mac OS X default behavior and not unlock Keychain automatically at login, but this is not convenient for our less secure passwords such as Safari auto-fills and mail accounts. For them, having the Keychain unlock itself automatically and setting access authorizations on a password-by-password basis should be enough. However, you be the judge.
Therefore, we are going to create an additional keychain where we are only going to store our certificates. In order to do so, open the "Keychain access" utility, located in the "Utilities" folder.
Then use the "File" menu to create a new Keychain. Give it a good name and click on create. The next step is to create a good keychain password. Again, this password is as important as your Thawte account password but should not be the same. You should also be able to learn it by heart since you will have to type it to use your certificates.
Here's a tip: use the Keychain Access "View" menu to select "Show status in Menu Bar." This will be handy later on.
Now that the Keychain is created, minimize the "Keychain Access" window and go back to Mozilla.
The Transfer Process
To transfer the certificate, you will first need to access the certificates manager.
In order to do so, use the "Mozilla Firebird" menu to open the "Preferences" sheet. Then click on "Advanced" and use the disclosure box located next to the "Certificates" item if needed. Finally, click on "Manage Certificates."
The window that appears will show you all your key pairs. Select the one you want to export and click on "Backup." This will tell Mozilla to package the pair into an (encrypted) file and to save a copy of it somewhere where you can access it directly.
Give the backup file a name and save it onto the Desktop. Then pick a password for it. The password can be weaker than the others -- but not too weak, of course. You do not need to write it down, but simply to remember it for 2 minutes.
Once the file is on your desktop, you can quit Mozilla. Now double-click on the file as if you wanted to open it. This will launch (or unminimize) Keychain Access and it will ask where you want to import it.
Select the Keychain that you just created and click on "OK." The Keychain will now contain your private key and the associated certificates.
Certificates contain no secrets and are made public when you send a signed mail. There is therefore no need to protect them better than what we have done.
Your private key, however, is very important. To protect it even better, we are going to restrict access to it. To do so, click on it once and select "Access control" in the bottom half of the window.
In the panel that appears, deselect "Allow all applications" and pick "Confirm before allowing access." Now, Mac OS X will prompt you for confirmation before allowing an application to access the private key, even when the Keychain is unlocked.
The most paranoid of us (in the positive sense of the term) will want to check the "Ask for keychain password" box. When this option is selected, Mac OS X will ask you for the keychain password before allowing access to the private key even when the keychain is unlocked.
There is one minor drawback that you should be aware of. With this method, when you want to send a signed mail, Mail will begin the signing process, ask for your permission before fetching the certificate, and then send the mail. If you deny access to the certificate for any reason, the recipient will receive a mail with a message stating that the signature wasn't verified successfully, leading him to think that the mail has been tampered with.
Finally, drag the backup file created by Mozilla to the Trash and use the "Finder" menu to "secure empty" it. If you want, you can remove the certificate from Mozilla's certificate manager -- since you do not want to keep unneeded copies of such sensitive files on your hard drive.
You can now safely quit the Keychain Access application.
Before sending signed mails, use the "Keychain" menu to unlock the keychain that contains your private key and certificates, although you can also do that on-the-fly while sending the mails. When you are done, use the menu again to lock the Keychain, greatly enhancing the security of your keys.
Using Mail
Now that we have gone through this lengthy process, we can go back to the typical Apple way of doing things.
It's now time to fire up Mail and to click on the "New" button to create a blank mail. Mail will automatically detect that you are the proud owner of a certificate and display a button on the top right of the mail-composing window.
If you have multiple accounts in Mail, you will need to use the "Account" pop-up menu to select the account that the certificate is associated with before being able to see the button.
Signing Messages
The mail-composing process does not change at all. Just make sure that the button is clicked (it is filled with a dark gray color and contains a checkmark in a black badge). This means that the message will be signed when you send it.
If you do not want to sign a message, click on the button. The color lightens and the badge contains a small cross.
You can send signed messages to anyone. Mail will send the message along with the necessary element for the other computer to check your signature -- your public key.
Receiving Signed Messages
You receive signed messages like any other ones. The only difference lies in the last header of the message, displayed at the top of the window. You will see a header containing the small "Signed" badge, indicating that this is indeed a signed message.
If the message does not contain the public key or has been modified by a malicious user, a big yellow band will appear at the top of the message window, stating that Mail was unable to verify the message signature. This is usually a bad sign and should ring warning bells immediately.
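The check Mail performs covers only the signed MIME part of the message, not everything the reader sees. The added example below (not code from the article; the sample message, the forwarding wrapper and the placeholder signature blob are all constructed) locates that part in a raw S/MIME message and shows that an edit inside it changes the protected bytes, while a note a forwarding client adds outside it leaves them untouched even though the reader sees the note.

```python
"""Which bytes of an S/MIME signed mail does the signature protect?

Added example, not code from the article. A multipart/signed message
(RFC 1847, the container S/MIME uses) has exactly two parts: the signed
content and a detached PKCS#7 signature. The signature covers only the
first part, byte for byte, with CRLF line endings. The functions below
locate that part in the raw message and hash it; the hash stands in for
the signature check Mail performs with the sender's certificate, because
this script carries no real certificate or key.
"""
import email
import email.policy
import hashlib

# Constructed sample message. The base64 blob is a placeholder, not a signature.
SIGNED_CT = (b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
             b'micalg=sha-256; boundary="sig-boundary"\r\n')
SIGNED_BODY = (
    b"--sig-boundary\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"asdf\r\n"
    b"--sig-boundary\r\n"
    b'Content-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"UExBQ0VIT0xERVI=\r\n"   # placeholder bytes, not a real PKCS#7 object
    b"--sig-boundary--\r\n"
)
HEADERS = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
           b"Subject: test\r\nMIME-Version: 1.0\r\n")
SIGNED_MAIL = HEADERS + SIGNED_CT + b"\r\n" + SIGNED_BODY


def forward_with_note(note: bytes) -> bytes:
    """Constructed forwarder behaviour: wrap the intact signed message in a new
    multipart/mixed with a note in front, as some clients do when redirecting."""
    return (HEADERS
            + b'Content-Type: multipart/mixed; boundary="mix"\r\n\r\n'
            + b"--mix\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
            + note + b"\r\n"
            + b"--mix\r\n" + SIGNED_CT + b"\r\n" + SIGNED_BODY
            + b"--mix--\r\n")


def signed_content(raw: bytes) -> bytes:
    """Return the exact bytes the detached signature covers: everything between
    the first boundary delimiter of the multipart/signed part and the CRLF that
    precedes the second one. Works whether the signed part is the top level or
    nested inside another multipart."""
    msg = email.message_from_bytes(raw, policy=email.policy.SMTP)
    for part in msg.walk():
        if part.get_content_type() == "multipart/signed":
            delim = b"--" + part.get_boundary().encode("ascii")
            _, found, after = raw.partition(delim + b"\r\n")
            if not found:
                raise ValueError("boundary not found in raw bytes")
            return after.partition(b"\r\n" + delim)[0]
    raise ValueError("message carries no multipart/signed part")


def protected_digest(raw: bytes) -> str:
    """SHA-256 over the protected bytes (micalg=sha-256 in the sample)."""
    return hashlib.sha256(signed_content(raw)).hexdigest()


def unprotected_text(raw: bytes) -> str:
    """Text the reader sees that no signature covers: text/plain parts that
    sit outside the multipart/signed container."""
    msg = email.message_from_bytes(raw, policy=email.policy.SMTP)
    pieces = []

    def visit(part, inside):
        inside = inside or part.get_content_type() == "multipart/signed"
        if part.is_multipart():
            for sub in part.iter_parts():
                visit(sub, inside)
        elif part.get_content_type() == "text/plain" and not inside:
            pieces.append(part.get_content())

    visit(msg, False)
    return "".join(pieces)


if __name__ == "__main__":
    tampered = SIGNED_MAIL.replace(b"asdf", b"asdf jkl;")  # edit inside the signed part
    forwarded = forward_with_note(b"jkl;")                  # text added outside it
    print("original :", protected_digest(SIGNED_MAIL))
    print("tampered :", protected_digest(tampered), "-> Mail shows 'unable to verify'")
    print("forwarded:", protected_digest(forwarded), "-> signature still verifies")
    print("unsigned text the reader sees:", repr(unprotected_text(forwarded)))
```

A verifying client reports the signature as good in the forwarded case because the signed part is intact; the note in front of it is simply not covered, which is why a message that "still shows as signed" after a third party added text is not evidence that the signature is broken.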
As soon as you receive a signed message, Mail will import the sender's certificate into your login keychain.
Sending Encrypted Messages
Remember, to send an encrypted message, Mail needs to know the recipient's public key so that he can then decrypt it with his private key. Therefore, you can only send encrypted messages to people whose public keys you already have in your Keychain.
The easiest way to obtain someone's public key and immediately send this person encrypted messages is to ask her to send you a signed message. Upon arrival, Mail will store the certificate in the keychain and allow you to encrypt messages that you send to this person.
The process is exactly the same as when signing messages. However, this time you need to pay attention to a second button: the one with a padlock icon on it.
The padlock can be unlocked (the message won't be encrypted) or locked (the message will be encrypted).
You can send an encrypted message without signing it. However, this is not really a good thing to do since the message you are sending is probably important, and adding an authenticity check to it greatly improves the security of the transfer.
Receiving an Encrypted Message
In typical Apple fashion, receiving an encrypted message is completely transparent. When you open the message, you will immediately be able to see its contents, and this leads some users to think that the process failed.
However, the security header will state that it has been encrypted during the transfer.
Final Thoughts
Although obtaining a certificate is not the most straightforward thing in the world, it's easy enough to do, as is installing the certificates you obtain.
Apple's implementation of S/MIME support in Mail allows every user, whether they are experienced or are using a Mac for the first time, to protect the mail they are sending by encrypting it. And that's a very good thing. Indeed, using certificates will greatly increase the security of mail communications by reducing (not eliminating) the risk of impersonation, and preventing mails from being tampered with.
Talk to people about mail certificates and signing and try to use this method as often as possible. The security and comfort it provides are great and, since it can be integrated into your everyday workflow without any difficulty, it can only be an improvement. Encourage them to get certificates and to use them too.
However, you should not forget that signing a mail is like signing a piece of paper. Sure, someone can falsify your signature just as someone can steal your private key, but in most countries, you are held responsible for what you sign. A signed mail comes with legal consequences and you should take every single step you can to protect your private key. For example, do not use it on shared computers. Keys are not something to play with, but they definitely are something to use when you are serious about the integrity of your written communications.
FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.
-
Firefox Certificate Manager
2007-04-12 06:47:07 jasonedwards [Reply | View]
I am new to this, please forgive me if this is a bad question.
What is the purpose of leaving the certificate in the Firefox Manager? I exported the certificate, saved it in a secure external drive and imported it to my keychain. Do I need to keep the certificate in Firefox for any reason or can I delete it?
Jay
-
Duplicate Certificates in Keychain
2007-04-12 06:41:27 jasonedwards [Reply | View]
I requested, received and installed the Thawte Certificate as per the instructions of the article. After I exported the certificate from Firefox I imported it to a separate keychain (B). My default login keychain is called (A). Everything seems to work except...
I have 2 certificates in keychain A... although I imported the certificate to keychain B.
Keychain A (default) contains:
1) jasonedwards@myemail.com certificate
2) Thawte Personal Freemail Issuing CA expires 2013
Keychain B (the one I imported cert to) contains:
1) jasonedwards@myemail.com certificate (duplicate from A)
2) Thawte Personal Freemail Issuing CA expires 2013 (duplicate from A)
3) Thawte Personal Freemail CA expires 2020
My questions are...
Why do I have anything in A if I imported the cert to B?
Can I delete the certificates from A?
What are the differences/uses for the 3 different Certificates?
Thanks for the time,
Jay
-
Mail security icons inoperable
2006-03-10 10:38:34 Daniel_Possin [Reply | View]
Hi -
I recently used your instructions to obtain a personal certificate from Thawte. I believe I've installed it correctly - it appears in my keychain etc. and, when I attempt to create a new signed message the appropriate icons appear but are inactive for some reason. I've tried obtaining new certificates using Firebird and Safari 2.0.3; I've checked my keychain with First Aid, and I've specified that the Mail program has permission to use the keychain certificates. Nothing has worked. I'm probably just doing something stupid, but can't figure out what.
Thanks for listening to my lament. I look forward to your reply.
Dan
-
2006 - new issues
2006-02-16 00:27:28 Vicjoe [Reply | View]
Now that it has been revealed that the US Gov't broadly surveilles communications, particularly if they cross a border in or out of the USA, I have one question:
Does the US Government have the "master keys" or equivalent means of reading and or altering an encrypted e-mail message using the Thawte or other certification 3rd parties?
Thanks, I keenly await your reply.
-
Updates
2005-10-09 18:02:34 friendship1 [Reply | View]
Excellent Article. I am wondering if there have been any changes/updates to OS X, Mail, Safari, etc that need to be addressed. Additionally, there was an assumption that Mac users would use Thawte. Why and what other CA are there?
-
Potential unsecure issue
2005-09-12 11:15:14 scott.gardner [Reply | View]
I did a quick test to ensure the security of my email communication, as follows:
1. I sent an email from my digital-certificate signed email account (...@mac.com) to an alternate non-signed email account (...@yahoo.com), with the message body "asdf."
2. In my yahoo account, I redirected this email to a 3rd alternate non-signed email account (...@gmail.com), adding this text to the message body: jkl;
3. In my gmail account I received the redirected email with the altered message body, yet still showing signed by ...@mac.com
It appears to me that this digital signature is not accurate, because the message was altered by the recipient and then re-directed to another email.
I've emailed Thawte a couple times and they haven't responded.
-
Little confused about multiple computers and same email
2005-09-02 18:12:15 jehrler [Reply | View]
Well, I followed the tutorial and got some certs and that is working fine.
But, my wife and I share access to some emails (like sales! ones) and I want both of us to be able to sign and encrypt off the same email address off each of our computers
I created the cert using my main email address for sales and thought I could just copy the cert over to my wife's keychain for her to use it when she sends email from that same email account.
Doesn't work.
-
works with safari 1.2
2005-02-14 10:42:39 sammyjjr [Reply | View]
Thanks for the informative and detailed article. It seems that now one can use Safari. I used Thawte and Safari to get the certificates. Certificates were automatically put into my keychain. I created a separate keychain for my private certificate and dragged it there. I had some problem getting Mail to recognize that I had a certificate so I temporarily allowed all applications to access the certificates which seemed to do the trick. The process of acquiring a certificate is also documented in Mail Help to some extent.
Best regards.
sammyjjr
-
LIFESAVER!!
2005-01-31 13:52:51 chels120 [Reply | View]
HI, I'm a student at the University of Florida and I am currently enrolled in a computers for business majors course. I am apparently the minority in that class due to my powerbook. Seems I am one of the only students with a Mac and therefore I am faced with many hurdles to overcome to successfully complete the course. I have to say, that if it wasn't for your step-by-step article, I would have been a fish out of water in my class. You have saved my project and my grade! Just wanted to say thank you!
Sincerely,
A Struggling Mac-lover
-
Can't get Mail to sign...
2004-10-18 10:23:22 RogerAlexander [Reply | View]
I've managed to successfully obtain a Thawte certificate and keys for my email address. However, when I send a new message, I do not get the button for signing. Yes, I am sure that the email address for my account (only have one) and for the certificate are the same text and in the same case. I'm at a loss as to what to do here. Any help would be greatly appreciated.
Suggestions?
-
Thank you very much
2004-10-15 00:14:05 Clytie [Reply | View]
Thank you very much for your article, which I found very informative and easy to follow. I had just set up GnuPG to work with Mail among other things (via GPGMail), and the first person with whom I wanted to test this turned out to be using the S/MIME protocol instead.
I now have both working, although I think S/MIME integrates better with Mail, since it is using its existing capability. You only have a couple of unobtrusive, small boxes at the upper-right of the window, rather than a whole bar across it. However, since both protocols will be in comparatively common use, I'm probably better off with both, than with only one.
Your article helped me to avoid the difficulties I would have had by using my current browsers (OmniWeb 5 and Safari) since they do not appear to have the certificate management capability temporarily required (although otherwise excellent). You made a rather complex and confusing process much easier to understand, and highlighted capabilities within Mail and OSX which I had evidently underused.
The postcard image is powerful: email seems so private, straight from me to you, almost instant. But in fact it is extremely public, and the sooner we become more aware of that, the more chance we have of protecting our own privacy.
Is there any likelihood that Apple will make the certificate-gaining process more transparent, more part of the OS? As a preference in Mail, for example, once you had enabled it in the Security prefs, it would be much more widely used.
Thank you again
from Clytie
-
multiple macs?
2004-09-15 18:13:45 jay o'frasca [Reply | View]
hi -
thanks for the great article.
I have an imac and a powerbook... can i simply copy the certificates from my imac and put them into a keychain on my powerbook?
or is there a smarter more secure way for having multiple macs using the same certificates?
-
how can i get my key pair from thawte again?
2004-09-05 18:39:18 jonmcauliffe [Reply | View]
in the process of moving thawte-related keychain items to a new keychain, my private and public keys got deleted. how can I retrieve them from thawte?
-
Can't get it to work
2004-07-18 05:26:38 ShaunO [Reply | View]
I think I have the certificate from thawte, but mail refuses to sign. I've checked the mail address in the certificate matches the account but no joy. Any suggestions?
-
Entourage
2004-03-17 12:04:03 paolob [Reply | View]
Does anybody know if i can use S/MIME and certificate also with Entourage or just with Mail? Thank you
-
Safari 1.2 works just fine
2004-03-04 18:19:30 slightly99 [Reply | View]
There's no need to go through the Mozilla Fire(fox) procedure - you can request your certificate through Safari 1.2 in Panther, and once you receive the email indicating that it's ready, click on the link in the mail, and the browser will export the certificate automatically to Keychain. You can then set up your separate "Certificates" keychain as the rest of the article instructs.
-
attachments don't work
2004-02-20 17:24:31 jesushouston [Reply | View]
I had no trouble setting up the certificates and sending encrypted emails, but whenever I attach jpgs or other files my friends tell me they can't read them. I then have to resend the attachments, turning off the encryption. I am using OS 10.3.2
-
Moving Certs From Windows To Mac
2004-02-08 21:14:37 macthemes [Reply | View]
I have a cert on my Windows machine, that I want to move over to my Mac. When I exported the cert, and then imported it in Keychain Access, I got my cert and my private key, but no public key. Apparently Mail won't let me sign things without a public key to go with the private key and the cert.
a) is there some way to extract the public key from the cert and add it to my keychain?
b) is there some way I can export my public key directly on the windows side and import it?
c) am I completely off base here?
Also, how does one use the "export" command in the file menu of keychain access to move keys/certs from one Mac to another?
-
Can't get Keychain Access to accept Backup
2004-01-30 12:25:17 khirt [Reply | View]
Everything worked perfect until I tried to get the Backup to load. Info shows the file is Adobe Reader Digital ID File. If I force Keychain Access to open the file, Keychain Access launches but nothing happens. I am running OS 10.2.8 on a PowerBook G4. Any help would be appreciated.
-
Difficulty Installing Thawte Certificate in Netscape
2004-01-30 09:43:43 inetwsnet [Reply | View]
I attempted to install a certificate in both the most current Netscape and Firebird on two Macintoshes one running 10.2.8 and the other 10.3.2. Both times clicking on the install link at Thawte does nothing. Trying it in Safari for the heck of it downloads an exe file to the desktop. I checked in the certificate manager in Netscape/Firebird and no certs are installed. Any help would be greatly appreciated since I am writing an article about this.
-
Allow Mail to use certificate
2004-01-28 23:07:20 maximus [Reply | View]
In Keychain you may still have the settings set so as to ask for a password in order to use the certificate AND not have to confirm the use of the certificate for Mail.
Having to confirm that Mail may use the certificate each time (without a password) is just a nuisance that does not add to security. The way to avoid that is to add Mail to the Access Control of the certificate so that Mail can use it if you have unlocked it and provided the password.
All other applications will instead have to have the password reissued if they want to use the certificate.
PS
Again, unless you have set the keychain so that you have to issue the password for every signed email, there is no added security in confirming that Mail may send signed mail. It would be meaningful if denying access sent a regular email, but that is not the case: it sends what your recipient would take as a *tampered* email.
-
Master Password for Software Security device?
2004-01-23 15:17:34 ftwilson [Reply | View]
Hello-
Running Firebird, I can't get past the step below:
"The window that appears will show you all your key pairs. Select the one you want to export and click on "Backup." This will tell Mozilla to package the pair into an (encrypted) file and to save a copy of it somewhere where you can access it directly.
Give the backup file a name and save it onto the Desktop. Then pick a password for it. The password can be weaker than the others -- but not too weak, of course. You do not need to write it down, but simply to remember it for 2 minutes."
When I try to save the backup file, I get a dialog box asking for the "Master Password for the Software Security device." What to do?
Thanks!
-
A flaw in the keychain process?
2004-01-23 12:35:23 mhelbing [Reply | View]
Following the instructions in the article for setting up a new keychain for managing S/MIME private keys, everything worked great for sending mail: every time I tried to send an encrypted message I was prompted for my keychain password. However, once Mail.app prompted me for my keychain password to *decrypt* an encrypted message, the message remained unencrypted on subsequent viewings, even after quitting Mail.app and restarting it.
-
Certificate Not Showing Up
2004-01-23 05:57:36 popezaphod [Reply | View]
I created a certificate at work without any problems. However, on my home machine when I go to fetch the certificate and then go to the Certificate Manager, no personal certificate appears. I have tried both Firebird and Mozilla and neither one shows a personal certificate for me to export.
(Granted, I can export it again at the office - I hope - and sneakernet it home, but I should be able to download it)
-
Certificate digital in Portugal
2004-01-22 20:10:55 manuelsilva [Reply | View]
Dear Sirs,
I'm writing from Portugal.
The administration of justice and the lawyers use mail with digital certificates to communicate.
This certificate is from a Portuguese company (www.multicert.pt).
I use a Mac for work and after many, many, many ... hours on the computer, on the internet, at Apple Portugal, in ... my Mail (10.3.2) does not work with the certificate -
I do not see the certificate in Mail.
For me it is very complicated to do the process in Keychain Access.
In Mozilla it works fine.
PLEASE, is it possible to send me a screen capture, step by step, of this part of the article?
Thanks
Manuel Silva
PS- Sorry, my English is horrible.
-
Case sensitivity?
2004-01-22 09:01:57 mhelbing [Reply | View]
A friend just received his Thawte personal certificate yesterday (he is using Thunderbird on some flavor of Windows). When he sends me an email, Panther's Mail.app recognizes that his message is signed, but I see a yellow bar that says something like "Cannot verify message." I verified my Keychain, and it did successfully import my friend's certificate. The only inconsistency I notice is that his certificate uses some capital letters, but the "from:" header of his email uses all lowercase letters. Could this be the problem?
-
Does Mail.app import a PGP public key?
2004-01-22 06:46:16 felipemacpress [Reply | View]
Hi, I managed to get a certificate and use it with Mail, but a friend of mine uses GnuPG to sign his messages.
Is it possible to import a public PGP key to my keychain so I can send him encrypted messages? Or does it only work with certificates like Thawte's?
-
Run your own CA?
2004-01-22 06:46:01 greenergrad [Reply | View]
Is it possible to run your own CA if, say, you are in a university or corporate environment and want a good way to provide certificates to students or employees? Doesn't OS X include the open source tools necessary to do this? If so, how would they be used?
-
Doesn't Work :-/
2004-01-22 01:44:01 timb [Reply | View]
I purchased a S/MIME certificate from GeoTrust, and followed your instructions for installing it from Firebird. Mail.app doesn't seem to see it, but the cert and key show up in the Keychain (Timothy Brown, GeoTrust as a CA, 2048-bit...)
Any ideas?
-Tim
-
At multiple accounts I...?
2004-01-21 17:04:12 drogue [Reply | View]
Followed your article all the way through, but I have multiple email accounts. Panther 10.3.2. Don't see anything about associating the certificate with a particular email account. What am I looking for?
-
Mail can sometimes use the keys, and sometimes not
2004-01-21 12:45:42 eepalmer [Reply | View]
I was able to import a few different private/public keys to my ibook (running 10.3.2) and it works like a champ. However, when I imported them to my desktop (also running 10.3.2), it would not recognise them. Mail would not give me the icons for sign or encrypt. Bummer.
What is interesting is how I can get the desktop to recognize the keys. I can mail myself a signed email from my iBook. I receive it on my desktop. Mail tells me, "Unable to verify message signature." If I click details, I get an error, "Unable to verify message signature." Strange.
What comes next is stranger. I click "Show Details," and it tells me about the certificate. Now, using the desktop I can write emails that allow me to sign and encrypt. It works great. However, when I quit the program, it forgets.
I use an email alias, and my mail is configured to let me choose whether to send email from the alias or the account it directs mail to (let's call it the main account). When I select the main account I am able to sign and encrypt messages, but when I select the alias, I can't. I have certificates for both in my keychain, but only one shows up in the "My certificates" category, the one that works fine. Is there a way to make the "alias" email send encrypted messages?
Thanks again for the wonderful article. I'd tried to sign/encrypt messages many times and never understood how to do it until I ran into your article.