Can I create my own S/MIME certificate for email encryption? [closed]
I'm having a bit of an issue here. Bear with me as this may be a case of "not asking the right question".
Background: Using Apple Mail. Want to encrypt/decrypt email but GPGMail (and apparently PGP) isn't supported with Snow Leopard.
Basically I need to create an S/MIME certificate for use in email encryption. I don't want, nor do I care for a Certificate Authority. I simply want a quick-and-dirty certificate. Is this even possible (using OPENSSL, etc) or does the whole process hinge on a higher authority forcing me to either set up a full-scale CA or deal with a company (e.g. Verisign, Thawte) for a cert? My criteria are instant gratification, and free.
Best.
Yeah, it sucks that Apple Mail does not support GPG. :-( I wish it did because I prefer GPG encrypted e-mail too.
I also agree that information surrounding S/MIME and generating your own e-mail certificates is hard to come by. I found Paul Bramscher's webpage has a good description of how to create your own Certificate Authority certificate.
I don't pretend to fully understand the certificate process, but this is what I've been able to piece together. You should consult the openssl manpage for more detailed information about each of the commands shown below.
Create Certificate Authority
The first step is to create your own Certificate Authority (CA). The commands are …
# openssl genrsa -des3 -out ca.key 4096
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
and follow the prompts.
You will need to issue your CA's certificate (ie the content of ca.crt) to each and every recipient of your encrypted e-mail. The recipients will have to install and trust your CA certificate so that your encrypted e-mail will be trusted. The installation will vary for each mail client used.
In your case, you will need to add your CA's certificate to your Apple Keychain. There are lots of posts on the web about how to import and trust a CA certificate in the Apple Keychain.
Create Personal E-Mail Certificate Request
You now need to create a certificate request. Create one for each e-mail address you wish to send e-mail from. Execute the following commands …
# openssl genrsa -des3 -out humble_coder.key 4096
# openssl req -new -key humble_coder.key -out humble_coder.csr
and follow the prompts.
Certificate Authority Signs Your Certificate Request
Your personal certificate needs to be signed by your CA. In this case, you!
# openssl x509 -req -days 365 -in humble_coder.csr -CA ca.crt -CAkey ca.key \
-set_serial 1 -out humble_coder.crt -setalias "Humble Coder's E-Mail Certificate" \
-addtrust emailProtection \
-addreject clientAuth -addreject serverAuth -trustout
The output is your signed certificate.
Prepare Your Certificate for Importing into Your Mail Application
You need to convert your certificate from .crt
(PEM format, I think) to .p12
(PCKS12 format).
# openssl pkcs12 -export -in humble_coder.crt -inkey humble_coder.key \
-out humble_coder.p12
You can now import your *.p12*
formatted certificate into your mail client. In your case, import the *.p12*
file into the Apple Keychain. Once the certificate is installed correctly, Apple Mail will start using your certificate.
There is an Easier Way
Of course, once you've created your own CA there's an easier way of managing certificates created by your own Certificate Authority. openssl comes with a script named …
# /usr/lib/ssl/misc/CA.pl
which simplifies the process of being your own Certificate Authority. There's even a man page for CA.pl!
Free and signed by a CA: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html