SMIME in OS X Lion

In a previous article I showed how to get and install an S/MIME certificate. Now let’s look at installing it into Mail. It’s really, really hard. First, open Mail. Then click on the Mail menu and select Preferences. Then click on Accounts. Then click on the account you got an S/MIME cert for. Then, in the TLS box, select the certificate you want to use.

Next, go to compose a new message. You will see the little disclosure triangle to the left of the From field. Click on it and then check the box for the lock and the icon to the right of that, meant to look like a Beholder from Dungeons and Dragons. Beholders see well, so they can see if you’re really the person allowed to send the email. The lock encrypts email (provided you have a certificate for all recipients) and the eye of the beholder icon signs messages. Once you’re happy with your checkboxes, click on OK. Now, in your new email message, use the icons. Sign or encrypt. If you don’t have a certificate for a user, have them sign an email and send it to you. When you read their email you should then have their certificate, and with it their public key, in your Keychain. Now take your 100-sided dice and take the rest of the day off (after all, you just figured out how to make email more secure for your company).

Also, you may notice that in these screens I’m using MobileMe certs. If you use the System Preferences pane to install MobileMe into your account then the cert is automatically installed into your keychain for you. So MobileMe users don’t even need to go get a 3rd party cert. I also use this on my work email, but didn’t want to put those screens in here (after all, I did misplace my tin hat and would hate to get hax0r’d by government goblins before I can track it down).

S/MIME in OS X Isn't Just For Tin Hat Wearing Nerds Anymore

S/MIME, or Secure/Multipurpose Internet Mail Extensions, is the de facto standard for encrypting and signing mail. You can encrypt mail to keep prying eyes off of it. Signing, though, is much more common, as it addresses the issue of non-repudiation in many organizations, or gives people a way to make sure that the email they think you sent really came from you. It was also available in GPG plug-ins for Mail, back in the day. But S/MIME used to really be for people who thought the government was out to get them, worked for government agencies, just liked to be kinda nerdy, or actually had something to hide. But is email security overkill? After a bunch of people got their Google Apps accounts exposed through phishing attacks, I’d argue not. I use it for various situations but not all. That may just change in Lion: while S/MIME has been built into OS X for some time in the form of the smime command, it is much easier to use as of Lion and is now available in iOS 5 as well.

First, get a certificate from one of these providers (my favorite is Verisign, but Comodo is free):

  • Comodo: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html
  • CAcert: https://www.cacert.org/index.php?id=1
  • Secorio: http://www.secorio.com/index.php?S_MIME_Email_Certificates
  • Symantec: http://www.trustcenter.de/en/index.htm
  • StartCom: https://cert.startcom.org
  • Verisign: https://www.verisign.com/authentication/digital-id/index.html
  • GlobalSign: http://www.globalsign.com/authentication-secure-email

Once you have downloaded the certificate files from the sites you can easily install them by double-clicking them, which imports them into the login keychain. Many organizations are going to want to script this process. To import the certificates, use the security command. Here we’ll import a Comodo p7 cert:

security import ~/Downloads/CollectCCC.p7s -f pkcs7

Once imported, the certs can be escrowed by control-clicking on the cert in Keychain Access and exporting it as a .pem file. For organizations that want users to import their certs from a site, the certs (user-specific entries as well as intermediaries) can be curl’d down and then imported:

curl -o /tmp/mycert.crt http://username:password@www.krypted.com/username/username.crt

Which brings up a final point. If you give certificates to users, rather than having them download and load up their own, you will have control over whether or not keys get escrowed and, if so, how. When just using signing, you may not care. But when messages are being encrypted, many organizations will have regulatory or eDiscovery situations that require the escrowing of keys to be able to unlock the contents of messages that are encrypted. For this reason, some will need to export the certificate that was imported. Of course, if you escrow private keys for certificates, then can the receiver ever know for certain you sent the message? I guess that comes down to process. If you require two people to turn a key at the same time when the sun shines through this one special crystal and makes the tomb glow red, then you may be able to keep people out. But then there are conspiracies and we’re back to preparing our tin foil as head gear…

Anyway, Mail has supported S/MIME for some time, as can be seen in this O’Reilly article from 8 years ago. There’s also an smime command line tool that goes pretty far back. Importing certificates into iOS is about as easy as importing them into OS X, but you can also distribute certificates using mobileconfig files, which I wrote an article on a while ago. One can assume that the Profile Manager feature announced in OS X Server will allow you to deploy these over MDM, but then we might just have to wait until fall to see what that’s all about…
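The scripted download-and-import described above, as an added example that is not from the original post: it picks the -f value for security(1) from the file it is handed, checks PEM input with openssl before importing, and pulls credentials from ~/.netrc instead of embedding them in the URL (where they would land in shell history and the process list). The server name, the ~/.netrc setup and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: script the certificate
# distribution described above. The server URL, the ~/.netrc credential
# setup and the file names are assumptions for illustration.
set -eu
CERT_SERVER="${CERT_SERVER:-https://certs.example.com}"   # assumed internal host
KEYCHAIN="$HOME/Library/Keychains/login.keychain"         # same target as a double-click

# Pick the -f value for security(1) from the extension and PEM headers;
# a bare DER .p7s (like Comodo's CollectCCC.p7s) maps to pkcs7.
cert_format() {
  case "$1" in *.p12|*.pfx) echo pkcs12; return ;; esac
  if grep -q -- '-----BEGIN PKCS7-----' "$1"; then
    echo pkcs7
  elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    # user cert plus intermediaries in one PEM file is a pemseq
    if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -gt 1 ]; then
      echo pemseq
    else
      echo x509
    fi
  else
    case "$1" in *.p7s|*.p7b|*.p7c) echo pkcs7 ;; *) echo x509 ;; esac
  fi
}

# Fetch the user's cert with credentials from ~/.netrc (mode 600), so the
# password is not in the URL, the shell history or the process list.
fetch_cert() {  # fetch_cert <username> <outfile>
  curl --fail --silent --show-error --netrc -o "$2" "$CERT_SERVER/$1/$1.crt"
}

# Refuse PEM input openssl cannot parse as a certificate (set -e aborts on failure).
check_cert() {
  case "$(cert_format "$1")" in
    x509|pemseq) openssl x509 -in "$1" -noout -subject ;;
  esac
}

# A .p12 that also carries the private key would need -P <password> too.
import_cert() { security import "$1" -k "$KEYCHAIN" -f "$(cert_format "$1")"; }
deploy_cert() {  # deploy_cert <username>
  tmp="$(mktemp "${TMPDIR:-/tmp}/smime.XXXXXX")"
  fetch_cert "$1" "$tmp"
  check_cert "$tmp"
  import_cert "$tmp"
  rm -f "$tmp"
}

[ -z "${SMIME_USER:-}" ] || deploy_cert "$SMIME_USER"   # e.g. SMIME_USER=jdoe sh import_smime.sh
```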