
Ask Different (Apple)

Q&A for power users of Apple hardware and software

Latest Questions

1 votes
0 answers
50 views
How does Apple validate S/MIME signatures?
There is obviously a change in how Apple validates S/MIME signed emails in the Mail app of macOS 15 Sequoia, because the signatures made with our S/MIME certificates used to be accepted just fine up to and including macOS 14 Sonoma, but in Sequoia they no longer validate. They still work in iOS 18.2, as well as in Thunderbird. eM Client, on the other hand, complains about "an incomplete certificate revocation check". I suspect that there is a new requirement that a certificate must have a CRL and/or OCSP entry. Our certificate does not have either of them. Another certificate I've tried has a CRL entry and it validates okay, but it is not the only difference, so I'm looking for the exact specs. However, I'm unable to find them anywhere. I know that RFC 9325 places a normative requirement on *TLS* implementations to have some means of distrusting certificates, but I can't find anything like this for S/MIME. Sections *4.3. Signature Verification* and *6. Security Considerations* of [RFC 8551](https://www.rfc-editor.org/rfc/rfc8551.html) more or less only mention key sizes and algorithms, but no revocation checking. I also failed to find any documentation by Apple about this change. Is there any?
not2savvy (2070 rep)
Jan 14, 2025, 11:14 AM • Last activity: Jan 14, 2025, 02:54 PM
2 votes
1 answers
3522 views
Does Keychain support importing a PKCS12 certificate encrypted with AES256?
I am attempting to import a PFX/P12 certificate generated by the Windows certificate manager for use with S/MIME into MacOS Catalina Keychain. The certificate is encrypted with AES256. The same certificate and password work correctly when encrypted with 3DES. When the certificate uses AES256, Keychain complains "MAC verification failed during PKCS12 import" after I enter the password. The same error is achieved using the security cli. Any ideas what might be wrong? CLI examples that did not work:
```
security import ./foo.pfx -f pkcs12
security import ./foo.pfx -t cert -f pkcs12
security import ./foo.pfx -f pkcs12 -k ~/Library/Keychains/login.keychain
security import ./foo.pfx -f pkcs12 -T /usr/bin/codesign -k ~/Library/Keychains/login.keychain
```
### Update 1: How the Certificates were Created

1. Login with my user on a Windows 10 desktop
2. Open Manager User Certificates
3. Personal -> Certificates -> All Tasks -> Request New Certificate
4. Select the appropriate enrollment policy
5. Right click the certificate and choose "Export..."
6. Select the format:
   1. PFX
      1. include all certificates
      2. enable certificate privacy
7. Set the password
8. Finish

At some point in the process I chose AES256 or 3DES from a drop down (only two options available)
n3bulous (21 rep)
Apr 28, 2020, 02:49 AM • Last activity: Aug 25, 2024, 10:04 AM
2 votes
2 answers
639 views
iOS S/MIME Encryption Issues 16.6
I am having an issue where S/MIME on my iOS 16.6 device is half working. I am able to receive/read encrypted emails and can send signed messages without issue. I am also **able to send encrypted emails**, but **only if it is a reply to another party**'s signed email. I cannot, for anyone, send a new email that is encrypted, regardless of the fact that I have their certificate installed and their signature trusted. **I am even unable to send myself a (new) encrypted email** to my own email address (the same as sender) on iOS as it says “Unable to encrypt”. I tried reinstalling my S/MIME certificate (.p12) as well and the certificates of other parties, but nothing changed. What makes even less sense is that, provided the other party emails me first (with a signed email), I can reply to their signed message and it will let it encrypt; it also works just fine for if they send me an encrypted message (I can reply, encrypted). It works 100% on macOS (I can send new encrypted mail etc. without it needing to be a reply).

I have tried:

* Installing root/intermediate certificates for SSL.com (my cert provider), Entrust
* Ensuring that the default account is the one with S/MIME (per the Apple Discussion iOS Mail S/MIME cert installed and trusted but “No valid certificates found” and double-checking I did it right by the article How to change the default email account on your iPhone in 4 steps)
* Disabling mail privacy settings
* Enabling encryption for all outgoing mail (Entrust’s documentation said that was part of install)

I rebooted between all of these steps just on the off chance it was a caching issue. Still nothing. Has anyone run into this before? How did you get it working? I am absolutely stumped and have spent hours trying to figure this out.
kwilsonmg (31 rep)
Aug 28, 2023, 06:33 PM • Last activity: Aug 30, 2023, 05:52 AM
1 votes
1 answers
1686 views
How can I disable S/MIME signing/encryption for Mail on iOS?
I would like to deactivate S/MIME signing and encryption in Mail on iOS (latest version 16.3.1) as I no longer use it. In Settings > Mail > Accounts > [my account] > Account > Advanced, I see at the bottom two options for S/MIME signing and encryption that can, however, not be deactivated (see screenshots). If I recall correctly, there seemed to have been a third option in the advanced settings, and that was whether to use S/MIME at all. That option is not visible in my settings however. Any help with this is much appreciated

[Screenshots: Advanced Settings showing the S/MIME options; S/MIME signing cannot be turned off; S/MIME encryption cannot be turned off]
Leonard Burtscher (111 rep)
Feb 25, 2023, 08:00 AM • Last activity: Feb 25, 2023, 08:56 AM
8 votes
2 answers
17923 views
Apple Mail warning: Unable to verify message signature
After upgrading from Sierra to Mojave (macOS 10.14), Apple mail started to display the warning *Unable to verify message signature* above all signed and encrypted emails. When clicking on *Details*, it says: *The digital signature is incorrect. The message may have been tampered with or corrupted since signed by (sender's name).* We are using S/MIME certificates signed by a self-signed root CA, but I doubt that this is the problem. When checking the certificates in the Keychain app, they are reported to be valid and good. However, if in Apple Mail, I get the above message and click on *Show Certificate*, the root certificate is reported to be valid and trusted, but the S/MIME certificate is nonetheless invalid for no obvious reason. Note that some report similar problems for emails with attachments only.
not2savvy (2070 rep)
Nov 20, 2018, 01:58 PM • Last activity: Nov 21, 2022, 10:51 PM
1 votes
1 answers
497 views
How to enforce S/MIME encryption in Apple Mail
We've set up Apple Mail on our Macs with S/MIME encryption which works quite well. However, users are able to select or deselect encryption by clicking on the lock symbol when writing an email. Sometimes users deselect encryption for some reason (maybe just accidentally), then Mail keeps that setting for any subsequent emails. Is there a way to configure Apple Mail in a way that it enforces encryption if a certificate is available for the recipient, so it cannot be turned off by the user? Maybe through a profile?
not2savvy (2070 rep)
Jan 5, 2022, 03:30 PM • Last activity: Nov 8, 2022, 01:38 PM
0 votes
1 answers
727 views
How to configure S/MIME on my iPhone 12
I'm trying to enable my S/MIME certificate but I can't. When I go to the Email Tab in settings, click accounts, click iCloud, then I go to the Account section in settings (Not the one in the iCloud section). I'm looking for the account section there but I can't find it. Please help! Sorry for my bad English.
LowFront (1 rep)
Jul 9, 2021, 07:09 PM • Last activity: Jul 13, 2021, 10:15 AM
1 votes
1 answers
43 views
Reply to signed E-Mail with Apple Mail
I have received a signed and well encrypted E-Mail. I now want to reply to this particular sender using his public key in Apple Mail. But when I press the reply Button, the encrypt icon stays grey. Do I have to import his public key into my key chain first? And if yes, how does this work?
Timo (13 rep)
Oct 15, 2019, 09:28 AM • Last activity: Oct 15, 2019, 05:31 PM
4 votes
2 answers
4655 views
How to see certificate for intermediate CA in Keychain?
When I check details of a certificate I only see information about the certificate itself. Is there any way to see the issuer’s certificate? In my case it’s an intermediate CA. The certificate that I care about is for S/MIME (hence the tag), but I think this should apply to all kinds of certificates in general. I think there should be a way because it’s very intuitive in Windows. Also Chrome on macOS displays the full chain for websites. I think Keychain.app has this information because it labels the certificate as a verified one.
Franklin Yu (683 rep)
Aug 29, 2019, 03:20 AM • Last activity: Aug 29, 2019, 12:00 PM
1 votes
1 answers
929 views
How to store and retrieve S/MIME certificates in Open Directory (LDAP) of macOS Server?
Is it possible to use the Open Directory of the macOS Server app to store and retrieve S/MIME (X.509) certificates with the user data? *Background:* I would like to share our public S/MIME certificates over our LDAP, so they can automatically be retrieved from any (supporting) client without having to import them manually. I have found articles that claim it is possible in general with OpenLDAP, but how can it be done with Open Directory? I understand there are the attributes userCertificate and userSMIMECertificate for this. Are they available in Open Directory, and if not, can they be added? And once they are added, can they be updated through the Server app or just from the command line? The server is on Sierra in case that matters. I'd appreciate any reply or comment or link to a howto that could help.
not2savvy (2070 rep)
Mar 20, 2018, 05:32 PM • Last activity: Jan 22, 2019, 12:42 PM
3 votes
3 answers
3898 views
Re-added certificate leads to unknown authority
Messing around with **Keychain Access** on **macOS Sierra**, it seems like I have accidentally deleted **trusted root certificates** in _Keychain Access_. What I did was opening a **\*.p7s** file to add a **S/MIME** certificate. This threw an error: "An error occurred. Unable to import the certificate. Error: -26276", but still the certificate ended up being listed in _Keychain Access_. Next, opening **Mail** and creating a new Email I was able to use the certificate. I decided to delete the certificate from the Keychain and re-add it in order to resolve the error. Therefore I deleted all entries containing the name of the trusted source I have used for my certificate (I believe). Now adding the same certificate again, still an error appears but the then listed entry says: "This certificate was signed by an unknown authority", and Mail doesn't let me use it anymore... I have also created and added a new certificate with the same authority leading to the same result. Is it even possible I have deleted the default _trusted root certificates_ from inside _Keychain Access_, or why else can I not use the certificate anymore? Is there a way to reset or fix it?
cocoseis (133 rep)
Apr 6, 2017, 12:09 PM • Last activity: Nov 6, 2018, 07:01 PM
2 votes
1 answers
1532 views
How to install S/MIME certificate on iOS 10.2
I tried to create my own S/MIME certificate with the help of this code:

```
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out smime.key 4096
openssl req -new -key smime.key -out smime.csr
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -in smime.crt -inkey smime.key -out smime.p12
```

First, I have to say, on my Mac, everything works fine. I was able to import the root certificate on both devices and I also was able to load the .p12 file. I am even able to send certified emails to my iPhone which can be verified. But when I want to sign a message on my iPhone I go to the advanced Settings in E-Mail and the certificate is just not there. Are there any special requirements for the certificate which I miss here? Is maybe the key length an issue?

**UPDATE**: A 2048 bit RSA certificate seems to work. I am not sure, if this is because it's shorter or because it's not self-signed. I also encountered problems installing the same (and valid) certificate on iOS 9.3.5.
Freddy (121 rep)
Dec 14, 2016, 12:01 AM • Last activity: Nov 3, 2018, 05:00 PM
1 votes
1 answers
2018 views
How to digitally sign a PDF with a X.509 certificate
I'm looking for a tool to digitally sign PDFs with the private key of my X.509 certificate. macOS' Preview app only copies a scan of my handwritten signature into a PDF...
Christian (31 rep)
Jan 29, 2017, 10:24 AM • Last activity: Oct 6, 2018, 05:00 PM
0 votes
0 answers
425 views
SMIME not working anymore on iOS 11+
Since updating to iOS 11 and renewing my SMIME certificates they've stopped working for encryption. Please see (Dutch) screenshots for the valid certificates and the grayed out options to choose "Encrypt" and "Sign".

[Screenshots, including: Profile and cert]

What options do I have, because the free Comodo service offers no solution. You can get the certificates (in IE only) via https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate

Extra steps: Download the root certificate, because if you don't the certificate will be red "Untrusted".
Rob (7228 rep)
Jun 4, 2018, 01:22 PM • Last activity: Jun 4, 2018, 01:29 PM
3 votes
2 answers
1342 views
How can I see if an e-mail is signed in "Mail" (using an Exchange account)?
Usually, a signed message shows a checkmark icon. Clicking on this icon displays the certificate that was used to sign the message:

[Screenshot: Message on iCloud.com]

Not so when a message lies in an exchange mailbox, and is displayed with "Mail" on MacOS (tested up to 10.10):

[Screenshot: Message on Exchange account]

The iPad, on the other hand, handles the exact same message just fine. It is also connected via Exchange protocol to the server:

[Screenshot: Message on iPad]

So: How can I enable this also on "Mail" on OS X? Or is this a bug, or even a permanent restriction?
user89124
Aug 29, 2014, 03:53 PM • Last activity: May 19, 2018, 09:45 AM
1 votes
1 answers
303 views
iOS using wrong public key to encrypt mail
I've recently updated most of my certificates as they've expired at similar times. It appears that iOS mail is encrypting mail to one of my recipients using their old certificate, as such they cannot decrypt it when they receive it. I checked in the one profile that is installed and it only contains my own certificate and key. Where are my recipients' public keys kept? I need to check them and delete the old ones. Otherwise how do you tell iOS which public key to use when encrypting mail?
giantkingsquid (11 rep)
Sep 15, 2016, 12:37 AM • Last activity: Dec 22, 2017, 11:29 AM
0 votes
1 answers
117 views
security cms for S/MIME?
Can I use `security cms` for encrypting and decrypting S/MIME mails? Or is there any alternative?
user60589 (190 rep)
Nov 22, 2017, 01:42 PM • Last activity: Nov 22, 2017, 07:12 PM
2 votes
2 answers
1917 views
Apple Mail doesn't show when a mail is encrypted (using S/MIME)
I have recently started using S/MIME since we got a certificate from our school and are advised to use it when possible. I am using El Capitan 10.11.4. The encryption and decryption process ITSELF works fine, i.e. I can send and receive encrypted and/or signed mails and decrypt them correctly when I have the corresponding certificate. However, if I receive mails that are encrypted or signed and encrypted, it doesn't show in the security header. It's just not there. If I receive mails that are **only** **signed** using S/MIME, it will show correctly however (*Signed (John Doe)*). Again, I can **read** the mail just fine, it just doesn't give me any indication that it's encrypted or signed. On my iPhone it works fine, i.e. it will show the little lock and the "signed symbol". What could be causing this? PS: The "security header" I'm talking about should be this: [image]
Dipleton (21 rep)
May 1, 2016, 03:36 PM • Last activity: Mar 23, 2017, 09:43 AM
0 votes
1 answers
190 views
Signed messages not appearing properly in Mail on 10.11
I do a lot of work with S/MIME and am very familiar with the standard and the software. Since upgrading to 10.11 (El Capitan), S/MIME-signed and encrypted messages have not been appearing as such in my Apple Mail App on my laptop. The same messages do show signed and/or encrypted on my iPhone. I have never seen a problem like this. Any suggestions, other than reinstalling the OS or wiping out the Mail preferences?
vy32 (3564 rep)
Dec 14, 2015, 04:23 PM • Last activity: Jan 11, 2016, 06:09 PM
1 votes
1 answers
237 views
Apple-Mail set S/MIME algorithm
Apple-Mail uses DES-EDE3-CBC and SHA1 for new S/MIME-messages. Nowadays, both algorithms are considered as VERY WEAK and probably crackable by security agencies or even large botnets. Is it somehow possible to force Apple Mail to use something more secure like AES-CBC and SHA2?
K. Biermann (113 rep)
Nov 6, 2015, 03:09 PM • Last activity: Nov 6, 2015, 03:53 PM
Showing page 1 of 20 total questions