S/MIME Encrypted Email Example with Gmail and Comodo and macOS

S/MIME Encrypted Email Example with Gmail and Comodo

A quick how-to for installing a secure S/MIME certificate for a Gmail account on macOS. This certificate can be used to both encrypt and sign emails.

Obtain and install an S/MIME Certificate

  1. Create a unique revocation passphrase in a password manager: long, random, unique.
  2. Browse to Comodo and request a free, secure email certificate:
  • Enter your name and email address, and specify the maximum 2048-bit key length
  • Enter your revocation passphrase, for use in case your private key is ever stolen or compromised
  • Accept Comodo's service terms and hit Next
  • A retrieval link will be sent to your email. Click the link and download the file, named CollectCCC.p7s
  3. Install the S/MIME certificate in your Keychain by simply double-clicking on this file.
  • Double-check that you see the S/MIME certificate in your keychain at Keychain Access>login>My Certificates
  • Use Keychain Access to save an encrypted backup copy of your certificate
    • Click the little down arrow next to your certificate name,
    • Highlight the certificate and Key from
    • File>Save As…>Personal Information Exchange (.p12), choose a strong, unique passphrase saved in a password manager.
  4. Delete the unencrypted, insecure file CollectCCC.p7s.
  • Your file will not be securely deleted from disk unless you have enabled Full Disk Encryption
  • If you haven't already done so, enable FileVault for Full Disk Encryption
  5. Encourage your circle of correspondents to use S/MIME security by sharing this page.

Use your S/MIME certificate for email encryption and signing

  1. The macOS Mail app will automatically use this S/MIME certificate to encrypt and sign all emails from this email address.
  2. To use this certificate for email in a web client, see Fossa Guard for Chrome.
  3. To use this certificate on iOS:
  • Mail the (passphrase encrypted) .p12 backup file to yourself
  • On iOS Mail, open the email, and click on the .p12 certificate, enter the passphrase, and it will be installed in your Settings>General>Profiles
    • Alternatively, use macOS Server's Profile Manager to add this Certificate to all devices in your group
  • Turn on Email encryption and Signing using your certificate for this account
    • Settings>Mail>Accounts>Gmail>Account>Advanced>S/MIME> On, Sign, Encrypt by Default

Security details

  1. Comodo's free S/MIME certificates are issued for one year.
  • Every year you must request a new certificate after the old certificate has expired
  • You must keep old certificates in your Keychain if you would like to be able to decrypt old emails
  2. If you would like longer-term (2 year) or higher-security (4096 bit) certificates, you must issue them yourself using openssl commands to create a certificate authority.
  3. The contents of the unencrypted Comodo file CollectCCC.p7s may be viewed with the command:
  • openssl asn1parse -inform DER -in CollectCCC.p7s
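
The self-issued route mentioned under Security details, as an added example (not part of the original gist and not Comodo's procedure): a shell function that creates a private certificate authority with openssl and issues a 2-year, 4096-bit S/MIME certificate from it. The function name, file names, CA name and the `P12_PASS` variable are assumptions; correspondents must install and trust `ca.crt` before their mail clients accept this certificate.

```shell
# Added example: private CA + S/MIME certificate with openssl. All names are constructed.
# Usage: P12_PASS='...' issue_smime_cert DIR EMAIL [BITS] [DAYS]
issue_smime_cert() (
  dir=$1; email=$2; bits=${3:-4096}; days=${4:-730}
  [ -n "$dir" ] && [ -n "$email" ] && [ -n "${P12_PASS:-}" ] || {
    echo "usage: P12_PASS=... issue_smime_cert DIR EMAIL [BITS] [DAYS]" >&2; exit 2; }
  umask 077                        # key files readable by the owner only
  mkdir -p "$dir" && cd "$dir" || exit 1

  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > smime.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[smime_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
EOF

  # 1. Self-signed root (the certificate authority). ca.key is written
  #    unencrypted: keep DIR on an encrypted volume or move the key offline.
  openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 3650 \
    -config smime.cnf -extensions ca_ext -subj "/CN=Example Personal Mail CA" \
    -keyout ca.key -out ca.crt 2>/dev/null &&
  # 2. User key and signing request for the mail address.
  openssl req -new -newkey "rsa:$bits" -nodes -sha256 -config smime.cnf \
    -subj "/CN=$email/emailAddress=$email" \
    -keyout user.key -out user.csr 2>/dev/null &&
  # 3. CA signs the request; the extensions allow both signing and encryption.
  openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days "$days" -sha256 -extfile smime.cnf -extensions smime_ext \
    -out user.crt 2>/dev/null &&
  # 4. Passphrase-protected .p12 for Keychain Access or iOS; drop the bare key.
  openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
    -name "$email" -passout env:P12_PASS -out user.p12 &&
  rm -f user.key user.csr
)
```

OpenSSL 3.x writes the .p12 with AES-256 and a SHA-256 MAC by default; if an older Keychain Access rejects it, repeat step 4 with `-legacy` added.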


@Janet-Baker Janet-Baker commented Jan 5, 2021

Comodo CA has changed its name to Sectigo, and now their free S/MIME certificates are valid for only 30 days instead of a year, but they can be obtained here.
