S/MIME Encrypted Email Example with Gmail and Comodo and macOS

S/MIME Encrypted Email Example with Gmail and Comodo

A quick how-to for obtaining and installing an S/MIME certificate for a Gmail account on macOS. The certificate can be used both to encrypt and to sign emails.

Obtain and install an S/MIME Certificate

  1. Create a unique revocation passphrase in a password manager—long, random, unique.
  2. Browse to Comodo and request a free, secure email certificate:
     • Enter your name, email address, and specify the maximum 2048 bit length
     • Enter your revocation passphrase in case your private key is ever stolen or compromised
     • Accept Comodo's service terms and hit Next
     • A retrieval link will be sent to your email. Click the link and download the file, named CollectCCC.p7s
  3. Install the S/MIME certificate in your Keychain by simply double-clicking on this file.
     • Double-check that you see the S/MIME certificate in your keychain at Keychain Access>login>My Certificates
     • Use Keychain Access to save an encrypted backup copy of your certificate
       • Click the little down arrow next to your certificate name, username@gmail.com
       • Highlight the certificate username@gmail.com and Key from secure.comodo.com
       • File>Save As…>Personal Information Exchange (.p12), choose a strong, unique passphrase saved in a password manager.
  4. Delete the unencrypted, insecure file CollectCCC.p7s.
     • Your file will not be securely deleted from disk unless you have enabled Full Disk Encryption
     • If you haven't already done so, enable FileVault for Full Disk Encryption
  5. Encourage your circle of correspondents to use S/MIME security by sharing this page.

Use your S/MIME certificate for email encryption and signing

  1. The macOS Mail app will automatically use this S/MIME certificate to encrypt and sign all emails from this email address.
  2. To use this certificate for email in a web client, see Fossa Guard for Chrome.
  3. To use this certificate on iOS:
     • Mail the (passphrase encrypted) .p12 backup file to yourself
     • In iOS Mail, open the email, tap the .p12 certificate, and enter the passphrase; it will be installed under Settings>General>Profiles
       • Alternatively, use macOS Server's Profile Manager to add this certificate to all devices in your group
     • Turn on email encryption and signing using your certificate for this account
       • Settings>Mail>Accounts>Gmail>Account>Advanced>S/MIME> On, Sign, Encrypt by Default

Security details

  1. Comodo's free S/MIME certificates are issued for one year.
     • Every year you must request a new certificate after the old certificate has expired
     • You must keep old certificates in your Keychain if you would like to be able to decrypt old emails
  2. If you would like longer term (2 year) or higher security (4096 bit) certificates, you must issue them yourself using openssl commands to create a certificate authority.
  3. The contents of the unencrypted Comodo file CollectCCC.p7s may be viewed with the command:
     • openssl asn1parse -inform DER -in CollectCCC.p7s
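The two points above (self-issuing a longer-lived, 4096-bit certificate from your own CA, and inspecting a PKCS#7 certificate bundle like CollectCCC.p7s) as one worked example. This is an added script, not the gist author's, and nothing here comes from Comodo: it assumes openssl 1.1.1 or later on PATH, uses the placeholder address username@example.com and a scratch directory, and the function names (make_ca, make_user_cert, bundle_p12, make_p7s and the check functions) are my own. It builds a private CA, signs an S/MIME end-entity certificate with the emailProtection extended key usage and the address in subjectAltName (what mail clients match against From:), exports a passphrase-protected .p12 for Keychain or iOS import, and writes a DER PKCS#7 certificate-only bundle of the same shape as CollectCCC.p7s so you can compare `openssl pkcs7 -print_certs` against the `asn1parse` dump.

```shell
#!/bin/sh
# Added example (not the gist author's): self-issue a 4096-bit, two-year S/MIME
# certificate from a private CA, bundle it as .p12, and inspect a .p7s-style
# PKCS#7 certificate bundle. Assumes openssl 1.1.1+; EMAIL/WORK are placeholders.
set -eu

EMAIL="${EMAIL:-username@example.com}"   # placeholder, not a real mailbox
WORK="${WORK:-$(mktemp -d)}"             # scratch directory for keys and certs
CA_BITS=4096
USER_BITS=4096
DAYS=730                                 # two-year validity, as the gist suggests

# 1. Private CA: 4096-bit key and a self-signed root with CA:TRUE and keyCertSign.
#    An explicit config file keeps the result independent of the system openssl.cnf.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Personal S-MIME CA (placeholder)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$CA_BITS" -out "$WORK/ca.key"
  openssl req -x509 -new -config "$WORK/ca.cnf" -key "$WORK/ca.key" \
    -sha256 -days "$DAYS" -out "$WORK/ca.crt"
}

# 2. End-entity key and CSR, signed by the CA with S/MIME-specific extensions:
#    digitalSignature+keyEncipherment (sign and encrypt), emailProtection EKU,
#    and the address in subjectAltName so clients can match it to From:.
make_user_cert() {
  cat > "$WORK/user.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $EMAIL
emailAddress = $EMAIL
[smime_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$EMAIL
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$USER_BITS" -out "$WORK/user.key"
  openssl req -new -config "$WORK/user.cnf" -key "$WORK/user.key" -sha256 -out "$WORK/user.csr"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$DAYS" -sha256 \
    -extfile "$WORK/user.cnf" -extensions smime_ext -out "$WORK/user.crt"
}

# 3. Passphrase-protected PKCS#12 (key + cert + CA) for Keychain/iOS import. $1 = passphrase.
bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
    -certfile "$WORK/ca.crt" -name "$EMAIL" -passout "pass:$1" -out "$WORK/user.p12"
}

# 4. DER PKCS#7 certificate-only bundle: the same container shape as CollectCCC.p7s,
#    which holds no private key, only the issued certificate and its chain.
make_p7s() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/user.crt" -certfile "$WORK/ca.crt" \
    -outform DER -out "$WORK/bundle.p7s"
}

# Checks a practitioner would run before trusting the result.
key_bits()       { openssl x509 -in "$WORK/user.crt" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
has_email_eku()  { openssl x509 -in "$WORK/user.crt" -noout -text | grep -q 'E-mail Protection'; }
verify_chain()   { openssl verify -CAfile "$WORK/ca.crt" -purpose smimesign "$WORK/user.crt" >/dev/null; }
p7s_cert_count() { openssl pkcs7 -inform DER -in "$WORK/bundle.p7s" -print_certs | grep -c 'BEGIN CERTIFICATE'; }
p12_has_key()    { openssl pkcs12 -in "$WORK/user.p12" -passin "pass:$1" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'; }

# Stand-alone run: SMIME_EXPORT_PASS='...' sh smime_ca.sh
if [ -n "${SMIME_EXPORT_PASS:-}" ]; then
  make_ca; make_user_cert; bundle_p12 "$SMIME_EXPORT_PASS"; make_p7s
  echo "artifacts in $WORK: $(key_bits)-bit key, $(p7s_cert_count) certs in bundle.p7s"
  verify_chain && echo "chain verifies for S/MIME signing"
  openssl asn1parse -inform DER -in "$WORK/bundle.p7s" | head -n 5
fi
```

Run it with SMIME_EXPORT_PASS set to the .p12 passphrase you keep in your password manager; user.p12 is what you double-click into Keychain Access, and the CA key in the scratch directory is the thing to protect (or destroy) afterwards. Two caveats: a self-issued certificate is only trusted by correspondents who have installed your ca.crt as a trusted root, which is the trade-off against a public CA's 2048-bit one-year certificate; and OpenSSL 3 writes .p12 files with AES-256/PBKDF2 by default, which older macOS Keychain versions refuse, so add `-legacy` to the `openssl pkcs12 -export` line if the import fails.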
@Janet-Baker

Comodo CA has changed its name to Sectigo, and now their free S/MIME certificates are valid for only 30 days instead of a year, but they can be obtained here.

@Manouchehri

@Janet-Baker I get "Sorry, this service is not currently available" on that link, sadly.

@Manouchehri

I discovered this free S/MIME provider, which still gives 1-year certificates. It appears to be trusted by Apple and Google already.

https://extrassl.actalis.it/portal/uapub/freemail?lang=en

Downsides:

  1. Cannot provide your own certificate signing request (CSR). This means that Actalis has/had your private key on their system at some point.
  2. The private key is fixed at RSA 2048-bit, not 4096-bit.
