Issue Your Own Self-Signed S/MIME Certs with OpenSSL

makeauthority.sh

# Run this once
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

makecert.sh

# Run this for each email account.  The system must install the CA cert and the resulting p12 file in order to be happy.

# Borrowed from http://serverfault.com/questions/103263/can-i-create-my-own-s-mime-certificate-for-email-encryption

openssl genrsa -des3 -out smime.key 4096
openssl req -new -key smime.key -out smime.csr
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -in smime.crt -inkey smime.key -out smime.p12

thank you very much for this

You need to add the following attributes to your key otherwise it will not work with iPhones/Mac etc.

in your openssl.cnf you need to define:

• keyUsage = nonRepudiation, digitalSignature, keyEncipherment
• extendedKeyUsage = clientAuth,emailProtection
• subjectAltName=email:move

see also: http://security.stackexchange.com/questions/30066/which-extensions-to-use-for-a-s-mime-certificate/30069#30069

I had problems importing the *p12 into Thunderbird / Win8.1 .
If you have problems too, you could try following for makecert.sh:

openssl req -new -key ca.key -out smime.csr
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -in smime.crt -inkey ca.key -out smime.p12
cat ca.crt smime.crt >> smime.pem

Than first import 'smime.p12' and next 'smime.pem'. Did it for me.

Incredibly useful. Thanks.

This is also helpful to generate CSRs for S/MIME certificates signed by a CA (StartSSL now lets you upload your own CSR even for S/MIME). Make sure you use the flag -sha256 while generating generate the CSR.
Thanks.

@scasei and @rockhouse, Are you still able to create a certificate, I followed the instructions and was able to install the certificate but my IPhone(9.3.2) still says that there is not valid certificate found when I tried to sign or encrypt. I'm issuing the command from Cygwin. I on Windows 10 Pro, if that matters.

Same problem here. The generated cert is not recognised by iOS :-(

If you use the same CA for more than one certificate you will have to increase the serialnumber or use
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.seq -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout

Similar issues as nils-tekampe, the certs (even with the 3 extensions above) are not recognized by IOS. Android and IOS can decrypt the messages, but cannot encrypt. IOS doesn't see the cert and Android will only sign the message, not encrypt. Any thoughts? If I come up with a solution, I'll post here.

I'm using OpenSSL Win32, v.1.01.e and can't get this to work. Here are the steps I'm using if someone would please help out. I need to be able to sign/encrypt mail between Outlook 360 & 2016 and Android. Also, if you could please provide the .CNF file contents as well that would be awesome.

openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -set_serial 1152 -days 100000 -config email.cnf -key ca.key -out ca.crt
openssl genrsa -aes256 -out email.key 4096
openssl req -new -key email.key -out email.csr -config email.cnf
openssl x509 -req -sha256 -days 100000 -in email.csr -CA ca.crt -CAkey ca.key -set_serial 1153 -out email.crt -setalias MyEmailKey -clrtrust -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -aes256 -in email.crt -inkey email.key -out email.p12 -name MyEmailKey -passout 79112779

Thanks!