@richieforeman
Created July 23, 2012 21:38
Issue Your Own Self-Signed S/MIME Certs with OpenSSL
# Run this once
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Run this for each email account. The system must install the CA cert and the resulting p12 file in order to be happy.
# Borrowed from http://serverfault.com/questions/103263/can-i-create-my-own-s-mime-certificate-for-email-encryption
openssl genrsa -des3 -out smime.key 4096
openssl req -new -key smime.key -out smime.csr
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -in smime.crt -inkey smime.key -out smime.p12
@maknoll

maknoll commented Jul 6, 2013

thank you very much for this

@rockhouse

You need to add the following attributes to your key, otherwise it will not work with iPhones/Macs etc.

In your openssl.cnf you need to define:

  • keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  • extendedKeyUsage = clientAuth,emailProtection
  • subjectAltName=email:copy

see also: http://security.stackexchange.com/questions/30066/which-extensions-to-use-for-a-s-mime-certificate/30069#30069

@scasei

scasei commented Aug 6, 2015

I had problems importing the *.p12 into Thunderbird / Win8.1.
If you have problems too, you could try the following for makecert.sh:

openssl req -new -key ca.key -out smime.csr
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -in smime.crt -inkey ca.key -out smime.p12
cat ca.crt smime.crt >> smime.pem

Then first import 'smime.p12' and next 'smime.pem'. Did it for me.

@simsong

simsong commented Jan 6, 2016

Incredibly useful. Thanks.

@neuhaus

neuhaus commented Jan 26, 2016

This is also helpful to generate CSRs for S/MIME certificates signed by a CA (StartSSL now lets you upload your own CSR even for S/MIME). Make sure you use the flag -sha256 while generating the CSR.
Thanks.

@cheyrico2

@scasei and @rockhouse, are you still able to create a certificate? I followed the instructions and was able to install the certificate, but my iPhone (9.3.2) still says that there is no valid certificate found when I try to sign or encrypt. I'm issuing the command from Cygwin. I'm on Windows 10 Pro, if that matters.

@nils-tekampe

Same problem here. The generated cert is not recognised by iOS :-(

@juergenniessen

If you use the same CA for more than one certificate you will have to increase the serial number or use
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.seq -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout

@sopsmattw

Similar issues as nils-tekampe, the certs (even with the 3 extensions above) are not recognized by iOS. Android and iOS can decrypt the messages, but cannot encrypt. iOS doesn't see the cert and Android will only sign the message, not encrypt. Any thoughts? If I come up with a solution, I'll post here.

@defaultusername1152

I'm using OpenSSL Win32, v1.0.1e and can't get this to work. Here are the steps I'm using, if someone would please help out. I need to be able to sign/encrypt mail between Outlook 360 & 2016 and Android. Also, if you could please provide the .CNF file contents as well, that would be awesome.

openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -set_serial 1152 -days 100000 -config email.cnf -key ca.key -out ca.crt
openssl genrsa -aes256 -out email.key 4096
openssl req -new -key email.key -out email.csr -config email.cnf
openssl x509 -req -sha256 -days 100000 -in email.csr -CA ca.crt -CAkey ca.key -set_serial 1153 -out email.crt -setalias MyEmailKey -clrtrust -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -aes256 -in email.crt -inkey email.key -out email.p12 -name MyEmailKey -passout pass:79112779

Thanks!

@sm5050

sm5050 commented Nov 16, 2018

Similar issues as nils-tekampe, the certs (even with the 3 extensions above) are not recognized by iOS. Android and iOS can decrypt the messages, but cannot encrypt. iOS doesn't see the cert and Android will only sign the message, not encrypt. Any thoughts? If I come up with a solution, I'll post here.

A year later but what I did:

Used modified instructions from https://www.dalesandro.net/create-self-signed-smime-certificates/

It appears that the critical step for ios/iphone/ipad is a proper config file.

Did this on my raspberry pi using root:

Add a file called smime.cnf to root/etc/ssl with the contents:

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[smime]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = email:copy
extendedKeyUsage = emailProtection

I then followed everything exactly from https://www.dalesandro.net/create-self-signed-smime-certificates/

I copied the output files to my google drive then downloaded and installed the profiles to my iphone and it worked.

As usual, once you figure out how to do it, it takes about 5 minutes!!!
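The gist's script and sm5050's [smime] config section above, combined into one runnable procedure (an added example, not the gist's own script or dalesandro.net's): the extensions from the config are applied at the x509 -req step with -extfile/-extensions, which the original script does not do (its -addtrust/-addreject flags set OpenSSL trust settings in the output file, not X.509v3 extensions), and the result is checked with openssl verify before anything is imported. Key sizes, names and the .p12 password are constructed for the example.

```shell
# Added example (not the gist's own script): issue an S/MIME cert carrying the
# keyUsage/extendedKeyUsage/subjectAltName extensions this thread says iOS needs.
set -eu

write_smime_cnf() {   # $1 = path of the config file to write
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = Common Name
emailAddress = Email Address
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[smime]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = email:copy
extendedKeyUsage = emailProtection
EOF
}

# $1 = work dir, $2 = holder's name, $3 = e-mail address (constructed by the caller).
# Keys are unencrypted and the .p12 password is fixed so this runs non-interactively.
make_smime_cert() {
    d=$1; name=$2; email=$3
    write_smime_cnf "$d/smime.cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/ca.key" 2>/dev/null
    openssl req -new -x509 -days 365 -config "$d/smime.cnf" -extensions v3_ca \
        -subj "/CN=Example S-MIME CA" -key "$d/ca.key" -out "$d/ca.crt"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/smime.key" 2>/dev/null
    openssl req -new -config "$d/smime.cnf" -subj "/CN=$name/emailAddress=$email" \
        -key "$d/smime.key" -out "$d/smime.csr"
    # -extfile/-extensions is the step the gist lacks; without it the leaf has no KU, EKU or SAN.
    openssl x509 -req -days 365 -sha256 -in "$d/smime.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/smime.cnf" -extensions smime -out "$d/smime.crt" 2>/dev/null
    openssl pkcs12 -export -in "$d/smime.crt" -inkey "$d/smime.key" -certfile "$d/ca.crt" \
        -passout pass:changeit -out "$d/smime.p12"
}

# Succeeds only if the chain verifies for S/MIME signing and encryption and the address is in the SAN.
check_smime_cert() {   # $1 = work dir, $2 = e-mail address
    openssl verify -CAfile "$1/ca.crt" -purpose smimesign "$1/smime.crt" >/dev/null &&
    openssl verify -CAfile "$1/ca.crt" -purpose smimeencrypt "$1/smime.crt" >/dev/null &&
    openssl x509 -noout -text -in "$1/smime.crt" | grep -q "email:$2"
}
```

Run it as `make_smime_cert ./out "Alice Example" alice@example.com && check_smime_cert ./out alice@example.com`; the check failing on a cert made with the original script is the symptom the iOS reports in this thread describe.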


ghost commented Feb 23, 2019

Thanks so much @sm5050 !!

https://www.dalesandro.net/create-self-signed-smime-certificates/

That was the perfect guide and now I can do a self signed S/MIME cert on my Mail.app on macOS 10.14.3.

@chinsyo

chinsyo commented May 9, 2019

Thanks so much @sm5050 !!

https://www.dalesandro.net/create-self-signed-smime-certificates/

That was the perfect guide and now I can do a self signed S/MIME cert on my Mail.app on macOS 10.14.3.

I have followed the post above step by step, and could not encrypt mail with S/MIME.
Generating the certificates was successful, but there is no lock displayed on the receiving side.
Could you please describe the steps you've done?

@chinsyo

chinsyo commented May 9, 2019

Thanks so much @sm5050 !!

https://www.dalesandro.net/create-self-signed-smime-certificates/

That was the perfect guide and now I can do a self signed S/MIME cert on my Mail.app on macOS 10.14.3.

I’m not able to get Mail on macOS (10.14.4) or Mail on iOS (12.2) to cooperate with me.

I’ve created a CA and a test user (test@gmail.com for example), installed the test user’s p12 on my iPhone, and logged in as the test user in iOS Mail.

Turned on the settings for sign and encrypt in account/mail/advanced.

Finally, went to Mail and sent mail to myself. Nothing happened (no lock as described in many other tutorials); logging in to the web page, the mail is plain.
