Issue Your Own Self-Signed S/MIME Certs with OpenSSL
# Run this once
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Run this for each email account. The system must install the CA cert and the resulting p12 file in order to be happy.
# Borrowed from http://serverfault.com/questions/103263/can-i-create-my-own-s-mime-certificate-for-email-encryption
openssl genrsa -des3 -out smime.key 4096
openssl req -new -key smime.key -out smime.csr
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -in smime.crt -inkey smime.key -out smime.p12

maknoll commented Jul 6, 2013

thank you very much for this

You need to add the following attributes to your key, otherwise it will not work with iPhones/Macs etc.

In your openssl.cnf you need to define:

  • keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  • extendedKeyUsage = clientAuth,emailProtection
  • subjectAltName=email:move

see also: http://security.stackexchange.com/questions/30066/which-extensions-to-use-for-a-s-mime-certificate/30069#30069
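Added example, not the gist author's script or the commenter's configuration: it runs the gist's CA and S/MIME issuance steps non-interactively, supplies the keyUsage / extendedKeyUsage / subjectAltName extensions listed in the comment above through an extension file (note that `openssl x509 -req` does not copy extensions from the CSR, so they have to be given at signing time), and then performs the checks a mail client effectively does before it will use the certificate: chain validation for the smimesign and smimeencrypt purposes, a look at the extensions as written, and opening the PKCS#12 with its passphrase. The working directory, the CA name "Demo S-MIME Root CA", the mailbox alice@example.com and the passphrase "changeit" are constructed demo values.

```shell
#!/bin/sh
# Added example (not code from the gist or its comments). Names below are
# assumptions: the working dir, the CA name, alice@example.com, the passphrase.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
EMAIL="${EMAIL:-alice@example.com}"
P12_PASS="${P12_PASS:-changeit}"   # demo value only

# Minimal config for "openssl req": lets -subj work without the system
# openssl.cnf and holds the CA extensions that "req -x509" applies.
write_config() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[ dn ]
CN = unused-when-subj-given

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Leaf extensions. "openssl x509 -req" does NOT copy extensions from the CSR,
  # so they are passed at signing time with -extfile. email:copy copies the
  # emailAddress from the subject DN into the SAN, where mail clients look for
  # it (email:move, as in the comment above, also removes it from the DN).
  cat > "$WORKDIR/smime.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:copy
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Run once: CA key and self-signed CA certificate (the gist's first two steps).
# Keys are left unencrypted so the demo is non-interactive; the gist's -des3
# prompts for a passphrase instead.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 -config "$WORKDIR/req.cnf" \
    -key "$WORKDIR/ca.key" -subj "/CN=Demo S-MIME Root CA" -out "$WORKDIR/ca.crt"
}

# Run per mailbox: key, CSR, CA-signed certificate, PKCS#12 bundle.
make_smime() {
  openssl genrsa -out "$WORKDIR/smime.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$WORKDIR/req.cnf" -key "$WORKDIR/smime.key" \
    -subj "/CN=$EMAIL/emailAddress=$EMAIL" -out "$WORKDIR/smime.csr"
  # -CAcreateserial keeps the serial in ca.srl, so a second certificate from
  # the same CA does not reuse the serial number of the first one.
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/smime.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/smime.ext" -out "$WORKDIR/smime.crt" 2>/dev/null
  # -certfile bundles the CA certificate so importers see the whole chain.
  openssl pkcs12 -export -in "$WORKDIR/smime.crt" -inkey "$WORKDIR/smime.key" \
    -certfile "$WORKDIR/ca.crt" -name "$EMAIL" \
    -passout "pass:$P12_PASS" -out "$WORKDIR/smime.p12"
}

# Check 1: the leaf validates against the CA for both S/MIME purposes
# (signing needs digitalSignature/nonRepudiation, encryption needs keyEncipherment).
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -purpose smimesign "$WORKDIR/smime.crt" >/dev/null &&
  openssl verify -CAfile "$WORKDIR/ca.crt" -purpose smimeencrypt "$WORKDIR/smime.crt" >/dev/null
}

# Check 2: print the three extensions exactly as they ended up in the cert.
show_extensions() {
  openssl x509 -in "$WORKDIR/smime.crt" -noout -text |
    grep -E -A1 'X509v3 (Key Usage|Extended Key Usage|Subject Alternative Name)'
}

# Check 3: the .p12 parses and opens with the passphrase it was exported with.
check_p12() {
  openssl pkcs12 -in "$WORKDIR/smime.p12" -passin "pass:$P12_PASS" -noout
}

run_demo() {
  write_config
  make_ca
  make_smime
  verify_chain
  show_extensions
  check_p12
  echo "artifacts in $WORKDIR"
}

run_demo
```

If `openssl verify -purpose smimesign` or `-purpose smimeencrypt` fails here, the certificate is missing one of the key usages above and a mail client will refuse it for that operation no matter how the .p12 was imported; running the verify commands against a certificate you already issued is the quickest way to tell a content problem from an import problem.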

scasei commented Aug 6, 2015

I had problems importing the *.p12 into Thunderbird / Win8.1.
If you have problems too, you could try the following for makecert.sh:

openssl req -new -key ca.key -out smime.csr
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -in smime.crt -inkey ca.key -out smime.p12
cat ca.crt smime.crt >> smime.pem

Then first import 'smime.p12' and next 'smime.pem'. Did it for me.

simsong commented Jan 6, 2016

Incredibly useful. Thanks.

neuhaus commented Jan 26, 2016

This is also helpful to generate CSRs for S/MIME certificates signed by a CA (StartSSL now lets you upload your own CSR even for S/MIME). Make sure you use the flag -sha256 while generating the CSR.
Thanks.

@scasei and @rockhouse, are you still able to create a certificate? I followed the instructions and was able to install the certificate, but my iPhone (9.3.2) still says that there is no valid certificate found when I try to sign or encrypt. I'm issuing the command from Cygwin. I'm on Windows 10 Pro, if that matters.

Same problem here. The generated cert is not recognised by iOS :-(

If you use the same CA for more than one certificate you will have to increase the serial number, or use
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.seq -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout

Similar issues as nils-tekampe: the certs (even with the 3 extensions above) are not recognized by iOS. Android and iOS can decrypt the messages, but cannot encrypt. iOS doesn't see the cert and Android will only sign the message, not encrypt. Any thoughts? If I come up with a solution, I'll post here.

I'm using OpenSSL Win32, v.1.01.e and can't get this to work. Here are the steps I'm using if someone would please help out. I need to be able to sign/encrypt mail between Outlook 360 & 2016 and Android. Also, if you could please provide the .CNF file contents as well that would be awesome.

openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -set_serial 1152 -days 100000 -config email.cnf -key ca.key -out ca.crt
openssl genrsa -aes256 -out email.key 4096
openssl req -new -key email.key -out email.csr -config email.cnf
openssl x509 -req -sha256 -days 100000 -in email.csr -CA ca.crt -CAkey ca.key -set_serial 1153 -out email.crt -setalias MyEmailKey -clrtrust -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -aes256 -in email.crt -inkey email.key -out email.p12 -name MyEmailKey -passout pass:79112779

Thanks!
