Issue Your Own Self-Signed S/MIME Certs with OpenSSL
```bash
# Run this once: create a passphrase-protected CA key and a self-signed CA
# certificate valid for one year.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Run this for each email account. The mail client must import the CA cert
# (ca.crt) as trusted and the resulting .p12 file (key + cert) for the account.
# Borrowed from http://serverfault.com/questions/103263/can-i-create-my-own-s-mime-certificate-for-email-encryption
openssl genrsa -des3 -out smime.key 4096
openssl req -new -key smime.key -out smime.csr
# Sign the CSR with the CA. Note: -set_serial 1 must be changed for every
# further certificate this CA issues (serials must be unique per issuer), and
# the -addtrust/-addreject/-trustout flags write OpenSSL trust settings into
# the PEM (a "TRUSTED CERTIFICATE" block), which some importers do not accept.
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
# Bundle key and certificate into a PKCS#12 file for import into the mail client.
openssl pkcs12 -export -in smime.crt -inkey smime.key -out smime.p12
```
@maknoll commented Jul 6, 2013

thank you very much for this

@rockhouse commented Jan 19, 2014

You need to add the following attributes to your key, otherwise it will not work with iPhones/Macs etc.

In your openssl.cnf you need to define:

- `keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
- `extendedKeyUsage = clientAuth,emailProtection`
- `subjectAltName = email:copy`

see also: http://security.stackexchange.com/questions/30066/which-extensions-to-use-for-a-s-mime-certificate/30069#30069

@scasei commented Aug 6, 2015

I had problems importing the *.p12 into Thunderbird / Win8.1.
If you have problems too, you could try the following for makecert.sh:

```bash
# Note: this reuses the CA private key (ca.key) as the e-mail key, so the
# e-mail certificate is signed by the same key it certifies; a separate
# smime.key (as in the gist) is the safer choice.
openssl req -new -key ca.key -out smime.csr
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -in smime.crt -inkey ca.key -out smime.p12
# Chain file: CA cert followed by the e-mail cert, imported after the .p12
cat ca.crt smime.crt >> smime.pem
```

Then first import 'smime.p12' and next 'smime.pem'. Did it for me.

@simsong commented Jan 6, 2016

Incredibly useful. Thanks.

@neuhaus commented Jan 26, 2016

This is also helpful to generate CSRs for S/MIME certificates signed by a CA (StartSSL now lets you upload your own CSR even for S/MIME). Make sure you use the flag -sha256 while generating the CSR.
Thanks.

@cheyrico2 commented Jul 4, 2016

@scasei and @rockhouse, are you still able to create a certificate? I followed the instructions and was able to install the certificate, but my iPhone (9.3.2) still says that there is no valid certificate found when I try to sign or encrypt. I'm issuing the commands from Cygwin. I'm on Windows 10 Pro, if that matters.

@nils-tekampe commented Dec 31, 2016

Same problem here. The generated cert is not recognised by iOS :-(

@juergenniessen commented Mar 21, 2017

If you use the same CA for more than one certificate you will have to increase the serial number, or use:

```bash
openssl x509 -req -days 365 -in smime.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.seq -out smime.crt -setalias "Self Signed SMIME" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
```

@sopsmattw commented Apr 10, 2017

Similar issues as nils-tekampe: the certs (even with the 3 extensions above) are not recognized by iOS. Android and iOS can decrypt the messages, but cannot encrypt. iOS doesn't see the cert and Android will only sign the message, not encrypt. Any thoughts? If I come up with a solution, I'll post here.

@defaultusername1152 commented Jun 14, 2017

I'm using OpenSSL Win32, v1.0.1e, and can't get this to work. Here are the steps I'm using, if someone would please help out. I need to be able to sign/encrypt mail between Outlook 360 & 2016 and Android. Also, if you could please provide the .CNF file contents as well, that would be awesome.

```bash
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -set_serial 1152 -days 100000 -config email.cnf -key ca.key -out ca.crt
openssl genrsa -aes256 -out email.key 4096
openssl req -new -key email.key -out email.csr -config email.cnf
# Note: "openssl x509 -req" does not apply the extension sections in email.cnf
# unless told which one to use; keyUsage/extendedKeyUsage/subjectAltName only
# reach the certificate with "-extfile email.cnf -extensions <section>".
openssl x509 -req -sha256 -days 100000 -in email.csr -CA ca.crt -CAkey ca.key -set_serial 1153 -out email.crt -setalias MyEmailKey -clrtrust -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
# -passout needs a source prefix ("pass:"); a bare value is rejected as an
# invalid password argument. The password also lands in the shell history.
openssl pkcs12 -export -aes256 -in email.crt -inkey email.key -out email.p12 -name MyEmailKey -passout pass:79112779
```

Thanks!

@sm5050 commented Nov 16, 2018

> Similar issues as nils-tekampe: the certs (even with the 3 extensions above) are not recognized by iOS. Android and iOS can decrypt the messages, but cannot encrypt. iOS doesn't see the cert and Android will only sign the message, not encrypt. Any thoughts? If I come up with a solution, I'll post here.

A year later but what I did:

Used modified instructions from https://www.dalesandro.net/create-self-signed-smime-certificates/

It appears that the critical step for ios/iphone/ipad is a proper config file.

Did this on my raspberry pi using root:

Add a file called smime.cnf to root/etc/ssl with the contents:

```ini
[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[smime]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = email:copy
extendedKeyUsage = emailProtection
```

I then followed everything exactly from https://www.dalesandro.net/create-self-signed-smime-certificates/

I copied the output files to my google drive then downloaded and installed the profiles to my iphone and it worked.

As usual, once you figure out how to do it, it takes about 5 minutes!!!
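As an added, end-to-end example (not code from the gist or from any commenter), the following POSIX shell script folds together what the thread arrived at: a private CA, an end-entity certificate that carries the keyUsage/extendedKeyUsage/subjectAltName extensions from rockhouse's list and sm5050's `[smime]` section, a unique serial per certificate via `-CAcreateserial` (juergenniessen's point), SHA-256 throughout (neuhaus's point), and a `.p12` that also carries the CA certificate. It then checks the certificate the way a mail client does before it offers it for signing or encryption, and proves the key pair works with `openssl cms` sign/verify and encrypt/decrypt round trips. Assumptions: OpenSSL 1.1.1 or later on PATH; the output directory, the address user@example.test, the CA subject, the message text and the `.p12` password `changeit` (override with `P12_PASS`) are placeholders; keys are written unencrypted so the script runs non-interactively.

```bash
#!/bin/sh
# Added example, not code from the gist or its comments. Assumes openssl
# 1.1.1+ on PATH; outdir, user@example.test, the CA subject and the P12
# password "changeit" are placeholders. Keys are unencrypted so the run is
# non-interactive; add -aes256 to genpkey for real use.
set -eu

# The [smime] section is what iOS/macOS Mail need to show the lock icon; it is
# applied with -extfile/-extensions when the CA signs the CSR.
write_smime_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
commonName = Common Name

[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[smime]
basicConstraints = CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = email:copy
EOF
}

# issue_smime_certs <outdir> <email>: CA (created once) plus one e-mail cert.
issue_smime_certs() {
    d=$1; email=$2
    mkdir -p "$d"
    write_smime_cnf "$d/smime.cnf"
    if [ ! -f "$d/ca.crt" ]; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$d/ca.key" 2>/dev/null
        openssl req -new -x509 -sha256 -days 3650 -config "$d/smime.cnf" \
            -extensions ca_ext -key "$d/ca.key" \
            -subj "/O=Home/CN=Private mail CA" -out "$d/ca.crt"
    fi
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/smime.key" 2>/dev/null
    # emailAddress in the subject is what subjectAltName=email:copy copies.
    openssl req -new -sha256 -config "$d/smime.cnf" -key "$d/smime.key" \
        -subj "/CN=$email/emailAddress=$email" -out "$d/smime.csr"
    # -CAcreateserial keeps a counter in ca.srl, so every cert gets a unique serial.
    openssl x509 -req -sha256 -days 365 -in "$d/smime.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/smime.cnf" -extensions smime -out "$d/smime.crt" 2>/dev/null
    # -certfile puts ca.crt into the bundle so the client can build the chain.
    openssl pkcs12 -export -in "$d/smime.crt" -inkey "$d/smime.key" \
        -certfile "$d/ca.crt" -name "$email" \
        -passout "pass:${P12_PASS:-changeit}" -out "$d/smime.p12"
}

# check_smime_cert <outdir> <email>: the checks a client performs before it
# offers the cert for signing and encryption. Returns non-zero on any miss.
check_smime_cert() {
    d=$1; email=$2
    txt=$(openssl x509 -in "$d/smime.crt" -noout -text)
    for want in "E-mail Protection" "Digital Signature" "Key Encipherment" "email:$email"; do
        case $txt in *"$want"*) ;; *) echo "missing: $want" >&2; return 1 ;; esac
    done
    openssl verify -CAfile "$d/ca.crt" -purpose smimesign "$d/smime.crt" >/dev/null &&
    openssl verify -CAfile "$d/ca.crt" -purpose smimeencrypt "$d/smime.crt" >/dev/null
}

# smime_roundtrip <outdir>: sign+verify and encrypt+decrypt a constructed message.
smime_roundtrip() {
    d=$1
    printf 'Hello from the added S/MIME example.\n' > "$d/msg.txt"  # constructed input
    openssl cms -sign -binary -nodetach -in "$d/msg.txt" -signer "$d/smime.crt" \
        -inkey "$d/smime.key" -out "$d/msg.signed"
    openssl cms -verify -binary -in "$d/msg.signed" -CAfile "$d/ca.crt" \
        -out "$d/msg.verified" 2>/dev/null
    [ "$(cat "$d/msg.txt")" = "$(cat "$d/msg.verified")" ] || return 1
    openssl cms -encrypt -binary -aes256 -in "$d/msg.txt" -out "$d/msg.enc" "$d/smime.crt"
    openssl cms -decrypt -binary -in "$d/msg.enc" -recip "$d/smime.crt" \
        -inkey "$d/smime.key" -out "$d/msg.dec"
    [ "$(cat "$d/msg.txt")" = "$(cat "$d/msg.dec")" ]
}

# Usage: sh smime_demo.sh <outdir> <email>; with no arguments only the
# functions are defined, so the file can also be sourced.
if [ $# -eq 2 ]; then
    issue_smime_certs "$1" "$2"
    check_smime_cert "$1" "$2"
    smime_roundtrip "$1"
    echo "OK: import $1/ca.crt as trusted and $1/smime.p12 into the mail client"
fi
```

Run it as `sh smime_demo.sh ./out user@example.test`, then import `out/ca.crt` as a trusted root and `out/smime.p12` for the account. `check_smime_cert` separates the two halves of the "can decrypt but cannot encrypt" reports above: the E-mail Protection EKU, digitalSignature/keyEncipherment and the `email:` SAN must all be present, and the chain must verify for both the `smimesign` and the `smimeencrypt` purpose; a certificate that passes only one of the `openssl verify` calls is a likely cause of that symptom. On OpenSSL 3 the `.p12` is encrypted with AES and PBKDF2 by default; if an older client refuses to import it, re-export with `-legacy`.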

@jakeunltd commented Feb 23, 2019

Thanks so much @sm5050 !!

https://www.dalesandro.net/create-self-signed-smime-certificates/

That was the perfect guide and now I can do a self signed S/MIME cert on my Mail.app on macOS 10.14.3.

@chinsyo commented May 9, 2019

> Thanks so much @sm5050 !!
>
> https://www.dalesandro.net/create-self-signed-smime-certificates/
>
> That was the perfect guide and now I can do a self signed S/MIME cert on my Mail.app on macOS 10.14.3.

I have followed the post above step by step, and could not encrypt mail with S/MIME.
Generating certificates was successful, but there is no lock displayed at the mail receiver.
Could you please describe the steps you've done?

@chinsyo commented May 9, 2019

> Thanks so much @sm5050 !!
>
> https://www.dalesandro.net/create-self-signed-smime-certificates/
>
> That was the perfect guide and now I can do a self signed S/MIME cert on my Mail.app on macOS 10.14.3.

I'm not able to get Mail on macOS (10.14.4) or Mail on iOS (12.2) to cooperate with me.

I've created a CA and a test user (test@gmail.com for example), installed the test user's p12 on my iPhone, and logged in as the test user in iOS Mail.

Turned on the settings for sign and encrypt in account/mail/advanced.

Finally, I went to Mail and sent a mail to myself. Nothing happened (no lock as described in many other tutorials); logging in to the web page, the mail is plain.
