Select certificate for encrypted eMail

Similar Messages

• A certificate for encryption??

  I had a tag come down on my screen last night about a certificate.. for encryption signatures etc.. it wouldn't let me shut down or do anything except click ok.. I don't know what this is.. or if it is safe.. I have tried to call several Apple support places but I have exceeded my 90 days from purchase and was never told about the support for my apple that I could only have if I purchased it when I purchased my computer.. so.. I'm throwing it out there.. could anyone enlighten me?!?!  thanks

  Just send him a signed email message. He will receive your public key and can install it in his keychain.

• Mail uses wrong certificate for encrypting S/MIME messages

  Encrypted email I send using Mail Version 4.2 (1077) under OS X 10.6.2 to my work account cannot be decrypted. It appears that Mail is using the signing certificate, rather than the encryption certificate, to encrypt the email.
  The internal Certificate Authority at my employer has issued two certificates to me: A signing and an encryption certificate. Both certificates are properly stored in my keychain.
  The encryption certificate carries a 0x20 in the key usage field to designate the certificate to be used for encipherment purposes. The signing certificate carries a 0x80 in the key usage field to designate the certificate to be used for digital signatures.
  I understand that the S/MIME standard stipulates that for encrypting messages, the certificate with 0x20 in the key usage field should be used by the mail application.
  However, messages I sent are encrypted using the signing certificate (0x80 in the key usage field) and therefore cannot be decrypted on the receiving end. I examined the encrypted email using an [application|http://www.eriugena.org/blog/?p=57] to extract the serial number of the certificate used for encryption.
  We are using Outlook 2003 as our mail application at work.
  Has anybody ever come across this problem? Am I missing something - is there a way to tell Mail what certificate to use for encryption?
  Thanks,
  -Michael.

  I'm have a problem that sounds related.
  Both my wife and I created self signed mail certificates, and sent email to each other and trusted each others certificates. We were then able to send encrypted emails back and forth and our emails showed up as having trusted digital signatures.
  Then, we both purchased Verisign email certificates, and installed them in our keychains, deleting the old self-signed certificates, and repeated the process of establishing a chain of trust.
  This worked fine for me running Snow Leopard but did not work for her on Leopard. Her emails to me appear to be signed by both the old self-signed certificate and to include the new verisign certificate. Looking at the message source there is only one application/pkcs7-signature block, but in the UI it is showing both certificates.
  I don't understand how the self-signed certificate is showing up at all, since it has been deleted from her keychain.

• Unable to select Certificate for Remote Desktop Connection

  Hi,
  I have created a certificate with below parameter in inf file through a local Standalone 2008 r2 CA & imported it into Computer personal certificate store but unable to see this certificate entry while trying to select it under Remote desktop connection.
  Somewhere saw we should have the private key in personal certificate store but didn't get how/where to get that key. Is that the reason, m unable to select this certificate or there is something missing in the input parameter used in inf file. Kindly suggest
  what could be the problem.
  [NewRequest]
  Subject="CN=Server.Domain.com"
  Exportable=TRUE
  KeyLength=2048
  KeySpec=1
  KeyUsage=0xf0
  MachineKeySet=TRUE
  [EnhancedKeyUsageExtension]
  OID=1.3.6.1.5.5.7.3.1
  OID=1.3.6.1.5.5.7.3.2
  OID=1.3.6.1.4.1.311.54.1.2
  Regards,
  Dhiraj

  Hi,
  Problem is resolved now. i have done below two changes.
  --> used KeyUsage=0xA0 in inf file.
  --> imported certificate through certreq -accept. Earlier i was importing cert from mmc.
  I think second point resolved my problem. i even didn't think that mmc & command can make this difference.
  Dhiraj

• How do I get a personal certificate in order to send and receive encrypted emails?

  How do I get a personal certificate in order to send and receive encrypted emails on my MacBook Pro, iPad mini and iPhone 4S?

  This Apple document tells how to use them: Mail (Mavericks): Use personal certificates in Mail
  You need to get the certificate from a certificate authority (CA) like:
  Sign Up now for Free Secure Email Certificate with Digital Signature
  Digital Certificate Signing | Free Email Certificate
  Symantec Digital IDs for Secure Email – Digital Signature | Symantec
  Email SSL | SSL Certificates for Secure Email Encryption and Digital Signatures
  OT

• Certificate for E-mail

  Hello,
  I am using Windows 2003 certificate server to create an internally signed certificate to use with outlook. My understanding is that I will need the public and private keys to build my PKI and send encrypted e-mail.
  I have created an x.509 certificate with the following usage Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
  My questions are: what is the next step? How can I import this into outlook?
  I have  imported it into IE successfully and manually placed it in several stores. So from what I've read outlook should see it in the store, but instead, outlook prompts me with:
  " No certificates meet the application criteria".
  Also, how to I get the private Key? When I export the certificate, the Wizard ends with
  Export Keys "No"
  Exclude All Certificates in the Certification Part "No"
  So can I I build my PKI?
  Thanks for any help on this...
  Miguel Fra / Falcon ITS
  Computer & Network Support , Miami, FL
  Visit our Knowledgebase Sharepoint Site

  Miguel,
  You seem to be having some trouble understanding some of the concepts involved in deploying a PKI solution here, and the information you have provided in your post isn't really enough to help troubleshoot any problem you're having.
  Here are the basic steps you need to follow to get a certificate issued that can be used for S/MIME:
  1. Install Certificate Services as an Enterprise CA.
  2. Duplicate the User certificate template.
  3. On the Extensions tab, select Application Policies and click Edit.
  4. Remove the Client Authentication and Encrypting File System policies, leave the Secure Email policy.
  5. Assign the appropriate Read and Enroll permission on the Security tab.
  6. Save the new template with a descriptive name.
  7. Publish the template at the CA.
  8. Enroll for a new certificate.
  9. Configure Outlook to use the certificate.
  You shouldn't have to manually install the certificate as the process of enrollment itself should be sufficient. Its really hard to anwer your questions since I've got no idea how you performed the enrollment in the first place, what application policies are included in the certificate, etc. As far as your question about exporting the keys, if you want to be able to export the private key, you need to ensure that option is selected on the Request Handling tab of the template prior to enrolling for the certificate.
  Some other things you need to consider are:
  1. If this certificate is going to be used for encrypting email as well as signing, have you configured one or more key recovery agents? If you haven't and the user loses their certificate, they will no longer be able to access encrypted email they've sent that is stored in their Sent Items folder.
  2. I've mentioned this in one of the other threads you have on this topic but it is worth mentioning again, no one outside of your organization is going to trust your PKI so unless you distribute your root certificate and any intermediate certificates any signed email that gets sent to someone outside your org will show that there's a problem with the signature which kind of defeats the purpose of using signed email in the first place.
  3. You also have to consider the fact that no one outside of your organization will be able to retrieve a Certificate Revocation List (CRL) which will also cause problems with the signature.
  Standing up a PKI is not a trivial task and standing one up to simply issue a few S/MIME certificates especially without fulling understanding how a PKI works, nor how to properly design, deploy, and support one is both overkill and a recipe for disaster. I know that you mentioned in one of the other threads that your customer is insisting on standing up Certificate Services to issue these certificates, however, if I were in your shoes, I'd continue to strongly discourage them from going down this path and strongly encourage them to simply purchase the required certificates from an external vendor. And I've been working with Certificate Services for years and do large scale, enterprise wide deployments for a living. You aren't doing your customer any favours by bowing to their wishes and even if they get everything up and running, how in the world are they going to be able to properly maintain and administer the PKI after you've completed the deployment and are no longer around?
  Sorry for the long winded response but IMO you really need to reconsider the whole approach here. Sometimes, the best solution is to simply tell the customer they're wrong and that you won't participate and what is bound to be a failed deployment.
  Paul Adare
  CTO
  IdentIT Inc.
  ILM MVP

• Sending encrypted emails from the iPad is not working

  I can't get sending encrypted emails working on my iPad3 running iOS 8.0.2
  Let me explain what I did:
  1. I created S/MIME certificates for 2 email addresses on my iMac in Keychain Access. One email address exists only on the iMac the other only on the iPad.
  2. I set "When using this certificate" to "Always Trust" in both certificates.
  3. I exported 1 S/MIME certificate (p12) and installed it on the iPad. Then I deleted this certificate and its private&public keys in iMac Keychain Access
  4. I exchanged public certificates between the 2 devices. I installed one certificate in iMac Keychain Access and the other in iPad/Settings/General/Profiles.
  5. On the iMac in the iPad certificate I set "When using this certificate" to "Always Trust"
  6. I tested whether I can send and receive signed and/or encrypted emails
  Results:
  1. From the iMac I can send signed and/or encrypted emails to the iPad.
      On the iPad I can read the encrypted emails. The signature is not trusted
  2. On the iPad I can send signed messages to the iMac. On the iMac the signature is trusted.
      I cannot send encrypted emails from the iPad to the iMac. The iPad doesn't know about the public certificate in iPad/Settings/General/Profiles
  So much for the straight forward part. Now it gets a bit more complicated and confusing.
  1. I deleted the iMac certificate in the iPad/Settings/General/Profiles. Then in iPad Mail I opened the signed mail coming from the iMac.
      I viewed the untrusted certificate in Mail and installed it. From this point on all signed emails from the iMac are trusted.
      Strangely the by this method installed certificate doesn't appear in iPad/Settings/General/Profiles.
      Furthermore I still cannot send encrypted messages to the iMac. This certificate installation seems to be used only to check trust worthiness of the signature.
      Installing on top the iMac public certificate in iPad/Settings/General/Profiles doesn't enable to send encrypted messages from the iPad either.
  To be sure that this problem relates to the iPad certificate management and is not related to an error by me I did the following:
  1. I transferred a p12 file for a certificate that I created in my iMac to a PC running Windows7.
  2. I transferred a p12 file plus its public key (.pem) that I created in my iMac to another iMac into Keychain Access. (I have not tested if the pem is needed).
  3. On the other iMac and the PC I made sure that the certificates are trusted.
      On the PC that means in the Certificate Manager the p12 needs to be in the "Personal" folder and in the "Trusted Root Certification Authorities" folder.
      The public keys need to be in the "Trusted People" folder and the "Other People" folder. One can just copy/paste the certificates.
  4. In both cases I deleted the certificate and public/private keys on my iMac.
  5. I exchanged public certificates between the devices.
  6. I tested exchanging signed and/or encrypted emails between my iMac and the PC and my iMac and the other iMac.
  Result:
  1. I can send signed and/or encrypted emails to the other iMac and the PC
  2. The PC and the other iMac trust the signature from my iMac and can read the encrypted emails
  3. My iMac can read encrypted emails from the PC and the other iMac
  4. My iMac trusts emails with signatures from the PC and the other iMac.
  Everything is working as it should.
  After the above test I wanted to see whether I can set up encrypted email exchange between the iPad and the PC. Strangely iPad Mail recognized the public certificate from the PC installed in iPad/Settings/General/Profiles and allowed me to send an encrypted email to the PC. However, on the PC I was unable to read the encrypted email. And the other way around, encrypted emails send from the PC to the iPad cannot be read on the iPad.
  My conclusion from all this testing is that iPad mail encryption is still "under construction".

  I was able to resolve the above described problem to some degree. Setting up sending and receiving encrypted emails between iOS and OSX I have working.
  What is still not working is reading encrypted emails on the iPad/iOS8 received from Windows 7 PC. And sending encrypted emails to Windows 7 PC.
  The details about how I solved part of the problem are described here.

• Select certificate - 403 Forbidden: Access is denied in Safari

  Safari is asking to 'Select Certificate' for a website.
  It shows two certificates the old one which expired in Feb last year and the current one which is set to expire in 3011!
  Regardless which one you choose it comes back with....
  Server Error
  403 - Forbidden: Access is denied.
  You do not have permission to view this directory or page using the credentials that you supplied.
  p.s. This is the current version on Windows Vista and have replicated it on another computer. Have tried uninstalling (and deleteing all Apple's hidden updaters/helpers and all folders in the setting/program files areas). Then re-installed and exactly the same problem comes back.
  Tried it on a Mac too with the same problem.
  The website is www.amplicon.com and the certificate is issued by 'COMODO CA Limited'

  Your right, it works fine from my home. Just tried it on the Mac here. But it was a client that first informed us of the problem and trying it from the office on both Mac and PC Safari fialed but all other browsers were fine.
  At the office everything is synced to the network time clock, and I can tell you we would know if the time was wrong...
  But as it was fialing on both the Mac and PC versions in the same building it seems like it's not a OS issue, maybe it's our DNS server or something on the windows network that Safari is not dealing with that well, but other browsers seem to have no problems with.
  We did change SSL supplier recently, maybe it's only a problem with browsers that have had the old and new certificate running in the browser.
  I would just think it was an internal issue, but as it was reported by a regular client it is obviously replicable in more than one location.
  Is there any hidden places Safari hides the certificate info that would not get removed when you uninstall Safari? Like in the registry or in windows somewhere, if so is there a way to clear it. Or could it be getting it from a cache somewhere on the network?
  It's not really a big issue as we don't have many Safari users, but we do like to make sure Safari is supported and works on the site.

• Sharing a self-signed certificate for email encryption

  Hi,
  I know how to create a certificate in Keychain Access. And once I do that I can sign and (when sending to myself) encrypt email messages. But I'd like to give this certificate to a friend, so he can import it to his Keychain and receive messages from me. I see "export" in the File menu (of Keychain Access), but it seems like that is saving the whole certificate. Isn't there a "public key" portion of the certificate, which is the only part I should export to give to others? How do I do that?
  thanks,
  Rob

  Just send him a signed email message. He will receive your public key and can install it in his keychain.

• How to list all trusted certificates that I selected to trust from email recipients

  Hi,
  I'm happy Mac user for not very long, and recently I have bought iPhone 4S, and I'm very happy with it (except the battery life, but this is another question )
  When I'm sending mail I like to use certificates in order to sign and encrypt messages with my friend and colleagues. I use this this feature on my Macs and it works great.
  I've purchased iPhone, and decided to use this nice feature here as well, and must to say, it also works great. On both (Mac OS X and iOS) you have to install your certificate first, then  you can send signed emails. The only difference between Mac OS and iOS regarding this is that if I want to send encrypted messages to my recipients in Mac OS you have just to receive signed e-mail, but in iOS additionally I have to install their certificates manually (receive signed e-mail->tap on sender in Mail->select View certificate->Install certificate). That is additional task, but not too annoying.
  Now the question: how can I list all my certificates that I have chosen to trust (i.e. installed certificates)? In Mac OS X I can open Keychain and find all certificates there, but in iPhone I cannot. Even more - if I installed a certificate for the person that is in my contacts, I can view and/or remove certificate only by selecting the e-mail message (not contact from my address book - there is nothing about certificates associated to contact).
  Thanks in advance!
  BR,
  Justas
  Make mail safer! Install certificate - it's free!

  Start by defining "display". Then continue by reading this:
  http://forum.java.sun.com/help.jspa?sec=formatting

• Encoding configuration for signed and encrypted emails

  I have a 8820 device (no BES server)  - I have certificates downloaded and trust on the device.  I can attach the requisite certificates to the message, but I do not have the option to select signing or encrypting encoding.  the menu does not give me this option.  I have the S/MIME package installed.  Any thoughts / pointers?

  The S/MIME support package is only supported with a BES. You might try Djigzo for BlackBerry. Djigzo for BlackBerry is an add-on to the Djigzo Email Encryption Gateway which can be used to send and receive S/MIME digitally signed and encrypted email from a BlackBerry smartphone. An installation of the Djigzo gateway is required.
  Djigzo for BlackBerry and the Djigzo gateway is open source and can be freely used.
  For more information see www.djigzo.com
  Djigzo open source email encryption

• GPO For Outlook Certificates Used For Encryption and Digital Signatures?

  How can we configure a group policy to distribute certificates to Outlook 2010 users so they can digitally sign and encrypt messages without requiring much effort on their end?
  The users will become confused and make mistakes if we ask them to follow instructions on how to download and import certificates into Outlook 2010 manually.  Can we automate this with Group Policy?

  Would a certificate "autoenrollment" GPO work for these types of certificates?
  Yes. Here's a good guide. The user will still need to choose to sign, or encrypt, unless you want to enforce that in some way. If you are sending signed or encrypted email outside of your AD, you will need to solve how the recipients will get your root cert,
  etc.
  http://davidmtechblog.blogspot.com.au/2013/06/exchange-2010-security-smime-part-1.html
  http://davidmtechblog.blogspot.com.au/2013/07/exchange-2010-security-smime-part-2.html
  http://davidmtechblog.blogspot.com.au/2013/07/exchange-2010-security-smime-part-3.html
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Every time I try to open a new web page a window pops up saying the certificate for the page is invalid?? It won't let me on my emails or Facebook

  Every time I try to open a new web page a window pops up saying the certificate for the page is invalid?? It won't let me on my emails or Facebook

  This could be a complicated problem to solve, as there are several possible causes for it.
  Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.
  Step 1
  From the menu bar, select
             ▹ System Preferences... ▹ Date & Time
  Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the data and time shown (including the year) are correct, and correct them if not.
  Check the box marked 
            Set date and time automatically
  if it's not already checked, and select one of the Apple time servers from the menu next to it.
  Step 2
  Start up in safe mode and log in to the account with the problem.
  Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for further instructions.
  Safe mode is much slower to start up and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal startup may also be somewhat slow.
  The login screen appears even if you usually login automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
  If the problem is not reproducible in safe mode, then it's caused by third-party "anti-virus" or "security" software. If you know what that software is, remove it as directed by the developer after backing up all data. If you don't know what it is, ask for instructions.
  Step 3
  Triple-click anywhere in the line below on this page to select it:
  /System/Library/Keychains/SystemCACertificates.keychain
  Right-click or control-click the highlighted line and select
            Services ▹ Show Info
  from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.
  Repeat with this line:
  /System/Library/Keychains/SystemRootCertificates.keychain
  If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.
  *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.
  Step 4
  Launch the Keychain Access application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad and start typing the name.
  In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.
  In the Keychains list, there should be items named System and System Roots. If not, select
            File ▹ Add Keychain
  from the menu bar and add the following items:
  /Library/Keychains/System.keychain
  /System/Library/Keychains/SystemRootCertificates.keychain
  Open the View menu in the menu bar. If one of the items in the menu is
            Show Expired Certificates
  select it. Otherwise it will show
            Hide Expired Certificates
  which is what you want.
  From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled
            Secure Sockets Layer (SSL)
  select
            no value specified
  Close the inspection window. You'll be prompted for your administrator password to update the settings.
  Now open the same inspection window again, and select
            When using this certificate: Use System Defaults
  Save the change in the same way as before.
  Revert all the certificates with non-default trust settings. Never again change any of those settings.
  Step 5
  Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.
  Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select
            Help ▹ Keychain Access Help
  from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.
  Step 6
  From the menu bar, select
            Keychain Access ▹ Preferences... ▹ Certificates
  There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to  CRL.
  Step 7
  Triple-click anywhere in the line of text below on this page to select it:
  /var/db/crls
  Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
            Go ▹ Go to Folder...
  from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
  A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.
  Restart the computer, empty the Trash, and test.
  Step 8
  Triple-click anywhere in the line below on this page to select it:
  open -e /etc/hosts
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  Launch the built-in Terminal application in the same way you launched Keychain Access.
  Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:
  # Host Database
  # localhost is used to configure the loopback interface
  # when the system is booting.  Do not change this entry.
  127.0.0.1                              localhost
  255.255.255.255          broadcasthost
  ::1                                        localhost
  fe80::1%lo0                    localhost
  If that's not what you see, post the contents of the window.

• Update Secure Certificate for Mail (Identification and Encryption)

  Hello...
  Can you help?
  I have several email addresses; all of which have valid secure certificates (stored by default automatically in Key Chain).
  Whereas previously the certificates did not feature my name, new ones have been issued which do.
  So... my question is as follows:
  How do I point Mail to use the new certificates that have my name engrained within, opposed to the older ones which do not?
  Thank you, in advance.
  A

  Hi ... I have been struggling with exactly this point, too. Try out the new Leopard feature called "New preferred Identity". For this open keychain, go to my certificates and control-click on each certificate individually as choose "new preferred identity". Here you can type the e-mail address and choose one of your certificates to be used "preferably". This is the official Apple way of doing it and you may read further information in the support section. Please let me know if it works with you!
  In any case, it hasn't worked for me. I had to delete all old certificates for the same e-mail address and keep only the most recent one with my real-life name in it (you can delete right in keychain). After restart mail.app only uses the new certificate for signing e-mails.
  You would expect that deleting the old certificate destroys your ability to read the older encrypted e-mails. But the good news is that everytime you open an e-mail with your old certificate mail.app will add the old certificate back to keychain and you can again read your encrypted e-mails which used the 'public' key from the old certificate. Although mail.app will add the old certificates again it will continue to use the new certificate. I call this a work-around because really the "new identity preference" should have worked.
  I hope I helped you.
  Valentin.

• Can't get Mail to recognize Thawte certificate for signing and encrypting

  I got a certificate from Thawte and double clicked on the p12 file. This installed the certificate in the login section of the Keychain. I read in several places that it must be in the X509Anchors chain in order to work. However, whenever I try to import it or copy it there I can't get past the authentication screen. I give it the password to decrypt the p12 file and that works, but then it asks for a password for the X509Anchors keychain. I'm giving it my login password, but that doesn't work. What am I doing wrong?

  You shouldn't have to do anything with the X509Anchors keychain. The X509Anchors keychain contains certificate authority (CA) certificates, i.e., certificates associated with CA's that sign certificates. In it you'll find various CA certificates for thawte among others.
  After you've successfully imported your thawte cert into your login chain, restart mail (I don't think you need to restart keychain access, but it wouldn't hurt).
  Now when you compose a message, you should see encrypt and sign buttons to the right and below the subject line. This of course assumes the email address configured in mail is the same as the one in the thawte certificate.