openssl and mail.app
apple
October 31st, 2003
while surfing the mac hint sites yesterday i saw a posting about how to set up mail.app to use a thawte certificate to send signed and encrypted email messages. i was pretty geeked, but then i wasn’t sure i wanted to give thawte my information just to get a cert (big brother and all). why couldn’t i create my own certificate authority and sign my own certs? there really was no technical reason (a trust reason, yes, but not a technical one) … so i did just that …
first i went to google and did a search on “open ssl cert generation” and turned up this very useful page. i followed the directions in the “setting up your openssl ca” section. in short, i created my ca keypair ( openssl genrsa -des3 -out CA.key <key_size> ) with a key size of 1024. i then created my ca certificate ( openssl req -new -key CA.key -x509 -days 1095 -out CA.crt ) with 1095 days as my validity period. this is straight out of that webpage, nothing different yet. once you’re there, be sure to do as the author said and secure your files with the proper permissions; i used ( chmod 400 <filename> ) to protect each of the generated files.
now is where the directions vary from the original thawte directions, because we have to get our cert trusted as an authority before we can import it into our keychain. to do this, open the finder and go to the directory where you stored your certs. double-click the .crt file generated in the steps above; this should launch the keychain access application and ask where you want to import the cert. choose x509 anchors from the list and click ok. this adds your cert to the trusted x509 authorities. you should be prompted for your administrator password at that step.
now that the cert is trusted, we have to generate a p12 certificate like the thawte directions did. to do this, run another openssl command ( openssl pkcs12 -export -inkey CA.key -certfile CA.crt -in CA.crt -out mycert.p12 ). once it’s generated, double-click the mycert.p12 file in finder and import it into your login keychain. once it’s in keychain access, you need to give mail.app permission to access this certificate.
after that you’re done; just quit mail.app and restart it. you should have all of the features described in the thawte posting and can send signed and encrypted email messages.
as a note, if you want to print the x509 fingerprint of your cert you can use ( openssl x509 -fingerprint -noout -in CA.crt ). also, if you want to view your x509 anchors, you can import that keychain into the keychain access application by going to file -> add keychain and selecting it from the /system/library/keychains directory. you should see your generated cert in that trusted list now. enjoy, and let me know if you have any questions.
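the whole procedure above, end to end, as an added example that is not part of the original post: the script below builds the ca the same way the post does, but instead of exporting the ca key itself as the mail identity it issues a separate s/mime certificate for one mailbox, signed by that ca, and bundles that into the .p12, so the ca key only ever signs and never travels in the keychain file. it assumes a posix shell with the openssl command, a 2048-bit key size instead of the post’s 1024 (1024-bit rsa is no longer considered adequate), an unencrypted ca key for scripting (add -des3 or -aes256 as the post does for a key you keep around), the constructed mailbox address user@example.com, and a placeholder export passphrase taken from the P12_PASS variable. the file names CA.key and CA.crt follow the post; mail.key, mail.crt, mail.p12 and the smime.ext extension file are the example’s own.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a private CA, issues a
# separate S/MIME certificate for one mailbox signed by that CA, and bundles
# key + leaf + CA into a PKCS#12 file for Keychain Access.
# Assumptions (not in the post): 2048-bit RSA, unencrypted CA key, a scratch
# directory, the constructed address user@example.com, placeholder passphrase.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
EMAIL="${EMAIL:-user@example.com}"      # constructed sample mailbox
P12_PASS="${P12_PASS:-changeit}"        # placeholder export passphrase
cd "$WORKDIR"
umask 077                               # new files are owner-only from the start

# 1. CA key and self-signed CA certificate: the post's "setting up your
#    openssl ca" step, 3 years of validity as in the post.
make_ca() {
    openssl genrsa -out CA.key 2048 2>/dev/null
    openssl req -new -x509 -days 1095 -key CA.key -out CA.crt \
        -subj "/CN=Home Mail CA/O=Example" 2>/dev/null
}

# 2. A separate key and signing request for the mailbox, then extensions that
#    mark the result as an e-mail identity rather than another CA.
make_mailbox_cert() {
    openssl genrsa -out mail.key 2048 2>/dev/null
    openssl req -new -key mail.key -out mail.csr \
        -subj "/CN=Example User/emailAddress=$EMAIL" 2>/dev/null
    cat > smime.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$EMAIL
EOF
    # Sign the request with the CA (one year; the CA outlives its leaves).
    openssl x509 -req -in mail.csr -CA CA.crt -CAkey CA.key -CAcreateserial \
        -days 365 -extfile smime.ext -out mail.crt 2>/dev/null
}

# 3. The post's pkcs12 step, with the mailbox key/cert and the CA cert as the
#    chain, ready for a double-click import into the login keychain.
export_p12() {
    openssl pkcs12 -export -inkey mail.key -in mail.crt -certfile CA.crt \
        -name "$EMAIL" -out mail.p12 -passout "pass:$P12_PASS"
    chmod 400 CA.key mail.key mail.p12     # the post's chmod 400 on the secrets
}

# Checks a practitioner runs before importing anything.
verify_chain() {            # does the mailbox cert chain to our CA?
    openssl verify -CAfile CA.crt mail.crt >/dev/null 2>&1
}
leaf_is_smime() {           # leaf is an e-mail identity, not a CA
    openssl x509 -noout -text -in mail.crt | grep -q 'E-mail Protection' &&
    openssl x509 -noout -text -in mail.crt | grep -q 'CA:FALSE'
}
ca_fingerprint() {          # the post's fingerprint command, SHA-256 digest
    openssl x509 -fingerprint -sha256 -noout -in CA.crt
}
p12_readable() {            # the bundle opens with the export passphrase
    openssl pkcs12 -in mail.p12 -nokeys -passin "pass:$P12_PASS" >/dev/null 2>&1
}

make_ca
make_mailbox_cert
export_p12
verify_chain && leaf_is_smime && p12_readable
echo "CA fingerprint to compare out of band: $(ca_fingerprint)"
echo "import $WORKDIR/CA.crt as an anchor and $WORKDIR/mail.p12 into the login keychain"
```

import CA.crt into the x509 anchors and mail.p12 into the login keychain as the post describes; the mailbox certificate is then trusted because it chains to the ca. verify_chain is the same chain validation a correspondent’s mail client performs, and the ca fingerprint is what that correspondent compares with you over another channel before adding your ca to their own anchors.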
November 17th, 2003 at 6:40 pm
The problem with creating a cert yourself is that there is no web-of-trust that ties the cert to a party that’s trusted on the recipient’s machine.
I don’t know how mail will handle this but it will likely label the signed message as being from an untrusted party.
November 19th, 2003 at 2:00 pm
it works just fine (with no warning, maybe because the web of trust is implicit?) if i send it to myself. i haven’t tested it with someone else. Thanks for the info though, Sean!
January 21st, 2004 at 10:53 pm
This looks great, but only thing is, I don’t have an x509 anchors list available in my keychain. I only have one for my username and another one called System. In other tutorials, x509 anchors exists in addition to these two, but I can’t get it to show up.
Do I need to be logged in as root or something to make it show up?