openssl and mail.app


while surfing the mac hint sites yesterday i saw a posting about how to set up mail.app to use a thawte certificate to send signed and encrypted email messages. i was pretty geeked, but then i wasn’t sure if i wanted to give thawte my information just to get a cert (big brother and all). why couldn’t i create my own certificate authority and sign my own certs? there really was no technical reason, trust reason yes, technical no … so i did just that …

first i went to google and did a search on “open ssl cert generation” and turned up this very useful page. i followed the directions in the “setting up your openssl ca” section. in short, i created my ca keypair ( openssl genrsa -des3 -out CA.key <key_size> ) with a key size of 1024. i then created my ca certificate ( openssl req -new -key CA.key -x509 -days 1095 -out CA.crt ) with 1095 days as my validity time. this is straight out of that webpage, nothing different yet. once you’re there, be sure to do as the author said and secure your files with the proper permissions; i used ( chmod 400 <filename> ) to protect each of the generated files.

now is where the directions vary from the original thawte directions, because we have to get our cert in as a trusted authority before we can import it into our keychain. to do this, open up the finder application and go to the directory where you stored your certs. double click the .crt file that was generated in the above steps; this should launch the keychain access application and ask you where you want to import this cert. choose x509 anchors from the list and click ok. this will add your cert to the trusted x509 authorities. you should be prompted at that step for your administrator password.

now that we have the cert trusted we have to generate a p12 certificate like the thawte directions did. to do this you need to run another openssl command to generate it ( openssl pkcs12 -export -inkey CA.key -certfile CA.crt -in CA.crt -out mycert.p12 ). once this is generated, double click on the mycert.p12 file in finder and import it into your login keychain. once it’s imported into keychain access you need to give mail.app permission to access this certificate.

after that you’re done; just quit mail.app and restart it. you should have all of the features defined in the thawte posting and can send signed and encrypted email messages.

as a note, if you want to print out the x509 fingerprint for your cert you can use this command ( openssl x509 -fingerprint -noout -in CA.crt ). also, if you want to view your x509 anchors you can import that keychain into the keychain access application by going to file -> add keychain and selecting it from the /system/library/keychains directory. you should see your generated cert in that trusted list now. enjoy and let me know if you have any questions.
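here is the whole openssl sequence from the steps above as one script, so it can be re-run without answering prompts. this is an added example, not from the original post or the page it links to. it assumes openssl is on your path; the passphrase and the subject line are placeholders you should replace; the key size is 2048 rather than the 1024 used above, since 1024-bit rsa is no longer considered safe; and the p12 step passes the cert only via -in, because -certfile is for extra chain certs and a single self-signed cert does not need it. the verify function is an added check that the cert really does validate against itself before you bother importing it.

```shell
#!/bin/sh
# added example (not the post's own commands): self-signed ca + p12 for mail.app
# assumptions: openssl installed; "changeme" and the -subj values are placeholders
set -eu

# make_ca DIR DAYS : create CA.key and CA.crt in DIR, valid for DAYS days
make_ca() {
  dir="$1"; days="$2"
  mkdir -p "$dir"
  # private key wrapped with 3des as in the post; passphrase is a placeholder
  openssl genrsa -des3 -passout pass:changeme -out "$dir/CA.key" 2048 2>/dev/null
  # self-signed x509 cert; -subj replaces the interactive questions
  # (the email address is what mail.app matches against your account)
  openssl req -new -x509 -days "$days" -key "$dir/CA.key" -passin pass:changeme \
    -subj "/CN=example person/emailAddress=person@example.invalid" \
    -out "$dir/CA.crt" 2>/dev/null
  # lock the files down as the post recommends
  chmod 400 "$dir/CA.key" "$dir/CA.crt"
}

# make_p12 DIR : bundle key + cert into mycert.p12 for the keychain import
make_p12() {
  dir="$1"
  openssl pkcs12 -export -inkey "$dir/CA.key" -passin pass:changeme \
    -in "$dir/CA.crt" -passout pass:changeme -out "$dir/mycert.p12" 2>/dev/null
  chmod 400 "$dir/mycert.p12"
}

# fingerprint DIR : print the sha256 fingerprint of CA.crt
# (compare this with what keychain access shows after the import)
fingerprint() {
  openssl x509 -fingerprint -sha256 -noout -in "$1/CA.crt"
}

# verify_self_signed DIR : exit 0 only if CA.crt validates with itself as the anchor,
# which is exactly what adding it to x509 anchors makes the system do
verify_self_signed() {
  openssl verify -CAfile "$1/CA.crt" "$1/CA.crt" >/dev/null 2>&1
}

# usage: sh make_mail_cert.sh /path/to/certs
if [ "$#" -ge 1 ]; then
  make_ca "$1" 1095
  make_p12 "$1"
  verify_self_signed "$1" && echo "cert verifies against itself"
  fingerprint "$1"
fi
```

one caveat when re-doing this with a current openssl: openssl 3 writes pkcs12 files with newer default ciphers, and older keychain importers may refuse them, in which case `openssl pkcs12 -export -legacy …` produces the older format.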