Sometimes sensitive data needs to be sent via email and as it travels to its destination it can be intercepted by hackers, isps, the office i.t. geek or even a nosy government. In this tutorial, we’ll discuss how to use Apple’s Mail application to send secure emails that are signed and encrypted.
How does it work? Both parties get a free personal certificate from a trusted source and then we let Mail do the rest.
This tutorial is based on using Apple Mail on Mac OS X 10.4 (Tiger).
Step 1: Create a free Thawte account
From your browser, go to thawte.com and click on the Join button to create a free account. Follow the instructions to sign up and once completed, confirm your account through the email received.
Step 2: Request a Personal Email Certificate
Once your Thawte account is created and confirmed, you need to request a personal email certificate. Login to the Thawte website though your browser and click on the “Request a Certificate” link from the Certificates section of the menu. From there, select the X.509 format certificate and choose the default settings on the next screens. Note that you will be asked to choose what browser you are using, if you are on safari, you can just select the Firefox option and proceed to the next screen until finished.
Step 3: Install Certificate
Once the certificate request form is completed, you will receive a confirmation email that should have a link to download the certificate. If by any chance your email is lost, you can download it from the “View Certificate Status” section of the Thawte site. Keep note that a certificate is good for the computer that it was issued from. Double clicking the downloaded file called “deliver.exe” should open it up in the Keychain Access Application and install automatically. You can quit Keychain access now since it’s not required to be open to use the certificate.
Step 4: Test Certificate
To test the certificate just open a New Message window in Mail. As long as the email you certified is the one selected in the Account pulldown menu you will notice that there are now two new buttons on the right side of the window, a lock and a check-mark.
Signed Email
A signed email allows your recipient to verify your identity as the sender and also ensures that the message or it’s attachments have not been tampered with during transit. As long as your personal certificate is installed in your computer, you can send a signed email.
Encrypted Email
An encrypted message offers a higher level of security since the contents of the email are encrypted and can only be viewed when certificates for both the sender and the recipient are present. To send an encrypted message you must first send a signed email so that the recipient receives your certificate. The recipient then needs to send you an email so that both of you now have each other’s certificates, assuming the recipient has a personal email certificate.
When the email is received, Mail will show that it’s signed and encrypted by displaying it’s appropriate icon. For an encrypted message, if the recipient does not have the sender’s key, Mail will NOT display the message content. For example, if somebody sends me an encrypted email and I read it through my webmail, I will not be able to read it’s contents because it is an encrypted email. But if I read it through the Mail application and I have the sender’s key from a previews signed message then it will display properly.
Conclusion
Other than the process of going though an external website for obtaining a certificate, Mail’s integration of signed and encrypted messages is seamless. It’s a great feature that is just hidden until needed. Making the user experience simple and clean. And there’s nothing like discovering a great new feature on an App you’ve been using for a long time now.
UPDATE:
For those of you having problems getting it to work, Lisa seems to have found a workaround using Firefox. Here’s the exerpt from her comment.
- Fetch your certificate from Thawte’s site in Firefox (or another browser that will backup/export certificates). The certificate should be automatically installed.
- In Firefox (if that’s what you used), go to Preferences > Advanced > Encryption > View Certificates.
- Highlight your certificate and click the Backup button, save your p12 file, and choose a password for it.
- Go to Keychain Access and choose File > Import…, open the saved p12 file, and type your password when prompted.
- Your certificate should now appear in the ‘My Certificates’ section in Keychain. Then open Mail and give it another try — the buttons should be there, provided you have the correct account selected.
Hello, I am Melvin Rivera; creator of 
Follow me @
nice one, i’ve seen that in emails i’ve received at work before but never knew how to do it. as always i really enjoy the tutorials/hints!
thanks. It is wonderful entry. I had a question though. I followed the direction, and now I have the certificate. I installed the certificate and it is active. I can see it in my Address book, but when I compose new message, there is no check mark box in the window. Can anyone tell me what is going on? Please let me know. Thanks
After I finish this tutorial. Can I exchange encripted messages with Hushmail.com users?
Thanks for the clear directions. Like Jinesh, I’ve gone through the whole process and have checkmarks showing up in my Address Book entry next to me email addresses with certificates, but when I open Mail and compose a message, the sign and encrypt options aren’t there. Any suggestions welcome. Thanks.
If you’re in the Newark/NYC metro area, please visit my Thawte WOT page . . . we can notarize your Thawte certificates for free.
I’m with Drew and Jinesh – I’ve got it installed , OS 10.4, Mail 2.1.1 and no sign and encrypt options in Mail
I use Camino and when I get my email with the “deliever.exe” file, Keychain will not open and the certificate only gets installed in Camino. How do I get it into Keychain?
I have tried this procedure before, i.e. obtained certificate, etc. but mail still insists on NOT allowing me to send signed emails. The options are still greyed out for the email address for which I obtained certification.
However, on another of my email addresses I have a certificate which was issued by the government and when using this email address to send mails I can sign them.
Any suggestions anyone ?
Q: I have a certificate for my email address in my Keychain, why doesn’t Mail allow me to sign or encrypt email?
A: Verify that the email address in the certificate, and the one configured for the account in Mail, are typed exactly the same – including case. Even though the two addresses “John.Doe@mail.com” and “john.doe@mail.com” would most often be delivered to the same email account, Mail still treats them as separate identities while trying to match a certificate to an account (In order to comply with section 2.4 of RFC 2821 for SMTP).
I followed all the instructions and Thawte and my browser (Firefox 2.0.0.2) tells me the certificate is installed.
But I find no sign of it in my keychain and my Mail.app doesn’t show any new buttons on new emails.
I never did get to the point of having a file “deliver.exe” on my desktop.
Did I miss something?
Thanks for your help.