Sometimes sensitive data needs to be sent via email, and as it travels to its destination it can be intercepted by hackers, ISPs, the office IT geek or even a nosy government. In this tutorial, we’ll discuss how to use Apple’s Mail application to send secure emails that are signed and encrypted.
How does it work? Both parties get a free personal certificate from a trusted source and then we let Mail do the rest.
This tutorial is based on using Apple Mail on Mac OS X 10.4 (Tiger).
Step 1: Create a free Thawte account
From your browser, go to thawte.com and click on the Join button to create a free account. Follow the instructions to sign up and once completed, confirm your account through the email received.
Step 2: Request a Personal Email Certificate
Once your Thawte account is created and confirmed, you need to request a personal email certificate. Log in to the Thawte website through your browser and click on the “Request a Certificate” link in the Certificates section of the menu. From there, select the X.509 format certificate and accept the default settings on the next screens. Note that you will be asked which browser you are using; if you are on Safari, just select the Firefox option and proceed through the remaining screens until finished.
Step 3: Install Certificate
Once the certificate request form is completed, you will receive a confirmation email with a link to download the certificate. If the email is lost, you can download the certificate from the “View Certificate Status” section of the Thawte site. Note that a certificate is tied to the computer it was issued from. Double-clicking the downloaded file, called “deliver.exe”, should open it in the Keychain Access application and install it automatically. You can quit Keychain Access now, since it does not need to be open to use the certificate.
Step 4: Test Certificate
To test the certificate just open a New Message window in Mail. As long as the email you certified is the one selected in the Account pulldown menu you will notice that there are now two new buttons on the right side of the window, a lock and a check-mark.

Signed Email
A signed email allows your recipient to verify your identity as the sender and also ensures that the message and its attachments have not been tampered with in transit. As long as your personal certificate is installed on your computer, you can send a signed email.

Encrypted Email
An encrypted message offers a higher level of security since the contents of the email are encrypted and can only be viewed when certificates for both the sender and the recipient are present. To send an encrypted message you must first send a signed email so that the recipient receives your certificate. The recipient then needs to send you an email so that both of you now have each other’s certificates, assuming the recipient has a personal email certificate.
When the email is received, Mail shows that it is signed and encrypted by displaying the appropriate icon. For an encrypted message, if the recipient does not have the sender’s key, Mail will NOT display the message content. For example, if somebody sends me an encrypted email and I read it through my webmail, I will not be able to read its contents because it is encrypted. But if I read it through the Mail application and I have the sender’s key from a previous signed message, then it will display properly.
Conclusion
Other than the process of going through an external website to obtain a certificate, Mail’s integration of signed and encrypted messages is seamless. It’s a great feature that stays hidden until needed, which keeps the user experience simple and clean. And there’s nothing like discovering a great new feature in an app you’ve been using for a long time.
UPDATE:
For those of you having problems getting it to work, Lisa seems to have found a workaround using Firefox. Here’s the excerpt from her comment.
- Fetch your certificate from Thawte’s site in Firefox (or another browser that will backup/export certificates). The certificate should be automatically installed.
- In Firefox (if that’s what you used), go to Preferences > Advanced > Encryption > View Certificates.
- Highlight your certificate and click the Backup button, save your p12 file, and choose a password for it.
- Go to Keychain Access and choose File > Import…, open the saved p12 file, and type your password when prompted.
- Your certificate should now appear in the ‘My Certificates’ section in Keychain. Then open Mail and give it another try — the buttons should be there, provided you have the correct account selected.
Hello, I am Melvin Rivera; creator of
Thanks for the Tutorial and for permitting me to post a link to it on my blog.
I’d like to ask two questions:
Q1 : I have a dotMac account and I have an encryption certificate for iChat, what happens if I do create one with Thawte too?
Q2: If I back up my Keychain and switch to another computer, will I lose the Certificate?
Thanks
If things look right in Address Book but the buttons aren’t showing up in Mail for you, try this (sorry if I’m a bit off somewhere; I just figured this out yesterday and only went through it once):
- Fetch your certificate from Thawte’s site in Firefox (or another browser that will backup/export certificates). The certificate should be automatically installed.
- In Firefox (if that’s what you used), go to Preferences > Advanced > Encryption > View Certificates.
- Highlight your certificate and click the Backup button, save your p12 file, and choose a password for it.
- Go to Keychain Access and choose File > Import…, open the saved p12 file, and type your password when prompted.
- Your certificate should now appear in the ‘My Certificates’ section in Keychain. Then open Mail and give it another try — the buttons should be there, provided you have the correct account selected.
Lisa: Thanks, that did the trick!
Great tutorial. I ended up having to use the procedure from Lisa since I am using Firefox 2.0. I would also recommend putting in the opt-out link http://www.thawte.com/ucgi/gothawte.cgi?a=w179750802002000
Thank you very much Lisa, I’ve been trying for hours to get my 2nd addresses to work with this. Doing it the way you described finally did it.
Brilliant tutorial Melvin, thank you very much. My certificate only appeared in Mail after following Lisa’s instructions, so thanks to you too Lisa!
Actually, Lisa’s procedure works, but not always.
In my case it did not.
How to see whether a certificate can be used in your Mail.app:
it has to appear in Keychain Access not just under “Certificates” but under “My certificates”.
If it does not, then do the following:
1. back up the Thawte certificate you obtained;
2. from the Finder click twice the backup file;
3. supply the backup password.
After these steps, I guarantee it will appear in Keychain Access under “My certificates”.
From then on, no problem whatsoever.
This applies to Mac OS X 10.4 (Tiger) only.
When I double click on deliver.exe, it opens in TextMate rather than Keychain Access. Can anyone tell me how to get around that?
I’ve got things working, but with one problem. I can’t view encrypted items I have sent in my sent box (they are there but can’t be decrypted). I understand that I don’t have the recipients private key, but I would think that it would encrypt a copy with my public key for local storage. This seems to be what Entourage does on my work computer.
Any workaround?
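The certificate exchange from the Encrypted Email section, and the unreadable Sent copy raised in the comment just above, as an added example that is not part of the original post or its comments: it replays the flow with openssl, using two made-up self-signed identities (alice and bob) in place of Thawte certificates, and shows that the sender can only open their own copy if the message was also encrypted to the sender's certificate.

```shell
#!/bin/sh
# Added example (not from the tutorial): Mail's signed-then-encrypted exchange
# replayed with openssl; made-up self-signed identities stand in for Thawte's.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity NAME EMAIL: certificate plus private key, i.e. an entry Keychain
# Access would list under "My Certificates" rather than just "Certificates".
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# sign_as SENDER: the signed message; it carries the sender's certificate
sign_as() {
  printf 'Subject: hello\n\nbudget draft attached\n' > "$WORK/plain.txt"
  openssl smime -sign -in "$WORK/plain.txt" -signer "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -out "$WORK/signed.eml"
}

# verify_and_keep_cert SENDER: checks the signature and saves the embedded
# certificate, which the recipient needs before encrypting a reply
# (-noverify skips the CA chain because the test cert is self-signed).
verify_and_keep_cert() {
  openssl smime -verify -in "$WORK/signed.eml" -noverify \
    -signer "$WORK/received_$1.crt" -out /dev/null 2>/dev/null
}

# encrypt_to OUTFILE CERT...: encrypt the message to every listed certificate
encrypt_to() {
  out="$1"; shift
  openssl smime -encrypt -aes256 -in "$WORK/plain.txt" -out "$WORK/$out" "$@"
}

# can_decrypt FILE NAME: succeeds only if NAME's private key opens FILE
can_decrypt() {
  openssl smime -decrypt -in "$WORK/$1" -recip "$WORK/$2.crt" \
    -inkey "$WORK/$2.key" -out /dev/null 2>/dev/null
}

make_identity alice alice@example.test
make_identity bob bob@example.test
sign_as bob                # Bob's signed message delivers his certificate
verify_and_keep_cert bob   # Alice checks it and now holds received_bob.crt
# Encrypting only to Bob reproduces the unreadable Sent copy from the comment;
# adding the sender's own certificate as a recipient is what fixes it.
encrypt_to bob_only.eml "$WORK/received_bob.crt"
encrypt_to both.eml "$WORK/received_bob.crt" "$WORK/alice.crt"
```

On the Mac itself the matching check is the one from the comments: the certificate must show up under My Certificates (with its private key), not only under Certificates, or Mail cannot decrypt anything addressed to it.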
This was a very helpful article. Thanks for it!