With the release of OS X 10.7, Apple engineers brought a serious update to Apple Mail. When this happened I was finally able to cast Microsoft Outlook (formerly Microsoft Entourage) aside. Entourage was functional but slow. But when it was deprecated in favor of Outlook things went sideways. Microsoft went for a complete rewrite of the codebase and in doing so introduced significant issues into the product, many of which they have yet to fully resolve. So when Apple Mail turned out to be a truly impressive update, I made the switch and have not regretted the change.
One of my larger issues with Entourage and Outlook was their support for encrypted email. It worked, in the technical sense, but it never worked well… at least in my opinion. Conversely, Apple Mail just works. No qualification necessary, no messing around. It just works. The only tricky part is the initial configuration. Here we will configure Apple Mail (version 5.1 that is part of OS X 10.7.1) to send encrypted messages.
To start the process, we need an encryption certificate. Comodo.com offers a free certificate at the following address that is valid for one year. It seems to be issued instantly, which is also ideal. And the request process is much simpler than other services that I have used in the past. Visit Comodo’s free email certificate site and fill out the form.
Be sure to specify a key size of 2048 and make note of the revocation password that you come up with on this page. It’s unlikely but you might need it in the future. Once the form is complete and the agreement is marked as accepted, Comodo will email instructions to the email address you specify.
When Comodo sends the Certificate and Install Instructions to the specified email address, the message includes a link titled Click & Install Comodo Email Certificate. Before you do this, I strongly suggest setting Safari as the default web browser… at least for the moment. An error is thrown if Chrome is the default browser. I’m not sure what Firefox would do. Safari will be the safest way to make it through this process.
To set the default browser for the system, simply launch Safari and then select Preferences from the Safari menu. In the General tab, select Safari from the Default Web Browser menu. Exit the preferences window and your change is complete. If you don’t normally use Safari as your default browser, you can always return to Safari and change the default back once you are done installing the certificate.
Safari downloads the certificate to your downloads folder. I think it is supposed to add it to your Keychain automatically but this was not the case for me with OS X 10.7.1. I had to go to the Downloads directory and then double click on the download file titled CollectCCC.p7s. When I did, the system launched the Keychain Access application and showed a dialog requiring me to select the destination keychain for the certificate. I added the certificate to my Login keychain. Now quit out of Keychain Access. Quit Apple Mail and then reopen the App. This gets the app to take a fresh look at the data in the keychain.
Now when you create a new email message, make sure the From menu has the email account selected that uses the encryption certificate. Notice the two icons at the far right. One is a lock that is likely grayed out. The other is a check mark that may or may not be grayed out.
Here’s what you need to know about the lock and check mark icons. The check mark means that the message has a digital signature attached to the message. The idea with the signature is that it represents to the recipient that the message has not been altered while in transit (no changes were made between the time you wrote the message and the time your recipient read it in their inbox). The lock icon means the message is encrypted.
In order to exchange encrypted email messages with another user, both of you must go through the process of setting up your email client for secure messaging. If only one of you has a certificate installed, it will not be possible to encrypt the message.
Before you can send an encrypted email to another user, you must first exchange signed emails. This means that you must send your contact a message that has been digitally signed (check mark active, not grayed out). Your recipient must then either respond to your message with a reply that has been digitally signed using a certificate on their end, or they can send you an entirely new message that has been digitally signed. In either case, the email client will use the exchange to store the public key portion of the other user’s certificate in your system. This is either stored in your system keychain or the address book. I believe that OS X stores the associated contact’s public key in the address book, so it may be necessary to add your associate to your address book if they are not already there.
Once the exchange of signed emails has taken place, it should now be possible to exchange encrypted email messages. When you create a new email message, the lock icon should now be available to click. If it is grayed out or shows as unlocked, the message will be unencrypted. With a click of the icon, the lock should become black and the padlock should become locked. This means that the message will be encrypted and thereby secure.
Since sending encrypted messages requires the exchange of the signed messages prior to the exchange of encrypted messages, everyone included in a message must be a recipient that you have done a signature exchange with previously. If you create a new email that includes a series of recipients, some of which you can send encrypted messages and some that you cannot, then your email client will not allow you to encrypt the message. Some sort of error will be thrown. The nature of the error will differ depending on the email client.
Encrypted email is not what I would refer to as simple or straightforward. The process will need to become far more intuitive before it becomes mainstream. Until then, only the technically adept will be able to secure their correspondence.
And for anyone looking to use encrypted email, there are a few additional points to keep in mind. Webmail interfaces cannot send or read encrypted messages. This includes popular browser-based email clients such as Gmail, AOL Mail, and Yahoo. An encrypted message will appear in a webmail client. The sender will be displayed, as will the subject of the message. But the contents of the message will not be displayed in a readable format. To date, no webmail service has a facility for dealing with encrypted email messages. So keep in mind that any mail exchanges that contain secure email will be limited to modern desktop email programs like Apple Mail. This limits flexibility of options such as checking your mail from a web browser while on the road.
When Apple released iOS 5 for the iPhone, iPod Touch, and iPad, rudimentary support for encrypted email was added to both the operating system and the built-in mail client. Look for a followup post detailing how to configure iOS 5 to work with encrypted email.
UPDATE: 11/10/11 11:00am
I have some feedback from a couple of users that might help the rest of us. First of all, I want to underscore Safari as a requirement when requesting the certificate from Comodo. I had someone use Firefox by mistake and the certificate seemed to download without issue but for some reason it kept installing into the wrong part of the Keychain. And when it was in the wrong location in Keychain, Mail would never find it. So, please be 100% certain to use Safari when requesting and when downloading the .p7s key file from Comodo.
The second point worth clarifying is the proper location of the certificate within Keychain Access following import. As explained, with OS X 10.7, it should be possible simply to double click on the CollectCCC.p7s file after it has been downloaded from Comodo. Ideally the OS will open Keychain Access and import the certificate to the correct location. On the chance that your system does not run this process automatically, it should be possible to open Keychain Access (/Applications/Utilities) and then select Import Items from the File menu. Browse to the CollectCCC.p7s file and make sure the Destination Keychain is set to Login.
Once the certificate is imported into the Keychain, it is critical to be sure that it was saved in the correct location. There are two categories inside of Keychain that hold certificates. The correct location for email certs is labeled My Certificates. Once the certificate has been imported into Keychain, select the Login keychain, then select the My Certificates category. On the right, there should be a certificate listed using your specified email address as its name. If it’s there, everything is set and ready for the Mail app to automatically locate the installed certificate.
If you have imported the certificate and you don’t see it listed under My Certificates, look for it under the Certificates category. If it is located there and has a name that is your email address, it means that the certificate imported into the wrong location. In the case of one user, his cert imported to this location every time because he had requested the Comodo cert and downloaded it using Firefox by mistake. In order to correct the issue he had to delete the cert from the Certificates category and then go back to Comodo and revoke the initial cert using the password he provided when he first generated the file. Then he had to go back and create a new certificate using Safari.
There are a lot of things that can go wrong along the way. Making sure the certificate has been properly imported into the correct part of the OS Keychain is key. If the certificate with your email address is not located in the My Certificates category, there is no way Mail will be able to utilize it. Confirming the certificate’s import and proper location should be step one in any troubleshooting process.
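The "step one" check above, done from the Terminal with the macOS `security` tool rather than by eye in Keychain Access. This is an added example, not part of the original post. It assumes, as the post says of Comodo certificates, that the identity is named after your email address; My Certificates corresponds to identities (certificate plus private key), which is what `security find-identity` lists, while a certificate that landed under Certificates has no private key and shows up only in `security find-certificate`.

```shell
#!/bin/sh
# smime_keychain_check.sh: diagnoses the "My Certificates vs Certificates" problem from
# the post with the macOS `security` tool. Added example, not part of the original article.
# On macOS:  sh smime_keychain_check.sh you@example.com
# Elsewhere, or with no argument, it runs against a constructed sample listing instead.

# $1 = email address on the certificate
# $2 = output of: security find-identity -p smime -v login.keychain
# $3 = output of: security find-certificate -a -e "$1" -p login.keychain
# Returns 0 (identity present: certificate + private key, i.e. My Certificates),
# 1 (certificate only, no private key, i.e. Certificates), 2 (nothing found).
diagnose() {
  email=$1; identities=$2; certs=$3
  # Assumption (true for the Comodo cert described in the post): the identity is named
  # after the email address, so find-identity lists it as  N) <hash> "you@example.com"
  if printf '%s\n' "$identities" | grep -Fq "\"$email\""; then
    echo "OK: S/MIME identity for $email is in the login keychain; Mail can use it."
    return 0
  fi
  if printf '%s\n' "$certs" | grep -Fq 'BEGIN CERTIFICATE'; then
    echo "PROBLEM: certificate for $email found, but no private key (it sits under"
    echo "Certificates, not My Certificates). Mail cannot sign or decrypt with it."
    return 1
  fi
  echo "PROBLEM: no certificate for $email in the login keychain; import CollectCCC.p7s."
  return 2
}

if [ -n "$1" ] && command -v security >/dev/null 2>&1; then
  ids=$(security find-identity -p smime -v login.keychain 2>/dev/null)
  crt=$(security find-certificate -a -e "$1" -p login.keychain 2>/dev/null)
  diagnose "$1" "$ids" "$crt"
else
  # Constructed sample: a certificate imported under Certificates without its key.
  sample_ids='     0 valid identities found'
  sample_crt='-----BEGIN CERTIFICATE-----
MIIB(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----'
  diagnose alice@example.com "$sample_ids" "$sample_crt" || echo "(exit status $?)"
fi
```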