OpenSSL-Encrypting Tiger’s Mail

Updated July 5, 2007 to fix broken images.

Or: How to get encryption working in OS X 10.4 Tiger if you’re generating your own certificates using OpenSSL. (This does not work in Panther, Jaguar, Puma nor Cheetah… but it totally works on System 7, a.k.a “FuckingUglyStrayCat”… who knew?!)

It takes a bit of wrangling, but not too much… you just have to dick with it enough to get Keychain Access hooked up, and Mail falls in line auto-magically.

Note: If you want to encrypt email, but don’t have access to OpenSSL (or the desire to get into it), go get a cert from Thawte, and follow these O’Reilly instructions on how to get it to your Desktop using Firefox. Skip anything in those directions that deal with the Keychain Access application; they’re Panther-specific, and no longer apply in the newest (Tiger) version. Then, skip down to “Adding Your Certificate” below.

Adding the CA Cert

Before you can add your own personal cert to sign and encrypt email, you must add the Certification Authority certificate into your “trusted root database” (to use Apple’s parlance). Otherwise, your life will be hard and filled with jury-riggin’ pain… check it:


Get the ca.crt file from the admin responsible for generating your company’s certificates, or make your own using OpenSSL.

Double-click that file, which will open the Keychain Access app and ask “Do you want to add the certificate(s) from the file ‘ca.crt’ to a keychain?” In the Keychain pulldown, select the “X509Anchors” option, then click “OK”.

Enter your administrator password when prompted.

Next, locate the new certificate in the X509Anchors keychain. If you can’t see your keychains, click the “Show Keychains” button in the lower-left corner of the Keychain Access window, then click X509Anchors to view the certs therein. If you see warning message proclaiming that “This certificate is not in the trusted root database”:

… simply quit Keychain Access and relaunch it. Locate the cert again, and bickity-bam “This certificate is valid”, as expected:

Adding Your Certificate

To add your personal certificate that you’ll use in Mail, get your PKCS12 cert from the admin, or make one on your own. Most times, this has a .p12 file extension. Again, simply double-click that file. When asked where to add it (as above), choose your login keychain. Be sure to provide the password for the .p12 file (which was specified during its creation—ask the admin if necessary) when prompted, not your OS X password.

N.B.: I found that generating a .p12 file with no/blank password is unacceptable in Keychain Access (it throws errors)… so don’t do that.

After Keychain Access has imported your personal cert, you should see something like this:


Quit Mail if it’s already up. Then, launch it. Create a new email message. If everything worked as planned, you’ll see the small lock and seal icons in the message window:

Note that the lock icon is not yet activated.

At this point, you can digitally sign your emails with your personal cert’s public key, which others (those who have a digital signature—public key—to offer) will use to send you encrypted email. After someone sends you an email with their digital signature:

… Keychain Access will snag it from their message, and you can send them encrypted email back.

Sweeter than YooHoo.

Posted in Mac