Tuesday, December 16, 2014

iPhone 5c S/MIME and openssl

I just got an iPhone 5c (my very first iOS product) and wanted to send emails with key signing and possibly encryption.  Unfortunately it looks like Apple decided against using PGP or GPG and instead went with S/MIME.  Oh well, I had to create a new key pair, but that is where my problems started.

The iOS platform is very particular when it comes to using S/MIME keys for signing and encrypting.  I shall outline the steps I went through to get this working on my device.

** As a side-note I will add that I spent about 3 hours online with Apple tech support, speaking to three separate managers and one person who works with enterprise.  They were all very 'Amazed' that I was able to figure this out, because they really had no idea how to help me out since I do not own any other Apple products. **

Step one:
Set up your email account on the iOS device and make sure it is working (sending and receiving email).

Step two:  edit your openssl.cnf file
  %: su
  %: vi /etc/ssl/openssl.cnf

(You do not actually need root for this: the file is only read by the signing command in step three, so you can just as well copy it into your ~/smime directory and point -extfile at the copy.  Editing the system-wide file changes the extensions every certificate on the box gets.)

Scroll down to where it says [ usr_cert ] and make sure your section looks like mine:

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=email:copy
extendedKeyUsage = emailProtection

Step three: Create your S/MIME keys (follow all prompts)
On slackware linux open a terminal session and create a new directory
  %: mkdir ~/smime
  %: cd ~/smime
  %: openssl genrsa -des3 -out cert.key 4096
  %: openssl req -new -key cert.key -out cert.csr
  %: openssl x509 -req -days 36500 -in cert.csr -signkey cert.key -out client.crt -extfile /etc/ssl/openssl.cnf -extensions usr_cert
  %: openssl pkcs12 -export -in client.crt -inkey cert.key -out client.pfx -name "Your Name" -CAfile client.crt -caname "Your CA Name"

Two things to watch at the prompts.  When openssl req asks for the Email Address, enter exactly the address of the account you set up in step one: subjectAltName=email:copy copies that field into the certificate, and iOS only offers certificates whose email address matches the account.  When openssl pkcs12 asks for an Export Password, pick a strong one; it is the only thing protecting the private key inside client.pfx.  Also note that the certificate from x509 -req is named client.crt, so that is the file the pkcs12 step must read (the post originally had cert.crt here, which does not exist).  -days 36500 gives the certificate a 100-year lifetime; since a self-signed certificate cannot be revoked, a shorter lifetime that you are willing to renew is the safer choice.

Step four:
Email the client.pfx file to yourself (preferably to the email address that you can access on your iOS device).  Remember that this file contains your private key and is protected only by the export password, so use a strong password and delete the message (from the sent folder too) once the key is installed.

Step five:
Open the email on your iOS device and tap the client.pfx file.  Follow the on screen instructions (you will be asked for the export password) to install your key, which you can view at Settings --> General --> Profiles

Step six:
On your iOS device go to Settings --> Mail, Contacts, Calendars --> (your email account) --> Account --> Advanced

Scroll to the bottom and enable S/MIME
Click on Sign
Slide Sign to Green for enabled.

If you get a message that says "No valid certificates found" you probably missed a step in your key creation.  The most common cause is that the email address you typed at the openssl req prompt does not match the account's address; iOS only offers certificates whose email address matches the account, so check it with openssl x509 -in client.crt -noout -text, fix it and re-import.  It took me about 4 hours to figure out how to get my iPhone to realize I do in fact have a valid certificate.

** Note **
You do not need to slide 'encrypt by default' to green in order to send an encrypted email.  When you compose a new email, if you tap the name of the person you wish to send to, there will be a lock icon.  Tapping that icon to close it will attempt to send an encrypted message, but YOU MUST HAVE A COPY OF THEIR CERTIFICATE TO SEND AN ENCRYPTED MESSAGE TO THEM.  You do not need anyone else's key to sign an email, but you do need their public key to send them an encrypted message.  If you do not have their key you will be given an error message.  The usual way to get it is to have them send you a signed message first and install the certificate it carries (tap the sender's name, then View Certificate, then Install).