HowTo: e-Mail Client Software
This HowTo tells you how to manually import the CAcert Root Certificate, and the *.p12 / *.pfx files (containing your client certificates with their corresponding private keys), into your e-mail client software.
Expected Result: You can use S/MIME or PGP/GPG signature and encryption using CAcert-issued certificates.
DJIGZO has two separate key stores. "Certificates & Keys" holds your personal keys (and intermediary certificates), while CA root certificates go into "Root certificates". So when your CA certificate is a (self-signed) root certificate, you have to add it to "Root certificates", choosing "Store to import to: root". In contrast, your (intermediary or end-user) certificates, which are signed by a CA, go into "Certificates & Keys" by choosing "Store to import to: certificates".
For S/MIME encryption and/or signing, there is the Android app R2Mail2, which is a fully functional e-mail client. Unfortunately, it costs 4,80 Euros (for the license; otherwise you only see 5 messages per folder for demo). R2Mail2 is still being developed and further improved. I already find it much better than the default Android mail client. It does not have as many features as K-9 mail, but it fully supports S/MIME (and to some more limited degree also PGP).
This client is available on Google Play and is able to sign and encrypt messages. The program supports both S/MIME and PGP.
However, sending encrypted mail is among the paid functions, to be purchased for about € 7.35 (2021).
The client needs you to install your certificate with the corresponding private key, preferably from the backup file *.p12 / *.pfx (file icon: fingerprint), and you must also install the CAcert root certificates (these may also be in the same file).
Installing these files into the Android system on newer versions (5+) is described elsewhere; links are presented at the beginning of this article. If you receive mail from the same source on multiple devices, you must ensure that your *.p12 / *.pfx file contains the same private key and the corresponding certificate that you are using in e-mail clients elsewhere. The certificate and private key are installed automatically when you download or open the file. If you have more than one (private key & certificate) pair installed in the Android system, you will need to select which one the client should use to encrypt a message to send.
To decrypt the received message, you may need to press the lock icon in the header.
As with other email clients, it is also necessary to receive one unencrypted, but signed message from the person with whom you want to exchange encrypted messages. Signature (Scribar Icon) is marked in the message header and the client saves it automatically. After pressing the icon, FairEmail shows you who signed the message and other details.
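The requirement above, that every device gets a *.p12 / *.pfx file with the same private key and certificate, can be checked before importing. The following is an added example, not part of the original HowTo; it assumes the OpenSSL command-line tool, hypothetical file names, and an export password supplied in an environment variable named `P12_PASS` (an assumed name).

```shell
#!/bin/sh
# Added example: compare *.p12 / *.pfx backups before importing them on several devices.
# The export password is read from the environment variable P12_PASS (assumed name),
# so it does not show up in the process list. File names below are hypothetical.

# SHA-256 fingerprint of the first client certificate in the file.
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Public key derived from the private key in the file (the key is only piped, never saved).
p12_key_pub() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null
}

# Public key embedded in the client certificate.
p12_cert_pub() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null
}

# True when the private key belongs to the certificate stored next to it.
p12_key_matches_cert() (
    k=$(p12_key_pub "$1"); c=$(p12_cert_pub "$1")
    [ -n "$k" ] && [ "$k" = "$c" ]
)

# True when two backup files carry the same client certificate.
p12_same_identity() (
    a=$(p12_cert_fingerprint "$1"); b=$(p12_cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
)

# Run directly: P12_PASS=... sh check_p12.sh phone.p12 laptop.p12
if [ "$#" -eq 2 ]; then
    p12_key_matches_cert "$1" || { echo "$1: key/cert mismatch or wrong password"; exit 1; }
    p12_key_matches_cert "$2" || { echo "$2: key/cert mismatch or wrong password"; exit 1; }
    if p12_same_identity "$1" "$2"; then
        echo "same certificate: $(p12_cert_fingerprint "$1")"
    else
        echo "different certificates"; exit 1
    fi
fi
```

A wrong password or unreadable file yields an empty result, so both checks fail closed. Older backups encrypted with legacy algorithms may need the `-legacy` option of `openssl pkcs12` on OpenSSL 3.x.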
iOS (iPhone, iPad)
The advantage of S/MIME is that it's built into Mail in iOS. To enable this feature, you have to go into the Settings > Account > Advanced for each e-mail account, and then enable S/MIME.
PGP/GPG in (Apple) Mail
Mail accesses the public key certificate using one of two methods, depending on whether the recipient is in the Exchange environment.
If the recipient is a user in the same Exchange environment, iOS will retrieve the necessary certificate for message encryption. iOS will consult the global address list (GAL) and your contacts. Notice the lock and Encrypted designation at the top. When Mail finds a certificate, a lock icon appears to the right of the recipient's contact name, highlighted in blue.
If the intended recipient is outside the sender's Exchange environment or if the sender is not using an Exchange account, the recipient's certificate must be installed on the device. Click on the link above for details.
PGP/GPG in Thunderbird
S/MIME in Thunderbird
Mac OS X includes Keychain, a built-in key and password manager, which stores user passwords, user and server certificates, and keys. Certain applications use this centralized Keychain for storing and retrieving certificate information in lieu of maintaining their own, separate certificate repositories.
The advantage of S/MIME is that it's built into Mail on the Mac.
To import your certificate-key pair:
- Open the Keychain Access utility (Applications -> Utilities).
- Choose File -> Import items…
- Browse to the location of your CAcert certificate and click Open. You will be prompted for your key pair's export password.
Once imported, your certificate-key pair will appear under both the Certificates and Keys categories in the Keychain Access utility.
- Install the "Mac GNU Privacy Guard" from here: http://macgpg.sourceforge.net/de/index.html#files and copy the GPG keychain into the Applications folder.
- Launch the GPG Keychain.app and import the certificate.
- Download and install the GPGMailPlugin from here: http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html#Download
S/MIME in (Apple) Mail
S/MIME in Entourage
Outlook for OS X
From the Outlook menu, select Preferences > Accounts. Select your email account, click Advanced, and then select the Security tab.
- In the "Digital signing" section, select your certificate from the drop-down menu.
- For "Signing algorithm", the default value of SHA-256 is appropriate for most situations.
- For the best usability, enable all three checkbox options:
  - Sign outgoing messages
  - Send digitally signed messages as clear text
  - Include my certificates in signed messages
- In the "Encryption" section, select your certificate from the drop-down menu.
- Click OK to save your changes and exit Outlook Preferences.
S/MIME in Outlook 2003
S/MIME in Outlook 2007
S/MIME in Outlook 2010