NOTE: I’ve updated this post in a few places below today, 6/13/2011, based on help from commenters. Also see the follow-up article Sending and Receiving S/MIME Encrypted Email on iOS 5 (Beta).
During the 2011 Apple Worldwide Developer Conference keynote address, Scott Forstall indicated that iOS 5 would have support for S/MIME encrypted email. (Skip to 63:10 in the presentation.) This morning I successfully upgraded to the iOS 5 Beta and started being able to read my S/MIME encrypted email. Here is how I did it.
What you need:
– Xcode 4.2 and iOS SDK 5 beta (requires iOS Developer Program account)
– iOS 5 beta for your iOS device’s platform (requires iOS Developer Program account)
– iTunes 10.5 beta (requires iOS Developer Program account)
– Your S/MIME encryption and signature certificates exported in PKCS12 (.p12) format
(Note there is some discussion about not needing to pay for a developer program account to install iOS 5. I went the legitimate route.)
Installing iOS 5 Beta
To install the iOS 5 Beta, make sure you have a backup; this will wipe your device. I used Apple’s guide. First, install Xcode 4.2. Launch Xcode and plug in your iOS device. You should see a window similar to the following:
Click “Use for Development”. If it doesn’t automatically bring you to the device organizer, click Window->Organizer. Your device should appear there in a Summary view. Under “Software Version”, click Other Version… and then choose the .ipsw file relevant to your device. Once you see the 5.0 (9A5220p) choice under Software Version, click “Restore”. This will erase the contents of your iOS device including all pictures, music, videos, and apps. Make sure you have a backup. Allow the restore to complete. Once it is complete, Xcode will again display the “New Device Detected” dialog, and you should click “Use for Development”. To complete the installation, launch iTunes 10.5 beta and set up the device.
Once you’ve set up the device, and either synced your Mail settings or configured them manually, try to open an encrypted email message. Here’s one that Joey sent me:
As you might guess, going to Settings > General > Profiles doesn’t do you much good. On my system, the only profile installed was the Provisioning Profile put there via my Developer account. So, we need to create one.
Create and Install Configuration Profile
Note: If you don’t wish to deal with a configuration profile, you can also email yourself the .p12 file containing your certificate. Thanks to Oleg for the tip.
If you don’t already have it installed, install the iPhone Configuration Utility and launch it. Make sure your iOS device is plugged in.
On the left side of the iPhone Configuration Utility, click on “Configuration Profiles”. Then click the “New” button at the top.
In the General section, give your configuration profile a name. You must also provide a unique identifier for the profile, so that it is not confused with other profiles on the device. While you can set a number of other device settings with this tool, the one that matters for S/MIME is the “Credentials” configuration. On the left, scroll down to “Credentials” and click it.
Click “Configure” on the right-hand side to add your encryption certificate to the device. You will be prompted with a file selection dialog where you can choose your PKCS12 file containing your encryption certificate and private key.
Once your certificate appears in the window, you can optionally scroll down and enter the password used to protect the PKCS12 file. If you enter it, you will not be prompted for it when the certificate is installed on the device, but a copy of your password will be stored with the profile. I chose not to enter my password at this time.
You should repeat this process for your signing certificate as well; click the + button toward the upper right to add a second certificate. In my experience, I could not read signed and encrypted emails unless I put both my signing and encryption certificates into the profile.
To install the configuration profile on your device, click your device on the left-hand side of the window, and go to the “Configuration Profiles” tab.
You should see the profile you just created. Click “Install” and your iOS device will beep or click at you. Look at the screen and you will see:
Click the “Install” button on your iOS device. You will get a warning that it will change settings on your device; click “Install Now”. You will then be prompted to enter the password used to protect your PKCS12 file if you didn’t save it as part of the configuration profile. Enter it, click “Return” and then “Done”.
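What the iPhone Configuration Utility writes out is a .mobileconfig property list with one com.apple.security.pkcs12 payload per certificate. The script below is an added example (not the author’s or Apple’s code) that builds the same kind of profile by hand for the encryption and signing certificates, giving each payload its own identifier and leaving the Password key out unless one is explicitly supplied, so the PKCS12 password is not stored in the profile. The .p12 bytes and the com.example.smime identifier are constructed placeholders.

```python
import plistlib
import uuid

# Payload type Apple uses for a PKCS#12 bundle in a configuration profile.
PKCS12_PAYLOAD_TYPE = "com.apple.security.pkcs12"

def pkcs12_payload(p12_bytes, file_name, identifier, password=None):
    """One Credentials payload; the .p12 bytes become a <data> element.
    Password is written only if supplied: it is stored in clear in the profile."""
    payload = {
        "PayloadType": PKCS12_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadCertificateFileName": file_name,
        "PayloadContent": p12_bytes,
    }
    if password is not None:
        payload["Password"] = password
    return payload

def build_profile(encryption_p12, signing_p12, base_id, password=None):
    """Profile carrying both certificates, each under its own identifier."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": "S/MIME certificates",
        "PayloadIdentifier": base_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [
            pkcs12_payload(encryption_p12, "encryption.p12",
                           base_id + ".encryption", password),
            pkcs12_payload(signing_p12, "signing.p12",
                           base_id + ".signing", password),
        ],
    }
    return plistlib.dumps(profile)

def inspect_profile(mobileconfig):
    """Which PKCS#12 payloads a .mobileconfig carries, and whether any stores the password."""
    payloads = plistlib.loads(mobileconfig)["PayloadContent"]
    return {
        "identifiers": [p["PayloadIdentifier"] for p in payloads],
        "stores_password": any("Password" in p for p in payloads),
    }

# Constructed stand-ins for the exported .p12 files (not real PKCS#12 data).
ENC_P12 = b"constructed-encryption-p12"
SIG_P12 = b"constructed-signing-p12"
```

Running inspect_profile over a profile exported from the utility is a quick way to confirm that no PKCS12 password was saved into it before the file is mailed or synced anywhere.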
Now when I re-launch Mail I can read Joey’s message:
Hooray! I’m reading encrypted email on an iOS device!
Hopeful Future Improvements
First, there is no indication on this encrypted email that it was encrypted, so I don’t know whether the sender considered it sensitive. (Note: see the follow-up post for how to fully enable and see these UI changes; thanks to Allan for pointing this out.) I think this will change in a future release. In the still image below, taken from the keynote address, you can see a lock and the word “Secure” in the title bar of the message. Obviously it’s important that Apple provide this visual cue.
The second is, of course, sending encrypted and signed email. (Note: again, see the follow-up post for how to fully enable S/MIME.) Despite my best efforts (installing my CA as a root on the device, installing certificates for my co-workers, installing certificates for other email addresses of mine) I could not get the little lock icon to appear next to anyone’s name in the “To” field of any email, nor could I get it to send encrypted email.
I look forward to a future beta from Apple which has these features enabled. Stay tuned here, because once I figure them out I’ll document them.
Let me know if it worked for you, and please provide any other comments below!