ARCHIVED: Use digital signatures for email on Android devices
Before you begin
Due to enhanced security features in Exchange Online, digital signatures are no longer required at IU; however, digital signatures will continue to work as expected if you wish to continue using them.
At Indiana University, you can use S/MIME client certificates from the InCommon Certificate Service to digitally sign and/or encrypt email messages. For instructions on getting a client certificate, see ARCHIVED: Get an S/MIME client certificate for digital email signatures at IU. For information about potential issues affecting various applications and devices, see ARCHIVED: Known issues with using S/MIME client certificates to digitally sign or encrypt email at IU.
When you receive your client certificate from InCommon, it will be encrypted in the PKCS 12 format (.p12 or .pfx), using the strong passphrase ("PIN") you created for it at the time of request. You will need this passphrase to install the certificate.
- To use S/MIME client certificates on an Android device, you must be running Android OS 4.4 or later; still, your device may not support S/MIME client certificates. You may wish to use a paid app such as Nine, available from the Google Play Store.
- You need to set a lock screen PIN or password on your Android device before you can use credential storage; for instructions, see the Setting or changing a screen lock pattern, PIN, or password section of Secure your Android OS device.
- To use these instructions, you must have an InCommon certificate file (in .p12 or .pfx format) saved to your personal computer and remember the PIN you used to encrypt it (as described in ARCHIVED: Getting an S/MIME client certificate at IU). If you are unable to locate the certificate file on your computer, you can use a certificate management application to export it; refer to the following instructions for Windows or macOS systems:
View a video about using digital signatures on Android devices.
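A pre-install check for the .p12/.pfx file described above, as an added example that is not part of the original page: it confirms that the PIN opens the file, that a private key is inside, and that the certificate is issued to your address, valid for S/MIME signing and unexpired. It assumes the `openssl` command-line tool (1.1.1 or later); the function names and the self-signed sample certificate it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a PKCS #12 file before installing it on a device.
# Assumes the openssl CLI (1.1.1+). Function names are illustrative.

# make_sample_p12 DIR PASSPHRASE EMAIL
# Builds a CONSTRUCTED self-signed test certificate (not a real InCommon one).
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Sample User" \
        -addext "subjectAltName=email:$3" \
        -addext "extendedKeyUsage=emailProtection" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    P12PASS=$2 openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name "$3" -passout env:P12PASS -out "$1/certificate.p12"
}

# check_p12 FILE PASSPHRASE EMAIL -> returns 0 only if every check passes.
# The passphrase goes to openssl through the environment, not argv.
check_p12() {
    p12=$1; pass=$2; email=$3; rc=0
    cert=$(P12PASS=$pass openssl pkcs12 -in "$p12" -passin env:P12PASS \
               -nokeys -clcerts 2>/dev/null) \
        || { echo "FAIL passphrase does not open $p12"; return 1; }
    # Private key present? Re-encrypt on output so it never appears in clear.
    P12PASS=$pass openssl pkcs12 -in "$p12" -passin env:P12PASS -nocerts \
        -passout env:P12PASS 2>/dev/null | grep -q 'PRIVATE KEY' \
        || { echo "FAIL no private key in file"; rc=1; }
    emails=$(printf '%s\n' "$cert" | openssl x509 -noout -email 2>/dev/null) || true
    purposes=$(printf '%s\n' "$cert" | openssl x509 -noout -purpose 2>/dev/null) || true
    printf '%s\n' "$emails" | grep -qixF "$email" \
        || { echo "FAIL certificate is not issued to $email"; rc=1; }
    printf '%s\n' "$purposes" | grep -q '^S/MIME signing : Yes' \
        || { echo "FAIL certificate is not valid for S/MIME signing"; rc=1; }
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL certificate has expired"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $p12 is ready to install for $email"
    return "$rc"
}

# Demo on constructed input.
tmp=$(mktemp -d)
make_sample_p12 "$tmp" 'constructed-passphrase' 'username@iu.edu'
check_p12 "$tmp/certificate.p12" 'constructed-passphrase' 'username@iu.edu'
rm -rf "$tmp"
```

Run it on the computer that holds the file, replacing the demo's constructed values with your own file path, PIN and address.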
Install your certificate
On Android devices, the following standard security notification may appear occasionally after installing new root certificates:
"A third party is capable of monitoring your network activity, including emails, apps, and secure websites. A trusted credential installed on your device is making this possible."
Option 1: Email the certificate files to yourself
- From your computer, send yourself an email message with your certificate.p12 or certificate.pfx file as an attachment.
- On your Android device, open the email message and tap the attached file to start the installation.
- Enter the PIN you used to encrypt the certificate file, and then tap .
- When prompted for a certificate name, enter a name to use as a label for your certificate, for example username@iu.edu.
- Next to "Credential use", make sure is selected.
- You should be prompted to finish installing the certificate by tapping or some other means.
When you are finished, your InCommon certificate should be listed among the trusted credentials in your device's security settings (on the tab at ).
Option 2: Download the certificate files
If you tried installing the InCommon certificate by emailing the files to yourself and the InCommon certificate does not appear in your device's security settings, do the following:
- On your device's web browser, go to the site below and install the certificate:
http://cert.incommon.org/InCommonRSAStandardAssuranceClientCA.crt
- On the "Install Profile" screen, you will see the "Verified" certificate file to install. Tap .
- If you have a fingerprint scan or passcode, use it to verify and proceed. Your device may alert you that installing the profile changes settings on your device. Tap when you're given the option.
- Tap .
Apply your certificate
To configure your device's mail app to digitally sign outgoing Exchange email using your certificate, try one of the following sets of instructions. You may need to modify them slightly, depending on your device and version of Android.
Option 1
- In your email app, tap the (usually three bars on the top left).
- Choose (the cog wheel).
- Select your email account.
- Scroll down and tap .
- Choose .
- Typically the cert (which you obtained by sending via email) will display. Tap (not ).
  Note: On some Android devices, you may need to tap again (even if you've already installed the certificate), and then tap .
- If you wish to sign all messages, select . You can instead do this on a message-by-message basis, if you wish.
- Tap , and use your back arrow to get back to your Inbox.
Option 2
- Access the "Security settings" screen for your account:
- On your device, open , select , and then select the icon for the email app that's associated with your IU Exchange account.
- Select , and then select your IU Exchange account (which should be displayed below ).
- Scroll down to the "Server settings" section, and then select .
- On the "Security settings" screen:
- Select to open the "Choose certificate" screen, make sure the InCommon certificate you imported is selected, and then select .
  Note: On some Android devices, you may need to tap again (even if you've already installed the certificate), and then tap .
- Under "Digital signature settings", check to digitally sign all IU Exchange account mail sent from your Android device. You can instead do this on a message-by-message basis, if you wish.
- Select
Digitally sign mail on a message-by-message basis
If you don't wish to digitally sign all your outgoing messages, you can do so on a message-by-message basis:
- Open a new message.
- In the upper right, tap the Settings menu (often three dots).
- Tap , and the option to sign or remove signing from that message should be a radio button.
Configure optional encryption settings
Optionally, you can configure your device's mail app to encrypt outgoing IU Exchange account mail using your certificate. Android's default encryption setting will attempt to encrypt all mail sent from your account. If you do not have the public certificate belonging to the person to whom you are sending mail, that message will not be encrypted.
To enable encryption:
- If necessary, follow the steps in the previous section to return to the appropriate "Security settings" screen.
- Under "Encryption settings", check the box.
Use a group account certificate
To use an S/MIME client certificate with a group account, install and enable the certificate as you would for a standard account.
- If the profile you are using in your email client is the group account, there should be no issues.
- If the profile you are using in your email client is your personal account and you want to send email from the group account, in your email message, open the "From" field and enter the group account address. If your personal account has "send as" rights for the group account, there should be no issues. If you are unsure whether you have "send as" rights, contact your IT Pro.
Disable your certificate
Option 1
- In your email app, tap the (usually three bars on the top left).
- Choose (the cog wheel).
- Select your email account.
- Scroll down and tap .
- Unselect .
- Tap , and use your back arrow to get back to your Inbox.
Option 2
- Access the "Security settings" screen for your account:
- On your device, open , select , and then select the icon for the email app that's associated with your IU Exchange account.
- Select settings, and then select your IU Exchange account (which should be displayed below "General settings").
- Scroll down to the "Server settings" section, and then select .
- On the "Security settings" screen, under "Digital signature settings", uncheck to no longer digitally sign email.
This is document ahof in the Knowledge Base.
Last modified on 2023-05-18 10:28:27.