Use digital signatures for email on Android devices

Before you begin

Note:
Android OS is an open system that vendors are able to modify with very little restriction on consistency; thus, functions are presented differently between models, versions, and even point versions of Android. These instructions will be appropriate for most Android devices, but will not be correct for all.

Note:

Due to enhanced security features in Exchange Online, digital signatures are no longer required at IU; however, digital signatures will continue to work as expected if you wish to continue using them.

At Indiana University, you can use S/MIME client certificates from the InCommon Certificate Service to digitally sign and/or encrypt email messages. For instructions on getting a client certificate, see Get an S/MIME client certificate for digital email signatures at IU. For information about potential issues affecting various applications and devices, see Known issues with using S/MIME client certificates to digitally sign or encrypt email at IU.

When you receive your client certificate from InCommon, it will be encrypted in the PKCS 12 format (.p12 or .pfx), using the strong passphrase ("PIN") you created for it at the time of request. You will need this passphrase to install the certificate.

Notes:

View a video about using digital signatures on Android devices.

Install your certificate

Note:

On Android devices, the following standard security notification may appear occasionally after installing new root certificates:

"A third party is capable of monitoring your network activity, including emails, apps, and secure websites. A trusted credential installed on your device is making this possible."

Option 1: Email the certificate files to yourself

  1. From your computer, send yourself an email message with your certificate.p12 or certificate.pfx file as an attachment.
  2. On your Android device, open the email message and tap the attached file to start the installation.
  3. Enter the PIN you used to encrypt the certificate file, and then tap OK.
  4. When prompted for a certificate name, enter a name to use as a label for your certificate, for example username@iu.edu.
  5. Next to "Credential use", make sure VPN and apps is selected.
  6. You should be prompted to finish installing the certificate by tapping OK or some other means.

When you are finished, your InCommon certificate should be listed among the trusted credentials in your device's security settings (on the Users tab at Settings > Security > Credential storage > Trusted credentials).

Option 2: Download the certificate files

If you tried installing the InCommon certificate by emailing the files to yourself and the InCommon certificate does not appear in your device's security settings, do the following:

  1. On your device's web browser, go to the site below and install the certificate:
    http://cert.incommon.org/InCommonRSAStandardAssuranceClientCA.crt
    
  2. On the "Install Profile" screen, you will see the "Verified" certificate file to install. Tap Install.
  3. If you have a fingerprint scan or passcode, use it to verify and proceed. Your device may alert you that installing the profile changes settings on your device. Tap Install when you're given the option.
  4. Tap Done.
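
The following is an added example, not part of the original IU instructions. Run on your computer before transferring the file, it checks that your PIN opens the .p12 bundle, that the certificate inside names your address and is usable for S/MIME signing, and that it was issued by the CA certificate file from Option 2 (which is fetched over plain HTTP). It assumes the `openssl` command-line tool is installed; the function names `check_p12` and `make_sample` are hypothetical, and the sample CA, certificate, and PIN are constructed throwaway data.

```shell
# check_p12 FILE PIN EMAIL CAFILE: succeeds only if every check passes.
# Function names are hypothetical; requires the openssl command-line tool.
check_p12() {
  tmp=$(mktemp -d) || return 1
  rc=1
  # 1. The PIN must open the bundle. Only the certificate is extracted, never
  #    the private key, and the PIN travels in the environment, not in argv.
  if P12_PIN=$2 openssl pkcs12 -in "$1" -passin env:P12_PIN -nokeys -clcerts 2>/dev/null |
       openssl x509 -out "$tmp/client.pem" 2>/dev/null &&
     # 2. The downloaded CA file may be PEM or DER; normalise it to PEM.
     { openssl x509 -in "$4" -out "$tmp/ca.pem" 2>/dev/null ||
       openssl x509 -inform DER -in "$4" -out "$tmp/ca.pem" 2>/dev/null; } &&
     # 3. The certificate must name the expected mail address.
     openssl x509 -in "$tmp/client.pem" -noout -email | grep -qixF "$3" &&
     # 4. It must be issued by that CA, in date, and usable for S/MIME signing.
     openssl verify -purpose smimesign -partial_chain -CAfile "$tmp/ca.pem" \
       "$tmp/client.pem" >/dev/null 2>&1
  then rc=0; fi
  rm -rf "$tmp"
  return "$rc"
}

# make_sample DIR PIN: constructed test data (throwaway CA and client cert).
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=username" \
    -keyout "$1/u.key" -out "$1/u.csr" 2>/dev/null &&
  printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:username@iu.edu\n' \
    > "$1/ext.cnf" &&
  openssl x509 -req -in "$1/u.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/ext.cnf" -days 1 -out "$1/u.pem" 2>/dev/null &&
  openssl x509 -in "$1/ca.pem" -outform DER -out "$1/ca.crt" &&
  P12_PIN=$2 openssl pkcs12 -export -inkey "$1/u.key" -in "$1/u.pem" \
    -passout env:P12_PIN -out "$1/certificate.p12"
}

demo=$(mktemp -d)
make_sample "$demo" 'constructed-PIN-1'
check_p12 "$demo/certificate.p12" 'constructed-PIN-1' username@iu.edu "$demo/ca.crt" &&
  echo "certificate.p12: PIN, address, issuer and S/MIME purpose all check out"
```

With your own files, call `check_p12` with the path to your certificate.p12, your PIN, your address, and the saved CA file; a non-zero exit status means at least one check failed.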

Apply your certificate

To configure your device's mail app to digitally sign outgoing Exchange email using your certificate, try one of the following sets of instructions. You may need to modify the steps slightly, depending on your device and version of Android.

Option 1

  1. In your email app, tap the Menu (usually three bars on the top left).
  2. Choose Settings (the cog wheel).
  3. Select your email account.
  4. Scroll down and tap Security options.
  5. Choose Email signing cert.
  6. Typically, the certificate (which you obtained by sending it via email) will be displayed. Tap Allow (not Install).
    Note:
    On some Android devices, you may need to tap Install again (even if you've already installed the certificate), and then tap Allow.
  7. If you wish to sign all messages, select Sign all outgoing messages. You can instead do this on a message-by-message basis, if you wish.
  8. Tap Done, and use your back arrow to get back to your Inbox.

Option 2

  1. Access the "Security settings" screen for your account:
    1. On your device, open Settings, select Accounts, and then select the icon for the email app that's associated with your IU Exchange account.
    2. Select Account settings, and then select your IU Exchange account (which should be displayed below General settings).
    3. Scroll down to the "Server settings" section, and then select Security settings.
  2. On the "Security settings" screen:
    1. Select Certificates to open the "Choose certificate" screen, make sure the InCommon certificate you imported is selected, and then select Allow.
      Note:
      On some Android devices, you may need to tap Install again (even if you've already installed the certificate), and then tap Allow.
    2. Under "Digital signature settings", check Default digital signature to digitally sign all IU Exchange account mail sent from your Android device. You can instead do this on a message-by-message basis, if you wish.

Digitally sign mail on a message-by-message basis

If you don't wish to digitally sign all your outgoing messages, you can do so on a message-by-message basis:

  1. Open a new message.
  2. In the upper right, tap the Settings menu (often three dots).
  3. Tap Security options; the option to sign the message or remove signing from it should appear as a radio button.

Configure optional encryption settings

Optionally, you can configure your device's mail app to encrypt outgoing IU Exchange account mail using your certificate. Android's default encryption setting will attempt to encrypt all mail sent from your account. If you do not have the public certificate belonging to the person to whom you are sending mail, that message will not be encrypted.

To enable encryption:

  1. If necessary, follow the steps in the previous section to return to the appropriate "Security settings" screen.
  2. Under "Encryption settings", check the Default encryption box.

Important:
Email clients not using S/MIME client certificates will not be able to view encrypted email. Clients that cannot use S/MIME client certificates include Outlook on the web through any browser except Edge on Windows; recipients who use one of these clients will be unable to view encrypted email. However, all mail clients can view digitally signed email.

Use a group account certificate

To use an S/MIME client certificate with a group account, install and enable the certificate as you would for a standard account.

Notes:
  • If the profile you are using in your email client is the group account, there should be no issues.
  • If the profile you are using in your email client is your personal account and you want to send email from the group account, in your email message, open the "From" field and enter the group account address. If your personal account has "send as" rights for the group account, there should be no issues. If you are unsure whether you have "send as" rights, contact your IT Pro.

Disable your certificate

Option 1

  1. In your email app, tap the Menu (usually three bars on the top left).
  2. Choose Settings (the cog wheel).
  3. Select your email account.
  4. Scroll down and tap Security options.
  5. Unselect Sign all outgoing messages.
  6. Tap Done, and use your back arrow to get back to your Inbox.

Option 2

  1. Access the "Security settings" screen for your account:
    1. On your device, open Settings, select Accounts, and then select the icon for the email app that's associated with your IU Exchange account.
    2. Select Account settings, and then select your IU Exchange account (which should be displayed below "General settings").
    3. Scroll down to the "Server settings" section, and then select Security settings.
  2. On the "Security settings" screen, under "Digital signature settings", uncheck Default digital signature to no longer digitally sign email.

This is document ahof in the Knowledge Base.
Last modified on 2022-07-28 14:45:25.