Using digital signatures for email on Android devices

You can use S/MIME certificates, also called "S/MIME Certs" or "Personal Certificates", with most email clients to digitally sign and/or encrypt email messages. At Indiana University, S/MIME certificates are provided by the InCommon Certificate Service. For instructions on getting a certificate, see Getting an S/MIME certificate for digital email signatures at IU.

When you receive your certificate from InCommon, it will be encrypted in the PKCS 12 format (.p12 or .pfx), using the strong passphrase ("PIN") you created for it at the time of request. You will need this passphrase to install the certificate.

Also, for details about potential issues with various devices and applications when using digital signatures, be sure to refer to Known issues with digitally signed email at IU.
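Before sending the PKCS 12 file described above to your phone, you can confirm on your computer that it opens with your PIN and holds the certificate you expect. The shell script below is an added example, not part of the original IU instructions. It assumes the OpenSSL command-line tool is installed, reads the PIN from an environment variable named P12_PIN (a name chosen for this example), and runs against a constructed self-signed sample rather than a real InCommon certificate.

```shell
#!/bin/sh
# Added example: check a PKCS #12 bundle before installing it on a device.
# The PIN comes from the P12_PIN environment variable (a name chosen for this
# example) so that it never appears in the process list.

# check_p12 FILE EMAIL
# Returns 0 only if FILE opens with $P12_PIN and holds an unexpired
# certificate for EMAIL that OpenSSL accepts for S/MIME signing.
check_p12() {
    p12=$1
    want_email=$2
    # -nokeys: never write the private key out; -clcerts: skip CA certificates.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PIN -nokeys -clcerts 2>/dev/null) || {
        echo "FAIL: wrong PIN, or not a PKCS #12 file"; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -email 2>/dev/null |
        grep -qixF "$want_email" || {
        echo "FAIL: no certificate for $want_email"; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: certificate has expired"; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -purpose 2>/dev/null |
        grep -q '^S/MIME signing : Yes' || {
        echo "FAIL: certificate is not valid for S/MIME signing"; return 1; }
    echo "OK: $p12 holds a current S/MIME signing certificate for $want_email"
}

# make_sample_p12 DIR
# Builds DIR/certificate.p12 from a constructed, self-signed certificate.
# This stands in for the file InCommon issues; it is not a real IU credential.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed User/emailAddress=username@iu.edu" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:P12_PIN -out "$1/certificate.p12"
}

# Demo with constructed values.
P12_PIN='constructed-demo-PIN'; export P12_PIN
demo_dir=$(mktemp -d)
make_sample_p12 "$demo_dir" && check_p12 "$demo_dir/certificate.p12" username@iu.edu
rm -rf "$demo_dir"
```

To check your own file, export P12_PIN with your PIN and call check_p12 with the path to the .p12 or .pfx file and your email address.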

Note:
Android OS is an open system that vendors are able to modify with very little restriction on consistency; thus, functions are presented differently between models, versions, and even point versions of Android. These instructions will be appropriate for most Android devices, but will not be correct for all.

Installing your certificate

  1. From your computer, send yourself an email message with your certificate.p12 or certificate.pfx file as an attachment.
  2. On your Android device, open the email message and tap the attached file to start the installation.
  3. Enter the PIN you used to encrypt the certificate file, and then tap OK.
  4. When prompted for a certificate name, enter a name to use as a label for your certificate, for example username@iu.edu.
  5. Next to "Credential use", make sure VPN and apps is selected.
  6. You should be prompted to finish installing the certificate by clicking OK or some other means.

When you are finished, your InCommon certificate should be listed among the trusted credentials in your device's security settings (on the Users tab at Settings > Security > Credential storage > Trusted credentials).

Note:

On Android devices, the following standard security notification may appear occasionally after installing new root certificates:

"A third party is capable of monitoring your network activity, including emails, apps, and secure websites. A trusted credential installed on your device is making this possible."

Applying your certificate

To configure your device's mail app to digitally sign outgoing IU Exchange email using your certificate, try one of the following sets of instructions. You may need to modify the steps slightly, depending on your device and version of Android.

Option 1:

  1. In your email app, click the Menu (usually three bars on the top left).
  2. Choose Settings (the cog wheel).
  3. Select your email account.
  4. Scroll down and click Security options.
  5. Choose Email signing cert.
  6. Typically, the certificate (the one you sent yourself by email) will be displayed. Click Allow (not Install).
  7. If you wish to sign all messages, select Sign all outgoing messages. You can instead do this on a message-by-message basis, if you wish.
  8. Click Done, and use your back arrow to get back to your Inbox.

Option 2:

  1. Access the "Security settings" screen for your account:
    1. On your device, open Settings, select Accounts, and then select the icon for the email app that's associated with your IU Exchange account.
    2. Select Account settings, and then select your IU Exchange account (which should be displayed below General settings).
    3. Scroll down to the "Server settings" section, and then select Security settings.
  2. On the "Security settings" screen:
    1. Select Certificates to open the "Choose certificate" screen, make sure the InCommon certificate you imported is selected, and then select Allow.
    2. Under "Digital signature settings", check the Default digital signature box to digitally sign all IU Exchange mail sent from your Android device. You can instead do this on a message-by-message basis, if you wish.

Digitally signing mail on a message-by-message basis

If you don't wish to digitally sign all your outgoing messages, you can do so on a message-by-message basis:

  1. Open a new message.
  2. In the upper right, click the Settings menu (often three dots).
  3. Click Security options; the option to sign the message, or to remove signing from it, should appear as a radio button.

Configuring optional encryption settings

Optionally, you can configure your device's mail app to encrypt outgoing IU Exchange mail using your certificate. Android's default encryption setting will attempt to encrypt all mail sent from your account. If you do not have the public certificate belonging to the person to whom you are sending mail, that message will not be encrypted.

To enable encryption:

  1. If necessary, follow the steps in the previous section to return to the appropriate "Security settings" screen.
  2. Under "Encryption settings", check the Default encryption box.

Important:
Email clients not using S/MIME certificates will not be able to view encrypted email. Clients that cannot use S/MIME certificates include OWA through Chrome, Firefox, and Safari; recipients who use one of these clients will be unable to view encrypted email. However, all mail clients can view digitally signed email.

Using a group account certificate

To use an S/MIME certificate with a group account, install and enable the certificate as you would for a standard account.

Notes:
  • If the profile you are using in your email client is the group account, there should be no issues.
  • If the profile you are using in your email client is your personal account and you want to send email from the group account, in your email message, open the "From" field and enter the group account address. If your personal account has "send as" rights for the group account, there should be no issues. If you are unsure whether you have "send as" rights, contact your IT Pro.

This is document ahof in the Knowledge Base.
Last modified on 2017-10-02 14:29:16.
