Use digital signatures for email on Android devices

Android is an open system that vendors can modify with very few consistency requirements, so functions are presented differently between models, versions, and even point versions of Android. These instructions will be appropriate for most Android devices, but will not be correct for all.

Before you begin

You can use S/MIME certificates, also called "S/MIME Certs" or "Personal Certificates", with most email clients to digitally sign and/or encrypt email messages. At Indiana University, S/MIME certificates are provided by the InCommon Certificate Service. For instructions on getting a certificate, see Get an S/MIME certificate for digital email signatures at IU.

For details about potential issues with various devices and applications when using digital signatures, be sure to refer to Known issues with digitally signed email at IU.

When you receive your certificate from InCommon, it will be encrypted in the PKCS 12 format (.p12 or .pfx), using the strong passphrase ("PIN") you created for it at the time of request. You will need this passphrase to install the certificate.
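
Before copying the file to your device, you can confirm on your computer that the passphrase opens the bundle and that the certificate inside names your address, is valid for S/MIME signing, and has not expired. The script below is an added example, not part of IU's or InCommon's instructions; it assumes the OpenSSL command-line tool (1.1.1 or later) is installed, and the function names, the P12_PASS variable, and the sample address are illustrative.

```shell
#!/bin/sh
# Added example: inspect a PKCS #12 bundle before installing it on a phone.
# The passphrase is read from the P12_PASS environment variable so it never
# appears on a command line or in the process list.

# check_p12 FILE EXPECTED_EMAIL -> returns 0 only if every check passes
check_p12() {
    p12=$1 want=$2
    # Decrypt the bundle and extract only the client certificate (no keys).
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) \
        || { echo "FAIL: cannot open $p12 (wrong passphrase or damaged file)"; return 1; }
    # The certificate must name the address you send mail from.
    printf '%s\n' "$cert" | openssl x509 -noout -email | grep -qixF "$want" \
        || { echo "FAIL: certificate is not issued to $want"; return 1; }
    # It must be usable for S/MIME signing.
    printf '%s\n' "$cert" | openssl x509 -noout -purpose | grep -q 'S/MIME signing : Yes' \
        || { echo "FAIL: certificate is not valid for S/MIME signing"; return 1; }
    # It must not have expired already.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
    echo "OK: $p12"
}

# make_sample_p12 DIR -> writes DIR/sample.p12 (constructed, self-signed test
# data standing in for a real InCommon bundle)
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=Sample User/emailAddress=user@example.edu" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/sample.p12" -passout env:P12_PASS
}

# Demo on constructed data only.
demo_dir=$(mktemp -d)
export P12_PASS='constructed-demo-passphrase'
make_sample_p12 "$demo_dir" && check_p12 "$demo_dir/sample.p12" user@example.edu
```

For a real bundle, export P12_PASS with your own passphrase and call check_p12 with the path to your .p12 or .pfx file and your email address.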


View a video about using digital signatures on Android devices.

Install your certificate


On Android devices, the following standard security notification may appear occasionally after installing new root certificates:

"A third party is capable of monitoring your network activity, including emails, apps, and secure websites. A trusted credential installed on your device is making this possible."

Option 1: Email the certificate files to yourself

  1. From your computer, send yourself an email message with your certificate.p12 or certificate.pfx file as an attachment.
  2. On your Android device, open the email message and tap the attached file to start the installation.
  3. Enter the PIN you used to encrypt the certificate file, and then tap OK.
  4. When prompted for a certificate name, enter a name to use as a label for your certificate, for example
  5. Next to "Credential use", make sure VPN and apps is selected.
  6. You should be prompted to finish installing the certificate by tapping OK or some other means.

When you are finished, your InCommon certificate should be listed among the trusted credentials in your device's security settings (on the Users tab at Settings > Security > Credential storage > Trusted credentials).

Option 2: Download the certificate files

If you tried installing the InCommon certificate by emailing the files to yourself and the InCommon certificate does not appear in your device's security settings, do the following:

  1. On your device's web browser, go to the site below and install the certificate:
  2. On the "Install Profile" screen, you will see the "Verified" certificate file to install. Tap Install.
  3. If you have a fingerprint scan or passcode, use it to verify and proceed. Your device may alert you that installing the profile changes settings on your device. Tap Install when you're given the option.
  4. Tap Done.

Apply your certificate

To configure your device's mail app to digitally sign outgoing Exchange email using your certificate, try one of the following sets of instructions. You may need to modify the steps slightly, depending on your device and version of Android.

Option 1

  1. In your email app, tap the Menu (usually three bars on the top left).
  2. Choose Settings (the cog wheel).
  3. Select your email account.
  4. Scroll down and tap Security options.
  5. Choose Email signing cert.
  6. Typically, the certificate (which you obtained by sending it via email) will be displayed. Tap Allow (not Install).
    On some Android devices, you may need to tap Install again (even if you've already installed the certificate), and then tap Allow.
  7. If you wish to sign all messages, select Sign all outgoing messages. You can instead do this on a message-by-message basis, if you wish.
  8. Tap Done, and use your back arrow to get back to your Inbox.

Option 2

  1. Access the "Security settings" screen for your account:
    1. On your device, open Settings, select Accounts, and then select the icon for the email app that's associated with your IU Exchange account.
    2. Select Account settings, and then select your IU Exchange account (which should be displayed below General settings).
    3. Scroll down to the "Server settings" section, and then select Security settings.
  2. On the "Security settings" screen:
    1. Select Certificates to open the "Choose certificate" screen, make sure the InCommon certificate you imported is selected, and then select Allow.
      On some Android devices, you may need to tap Install again (even if you've already installed the certificate), and then tap Allow.
    2. Under "Digital signature settings", check the Default digital signature box to digitally sign all IU Exchange account mail sent from your Android device. You can instead do this on a message-by-message basis, if you wish.

Digitally sign mail on a message-by-message basis

If you don't wish to digitally sign all your outgoing messages, you can do so on a message-by-message basis:

  1. Open a new message.
  2. In the upper right, tap the Settings menu (often three dots).
  3. Tap Security options, and the option to sign or remove signing from that message should be a radio button.

Configure optional encryption settings

Optionally, you can configure your device's mail app to encrypt outgoing IU Exchange account mail using your certificate. Android's default encryption setting will attempt to encrypt all mail sent from your account. If you do not have the public certificate belonging to the person to whom you are sending mail, that message will not be encrypted.

To enable encryption:

  1. If necessary, follow the steps in the previous section to return to the appropriate "Security settings" screen.
  2. Under "Encryption settings", check the Default encryption box.

Email clients that do not use S/MIME certificates cannot display encrypted email. These include OWA through Chrome, Firefox, and Safari; recipients who use one of these clients will be unable to view encrypted email. However, all mail clients can view digitally signed email.

Use a group account certificate

To use an S/MIME certificate with a group account, install and enable the certificate as you would for a standard account.

  • If the profile you are using in your email client is the group account, there should be no issues.
  • If the profile you are using in your email client is your personal account and you want to send email from the group account, in your email message, open the "From" field and enter the group account address. If your personal account has "send as" rights for the group account, there should be no issues. If you are unsure whether you have "send as" rights, contact your IT Pro.

This is document ahof in the Knowledge Base.
Last modified on 2021-09-21 15:59:10.