ARCHIVED: Use digital signatures for email on iOS devices

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

On this page:


Before you begin

Note:
These instructions are for the native iOS Mail program. S/MIME functionality in other apps is not currently supported at IU.

To view all the content available to you here, use the green Log in button at the top of this page to log into the Knowledge Base.

Note:

Due to enhanced security features in Exchange Online, digital signatures are no longer required at IU; however, digital signatures will continue to work as expected if you wish to continue using them.

At Indiana University, you can use ARCHIVED: S/MIME client certificates from the InCommon Certificate Service to digitally sign and/or ARCHIVED: encrypt email messages. For instructions on getting a client certificate, see ARCHIVED: Get an S/MIME client certificate for digital email signatures at IU. For information about potential issues affecting various applications and devices, see ARCHIVED: Known issues with using S/MIME client certificates to digitally sign or encrypt email at IU.

When you receive your client certificate from InCommon, it will be encrypted in the PKCS 12 format (.p12 or .pfx), using the strong passphrase ("PIN") you created for it at the time of request. You will need this passphrase to install the certificate.

To use S/MIME client certificates on an iPhone, iPad, or iPod touch, iOS 5.1 or later is required.

You should already have your certificate file from InCommon on your personal computer. If you are unable to find your certificate file, you can export it from the certificate management application for your computer. For export instructions, see ARCHIVED: Use digital signatures for email with Apple Mail and Outlook for macOS or Disable your client certificate.

View a video about using digital signatures on iOS devices.

Install on iOS

Note:
If you have renewed your certificate, you should first remove your expired certificate before installing the new one; see Remove a configuration profile in iOS or macOS
  1. Install the "InCommon RSA Standard Assurance Client CA" certificate on your iOS device; this allows your own certificate to appear as "Verified":
    1. On your iOS device, use Safari to go to the site below and install the certificate:
      
        http://cert.incommon.org/InCommonRSAStandardAssuranceClientCA.crt
      
      
    2. On the "Install Profile" screen, you will see the "Verified" certificate file to install. Tap Install.
    3. If you are using Touch ID or have a passcode set up, you'll have to verify that to proceed. You may also see a notice informing you that installing the profile will change settings on your device. Tap Install when you're given the option.
    4. Tap Done.
  2. From your computer, send yourself an email message with your certificate file as an attachment; it will be either a .p12 or .pfx file.
  3. On your iOS device, open the email message. Tap the attached file to start the installation.
  4. On the "Install Profile" screen, tap Install.
  5. If you are using Touch ID or have a passcode set up, you'll have to verify that to proceed. You may also see a notice informing you that installing the profile will change settings on your device. Tap Install when you're given the option.
  6. You may see a warning that the profile is not signed, but tap Install and then Install again.
  7. When prompted, enter the passphrase ("PIN") created when exporting the certificate. Tap Next, and then Done.

To check your profile, open the Settings app, then tap General, followed by Profiles. The certificate should have your name, and it should be checked as "Verified". If it's not, you may not have successfully installed the "InCommon Standard Assurance Client CA" certificate above.

Use client certificates in iOS Mail

Enabling these options will allow you to digitally sign all email sent from your device. You also have the option to send encrypted email.

Note:
You will only be able to digitally sign messages you send directly from the Mail app. Should you send a message using the share to mail function in a different app, such as Photos, it will not be signed.
  1. Access your account settings:
    • iOS 14: Go to Settings > Mail > Accounts.
    • iOS 12 and 13: Go to Settings > Password & Accounts.
    • iOS 11: Go to Settings > Accounts & Passwords.
    • Earlier versions: Go to Settings > Mail > Accounts.
  2. Select the email account associated with your certificate.
  3. Tap the Account button with your IU email address.
  4. On the "Account" screen, tap Advanced Settings, then switch the "S/MIME" setting on. The "Sign" and "Encrypt" options are off by default.
    • To enable digital signing, tap Sign, and then slide "Sign" to the on position. If your name is listed more than once under "Certificates", then you have installed multiple certificates on this device. Ensure the checkmark is next to the certificate with the most distant expiration date; to verify, tap the right arrow to view the certificate details.
    • The encryption option will attempt to encrypt all correspondence from your device. If you do not have the public certificate for a recipient, the email message will not be encrypted.

      To enable encryption, tap Encrypt, then slide "Encrypt by Default" to the on position. Make sure there's a check mark next to your name under "Certificates". If you do not want to encrypt all email you send from your device, do not enable encryption.

      Important:
      Email clients not using S/MIME client certificates will not be able to view encrypted email. Clients that cannot use S/MIME client certificates include Outlook on the web through any browser except Edge on Windows; recipients who use one of these clients will be unable to view encrypted email. However, all mail clients can view digitally signed email.
  5. Tap Advanced Settings.
  6. On the "Advanced Settings" page, tap Account to go back to the "Account" page.
  7. Tap Done to apply the settings.

Use a group account certificate

To use an S/MIME client certificate with a group account, install and enable the certificate as you would for a standard account.

Notes:
  • If the profile you are using in your email client is the group account, there should be no issues.
  • If the profile you are using in your email client is your personal account and you want to send email from the group account, in your email message, open the "From" field and enter the group account address. If your personal account has "send as" rights for the group account, there should be no issues. If you are unsure whether you have "send as" rights, contact your IT Pro.

Disable your certificate

  1. Access your account settings:
    • iOS 14: Go to Settings > Mail > Accounts.
    • iOS 12 and 13: Go to Settings > Password & Accounts.
    • iOS 11: Go to Settings > Accounts & Passwords.
    • Earlier versions: Go to Settings > Mail > Accounts.
  2. Select the email account associated with your certificate.
  3. Tap the Account button with your IU email address.
  4. On the "Account" screen, tap Advanced Settings.
  5. Tap Sign, and then slide "Sign" to the off position.
  6. On the "Sign" page, tap Back to go back to the "Advanced Settings" page.
  7. On the "Advanced Settings" page, tap Account to go back to the "Account" page.
  8. Tap Done to apply the settings.

This is document bcsu in the Knowledge Base.
Last modified on 2023-05-18 10:28:24.