Using digital signatures for email on iOS devices

You can use S/MIME certificates, also called "S/MIME Certs" or "Personal Certificates", with most email clients to digitally sign and/or encrypt email messages. At Indiana University, S/MIME certificates are provided by the InCommon Certificate Service. For instructions on getting a certificate, see Getting an S/MIME certificate for digital email signatures at IU.

When you receive your certificate from InCommon, it will be encrypted in the PKCS 12 format (.p12 or .pfx), using the strong passphrase ("PIN") you created for it at the time of request. You will need this passphrase to install the certificate.

Also, for details about potential issues with various devices and applications when using digital signatures, be sure to refer to Known issues with digitally signed email at IU.

To use S/MIME certificates on an iPhone, iPad, or iPod touch, iOS 5.1 or later is required.

You should already have your certificate file from InCommon on your personal computer. If you are unable to find your certificate file, you can export it from the certificate management application for your computer. For export instructions, see Using digital signatures for email with Apple Mail and Outlook for OS X or Using digital signatures for email with Microsoft Outlook for Windows.

Installing on iOS

Note:
If you have renewed your certificate, you should first remove your expired certificate before installing the new one; see In iOS and Mac OS X, how do I remove a configuration profile?
  1. Install the "InCommon Standard Assurance Client CA" certificate on your iOS device; this allows your own certificate to appear as "Verified":
    1. On your iOS device, use Safari to go to the sites below and install both certificates; the process is the same for each:

        http://cert.incommon.org/InCommonStandardAssuranceClientCA.crt
        http://cert.incommon.org/InCommonRSAStandardAssuranceClientCA.crt

    2. On the "Install Profile" screen, you will see the "Verified" certificate file to install. Tap Install.
    3. If you are using Touch ID or have a passcode set up, you'll have to verify that to proceed. You may also see a notice informing you that installing the profile will change settings on your device. Tap Install when you're given the option.
    4. Tap Done.
  2. From your computer, send yourself an email message with your certificate file as an attachment; it will be either a .p12 or .pfx file.
  3. On your iOS device, open the email message. Tap the attached file to start the installation.
  4. On the "Install Profile" screen, tap Install.
  5. If you are using Touch ID or have a passcode set up, you'll have to verify that to proceed. You may also see a notice informing you that installing the profile will change settings on your device. Tap Install when you're given the option.
  6. You may see a warning that the profile is not signed; tap Install, and then tap Install again.
  7. When prompted, enter the passphrase ("PIN") created when exporting the certificate. Tap Next, and then Done.

To check your profile, open the Settings app, then tap General, followed by Profiles. The certificate should have your name, and it should be checked as "Verified". If it's not, you may not have successfully installed the "InCommon Standard Assurance Client CA" certificate above.
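
The properties the device reports here (whose certificate it is, and whether it chains to the issuing CA) can also be confirmed on the computer before the .p12 or .pfx file is mailed. The following shell script is an added example, not part of the IU instructions; it uses the openssl command line, and the function names, the address user@example.edu, the passphrase, and the throwaway CA are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example. The passphrase is read from the P12_PASS environment
# variable so that it never appears on a command line.

# Print the end-entity certificate (never the private key) from a .p12/.pfx.
p12_leaf() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null
}

# p12_check FILE ADDRESS CA_FILE
# Returns 0 only if FILE opens with the passphrase, its certificate names
# ADDRESS, has not expired, and chains to the CA certificate in CA_FILE.
p12_check() {
    leaf=$(p12_leaf "$1") || { echo "cannot open $1 (wrong passphrase?)"; return 1; }
    echo "$leaf" | openssl x509 -noout -subject -enddate
    echo "$leaf" | openssl x509 -noout -email | grep -qixF "$2" ||
        { echo "certificate is not for $2"; return 2; }
    echo "$leaf" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 3; }
    echo "$leaf" | openssl verify -CAfile "$3" >/dev/null 2>&1 ||
        { echo "does not chain to $3"; return 4; }
    echo "ok"
}

# Build a constructed CA, user certificate and .p12 in directory $1 (sample data).
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Sample User/emailAddress=user@example.edu" \
        -keyout "$d/u.key" -out "$d/u.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/u.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/u.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/u.key" -in "$d/u.crt" \
        -passout env:P12_PASS -out "$d/u.p12"
}

tmp=$(mktemp -d)
P12_PASS='constructed-sample-passphrase'; export P12_PASS
make_sample "$tmp" && p12_check "$tmp/u.p12" user@example.edu "$tmp/ca.crt"
```

For a real file, set P12_PASS to your own passphrase and pass a PEM copy of the CA certificate installed in step 1 as the third argument.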

Using client certificates in iOS Mail

Enabling these options will allow you to digitally sign all email sent from your device. You also have the option to send encrypted email.

Note:
You will only be able to digitally sign messages you send directly from the Mail app. Should you send a message using the share to mail function in a different app, such as Photos, it will not be signed.
  1. Access your account settings:
    • iOS 11: Go to Settings > Accounts & Passwords.
    • Earlier versions: Go to Settings > Mail > Accounts.
  2. Select the email account associated with your certificate.
  3. Tap the Account button with your IU email address.
  4. On the "Account" screen, tap Advanced Settings, then switch the "S/MIME" setting on. The "Sign" and "Encrypt" options are off by default.
    • To enable digital signing, tap Sign, and then slide "Sign" to the on position. If your name is listed more than once under "Certificates", then you have installed multiple certificates on this device. Ensure the checkmark is next to the certificate with the most distant expiration date; to verify, tap the right arrow to view the certificate details.
    • The encryption option will attempt to encrypt all correspondence from your device. If you do not have the public certificate for a recipient, the email message will not be encrypted.

      To enable encryption, tap Encrypt, then slide "Encrypt by Default" to the on position. Make sure there's a check mark next to your name under "Certificates". If you do not want to encrypt all email you send from your device, do not enable encryption.
      Important:
      Email clients that do not use S/MIME certificates cannot display encrypted email. These include OWA through Chrome, Firefox, and Safari; recipients who use one of these clients will be unable to view encrypted email. However, all mail clients can view digitally signed email.

Using a group account certificate

To use an S/MIME certificate with a group account, install and enable the certificate as you would for a standard account.

Notes:
  • If the profile you are using in your email client is the group account, there should be no issues.
  • If the profile you are using in your email client is your personal account and you want to send email from the group account, in your email message, open the "From" field and enter the group account address. If your personal account has "send as" rights for the group account, there should be no issues. If you are unsure whether you have "send as" rights, contact your IT Pro.

This is document bcsu in the Knowledge Base.
Last modified on 2017-10-02 14:29:14.
