xca
Question: How to create S/MIME certificates
I'd like to use XCA to create an S/MIME-certificate to be used on iOS Mail (and probably others...), but even with what I think are the right key usages, it's not showing up as a certificate for encryption. Can someone please share some experience on this process?
You need to make sure to import the Self Signed CA you created to the device, and trust it. Then your user cert should show up for signing.
On Apr 12, 2022, at 04:13, Simon Fredriksson @.***> wrote:
I'd like to use XCA to create an S/MIME-certificate to be used on iOS Mail (and probably others...), but even with what I think are the right key usages, it's not showing up as a certificate for encryption. Can someone please share some experience on this process?
Certificates I use for persons look like this:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Subject Key Identifier:
        9F:***:CD
    X509v3 Authority Key Identifier:
        keyid:D7:***:0B
    X509v3 Key Usage:
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, Code Signing, E-mail Protection, Microsoft Individual Code Signing, Microsoft Encrypted File System, Microsoft EFS File Recovery, IPSec User, Microsoft Smartcard Login, EAP over PPP, EAP over Lan
    X509v3 Subject Alternative Name:
        email:a***9@2***n.io
    X509v3 CRL Distribution Points:
        Full Name:
            URI:http://2***n.io/2***0.crl
    Authority Information Access:
        CA Issuers - URI:http://2***n.io/2***0.crt
That's working with Thunderbird and K-9 Mail - but it allows more than just S/MIME encrypted/signed e-mails.
I guess that for e-mails alone, X509v3 Extended Key Usage: E-mail Protection would be sufficient, but I would still add at least TLS Web Client Authentication to allow TLS client authentication, just in case that might be needed in the future.
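An added example, not part of the original thread or of XCA: a small Python check that reads the extension block in the layout shown above and reports what would stop a certificate from being used for S/MIME signing and encryption, plus any extended key usages beyond the two the last comment suggests keeping. The function names, the sample text and the address are constructed for illustration.

```python
import re
# Constructed sample in the layout of `openssl x509 -noout -text`; not a real certificate.
SAMPLE = """\
X509v3 Basic Constraints:
    CA:FALSE
X509v3 Key Usage:
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Client Authentication, Code Signing, E-mail Protection
X509v3 Subject Alternative Name:
    email:alice@example.test
"""

def parse_extensions(text):
    """Map each extension name to the comma-separated values printed under it."""
    exts, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        header = re.match(r"(?:X509v3 )?([A-Za-z][A-Za-z ]+):(?: critical)?$", line)
        if header:
            current = header.group(1)
            exts[current] = []
        elif line and current:
            exts[current] += [v.strip() for v in line.split(",") if v.strip()]
    return exts

def audit_smime(text, address):
    """Return findings for an end-user S/MIME certificate; empty list means none."""
    exts = parse_extensions(text)
    ku = set(exts.get("Key Usage", []))
    eku = set(exts.get("Extended Key Usage", []))
    san = {v.lower() for v in exts.get("Subject Alternative Name", [])}
    findings = []
    if "CA:TRUE" in exts.get("Basic Constraints", []):
        findings.append("certificate is marked CA:TRUE")
    # An absent Key Usage / EKU extension places no restriction, so only check when present.
    if ku and not ku & {"Digital Signature", "Non Repudiation"}:
        findings.append("key usage does not permit signing")
    if ku and not ku & {"Key Encipherment", "Key Agreement"}:
        findings.append("key usage does not permit encryption")
    if eku and not eku & {"E-mail Protection", "Any Extended Key Usage"}:
        findings.append("extended key usage lacks E-mail Protection")
    # Assumption: the mail address is expected in the SAN, as in the dump above.
    if "email:" + address.lower() not in san:
        findings.append("no email SAN entry for " + address)
    extra = eku - {"E-mail Protection", "TLS Web Client Authentication"}
    if extra:
        findings.append("EKUs beyond e-mail/client auth: " + ", ".join(sorted(extra)))
    return findings
```

Calling `audit_smime(SAMPLE, "alice@example.test")` reports only the extra Code Signing usage; the same function accepts the flattened, unindented form of the dump as well.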