Below you will find step-by-step instructions on how to request an S/MIME certificate, install it on your Mac and then transfer it to your iPhone or iPad.
Tested in Jan. 2025 on macOS 15.3 Sequoia and iOS 18.3
Technical difficulty: Medium. – If you have any problems, please ask us.
What is the use of e-mail certificates?
An S/MIME certificate allows you to sign emails and send them encrypted if required. This increases the trust of your recipients in the authenticity of your messages and protects confidential content.
The validity period of an S/MIME certificate is one to two years. After this time, it must be renewed manually.
Prepare certificate request
- Open Keychain Management
In Finder, go to “Applications” → “Utilities” and open Keychain Management (the app is called “Keychain Access” on an English-language macOS). Enter your Mac password to open this app.
- Call up the certificate wizard
In the menu bar of the app, select “Keychain management” → “Certificate wizard” → “Request certificate from a certification authority …”.
- Fill in the form
Enter the e-mail address to be certified and your name. Leave the field below, for the certification authority’s e-mail address, blank.
Select the “Save to hard disk” option below and click “Continue”.
- …and “Continue” to save
Save the generated CSR file (Certificate Signing Request) on the “desktop” of the Mac.
This file contains the public part of your key, which the certification authority will need later; the private part stays in your keychain on the Mac.
Order certificate
We recommend the German provider sslplus.de in combination with the inexpensive certificate provider Certum from Poland. Both are based in the EU in compliance with data protection regulations and are relatively uncomplicated. We do not make money from these recommendations; we are customers ourselves and are simply sharing our personal experience. Our instructions should also work with other providers.
- Visit the SSLplus website
Visit sslplus.de and log in or create a new account.
- Search for S/MIME offers
Under “New offer” → “Buy”, search for “S/MIME certificates” → “Class1” certificates, or a higher protection class if you have high requirements. The differences are described there.
- Select the appropriate S/MIME certificate
Select the desired duration (e.g. up to two years). Select Certum as the provider. Then complete the order process.
- Complete the order
Once you have placed your order, you will find your process under “Orders”. First enter the desired e-mail and then click on the button on the right.
- Insert CSR in online form
Enter your e-mail address if it has not yet been entered automatically.
Now open the CSR file (the certificate request) previously saved on the “desktop” with a text editor (right mouse button > “Open with” > “other…” > “Textedit” or an alternative text editor app) and copy the entire contents of this file to the clipboard.
Paste the text you have just copied into the corresponding field on the website. If the input field appears red, remove any spaces at the beginning or end. If everything is correct, the field will appear green.
- Wait for email confirmation
You should receive a confirmation email with the link to download your certificate within a few minutes. Click on this link in the e-mail.
Install certificate on the Mac
- Download main certificate
You will see 2 blue links at the top. Click on “PEM” and save the certificate file with the extension “.cer” on the “Desktop”.
- Download Sub CA certificates
In addition to the personal certificate, Certum also provides so-called intermediate certificates (Sub CA) and, if necessary, a root certificate. To view these, open the lower part of the website using the arrow icon at the bottom right.
Download the “PEM” files to the “Desktop” here too.
- Drag into the keychain management
Open the “Keychain management” app again and drag all downloaded certificate files (your personal certificate file and the sub-CA or root certificates, all with the extension “.cer”) into the main window of the app.
- Check in “My certificates”
Click on “My certificates” in the keychain management on the left.
If your certificate is installed correctly, a green tick appears at the top of the view on some macOS versions when you select the certificate in the list.
- Red warning text “Trustworthiness”?
If a red warning text appears, you may need to install the missing, previously downloaded intermediate and root certificates (with the extension “.cer”) in the same way.
- Configure Apple Mail
Then open “Apple Mail” and navigate to the account settings for your email address. There you can now activate “Sign” and (if required) “Encrypt”.
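One way to check the files on the Desktop before dragging them into the keychain, as an added example that is not part of the original instructions: it confirms that the CSR holds no private key and that the downloaded PEM certificate carries the same public key and the e-mail address you ordered. It assumes the `openssl` command-line tool is available in Terminal; the function names and file paths are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page. File names are assumptions.

# Print the CSR without blank lines or leading/trailing whitespace,
# ready to paste into the order form (on a Mac, pipe into pbcopy).
normalize_csr() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# check_smime_files CSR CERT EMAIL
# Returns 0 only if CERT (PEM) was issued for the key in CSR and for EMAIL.
check_smime_files() {
    csr=$1 cert=$2 email=$3

    # The CSR must carry only the public half of the key pair.
    if grep -q 'PRIVATE KEY' "$csr"; then
        echo "stop: $csr contains a private key, do not upload it" >&2
        return 2
    fi

    # Same public key in both files means the certificate pairs with the
    # private key that stayed in the keychain.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 3
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    if [ -z "$csr_key" ] || [ "$csr_key" != "$cert_key" ]; then
        echo "mismatch: $cert was not issued for the key in $csr" >&2
        return 3
    fi

    # The address being certified must appear in the certificate.
    if ! openssl x509 -in "$cert" -noout -email | grep -qixF "$email"; then
        echo "mismatch: $cert is not issued for $email" >&2
        return 4
    fi

    # -checkend 0 fails if the certificate is already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "expired: $cert" >&2
        return 5
    fi
    return 0
}

# Example call (paths are placeholders):
# check_smime_files ~/Desktop/request.csr ~/Desktop/certificate.cer you@example.com
```

A return code of 3 usually means the certificate was issued for a different request, in which case it will not show up under “My certificates” after the import.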
Important for e-mail encryption:
To send encrypted emails, you first need the certificate for the recipient’s email address. This means that the recipient must also have S/MIME installed and activated.
Simply have your contact send you a digitally signed e-mail. The contact’s certificate is automatically saved in your keychain when you open the e-mail. You don’t have to do anything else.
You can now also send encrypted e-mails to this e-mail address of your contact.
You can recognize this by the fact that Apple Mail now offers the “Encryption” option when sending. Otherwise it remains hidden or inactive (gray).
Transfer certificate to iPhone or iPad
- Preparing the export from the keychain management
Open the keychain management on your Mac. Select “My certificates” and search for your newly installed S/MIME certificate; if necessary, open it with the small arrow to see the corresponding private key.
- Exporting the private key as .p12
Right-click on the certificate or private key.
Select “[Name of the certificate].p12 export …”.
Set a secure password that you can remember and is easy to type on the iPhone (you will need it later on the iPhone or iPad).
- Prepare iPhone
On your iPhone/iPad, open: Settings → General → VPN & Device Management.
(In older iOS versions, this menu item may be called “Profiles”.)
It is best to leave the iOS device unlocked and active so that the transfer of the certificate works smoothly.
- Send certificate file to iOS device
Connect your iPhone/iPad to the Mac via cable or use AirDrop to transfer the exported .p12 file to the iOS device. Make sure that your iPhone/iPad is unlocked during reception.
Another method is to send the file to yourself by email, open it on your device and click on the attachment with the certificate. However, note that sending it without encryption is less secure: the .p12 file contains your private key, protected only by the export password.
- Installation on iOS
Are you still in “VPN & Device Management” on the iPhone? You should see a pop-up when you receive it. Under “Select device”, select “iPhone”. Close the following message with “Close”.
Tap on the newly displayed profile/certificate.
Select “Install” (top right). If required, enter your device code (iPhone/iPad passcode).
Click on “Install” again.
Then enter the password that you assigned when exporting from the keychain management. This decrypts the private key.
- Red warning “Trustworthiness”?
If you still see a red warning about the certificate not being trustworthy, the corresponding root and intermediate certificates with the extension “.cer” are still missing (as explained above for the Mac installation).
Install them in the same way (export, transfer, install) so that the S/MIME certificate is fully accepted. No private key is needed here, so you will notice that some installation steps on the iPhone are omitted and it is very fast.
- Configuring the Mail app
Open Settings → Mail (or Passwords & Accounts, depending on the iOS version).
Select the relevant email account.
Go to Advanced settings (or a similar sub-item).
Activate Sign and check that the correct certificate is selected for Encrypt.
- Testing
Send a signed test e-mail to yourself or to a trusted contact person.
Make sure that the signature is displayed correctly and – if desired – that the encryption also works.
Good luck!
Notes on renewal
S/MIME certificates have a limited term, usually 1 to 2 years. After expiry, a renewal or new order is required.
Certificates with longer terms not only offer financial advantages through attractive discounts, but also make the renewal process less frequent.