Encrypted email on iOS5 / iPhone that works with Outlook and Exchange

So, like probably a few others, I use encrypted email on a typical Microsoft Outlook and Exchange system. And like probably many other office drones, I sometimes need to do work on the iPhone instead. The problem comes when you get an encrypted email titled “ACT ON THIS ASAP” and your iPhone just shows you an encrypted attachment (the smime.p7m blob) instead of the message!

So iOS 5 supports reading and sending encrypted emails in the native email client. It works quite well, and here’s how you set it up!

For the iPhone to be able to decrypt and encrypt, it needs your certificate together with its private key. It is installed like any other certificate, as a profile under Settings > General > Profiles. iOS recognises the PKCS #12 format, which has the file ending .p12 or sometimes .pfx; when such a file is opened on the device you are prompted to install it, so you can get it onto the phone like any other file: through a file management app, Dropbox, email or a website. Keep in mind what that file is, though: anyone who gets hold of it and knows or guesses the export password has your private key and can read every email ever encrypted to you. Pick a strong export password, avoid sending the file through the same plain email system where it can sit in Sent Items and mail archives, and delete every copy once the profile is installed.

Now, the challenging part of this is not installing the certificate but exporting it from wherever you currently have it. There are many settings and pitfalls if you export it yourself. (If your email provider already gives you a link or place to download a .p12 file, that makes things much easier.) A lot of people have their encrypted email auto-configured by their office environment, which means the secure email certificate sits among the other certificates on your computer. This is how you export it from Windows:

Open the Windows certificate manager. It can be reached through Internet Explorer > Internet Options > Content > Certificates; searching for “Certificates” in Chrome’s settings lands in the same dialog, and so does running certmgr.msc. You’ll often find yourself with several certificates and be unsure which one to export. That can turn into a long trial-and-error process if you don’t do it right. Here’s what works for me:

At the top, set “Intended Purpose” to “Secure Email”. This should reduce the list to one or a few certificates. If you still have several to choose from, or if none is listed under Secure Email, go to Outlook and find your most recent encrypted email. Open it and click the padlock icon. Choose “Encryption Layer”, then “View Details”, then “View Certificate”. This identifies the certificate, for example by expiry date or serial number, so you can hunt down the right one in the list. Before you export, double-check under View > Details that the “Key Usage” property includes Key Encipherment, which is what allows the certificate to be used for encrypting and decrypting mail. A certificate whose Key Usage is only Digital Signature will let you sign, but not read encrypted email.

Now click Export on the selected certificate. Say yes to exporting the private key and choose a password (any password; it does not have to be the one you normally use for encrypted email). You will need this password when installing the certificate in iOS. Select the format “Personal Information Exchange – PKCS #12 (.PFX)”. You do not need any of the additional options, but make sure “Delete the private key if the export is successful” stays unchecked, or Outlook will no longer be able to read your encrypted mail. And make a note of where you save the file!
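The same selection and export, done from PowerShell instead of clicking through the wizard. This is an added example and not part of the original post; it assumes the certificate lives in the current user’s personal store (Cert:\CurrentUser\My), that its private key was imported as exportable (otherwise Windows refuses the export, exactly as the wizard would), and that the optional -SerialFromOutlook value is the serial number read off the “Encryption Layer” certificate in Outlook. It applies the filter described above (Secure Email purpose, Key Encipherment key usage, private key present, not expired), writes a password-protected .p12, and then re-opens the file to confirm the private key actually made it in.

```powershell
# Added example, not from the original post: find the S/MIME encryption
# certificate in the current user's personal store and export it, private
# key included, to a password-protected PKCS #12 (.p12) that iOS can import.
# Assumptions: certificate in Cert:\CurrentUser\My, private key marked
# exportable, -SerialFromOutlook optionally taken from Outlook's
# "Encryption Layer" certificate view.

param(
    [string]$OutFile = "$env:USERPROFILE\Desktop\smime-encryption.p12",
    [string]$SerialFromOutlook = ''   # leave empty to match on usage alone
)

$secureEmailOid  = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection, shown as "Secure Email"
$keyEncipherment = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment

# The filter the post does by hand in certmgr: Secure Email purpose, a Key
# Usage that allows encrypting the message key, a private key, not expired.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $cert.HasPrivateKey -and
    $cert.NotAfter -gt (Get-Date) -and
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $secureEmailOid }) -and
    $ku  -and (($ku.KeyUsages -band $keyEncipherment) -ne 0)
}

# Disambiguate with the serial number from Outlook if more than one matches.
if ($SerialFromOutlook) {
    $wanted = ($SerialFromOutlook -replace '\s', '').ToUpper()
    $candidates = $candidates | Where-Object { $_.SerialNumber -eq $wanted }
}

if (@($candidates).Count -ne 1) {
    $candidates | Format-Table Subject, SerialNumber, NotAfter -AutoSize
    throw "Expected exactly one matching certificate, found $(@($candidates).Count). Use -SerialFromOutlook to pick one."
}
$cert = $candidates | Select-Object -First 1

# Password protects the .p12 in transit; iOS asks for it on install.
$password = Read-Host -AsSecureString 'Password to protect the exported .p12'

# X509Certificate2.Export with Pfx writes certificate + private key; it
# throws if the key is not exportable, like the wizard's greyed-out option.
$pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
$bytes = $cert.Export($pfxType, $password)
[IO.File]::WriteAllBytes($OutFile, $bytes)

# Re-open the file the way iOS will and make sure the private key came along;
# a certificate-only file installs fine but can never decrypt anything.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile, $password, $flags
if (-not $check.HasPrivateKey) {
    Remove-Item $OutFile
    throw 'Exported file contains no private key; iOS would not be able to decrypt with it.'
}

"Exported {0} (serial {1}, valid until {2}) to {3}" -f $check.Subject, $check.SerialNumber, $check.NotAfter, $OutFile
```

Run it as a script from a normal (non-elevated) PowerShell prompt, since the certificate is in the user store, and delete the .p12 from the desktop once the profile is on the phone. The export step uses the .NET X509Certificate2.Export method rather than Export-PfxCertificate so it also works on Windows 7 era machines without the PKI module.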

Then transfer or email the .p12/.pfx file to your iOS device and tap it. Choose Install and follow the prompts, entering the export password when asked. Then go to the mail account’s settings, scroll down to the Advanced section and turn on S/MIME. That alone lets you read incoming encrypted email.

If you also enable Sign or Encrypt, your outgoing email is signed or encrypted as well. Encryption only works when the recipient’s public key can be looked up, e.g. through the Exchange server the mail account is associated with. Recipients outside of that (e.g. from another organisation) are marked red and the email to them is not encrypted. Even if you are not going to encrypt outgoing email, it’s worth opening the Encrypt setting to check that your newly installed certificate shows up there; if it doesn’t, you installed the wrong certificate and it will not let you read encrypted email either.

Now, go ahead and read and send encrypted email with your iOS5 device!

UPDATE: I wrote this article because I couldn’t find the right information myself, but here is at least one article that shows most of the steps – except the Outlook export step. http://feinstruktur.com/blog/2011/12/12/using-smime-on-ios-devices.html