Installing digital certificates on iOS 5 (for iPhone, iPad, and iPod Touch)
Note: Because installing your digital certificate gives anyone with access to your iOS device the ability to decrypt your encrypted emails, enabling a secure passcode to protect your device is extremely important. Please, at a minimum, implement steps 1-7 from the Apple iOS Hardening Checklist before installing digital certificates on your iOS device.
Installing the certificate
Transfer the certificate to your iOS 5 device. You can email the encrypted p12 file to yourself or download the p12 file directly from Stache.
Select the p12 file once you have access to it. iOS will automatically attempt to install the p12 file as a profile.
Click the Install button. You will get a warning that the profile is unsigned, but click OK.
Enter your device's passcode, then enter the password for the p12 file, and click Next.
Click Done on the final screen to complete the profile installation.
Configuring your device to read encrypted email
Go to the Mail, Contacts, Calendars control panel, then select your Exchange account under Accounts.
Select the Account setting at the top. Scroll down to the S/MIME section and make sure the S/MIME option is set to ON. This allows you to read encrypted emails sent to you.
Note: If you are using an existing ActiveSync Exchange profile provided by ITS, the S/MIME button will be grayed out and you will not be able to change it. Uninstall the current ActiveSync profile and set up your account manually. Alternatively, you can also create your own ActiveSync profile with your certificates already included by following the instructions on the ISO Wiki.
Turning on email signing
Select the Sign setting and make sure the Sign option is set to ON. Your certificate will likely already be listed with a check mark next to it. If you have multiple certificates installed, select the appropriate one.
Note: This will digitally sign all outbound emails from this account. Messages cannot be signed on a per-message basis.
Encrypting outgoing email
Go to the Account settings and then select the Encrypt setting.
Make sure that the Encrypt option is set to ON. Your certificate should already be listed with a check mark next to it. If you have multiple certificates installed, select the appropriate one.
Note: This will encrypt all outbound emails from this account to users for whom you have a certificate. Messages cannot be encrypted on a per-message basis.
Go back to the Account setting and click Done.
Sending encrypted emails
If you attempt to send an email to someone for whom a certificate does not exist, either in the global directory on Exchange or locally installed on your device, that address will appear in red with an unlocked lock.
You can select the address to get more information on the certificate problem.
If you attempt to send an email to someone for whom you have a certificate, either in the global directory on Exchange or locally installed on your device, their address will show in blue with a closed lock. Again, you can select the address to get more information on their certificate.
Certificates for other users can be obtained in several ways:
- The Exchange Global Address List (GAL)
- If they send you a signed email and include their certificate.
- If you obtain their certificate through another means, such as getting it from http://www.utexas.edu/directory/.
If you obtain a user's certificate via the third option, you will have to install it on your device:
Click the link to, or the file for, the certificate. This will launch an installation dialog.
Click Install to install the certificate.
If you are prompted because the profile is unsigned/unverified, click Install Now to continue.
Last updated January 6, 2015 @ 3:04 pm