S/MIME Email Certificates: Sign and Encrypt Email

How to create S/MIME certificates for email signing and encryption. Generate test certificates with getaCert.com, configure Outlook, Apple Mail, and Thunderbird, and understand the trust model.


What Is S/MIME?

S/MIME (Secure/Multipurpose Internet Mail Extensions) lets you digitally sign and encrypt email. A signed email proves you sent it and that it wasn't altered in transit. An encrypted email can only be read by the intended recipient.

S/MIME uses X.509 certificates -- the same technology behind HTTPS -- but with extensions specific to email.

Certificate Requirements for S/MIME

An S/MIME certificate needs three things beyond a normal SSL certificate:

  1. Key Usage: digitalSignature and keyEncipherment
  2. Extended Key Usage: emailProtection (OID 1.3.6.1.5.5.7.3.4)
  3. Subject Alternative Name: Your email address as an RFC822 (email) entry

Without these extensions, email clients will reject the certificate for signing or encryption.

Generate an S/MIME Certificate with getaCert.com

getaCert.com automatically adds S/MIME extensions when you include an email address in your certificate. Here's how:

Self-Signed (for testing)

  1. Go to getaCert.com/selfsign
  2. Fill in:
     - Common Name: Your name (e.g., David McCulloch)
     - Email Address: Your email (e.g., david@example.com)
     - Organization: Optional
  3. Choose your key type and validity period
  4. Click Generate Certificate
  5. Download the .p12 (PKCS#12) file -- this is what email clients import

The generated certificate will include:
  - extendedKeyUsage: clientAuth, serverAuth, emailProtection
  - subjectAltName: email:david@example.com
  - emailAddress=david@example.com in the subject

CA-Signed (for testing trust chains)

  1. Go to getaCert.com/casign
  2. Fill in the same fields with your email address
  3. Download both the .p12 file and the getaCert CA certificate
  4. Install the CA certificate as a trusted root on any machines that need to verify signatures

Import into Email Clients

Apple Mail (macOS / iOS)

  1. Double-click the .p12 file to open it in Keychain Access
  2. Enter the password: password (getaCert.com default)
  3. The certificate appears in your login keychain
  4. Open Mail, compose a new message -- you'll see a lock icon (encrypt) and a checkmark icon (sign) in the toolbar
  5. If the certificate email matches your Mail account email, signing is automatic

Microsoft Outlook (Windows)

  1. Go to File > Options > Trust Center > Trust Center Settings > Email Security
  2. Click Import/Export
  3. Browse to your .p12 file, enter the password
  4. Under Encrypted email, click Settings
  5. Choose your imported certificate for both Signing Certificate and Encryption Certificate
  6. Click OK -- new emails will show Sign and Encrypt buttons

Microsoft Outlook (macOS)

  1. Double-click the .p12 file to add it to Keychain Access
  2. In Outlook, go to Tools > Accounts, select your account
  3. Click Security and select your certificate for signing and encryption

Mozilla Thunderbird

  1. Go to Account Settings > End-to-End Encryption
  2. Under S/MIME, click Manage S/MIME Certificates
  3. Click Import and select your .p12 file
  4. Enter the password
  5. Back in the account settings, select the certificate for Digital Signing and Encryption
  6. New emails will have S/MIME sign/encrypt options in the compose window

Gmail (Web)

Gmail's web interface does not support S/MIME for personal accounts. S/MIME is only available with Google Workspace Enterprise plans. You can use a desktop client like Thunderbird with your Gmail account to send S/MIME-signed email.

The Trust Problem

Here's the important caveat: getaCert.com certificates are not trusted by default. Recipients will see an "unknown signer" or "untrusted certificate" warning unless they install the getaCert CA certificate.

This makes getaCert.com certificates perfect for:
  - Testing S/MIME workflows before buying a commercial certificate
  - Internal teams where everyone installs the getaCert CA
  - Development of email systems that handle S/MIME
  - Learning how S/MIME works hands-on

For production email signing without warnings, you need a certificate from a publicly trusted CA.

Free Trusted S/MIME Certificates

Provider        Free Tier          Trust Level           Notes
Actalis         Yes (1 year)       Publicly trusted      One of the few remaining free options
SSL.com         Basic (limited)    Publicly trusted      Free basic email cert
Let's Encrypt   No S/MIME          N/A                   Only issues server certificates
getaCert.com    Yes                Requires CA install   Unlimited, great for testing

How S/MIME Signing Works

When you sign an email:

  1. Your email client computes a hash of the message body
  2. The hash is encrypted with your private key (from the .p12 file)
  3. The encrypted hash (signature) and your public certificate are attached to the email
  4. The recipient's email client decrypts the hash using your public key from the certificate
  5. It computes its own hash of the message and compares -- if they match, the signature is valid
  6. It checks the certificate chain to see if your certificate is trusted

How S/MIME Encryption Works

Encryption requires the recipient's public certificate (not yours):

  1. You need the recipient's S/MIME certificate (usually received when they send you a signed email)
  2. Your email client encrypts the message with the recipient's public key
  3. Only the recipient's private key can decrypt it
  4. This means even you can't read the sent email afterward (unless you encrypt to yourself too)

For two-way encrypted communication, both parties need S/MIME certificates.

Verify Your Certificate Has S/MIME Extensions

After generating a certificate, use the Certificate Decoder to verify it has the right extensions. Paste your PEM certificate and look for:

X509v3 Extended Key Usage:
    TLS Web Client Authentication, TLS Web Server Authentication, E-mail Protection
X509v3 Subject Alternative Name:
    DNS:..., email:you@example.com

Or from the command line:

openssl x509 -in cert.pem -noout -text | grep -A2 "Extended Key Usage"
openssl x509 -in cert.pem -noout -text | grep -A2 "Subject Alternative Name"
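The certificate requirements, the signing and encryption walkthroughs, and the extension check above, exercised end to end in a shell script added here as an example. It is not code from getaCert.com or from this guide; it assumes only an openssl binary (1.1.1 or newer, for -addext) on PATH, and the names, addresses (alice@example.com, bob@example.com) and message body in it are constructed.

```shell
#!/bin/sh
# Added example, not getaCert.com's code: generate self-signed S/MIME certificates
# with OpenSSL, check them for the three extensions the guide requires, then run the
# sign/verify and encrypt/decrypt steps an email client performs internally.
# Assumes only an `openssl` binary (1.1.1 or newer, for -addext) on PATH; the names,
# addresses (alice@example.com, bob@example.com) and message body are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private key plus self-signed certificate carrying keyUsage, extendedKeyUsage=
# emailProtection and an rfc822 subjectAltName. $1 = file prefix, $2 = name, $3 = email
make_smime_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=$2/emailAddress=$3" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=emailProtection" \
        -addext "subjectAltName=email:$3" >/dev/null 2>&1
}

# Returns 0 only when all three S/MIME requirements are present for the address;
# otherwise names the missing pieces on stderr. $1 = certificate, $2 = email
check_smime_ext() {
    text=$(openssl x509 -in "$1" -noout -text)
    missing=""
    echo "$text" | grep -A1 "X509v3 Key Usage" | grep -q "Digital Signature" \
        || missing="$missing digitalSignature"
    echo "$text" | grep -A1 "X509v3 Key Usage" | grep -q "Key Encipherment" \
        || missing="$missing keyEncipherment"
    echo "$text" | grep -A1 "X509v3 Extended Key Usage" | grep -q "E-mail Protection" \
        || missing="$missing emailProtection"
    echo "$text" | grep -A1 "X509v3 Subject Alternative Name" | grep -q "email:$2" \
        || missing="$missing subjectAltName(email:$2)"
    [ -z "$missing" ] && return 0
    echo "missing:$missing" >&2
    return 1
}

# Sign: hash the body, sign the hash with the sender's private key, attach signature
# and certificate as multipart/signed. $1 = signer prefix, $2 = body, $3 = output
sign_message() {
    openssl cms -sign -in "$2" -out "$3" -signer "$1.crt" -inkey "$1.key" -text
}

# Verify: recompute the hash, check it against the signature with the public key from
# the attached certificate, then validate that certificate against the trust anchor.
# $1 = trusted CA (here the self-signed certificate itself), $2 = signed message
verify_message() {
    openssl cms -verify -in "$2" -CAfile "$1" -out /dev/null >/dev/null 2>&1
}

# Encrypt to one or more recipient certificates; only their private keys can open it.
# $1 = plaintext, $2 = output message, remaining args = recipient certificates
encrypt_message() {
    enc_in=$1; enc_out=$2; shift 2
    openssl cms -encrypt -aes256 -binary -in "$enc_in" -out "$enc_out" "$@"
}

# Decrypt with a recipient's private key. $1 = recipient prefix, $2 = message, $3 = output
decrypt_message() {
    openssl cms -decrypt -in "$2" -out "$3" -recip "$1.crt" -inkey "$1.key" >/dev/null 2>&1
}

# Compare two text files ignoring CR/LF differences from S/MIME canonicalization
same_text() {
    [ "$(tr -d '\r' < "$1")" = "$(tr -d '\r' < "$2")" ]
}

# Walk the whole flow once; with set -e any step that misbehaves aborts the script.
run_demo() {
    d=$WORK
    make_smime_cert "$d/alice" "Alice Example" alice@example.com
    make_smime_cert "$d/bob"   "Bob Example"   bob@example.com
    check_smime_ext "$d/alice.crt" alice@example.com
    printf 'Hello Bob, the invoice is attached.\n' > "$d/body.txt"
    sign_message "$d/alice" "$d/body.txt" "$d/signed.eml"
    verify_message "$d/alice.crt" "$d/signed.eml"            # intact: signature valid
    sed 's/invoice/refund/' "$d/signed.eml" > "$d/tampered.eml"
    if verify_message "$d/alice.crt" "$d/tampered.eml"; then
        echo "tampered message verified; should not happen" >&2; return 1
    fi
    encrypt_message "$d/body.txt" "$d/to_bob.eml" "$d/bob.crt"
    decrypt_message "$d/bob" "$d/to_bob.eml" "$d/bob_read.txt"
    same_text "$d/body.txt" "$d/bob_read.txt"                # Bob can read it
    if decrypt_message "$d/alice" "$d/to_bob.eml" "$d/alice_read.txt"; then
        echo "sender decrypted a message encrypted only to Bob" >&2; return 1
    fi
    # Encrypting to yourself as well keeps a readable copy of what you sent.
    encrypt_message "$d/body.txt" "$d/to_both.eml" "$d/bob.crt" "$d/alice.crt"
    decrypt_message "$d/alice" "$d/to_both.eml" "$d/alice_copy.txt"
    same_text "$d/body.txt" "$d/alice_copy.txt"
}

run_demo
echo "every S/MIME step behaved as expected"
```

Run it as sh smime_demo.sh. check_smime_ext is the scripted form of the openssl | grep check above and reports exactly which of the three requirements is absent; the tampered-message step shows the hash mismatch the signing section describes, and the wrong-recipient step shows why the sender cannot read a message encrypted only to the recipient unless they also encrypt to themselves.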

Generate via API

Portal key holders can generate S/MIME certificates programmatically:

curl -X POST https://getacert.com/api/v1/self-signed \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer gac_YOUR_PORTAL_KEY" \
  -d '{
    "cn": "David McCulloch",
    "email": "david@example.com",
    "key_type": "rsa2048",
    "days": 365
  }'

The email field triggers S/MIME extensions automatically -- no extra configuration needed.

Troubleshooting

"Certificate not valid for email signing"

The certificate is missing the emailProtection extended key usage. Make sure you entered an email address when generating the certificate on getaCert.com.

"Email address doesn't match"

The email in the certificate must exactly match the email account you're sending from. Check the Subject Alternative Name and the emailAddress in the subject.

"Untrusted certificate" / "Unknown signer"

The recipient doesn't trust the getaCert CA. Either:
  - Send them the CA certificate to install
  - Use a certificate from a publicly trusted CA like Actalis for production

Can't find the certificate in Outlook/Mail

Make sure you imported the .p12 file (not the .pem or .cer). The .p12 contains both the certificate and private key, which is required for signing.
