Configuring your Mac for secure email

Get an X.509 certificate

If you are at Georgetown, ask UIS by sending an email to If you are not at Georgetown, ask your IT support people for an X.509 S/MIME signing and encryption certificate. If getting your institution to issue a certificate is not an option, my favorite place to get a free email certificate is Actalis.

Install the certificate and enjoy

If you get the certificate from Actalis, just follow their instructions, restart, and check off the seal (signing) or padlock (encrypting) on the right hand side of the message composition window. Note that to encrypt, you need the recipient’s public key. If they send you a signed or encrypted email, MacOS will automatically store it for you. You can see that in your address book. If you have someone’s public email key, there will be a little certificate icon next to their email address in the address book.

If you get the certificate from UIS, import it into Keychain, and you will be ready to encrypt or sign messages.

Apple Support

A not bad, but not great resource is

Don’t forget PGP

After all that, if you have taken any of my courses, you will know there are fatal flaws in X.509, some of which require certificate pinning to mitigate. So, the next best thing is PGP. Where do you get that from? Check out GPGtools.