How To Encrypt Mails With SSL Certificates (S/MIME) - Page 3

4.2 Evolution

The procedure is almost the same for the Evolution client. Go to Edit > Preferences:

 

4.2.1 Import a Self Signed Certificate

Open the Certificates section on the left, select the Your Certificates tab and click on Import.

Browse to the certificate you need and import it. You will be asked for the certificate key:

And then for the export password of the .p12 file.

That's it for single certificates. You only need the next step if you created a certificate authority.

 

4.2.2 Import CA Signed Certificates

In the Preferences window, go to the Authorities tab and click on Import.

Browse to the CA .crt file that you want to import and import it. You'll be asked how far you want to trust it - since you're using it to verify emails, activate Trust the CA to identify email users and hit OK:

4.2.3 Assign the Certificate to an Account and Encrypt a Mail

Before you can sign and encrypt mails, you have to assign the certificate you just imported to an account - to do that, go to Edit > Preferences, Mail Accounts, select the account you want to assign a certificate to and click Edit:

Go to the Security tab and click Select... next to the Signing certificate and Encryption certificate fields in the Secure MIME (S/MIME) section:

In the window that appears, select the desired certificate from the drop-down menu and hit OK:

If you compose a new email, you can now select the menu items S/MIME Sign and S/MIME Encrypt from the Options menu in the new mail window:

The indicator symbol for a signed mail looks as follows. An extra string is shown if the mail is also encrypted:

 

5 Links


Comments

From: Anonymous at: 2011-12-16 20:42:01

Many, many thanks. This article helped me too much.

From: Anonymous at: 2011-12-16 20:48:45

Hi there,

Here are a couple notes regarding my experience with self-created Class1 certs for e-mail.

1: When you go to create the client cert, it is good practice to add the correct x509 extensions. Create a file called client.cnf and add the following:

[user@host]$ cat client.cnf 
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

Now we can sign the certificate:

openssl x509 -req -days 36500 -in your_client_cert.csr -CA your_ca.crt -CAkey your_CA_private.key -CAcreateserial -out your_client.crt -extfile client.cnf -extensions ssl_client

 Now that you have a client cert and key pair, you want to import it into a P12.  It may be necessary to include the CA into the P12 so that recipients can add it to their CA truststore:

openssl pkcs12 -export -in your_client.crt -inkey your_client_private.key -out your_client.pfx -name "Your Name" -CAfile your_ca.crt -caname "Your CA Name" -chain

 One very important note:  "Your Name" and "Your CA Name" are the aliases used in the PKCS12 store.  These aliases MUST be greater than one character long, else Sun/Oracle will fail to find the certificates in the store (refer to the code for sun.security.util.ObjectIdentifier).  Using aliases/names like "1" or "2"  will cause you random and insanely hard to resolve issues down the line.
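
The signing and export steps discussed in the comment above, carried through end to end as an added example; it is not part of the original article and is not the commenter's own code. It assumes a throwaway CA, the emailProtection extended key usage for S/MIME, and constructed file names, subject names, address and password.

```shell
#!/bin/sh
# Added example: throwaway CA -> CA-signed S/MIME certificate -> PKCS#12 with chain.
# File names, subject names, the address and the password are constructed.

build_smime_p12() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF' || return 1
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo Mail CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ smime_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.test
EOF
    # Self-signed CA certificate, then the user's key and signing request.
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -new -config "$d/demo.cnf" -subj "/CN=Alice Example" -newkey rsa:2048 \
        -nodes -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null || return 1
    # Issue the certificate from the CA; -CA/-CAkey sets the CA as issuer.
    openssl x509 -req -days 30 -in "$d/alice.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/demo.cnf" -extensions smime_client \
        -out "$d/alice.crt" 2>/dev/null || return 1
    # Bundle key, certificate and CA chain; both aliases exceed one character.
    openssl pkcs12 -export -in "$d/alice.crt" -inkey "$d/alice.key" \
        -name "Alice Example" -CAfile "$d/ca.crt" -caname "Demo Mail CA" -chain \
        -passout pass:demo-only -out "$d/alice.p12" || return 1
}

check_smime_p12() {
    d=$1
    # The certificate must chain to the CA and pass both S/MIME purpose checks.
    openssl verify -CAfile "$d/ca.crt" -purpose smimesign "$d/alice.crt" \
        >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$d/ca.crt" -purpose smimeencrypt "$d/alice.crt" \
        >/dev/null 2>&1 || return 1
    # Print the number of certificates in the .p12 (user certificate + CA).
    openssl pkcs12 -in "$d/alice.p12" -passin pass:demo-only -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
```

Run build_smime_p12 against an empty scratch directory, then check_smime_p12 on the same directory; it prints 2 when the bundle carries both the user certificate and the CA certificate.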

From: Martin at: 2013-07-13 23:21:52

Thanks a lot for that article! I tried to give smime a try but I was not successful so far. Your article saved me a lot of time and worked perfectly on my first try!

From: Anonymous at: 2013-10-15 20:43:39

Hi

The second method generates p12 keys that have "00" as serial. I think that this is a problem.

Thanks