Generating Self-Signed S/MIME Certificates for Email Encryption: OpenSSL Guide for Developers

Yes, you can absolutely create your own S/MIME certificate without relying on a Certificate Authority (CA). While CA-issued certificates provide trust validation in the broader ecosystem, self-signed certificates work perfectly for personal use or testing environments. Here's how to do it with OpenSSL:

Before we begin, ensure you have:

  • OpenSSL installed (comes pre-installed on macOS)
  • Terminal access
  • Basic understanding of PKI concepts

First, let's generate a private key (we'll use 2048-bit RSA for compatibility):

openssl genrsa -out private.key 2048

Next, create a certificate signing request (CSR):

openssl req -new -key private.key -out cert.csr \
-subj "/CN=Your Name/emailAddress=your@email.com/O=Your Organization"

Now generate the actual certificate (valid for 365 days):

openssl x509 -req -days 365 -in cert.csr -signkey private.key -out certificate.crt

Most email clients (including Apple Mail) require certificates in PKCS#12 format:

openssl pkcs12 -export -inkey private.key \
-in certificate.crt -out smime.p12

1. Double-click the smime.p12 file
2. Enter the export password you set
3. Add to your login keychain
4. In Mail > Preferences > Accounts, select your account
5. Go to Advanced and select your certificate

Send an encrypted email to yourself to verify everything works. Remember that correspondents will need to import your self-signed certificate (which carries your public key) before they can exchange encrypted messages with you.
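An offline version of that self-test, added here as an example rather than taken from the original article. It assumes `openssl` 1.1.1 or newer on PATH (the LibreSSL build that ships with macOS may lack the `cms` subcommand; `openssl smime` accepts the same flags used here), and the name, address, export password and file names are placeholders. It goes one step beyond the commands above: the bare `openssl x509 -req -signkey` command writes no X.509v3 extensions, so the script feeds the ones mail clients look for (the emailProtection extended key usage, the address as a subjectAltName, and the key usage bits) through a small config file, then checks the result by signing, verifying, encrypting and decrypting a message with the new key pair.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a self-signed
# S/MIME certificate that carries the extensions mail clients check, packs it
# as PKCS#12, and proves the key pair works with an offline CMS round trip.
# Assumptions: openssl 1.1.1 or newer on PATH; the name, address, password
# and file names below are placeholders invented for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EMAIL="alice@example.test"
P12_PASS="example-export-password"

# Minimal OpenSSL config: subject fields plus the X.509v3 extensions for S/MIME.
write_smime_config() {
  cat > "$WORK/smime.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = smime

[ dn ]
CN = Alice Example
emailAddress = $EMAIL

[ smime ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$EMAIL
subjectKeyIdentifier = hash
EOF
}

# Key and self-signed certificate in one step; -nodes leaves the private key
# unencrypted on disk, as the article's genrsa step does too.
make_self_signed_smime() {
  write_smime_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/smime.cnf" \
    -keyout "$WORK/private.key" -out "$WORK/certificate.crt" 2>/dev/null
}

# Export to PKCS#12 without a prompt (the article's command asks for the password).
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/private.key" -in "$WORK/certificate.crt" \
    -out "$WORK/smime.p12" -passout "pass:$P12_PASS"
}

# Check that the certificate really carries the S/MIME extensions.
cert_has_smime_extensions() {
  text=$(openssl x509 -in "$WORK/certificate.crt" -noout -text)
  echo "$text" | grep -q "E-mail Protection" &&
    echo "$text" | grep -q "email:$EMAIL"
}

# Check the PKCS#12 file: a wrong password must fail, the right one must succeed.
pkcs12_is_valid() {
  ! openssl pkcs12 -in "$WORK/smime.p12" -noout -passin "pass:wrong" 2>/dev/null &&
    openssl pkcs12 -in "$WORK/smime.p12" -noout -passin "pass:$P12_PASS" 2>/dev/null
}

# Offline stand-in for "send an encrypted email to yourself": sign and verify,
# then encrypt to the certificate and decrypt with the private key.
cms_round_trip() {
  printf 'hello from the added example\n' > "$WORK/msg.txt"
  openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/certificate.crt" \
    -inkey "$WORK/private.key" -out "$WORK/msg.signed"
  # The self-signed certificate is its own trust anchor, so it doubles as CAfile.
  openssl cms -verify -in "$WORK/msg.signed" -CAfile "$WORK/certificate.crt" \
    -out "$WORK/msg.verified" 2>/dev/null
  openssl cms -encrypt -aes256 -in "$WORK/msg.txt" -out "$WORK/msg.enc" \
    "$WORK/certificate.crt"
  openssl cms -decrypt -in "$WORK/msg.enc" -inkey "$WORK/private.key" \
    -recip "$WORK/certificate.crt" -out "$WORK/msg.dec"
  grep -q "hello from the added example" "$WORK/msg.verified" &&
    grep -q "hello from the added example" "$WORK/msg.dec"
}

run_all() {
  make_self_signed_smime && make_pkcs12 && cert_has_smime_extensions &&
    pkcs12_is_valid && cms_round_trip
}

run_all && echo "self-signed S/MIME certificate OK in $WORK"
```

`pkcs12_is_valid` is the non-interactive counterpart of `openssl pkcs12 -info`. If an older keychain or Windows build refuses the resulting .p12, the usual cause is that OpenSSL 3.x defaults to AES-256 with PBKDF2 for the PKCS#12 encryption; the `-legacy` option of `openssl pkcs12 -export` falls back to the older algorithms those importers understand.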

  • Self-signed certificates will show security warnings in most clients
  • Not suitable for business communications where trust validation is required
  • You'll need to manually exchange certificates with correspondents
  • Consider setting up a simple CA if you need certificates for multiple devices

If you need certificates for multiple devices, here's a minimal CA setup:

# Create CA key and cert
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.crt \
-subj "/CN=My Personal CA"

# Create and sign user cert
openssl genrsa -out user.key 2048
openssl req -new -key user.key -out user.csr \
-subj "/CN=Your Name/emailAddress=your@email.com"
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out user.crt -days 365
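The same CA flow with the extensions wired in, added as an example and not the article's own commands. `openssl x509 -req` does not carry extensions over from the CSR unless told to (an `-extfile`, or `-copy_extensions copy` in OpenSSL 3.x), so the user certificate produced by the commands above ends up without the emailProtection usage. The script assumes `openssl` 1.1.1 or newer; the subject names, address and directory are placeholders. It also issues a deliberately wrong certificate (extended key usage serverAuth only) to show that `openssl verify -purpose smimesign` rejects it while accepting the correct one, which is the check a mail client effectively performs.

```shell
#!/bin/sh
# Added example, not the article's own code: a minimal personal CA that signs a
# user S/MIME certificate with the S/MIME extensions supplied via -extfile, then
# verifies the chain for the S/MIME signing purpose.
# Assumptions: openssl 1.1.1+ on PATH; names, address and paths are placeholders.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
USER_EMAIL="bob@example.test"

# Self-signed CA certificate. Explicit CA:TRUE and keyCertSign keep the CA
# usable whatever the defaults of the installed OpenSSL version are.
make_ca() {
  cat > "$CA_DIR/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext

[ dn ]
CN = My Personal CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$CA_DIR/ca.cnf" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# User key + CSR as in the article, then signing with the CA plus an extension
# file. $1 = file stem, $2 = extendedKeyUsage value to put in the certificate.
issue_user_cert() {
  openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null
  openssl req -new -key "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" \
    -subj "/CN=Bob Example/emailAddress=$USER_EMAIL" 2>/dev/null
  cat > "$CA_DIR/$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $2
subjectAltName = email:$USER_EMAIL
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in "$CA_DIR/$1.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -CAcreateserial -days 365 -extfile "$CA_DIR/$1.ext" \
    -out "$CA_DIR/$1.crt" 2>/dev/null
}

# Chain check for the S/MIME signing purpose; a certificate whose extended key
# usage excludes emailProtection fails here even though its signature is valid.
cert_verifies_for_smime() {
  openssl verify -CAfile "$CA_DIR/ca.crt" -purpose smimesign "$CA_DIR/$1.crt" \
    >/dev/null 2>&1
}

run_all() {
  make_ca
  issue_user_cert user emailProtection
  issue_user_cert wrong serverAuth
  cert_verifies_for_smime user && ! cert_verifies_for_smime wrong
}

run_all && echo "CA and user certificate OK in $CA_DIR"
```

`user.key` and `user.crt` are what you then bundle with `openssl pkcs12 -export` for each device; distribute `ca.crt` once, and every certificate it signs is trusted without a per-certificate exchange.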

When GPG/PGP solutions aren't viable (like with legacy Snow Leopard systems), S/MIME becomes the practical alternative for email encryption. Many developers don't realize they can create functional S/MIME certificates without involving Certificate Authorities (CAs). Here's how to achieve this using OpenSSL - the Swiss Army knife of cryptography.

While CA-issued certificates provide third-party validation, self-signed certificates are perfectly adequate for:

  • Personal email encryption between your own devices
  • Testing email security implementations
  • Internal team communications where you control all endpoints

First, ensure OpenSSL is installed. On macOS, it's typically pre-installed. Here's the complete process:

# Generate private key (2048-bit RSA recommended)
openssl genrsa -out private.key 2048

# Create certificate signing request (CSR)
openssl req -new -key private.key -out cert.csr -subj "/emailAddress=your@email.com/CN=Your Name/O=Your Organization"

# Generate self-signed certificate (valid for 365 days)
openssl x509 -req -days 365 -in cert.csr -signkey private.key -out certificate.crt

# Combine into PKCS#12 format for email clients
openssl pkcs12 -export -out smime.p12 -inkey private.key -in certificate.crt

After generating the certificate:

  1. Double-click the smime.p12 file to import into Keychain
  2. Open Mail → Preferences → Accounts
  3. Select your account → Account Information
  4. Choose the certificate under "Signing Certificate" and "Encryption Certificate"

When using self-signed certificates:

  • Always securely exchange certificates with recipients beforehand
  • The first email will trigger a certificate trust dialog - this is normal
  • Consider setting up a simple internal CA if scaling beyond personal use
  • Monitor certificate expiration dates (set in the -days parameter)

If you encounter problems:

# Verify certificate contents
openssl x509 -in certificate.crt -text -noout

# Check PKCS#12 file integrity
openssl pkcs12 -info -in smime.p12

Remember that some email providers may block or flag self-signed certificates in their spam filters.