Seems nobody has documented how to use step-ca to create certificates for S/MIME (e-mail)? OK. I guess I will have to go down that road unprepared and write it down as a gist or blog entry myself :) (Will take a few days, depending on when I find enough time to go through everything)

1/6

#SelfHost #eMail #SMIME #CA #x509

It shouldn't be complicated (famous last words ;). Just an x509 certificate with `keyUsage = contentCommitment, digitalSignature, keyEncipherment` and `extendedKeyUsage = emailProtection` and of course the `commonName` and `emailAddress` set ...

UPDATE: first little mystery solved. https://social.wildeboer.net/@jwildeboer/114964253139353077

2/6

#SelfHost #eMail #SMIME #CA #x509

TIL (Today I Learned): While openssl uses the identifier `nonRepudiation` for the 2nd bit in the keyUsage field in x509 certificates, the correct identifier since at least 2008 is `contentCommitment` according to the ITU TR and RFCs and so that is what step-ca uses. A bit (pun intended) confusing, but now I know :) https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3 #NerdTalk

If you want to play with free S/MIME certs for e-mail signing and encryption, https://acme.castle.cloud does that letsencrypt style with ACME and certbot :) Made and operated by the Centre Tecnològic de Telecomunicacions de Catalunya (CTTC). A non-profit research institution based in Castelldefels (Barcelona).

3/6

#SelfHost #eMail #SMIME #CA #x509

After some help from @ben and some swearing about PKCS12 (add a password when you package the .p12 file so that Android and iOS will be able to import it) and Keychain on macOS, it’s working. S/MIME signed and encrypted mails with certificates from my own CA.

4/6

#SelfHost #eMail #SMIME #CA #x509

If I understand the whole s/mime stuff correctly, I can send you a signed email and your mail client should be able to extract my public key from that. You reply with a signed mail, I can extract your public key. Now we can send encrypted emails :) Your mail client/operating system won't trust my certificate as it is signed by my CA (Certificate Authority), but it should still work.

5/6

#SelfHost #eMail #SMIME #CA #x509
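Added example, not from Jan's thread or from step-ca: a Go program (step-ca is written in Go, and Go's crypto/x509 names the second keyUsage bit ContentCommitment just as step-ca does, where openssl says nonRepudiation) that issues an S/MIME leaf with the profile from post 2/6 under a throwaway CA, then runs the check a receiving mail client performs, which is where the "your client won't trust my CA" point from post 5/6 shows up. The CA name, mailbox, serials and lifetimes are constructed for the example; in the thread's setup the signing is done by step-ca.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// keyUsage from post 2/6; Go, like step-ca, names the second bit ContentCommitment where openssl says nonRepudiation.
const smimeKeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment
// issue generates a P-256 key, signs tmpl with parent/parentKey (self-signed when parent is nil) and parses the result.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// IssueSMIME makes a throwaway root (constructed stand-in for step-ca) and signs the post-2/6 S/MIME leaf profile for name/email.
func IssueSMIME(name, email string) (*x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey, error) {
	root, rootKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Home CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(87600 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, leafKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		EmailAddresses: []string{email}, // rfc822Name SAN: mail clients match this against the From address
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(8760 * time.Hour),
		KeyUsage: smimeKeyUsage, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}, root, rootKey)
	return root, leaf, leafKey, err // leaf + leafKey are what gets packaged as a password-protected .p12
}
// VerifyForEmail is the receiving client's check from post 5/6: chain to a trusted root and require emailProtection;
// with the sender's own CA absent from the trust store it returns "certificate signed by unknown authority".
func VerifyForEmail(cert, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}
```

The .p12 packaging itself is not shown; `openssl pkcs12 -export` does it, and as post 4/6 says, set an export password or iOS and Android will refuse the import.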

I have brain dumped the process at https://codeberg.org/jwildeboer/gists/src/branch/main/2025/20250803SmimeCertStepCA.md and will work on an extended version as blog post in the next few days. Big shoutout to @ben again for getting the process up and running in the first place!

If you want to get a signed email from me to see what happens in your mail client, DM me an email address and I will send an S/MIME signed email to you :)

6/6

#SelfHost #eMail #SMIME #CA #x509

@jwildeboer @ben Is it theoretically possible for the client to do this itself with ACME? If so I wonder what this would look like for various clients.
@jwildeboer yep, and works a treat in stock macOS and iOS
@Synchro
When I helped a friend set up his S/MIME cert on iMail or whatever it's called we were both flabbergasted.
Imported the p12 into his system keychain and that's it???
No email-config or similar.
He was very happy
@jwildeboer
@jwildeboer Sounds very interesting. I'll have a closer look...

@jwildeboer to spare anyone else the false hope: it seems they’re not trusted by anyone else. At least they said this in 2020 [1] and there is no newer post about this changing. Still cool ofc.

[1] https://acme.castle.cloud/2020/11/16/welcome/

@jwildeboer Biggest downside, they use their own CA and it's not cross signed by reputable parties. It's nice as a test/PoC but nothing more.

@jwildeboer that sounds awesome. Just the other day I thought to myself: "Someone would need to do to Mails what Let's Encrypt did for Webservers".

Now the question is: What hinders the widespread adoption?

@jwildeboer I think they are feeling your post.
It is taking upwards of 10 minutes for their challenge mail to get through the queue they land in at Gmail.