How do I create a S/MIME certificate for my email address

An S/MIME certificate is a digital certificate (X.509-based) that enables you to do two things:

Email encryption and decryption
Protects message confidentiality by ensuring only the intended recipient can read the content.

Email and document signing
Ensures message or document integrity (no tampering) and authenticity (verifying the sender's identity).

Unlike TLS (which only protects email while in transit), S/MIME ensures end-to-end security between you and your recipient. Certificates can be self-signed, but using a trusted Certificate Authority (CA) makes validation easier and improves trustworthiness.

The Key Pair we will create can then be used to sign, verify, encrypt, and decrypt email.


Step 1: Generate your private key

This creates an encrypted, password-protected 4096-bit RSA private key.

Keep the password safe in your favorite password manager (do not share it).

Recommendation: use a new and unique password (not used elsewhere) of 20 characters or more; a local random password generator creates better passwords than humans do.


openssl genrsa -aes256 -out myemailaddress.key 4096

Tip: Never use online services to create the private key or the CSR. The service may save a copy of your key.

Step 2: Generate a Certificate Signing Request (CSR)

Use your private key (password needed) to generate a Certificate Signing Request (CSR), which you’ll submit to a CA or use for self-signing.

The only fields you need to fill in are Common Name (CN) and Email Address. Enter a dot (.) for all the other prompts to leave them empty.


openssl req -new -key myemailaddress.key -out myemailaddress.csr

Step 3: Verify the Certificate Signing Request (CSR)

This is just a verification step to make sure everything looks correct before sending the CSR to the CA for signing. The command checks the CSR's own signature and prints its contents (subject, public key, requested attributes).

If anything is not correct, remove the CSR file and do step 2 again.


openssl req -in myemailaddress.csr -noout -text -verify

Step 4: Get your certificate

You have two options:

  • Trusted CA: Recommended for interoperability; easier for recipients to trust your certificate.
  • Self-signed: Works for personal use, but recipients must manually trust your certificate.

Step 5: Create a PKCS12 with your certificate and private key.

This example is for the Outlook email client. You need to create a bundle of the certificate and private key (password needed) in PKCS12 format.

You do NOT need to add the CA chain.


openssl pkcs12 -export -in myemailaddress.pem -inkey myemailaddress.key -out myemailaddress.pfx

Step 6: Install the certificate in your email client

Once issued, install the certificate along with your private key:

  • Outlook: File → Options → Trust Center → Email Security → Import/Export
  • Thunderbird: Settings → Privacy & Security → Certificates → Manage Certificates
  • Apple Mail: Double-click the certificate file to add it to Keychain, then enable it in Mail preferences

Step 7: Create a copy of your certificate in DER format.

If you want to publish your certificate or share it with someone before communicating, the DER format makes it easy to import, for example on the Windows platform. The DER file contains only the certificate (public part), never the private key.

PEM vs DER: the difference is the encoding format (text/Base64 vs binary).

  • PEM (Privacy-Enhanced Mail)
    • Encoding: Base64 (ASCII) with header/footer lines like -----BEGIN CERTIFICATE-----
    • Use case: Human-readable, easy to copy/paste into text files or configs. Common on Unix/Linux systems.
    • File extensions: .pem, .crt, .cer, .key
  • DER (Distinguished Encoding Rules)
    • Encoding: Binary (ASN.1 DER format)
    • Use case: Compact, not human-readable. Often required by Windows systems and Java keystores.
    • File extensions: .der, .cer

openssl x509 -in myemailaddress.pem -out myemailaddress.der -outform DER

Share the certificate file with the .der extension.
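The steps above, run end to end as one non-interactive script (an added example, not part of the original article). It takes the self-signed option from step 4, which the article mentions but does not show a command for, and adds the certificate extensions mail clients expect on an S/MIME certificate (the emailProtection extended key usage and the address as a subjectAltName). The e-mail address, output directory, passphrase and the SMIME_PASS environment variable are constructed placeholders; the passphrase is passed via the environment so it never appears on the command line or in shell history.

```shell
#!/bin/sh
# Added example (not from the original article): key -> CSR -> verify -> self-signed
# S/MIME certificate -> PKCS12 -> DER, scripted so every step can be checked.
# Assumptions: openssl on PATH, passphrase exported in SMIME_PASS (constructed name).
set -eu

# smime_selfsigned EMAIL OUTDIR
# Writes EMAIL.key, EMAIL.csr, EMAIL.pem, EMAIL.pfx and EMAIL.der into OUTDIR.
smime_selfsigned() {
    email="$1"
    dir="$2"
    base="$dir/$email"
    mkdir -p "$dir"

    # Step 1: AES-256 encrypted 4096-bit RSA private key; passphrase read from env.
    openssl genrsa -aes256 -passout env:SMIME_PASS -out "$base.key" 4096

    # Step 2: CSR with only CN and emailAddress set; all other DN fields stay empty.
    openssl req -new -key "$base.key" -passin env:SMIME_PASS \
        -subj "/CN=$email/emailAddress=$email" -out "$base.csr"

    # Step 3: verify the CSR's self-signature and that the subject is what we asked for.
    openssl req -in "$base.csr" -noout -verify >/dev/null
    openssl req -in "$base.csr" -noout -subject | grep -q "emailAddress *= *$email"

    # Step 4 (self-signed option): sign the CSR with its own key, valid one year,
    # adding the extensions S/MIME clients look for.
    cat > "$base.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
EOF
    openssl x509 -req -in "$base.csr" -signkey "$base.key" -passin env:SMIME_PASS \
        -days 365 -extfile "$base.ext" -out "$base.pem"

    # Step 5: PKCS12 bundle of certificate + private key for the mail client
    # (no CA chain, as the article says). Same passphrase protects the .pfx.
    openssl pkcs12 -export -in "$base.pem" -inkey "$base.key" \
        -passin env:SMIME_PASS -passout env:SMIME_PASS -out "$base.pfx"

    # Step 7: DER copy of the certificate only (public part) for sharing.
    openssl x509 -in "$base.pem" -outform DER -out "$base.der"
}

# smime_check_cert FILE FORMAT (PEM or DER): succeeds only if the certificate
# carries the "E-mail Protection" extended key usage, i.e. it is usable for S/MIME.
smime_check_cert() {
    openssl x509 -in "$1" -inform "$2" -noout -text | grep -q "E-mail Protection"
}

# Usage (run by hand):
#   SMIME_PASS='your-long-unique-passphrase' ./smime.sh
#   smime_selfsigned alice@example.com ./out && smime_check_cert ./out/alice@example.com.der DER
```

If you go the trusted-CA route instead, stop after step 3, submit the .csr to the CA, save the certificate it returns as myemailaddress.pem, and continue from step 5; the CA sets the extensions itself. Checking the returned certificate with smime_check_cert before importing it catches a CA that issued a TLS client certificate rather than an S/MIME one.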

Step 8: Test Signing and Encryption

Start by sending a digitally signed email — this shares your public certificate with the recipient. Once you receive their certificate, you can send encrypted emails.