How to Apply for and Use S/MIME Email Signature Certificates
As a developer, secure communication is crucial. S/MIME is a widely adopted email security standard that enables you to digitally sign and encrypt the emails you send. With digital signatures, recipients can verify that an email genuinely came from you and was not tampered with. Encryption ensures that only the recipient possessing the correct private key can read the email contents, thus protecting sensitive information from being leaked.
This guide will walk you through the process of requesting and using S/MIME email signature certificates in ServBay—a powerful local web development environment featuring built-in certificate management—so you can quickly enhance your email security.
Introduction to S/MIME Email Signature Certificates
S/MIME (Secure/Multipurpose Internet Mail Extensions) is an email security protocol based on Public Key Infrastructure (PKI). It utilizes digital certificates (S/MIME certificates) to provide email digital signatures and encryption.
Key Functions of S/MIME Certificates:
- Digital Signature: Computes a digest of the email content and signs it with your private key. The recipient can use your public key (provided in your certificate) to verify the signature, confirming the sender’s identity and the integrity of the email content. This ensures authenticity and integrity of your emails.
- Email Encryption: Uses the recipient's public key (from their certificate) to encrypt email contents. Only the recipient with the corresponding private key can decrypt and read the email. This guarantees confidentiality and prevents email content leaks.
- Enhanced Trust: Valid digitally signed emails are typically marked as trusted in email clients that support S/MIME, helping recipients recognize legitimate messages and reducing the risk of phishing emails.
For developers, S/MIME is a reliable solution for protecting email exchanges containing code, project details, API keys, or other sensitive information.
Prerequisites
Before starting, please make sure you meet the following requirements:
- You have successfully installed and are running the ServBay local development environment (this guide is based on macOS).
- You have a valid email address that will be associated with your S/MIME certificate.
Applying for an S/MIME Email Signature Certificate with ServBay
ServBay offers an easy-to-use certificate management interface, allowing you to quickly issue S/MIME certificates for local development, testing, or personal use with the built-in ServBay CA.
- Open the SSL Certificate Management Panel: Launch the ServBay application. In the sidebar of the ServBay main interface, click "SSL Certificates." This will open the certificate management panel.
- Click the Add Button: In the top right corner of the SSL Certificates page, find and click the "+" (Add) button.
- Fill in Certificate Information: In the "Request Certificate" pop-up, fill in the following key details:
  - Common Name: Enter your name or the display name you want in the certificate, e.g., "ServBay Demo User".
  - Usage Purpose: Choose the purpose for the certificate. Be sure to select "S/MIME (E-mail Signing)".
  - Request Method: Select the certificate request method. Choose "ServBay CA" to use ServBay’s built-in certificate authority.
  - Issuer: Choose the issuing authority. For S/MIME certificates, generally select "ServBay User CA", which is dedicated to issuing personal, non-publicly trusted certificates.
  - Algorithm: Select the encryption algorithm. It’s recommended to choose the modern and secure ECC (Elliptic Curve Cryptography), or the traditional RSA.
  - Key Length: Set the key length. For ECC, 384 bits or above are recommended; for RSA, at least 2048 bits to ensure sufficient security.
  - Password: [Extremely Important!] Set a strong password to protect your private certificate key. This password is used when exporting or importing the certificate into your email client. Be sure to remember this password, as ServBay does NOT store it, and if lost, you cannot recover your private key—you will have to reissue the certificate. The default password is "ServBay.dev", but it is highly recommended to set a more secure custom password.
  - E-Mail Address: Enter the email address to associate with this certificate. This is a core identifier for the S/MIME certificate.
- Click the "Request" Button: After double-checking all information, click "Request" at the bottom of the pop-up. ServBay will immediately issue the S/MIME certificate using the built-in ServBay User CA.
(Illustration: Interface for filling out the S/MIME certificate application form)
Once issued, your new S/MIME certificate will appear in the SSL Certificates management list.
Exporting and Using the Certificate
After successfully requesting a certificate, you’ll need to export it in a format recognized by email clients and then import it.
- Open the SSL Certificate Management Panel: Click "SSL Certificates" in the ServBay sidebar.
- Locate the Issued S/MIME Certificate: Find your newly issued S/MIME certificate in the list (you can identify it by the Common Name or Email Address).
- Click the Action Button: Click the export icon on the right side of the certificate entry (usually a right-pointing arrow).
- Choose Export Folder and Save: In the file save dialog, select the local directory and file name for your certificate. The exported certificate file is typically in .p12 or .pfx format, which is an encrypted file containing both the public certificate and private key.
- Import into Email Client: Launch your preferred email client (such as Apple Mail, Microsoft Outlook, Mozilla Thunderbird, etc.). Find the section in its settings or preferences related to "Account," "Security," or "Certificates." Select the option to import a certificate, then choose the .p12 file you just exported. During the import process, you will be prompted to enter the certificate private key password. Enter the correct password and, once completed, your certificate will be imported and linked to your email account.
(Illustration: Selecting the S/MIME signing or encryption option when composing an email in the client)
Once the certificate is imported, your email client will generally provide options to digitally sign and/or encrypt outgoing messages. You can choose to sign or encrypt emails as needed. Note: To send encrypted emails, you must have the recipient’s S/MIME certificate (i.e., their public key).
(Illustration: What recipients see when a message is signed or encrypted in their email client)
Certificate Renewal
S/MIME certificates issued by ServBay User CA are valid for 800 days by default. To maintain certificate validity, you’ll need to renew before expiry.
- Open the SSL Certificate Management Panel.
- Find the S/MIME Certificate to Renew.
- Click the Renewal Button: On the right side of the certificate entry, click the renewal icon (usually a circular arrow).
- Confirm Renewal: ServBay will prompt for confirmation. After confirming, the certificate’s validity will be extended by 800 days from the current date. Remember to re-export and re-import the certificate into your email client after renewing.
Certificate Deletion
If you no longer need a particular S/MIME certificate, you can delete it from ServBay.
- Open the SSL Certificate Management Panel.
- Find the Certificate to Delete.
- Click the Action Button: On the right side of the certificate listing, click the delete icon (usually a trash bin).
- Confirm Deletion: In the pop-up menu, select "Delete" and follow the prompts to confirm. Note that once deleted, ServBay no longer has a copy of the certificate. If the certificate was previously imported into an email client, deleting from ServBay will not remove it from the email client—you’ll need to delete or disable it in the client manually.
Notes & Precautions
- Private Key Security: The security of your S/MIME certificate depends on the safety of its private key. Always use a strong password to protect your private key and never share .p12 files containing private keys.
- Trust Issues with ServBay User CA: Certificates issued by ServBay User CA are private and not publicly trusted. If you send signed emails to external recipients using such certificates, their clients may display a "signature not trusted" warning. This is acceptable for internal teams or testing, but if you need broad external trust, you should purchase S/MIME certificates from a public CA. Currently, ServBay’s ACME feature only supports obtaining public SSL certificates for websites, not for S/MIME email certificates.
- Certificate-Email Address Binding: S/MIME certificates are strictly tied to a particular email address. If you change your email address, you’ll need to request a new S/MIME certificate for it.
- Password Loss: As mentioned above, private key passwords cannot be recovered if forgotten. Please keep your password safe and secure.
Frequently Asked Questions (FAQ)
Q1: What if I forget the private key password for my S/MIME certificate?
A: Unfortunately, ServBay does not store your private key password and cannot help retrieve it. If you forget the password, the certificate file containing the private key is unusable. You must delete the certificate record in ServBay, then apply for a new S/MIME certificate.
Q2: Why do recipients see a “signature not trusted” warning when I send emails signed with an S/MIME certificate issued by ServBay?
A: This is because ServBay User CA is a private certificate authority and is not publicly recognized. Unless the recipient also trusts your ServBay User CA (for example, by installing the CA certificate organization-wide), their email client will not automatically trust certificates issued by it. This is normal—the signature is valid, but the issuing authority is not publicly trusted.
Q3: If I change my email address, can I still use my previous S/MIME certificate?
A: No. S/MIME certificates are tied to the specific email address entered during application. If you change your email, you need to apply for a new S/MIME certificate using your new address.
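The behaviour described in Q2 and Q3 can be reproduced on the command line. The script below is an added example, not ServBay's own code or tooling: it builds a throwaway private CA as a stand-in for ServBay User CA, issues an S/MIME signing certificate, signs a message, and verifies it as a recipient who trusts the CA, as one who does not, and after the body has been altered. It assumes OpenSSL 1.1.1 or later on the PATH; the CA name, user name, address and message are constructed demo values.

```shell
#!/bin/sh
# Added example. "Demo User CA" is a constructed stand-in for a private CA such
# as ServBay User CA; names, address and keys are throwaway demo values.
WORK=$(mktemp -d) && cd "$WORK" || exit 1

setup_pki() {
  # Self-signed private CA: not present in any system trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 30 -subj "/CN=Demo User CA" 2>/dev/null || return 1
  # User key and CSR (key left unencrypted only because this is a demo).
  openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=Demo User" 2>/dev/null || return 1
  # S/MIME signing profile: emailProtection EKU, address bound in the SAN.
  printf '%s\n' 'keyUsage=digitalSignature' \
    'extendedKeyUsage=emailProtection' \
    'subjectAltName=email:demo@example.test' > smime.ext
  openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile smime.ext -out user.crt 2>/dev/null
}

sign_msg() {
  printf 'Build token rotated.\n' > msg.txt
  # Clear-signed multipart/signed message, as a mail client would send it.
  openssl smime -sign -text -in msg.txt -signer user.crt -inkey user.key \
    -out signed.eml 2>/dev/null &&
  # Copy of the message with the body changed after signing.
  sed 's/rotated/revoked/' signed.eml > tampered.eml
}

# Address the certificate is bound to (see Q3).
cert_email()       { openssl x509 -in user.crt -noout -email; }
# Recipient who has installed the private CA certificate.
verify_trusted()   { openssl smime -verify -in "$1" -CAfile ca.crt -out /dev/null 2>/dev/null; }
# Recipient with no trust anchors loaded: chain check fails.
verify_untrusted() { openssl smime -verify -in "$1" -no-CAfile -no-CApath -out /dev/null 2>/dev/null; }
# Signature math only, chain validation skipped.
verify_sig_only()  { openssl smime -verify -in "$1" -noverify -out /dev/null 2>/dev/null; }

report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }

setup_pki && sign_msg || exit 1
echo "certificate is bound to: $(cert_email)"
report verify_trusted   signed.eml    # ok: recipient trusts the CA
report verify_untrusted signed.eml    # FAIL: issuer unknown to the recipient
report verify_sig_only  signed.eml    # ok: the signature itself is valid
report verify_trusted   tampered.eml  # FAIL: body changed after signing
```

The second and third results together are the "signature not trusted" case: the signature verifies, but the chain does not end at a CA the recipient trusts.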
Summary
With ServBay’s SSL certificate management features, applying for and managing S/MIME email signature certificates is straightforward and efficient. By leveraging S/MIME, you can easily add digital signatures to your important messages to verify your identity and ensure integrity, or encrypt sensitive emails to safeguard your privacy and data.
Start the process of applying for your S/MIME certificate in ServBay today to secure and protect your email communications! If you encounter any issues during the process, refer to the official ServBay documentation or contact the support team for assistance.