Using a Comodo Free Email Cert In macOS Sierra

Comodo offers free S/MIME email certificates, which is great, because plain email gives you neither confidentiality nor any assurance of who sent a message. So, if you were toying with the idea of playing around with email encryption and signing, you have no more excuses now.

Getting the free cert to work on macOS, however, might be tricky if you don’t pay attention to a couple of things. Here are the pitfalls I have encountered in the process and how I was able to fix them.

Comodo’s documentation on this is outdated, so it doesn’t cover the issues you are likely to run into when trying to make this work. Here are the ones I have personally encountered.

Do not use Firefox to request and download the certificate

For some reason, if you use Firefox to request and download your Comodo certificate, the cert will be missing its private key when you add it to Keychain Access. I am at a loss as to why this could even happen, but that’s just how things are. The most plausible explanation is where the key pair lives: the browser generates it when you submit the request form, and Firefox keeps it in its own key store rather than in the macOS keychain. The CollectCCC.p7s you download later is a PKCS#7 bundle, which carries certificates only and never a private key, so Keychain Access has nothing to pair the certificate with.

Instead, use Safari for the whole process: both requesting the certificate on Comodo’s request form and clicking on the collection link in the email Comodo sends you after you have completed that form.

Use the same browser for both the certificate request and the collection

The title of the section says it all. If your default browser is something other than Safari, do not click on the link in the email Comodo sends you, instead copy the link and open it in Safari.

Disregard error -26276 when importing the certificate

After double clicking on the CollectCCC.p7s file, which you can download from the link included in the email from Comodo, you will be prompted to choose which keychain to import this certificate into (you can leave the default options selected). After importing it, however, you will be greeted by error code -26276:

Error code -26276 will appear when importing the Comodo certificate to your Keychain

According to Apple’s code, this error message means:

errSecInternal = -26276, /* An internal error occurred in the Security framework. */

Which means absolutely nothing, of course.

If you try to import it with the CLI instead:

security import ~/Downloads/CollectCCC.p7s -k ~/Library/Keychains/login.keychain

You will get this error message:

security: SecKeychainItemImport: The specified item already exists in the keychain

Which means that the certificate was imported after all. So even if you see error code -26276, don’t worry, your certificate has been imported already. Note that this only tells you the certificate itself is in the keychain; whether its private key is there as well is what the next two sections are about.

Check your Certificates category, not My Certificates

The Comodo documentation tells you that your imported certificate will end up inside the My Certificates category in Keychain Access, but this is not the case: your email cert will be listed under the Certificates category instead.

Allow Mail.app to access this certificate

Navigate to Keychain Access > Certificates and expand your email certificate so that the key named “Key from secure.comodo.com” becomes visible. If no key appears under the certificate, the private key never made it into the keychain (see the Firefox note above) and you need to revoke and request the certificate again in Safari.

Now double click on this key, select the Access Control tab, and add Mail.app to the list of apps that are allowed to access this key:

Add Mail.app to the list of apps allowed to access this key in Access Control

You are good

You should be all sorted now. If you quit and reopen Mail.app, you should see buttons allowing you to sign and encrypt emails using the email address you requested the certificate for.
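The same checks from the command line, as an added bash example that is not part of the original post. It inspects the collected bundle, imports it into the user’s login keychain, and then distinguishes “certificate present” from “certificate plus private key present”, which is the difference between the Firefox failure and a working setup. The file path ~/Downloads/CollectCCC.p7s, the address user@example.com and the sample `security find-identity` output are placeholders constructed for the example.

```shell
#!/bin/bash
# Added example, not from the original post: verify that the Comodo S/MIME
# certificate landed in the login keychain together with its private key.
# Assumptions (placeholders): the collected file is ~/Downloads/CollectCCC.p7s
# and the certificate was issued for user@example.com.

# A .p7s from Comodo is a PKCS#7 bundle of certificates; it never carries a
# private key, so listing it shows exactly what Keychain Access received.
show_bundle() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout
}

# Import into the *user* login keychain (note the ~). An "already exists"
# error here means the certificate is in place despite the -26276 dialog.
import_bundle() {
    security import "$1" -k ~/Library/Keychains/login.keychain
}

# Parse `security find-identity -v -p smime` output on stdin and print the
# SHA-1 of the valid identity whose label contains the given address.
# An identity is a certificate *paired with its private key*: a certificate
# whose key stayed in Firefox is found by find-certificate but not here.
identity_hash_for() {
    awk -v email="$1" '
        $1 ~ /^[0-9]+\)$/ && index($0, "\"" email "\"") { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample of find-identity output, so the parser can be exercised
# without a Mac. The hash is a placeholder, not a real identity.
SAMPLE_OUTPUT='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "user@example.com"
     1 valid identities found'

sample_hash_for() {
    printf '%s\n' "$SAMPLE_OUTPUT" | identity_hash_for "$1"
}

# Full check on a Mac. Exit codes: 0 ready for Mail.app, 1 key missing,
# 2 certificate not imported at all.
check_smime() {
    local email="$1" hash
    if ! security find-certificate -e "$email" >/dev/null 2>&1; then
        echo "no certificate for $email in the keychain: import CollectCCC.p7s first"
        return 2
    fi
    if hash=$(security find-identity -v -p smime | identity_hash_for "$email"); then
        echo "S/MIME identity for $email: $hash (certificate and private key present)"
        return 0
    fi
    echo "certificate for $email found but no private key: revoke and request again in Safari"
    return 1
}

# Usage on a Mac:  ./check_smime.sh user@example.com
# Usage anywhere:  ./check_smime.sh --demo   (runs the parser on the sample)
case "${1:-}" in
    --demo) sample_hash_for user@example.com ;;
    "")     ;;
    *)      check_smime "$1" ;;
esac
```

`security find-certificate -e` matches on the certificate’s email address, while `find-identity -v -p smime` lists only certificates that are valid for S/MIME and have a matching private key, so the two commands together tell you which of the pitfalls above you hit. Granting Mail.app access to the key is still done in the Access Control tab as described.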

A couple of useful resources that brought me closer to a solution:

14 Comments

  1. Thanks for this! Explained things perfectly.

  2. Have you tried this recently? I just tried to get an email certificate in this way and, even though I used Safari (11.0 on Sierra) both to request and collect the certificate, I ended up with the private key missing. I also tried to collect the certificate with Chrome and with older versions of Safari (8.0.8 on Yosemite and 9.0 on El Capitan) with identical results. (Strangely enough, the old versions of Safari call the resulting file CollectCCC.p7s as you mention, while the new Safari calls it CollectCCC.crt.p7s…)

    I also tried to ask Comodo to generate the certificate from one of the old versions of Safari, but it refuses on the grounds that it already issued a certificate for that email… Given that StartCom is dead, does this mean that the days of free S/MIME certificates are gone for Mac users?

    • The last time I tried this was when I wrote this post, back in April 2017. However, a couple of things:

      1. You mentioned using Safari 11.0, are you by chance running Safari Technology Preview? My Safari version on Sierra is currently at Version 10.1.2 (12603.3.8), I haven’t tested it with Technology Preview.

      2. Even if Comodo tells you that a certificate was already issued for your email address, you can revoke it to generate a new one and try the process again. I have had to do this a bunch of times myself while I was trying to get this working. In the email you received from them, you should have a link that says “Revoke Comodo Email Certificate”

  3. You are right, I am on the beta distribution channel for Safari, but this still indicates that Comodo’s system is likely to break soon since they don’t seem to be inclined to keep it up to date. Thanks for the tip regarding revocation, that’s good to keep in mind. Anyway, I have now successfully obtained a free S/MIME cert from Actalis.

  4. Changed your solution to «security import Downloads/CollectCCC.p7s -k ~/Library/Keychains/login.keychain» and it worked (just a ~ that was missing). Thanks

    • Ah, that’s interesting, it works for me even if I just use /Library. Thanks for posting this though, maybe other folks will find it useful too ;)

  5. Thanks for that blog post. Interesting, but what do I do to renew the cert after a year? Can this only be done after it is due? So I cannot add the new cert in parallel?

  6. Good post on this strange error!
    Trying to get Mail.app to use it in the correct way (and not using SHA1). My first idea was that this happened due to the -26276 error. Guess I need to look further!
    Anyway, thanks for this answer, I can now move on to solving the other issues…

    • Thanks Martin! I’m curious: what do you mean exactly by “Trying to get mail to mail app to use it in the correct way (and not using SHA1)”?


© 2017 Daniel's TechBlog