Comodo offer free email certificates, which is awesome as email is an inherently insecure method of communication. So, if you were toying with the idea of playing around with email encryption and signing, you have no more excuses now.
Getting the free cert to work on macOS, however, might be tricky if you don’t pay attention to a couple of things. Here are the pitfalls I have encountered in the process and how I was able to fix them.
Comodo’s documentation on this is outdated, so it doesn’t cover all potential issues you might find when trying to make this work. You are going to run into a bunch of issues that are not covered in that page, here are the ones I have personally encountered.
Do not use Firefox to request and download the certificate
For some reason, if you use Firefox to request and download your Comodo certificate, your cert will be missing the private key portion when you add it to Keychain Access. I am at a loss as to why this could even happen, but that’s just how things are.
Instead, use Safari to do this. This includes requesting the certificate here and clicking on the collection link in the email Comodo will send you after you have completed this form.
Use the same browser for both the certificate request and the collection
The title of the section says it all. If your default browser is something other than Safari, do not click on the link in the email Comodo sends you, instead copy the link and open it in Safari.
Disregard error -26276 when importing the certificate
After double clicking on the CollectCCC.p7s file which you can download from the link included in the email from Comodo, you will be prompted to choose where to import this certificate in Keychain (you can leave the default options selected). After importing it, however, you will be greeted by error code -26276:
According to Apple’s code, this error message means:
errSecInternal = -26276, /* An internal error occured in the Security framework. */
Which means absolutely nothing, of course.
If you try to import it with the CLI instead:
security import Downloads/CollectCCC.p7s -k /Library/Keychains/login.keychain
You will get this error message:
security: SecKeychainItemImport: The specified item already exists in the keychain
Which means that the certificate was imported after all. So even if you see error code 26276, don’t worry, your certificate has been imported already.
Check your Certificates category, not My Certificates
The Comodo documentation tells you that your imported certificate will end up inside your My Certificates category in Keychain, but this is not true. Your email cert will be inside the Certificates category instead:
Allow Mail.app to access this certificate
Navigate to Keychain Access > Certificates and expand your email certificate so that your Key from secure.comodo.com becomes visible:
Now double click on this key, select the Access Control tab, and add Mail.app to the list of apps that are allowed to access this key:
Importing this certificate on your iOS device
Reader John Emerson was kind enough to share a PDF with instructions on how to import this certificate to your iOS device as well. You can find the document here.
You are good
You should be all sorted now. If you quit and reopen Mail.app, you should now see buttons allowing you to sign and encrypt emails using the email address you requested the email certificate for:
A couple of useful resources that brought me closer to a solution:
- Loading a Comodo free email cert into the Mac OSX Mail.app and iOS
- How to issue email certificate for Mac OS users