Using a Comodo Free Email Cert In macOS Sierra

Comodo offers free S/MIME email certificates, which is good news: email is plaintext by default, and signing and encryption are the only way to get integrity and confidentiality out of it. So, if you were toying with the idea of playing around with email encryption and signing, you have no more excuses now.

Getting the free cert to work on macOS, however, might be tricky if you don’t pay attention to a couple of things. Here are the pitfalls I have encountered in the process and how I was able to fix them.

Comodo’s documentation on this is outdated, so it doesn’t cover the issues you will actually run into when trying to make this work on a current macOS. Here are the ones I have personally encountered.

Do not use Firefox to request and download the certificate

If you use Firefox to request and download your Comodo certificate, the cert will have no private key attached when you add it to Keychain Access. The reason is where the key pair is created: the request form generates it in the browser, and Firefox keeps it in its own NSS key store rather than in the macOS keychain. The CollectCCC.p7s file you download later is a PKCS#7 certificate bundle and never carries a private key, so Keychain Access has nothing to pair the certificate with.

Instead, use Safari for the whole process. This means both requesting the certificate on Comodo’s form and clicking on the collection link in the email Comodo sends you after you have completed that form, because Safari stores the generated private key in your login keychain, where the collected certificate can find it.

Use the same browser for both the certificate request and the collection

The title of the section says it all: the private key only exists in the browser that made the request, so the certificate has to be collected there too. If your default browser is something other than Safari, do not click on the link in the email Comodo sends you; instead, copy the link and open it in Safari.

Disregard error -26276 when importing the certificate

After double-clicking the CollectCCC.p7s file, which you download from the link included in Comodo’s email, you will be prompted to choose which keychain to import this certificate into (you can leave the default options selected). After importing it, however, you will be greeted by error code -26276:

Error code -26276 will appear when importing the Comodo certificate to your Keychain

According to Apple’s code, this error message means:

errSecInternal = -26276, /* An internal error occured in the Security framework. */

Which means absolutely nothing, of course.

If you try to import it with the CLI instead (the login keychain lives under your home directory, so the tilde matters):

security import ~/Downloads/CollectCCC.p7s -k ~/Library/Keychains/login.keychain

You will get this error message:

security: SecKeychainItemImport: The specified item already exists in the keychain

Which means that the certificate was imported after all, despite the dialog. So even if you see error code -26276, don’t worry: your certificate is already in the keychain.

Check your Certificates category, not My Certificates

The Comodo documentation tells you that your imported certificate will end up inside your My Certificates category in Keychain, but this is not true. Your email cert will be inside the Certificates category instead:
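The import and the private-key check from the command line, as an added example (not code from the original post): it imports the collected bundle, treats the “already exists” result as the success it is, and then asks the `security` tool for valid S/MIME identities, which is the quickest way to tell whether the certificate landed with a private key attached or, as in the Firefox case, without one. The bundle path and the address are placeholders, and the `find-identity` output format the parser expects is the one the tool prints on Sierra.

```shell
#!/bin/sh
# Added example, not code from the original post. Imports the Comodo bundle
# into the login keychain and verifies that an S/MIME identity (certificate
# plus private key) exists for the address. Paths and the address are
# placeholders.
set -u

# On Sierra the file on disk is login.keychain-db; the old name still resolves.
KEYCHAIN="$HOME/Library/Keychains/login.keychain"

# Import the PKCS#7 bundle. `security import` exits non-zero with
# "The specified item already exists in the keychain" when the certificate
# is already there, which is the state Keychain Access leaves you in after
# error -26276, so that outcome is treated as success.
import_p7s() {
    out=$(security import "$1" -k "$KEYCHAIN" 2>&1)
    status=$?
    [ "$status" -eq 0 ] && return 0
    case $out in
        *"already exists"*) return 0 ;;
    esac
    printf '%s\n' "$out" >&2
    return "$status"
}

# Count distinct valid S/MIME identities whose label contains the address.
# Parses the output of `security find-identity -v -p smime` on stdin, whose
# identity lines look like:   1) <SHA-1 hash> "label"
# Deduplicated on the hash so an identity listed twice is counted once.
count_identities_for() {
    awk -v addr="$1" '
        /^ *[0-9]+\) [0-9A-Fa-f]+ "/ && index($0, addr) && !seen[$2]++ { n++ }
        END { print n + 0 }'
}

# Usage: import_and_check ~/Downloads/CollectCCC.p7s alice@example.com
import_and_check() {
    import_p7s "$1" || return 1
    n=$(security find-identity -v -p smime | count_identities_for "$2")
    if [ "$n" -eq 0 ]; then
        echo "certificate present but no private key matched it for $2;" \
             "collect the certificate in the same browser that requested it" >&2
        return 2
    fi
    echo "$n valid S/MIME identity(ies) for $2 in $KEYCHAIN"
}

# Only run when invoked with arguments on a Mac that has the security tool.
if [ "$#" -ge 2 ] && command -v security >/dev/null 2>&1; then
    import_and_check "$1" "$2"
fi
```

An identity count of zero after a successful import is the Firefox symptom from earlier: the certificate is in the keychain, the private key is not, and the only fix is to revoke and request again from Safari.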

Allow Mail to access this certificate’s private key

Navigate to Keychain Access > Certificates and expand your email certificate so that its private key (the “Key from” entry underneath it) becomes visible:

Now double-click on this key, select the Access Control tab, and add Mail to the list of apps that are allowed to access this key:

Add Mail to the list of apps allowed to access this key in Access Control

Importing this certificate on your iOS device

Reader John Emerson was kind enough to share a PDF with instructions on how to import this certificate to your iOS device as well. You can find the document here.

You are good

You should be all sorted now. If you quit and reopen Mail, you should see buttons allowing you to sign and encrypt emails sent from the address you requested the certificate for:



  1. Thanks for this! Explained things perfectly.

  2. Have you tried this recently? I just tried to get an email certificate in this way and, even though I used Safari (11.0 on Sierra) both to request and collect the certificate, I ended up with the private key missing. I also tried to collect the certificate with Chrome and with older versions of Safari (8.0.8 on Yosemite and 9.0 on El Capitan) with identical results. (Strangely enough, the old versions of Safari call the resulting file CollectCCC.p7s as you mention, while the new Safari calls it CollectCCC.crt.p7s…)

    I also tried to ask Comodo to generate the certificate from one of the old versions of Safari, but it refuses on the grounds that it already issued a certificate for that email… Given that StartCom is dead, does this mean that the days of free S/MIME certificates are gone for Mac users?

    • The last time I tried this was when I wrote this post, back in April 2017. However, a couple of things:

      1. You mentioned using Safari 11.0, are you by chance running Safari Technology Preview? My Safari version on Sierra is currently at Version 10.1.2 (12603.3.8), I haven’t tested it with Technology Preview.

      2. Even if Comodo tells you that a certificate was already issued for your email address, you can revoke it to generate a new one and try the process again. I have had to do this a bunch of times myself while I was trying to get this working. In the email you received from them, you should have a link that says “Revoke Comodo Email Certificate”

  3. You are right, I am on the beta distribution channel for Safari, but this still indicates that Comodo’s system is likely to break soon since they don’t seem to be inclined to keep it up to date. Thanks for the tip regarding revocation, that’s good to keep in mind. Anyway, I have now successfully obtained a free S/MIME cert from Actalis.

  4. Changed your solution to «security import Downloads/CollectCCC.p7s -k ~/Library/Keychains/login.keychain» and it worked. (Just a ~ that was missing.) Thanks

    • Ah, that’s interesting, it works for me even if I just use /Library. Thanks for posting this though, maybe other folks will find it useful too ;)

  5. Thanks for that blog post. Interesting, but what do you do to renew the cert after a year? Can this then only be done after it is due? So I cannot add the new cert in parallel?

  6. Good post on this strange error!
    Trying to get mail to mail app to use it in the correct way (and not using SHA1). My first idea was that this happened due to the -26276 error. Guess I need to look further!
    Anyway, thanks for this answer, I can now move on to solving the other issues…

    • Thanks Martin! I’m curious: what do you mean exactly by “Trying to get mail to mail app to use it in the correct way (and not using SHA1)”?

    • Hi, have you been able to use your s/mime certificate in apple mail app with SHA 256 instead of SHA1 ? Have a nice day.

  7. Very handy post! This worked on one of my Macs running Sierra, but on another, running High Sierra, it did not work. There are no Keys, public or private, but the Certificate does exist as you said. Apple sure doesn’t make this easy.

    • And here I was, hoping that High Sierra would make things easier! I haven’t tested this on High Sierra yet, but renewal time will come pretty soon for me, so I’ll see what I can find and will update the post accordingly ;)

    • I had the same issue for one email address on High Sierra but not for a different email address. Weird. Maybe the one that didn’t work had vestigial data left over in Keychain Access from other attempts to get signed/encrypted email to work.

  8. One issue I’ve run into is that if the certificate is installed on 10.12 or later, any signed emails will be shown as untrusted on 10.11 and earlier. This is because the certificate is issued by “COMODO RSA Certification Authority”, which is a root certificate only since 10.12. If I migrate the private key to a 10.11 machine and install the certificate there, that issuer is installed as a standard certificate with an issuer of “AddTrust External CA Root”, which is already listed under System Roots, and so is trusted under both 10.11 and 10.12. Comparing the .p7s signature of outgoing signed emails from both systems confirms that only 10.11’s includes the additional AddTrust certificate.

    Not sure if this is Apple’s issue or Comodo’s… but Keychain Access is already known to be quite buggy.

    • Thanks for reporting this Eric! One question: on 10.11, do you mean there is an additional intermediate issuer, or is the root issuer completely different?
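A way to check Eric’s observation on any saved signed message, added here as an example (not code from the post or its commenters): `openssl smime -pk7out` pulls the PKCS#7 signature out of the message and `openssl pkcs7 -print_certs` lists the certificates it carries; the awk pass then reports every issuer that is neither present in that list nor among the roots you name, which is exactly the certificate a receiving system would have to trust on its own. The message path and the root name are placeholders; the `print_certs` output shape assumed is the `subject=` / `issuer=` line pair OpenSSL prints per certificate.

```shell
#!/bin/sh
# Added example, not code from the post or its commenters. Lists the
# certificates embedded in a signed message's PKCS#7 signature and reports
# the issuers the recipient must already trust because neither the message
# nor the named roots provide them.
set -u

# Print "subject=..." / "issuer=..." lines for every certificate carried in
# the signature of a saved (.eml) message.
signature_certs() {
    openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -noout
}

# Read print_certs output on stdin; $1 is a '|'-separated list of root
# subjects the receiving system is known to trust. Prints each issuer that
# is neither a subject in the bundle nor one of those roots, so an empty
# result means the chain is self-contained up to a named root.
missing_issuers() {
    awk -v roots="$1" '
        BEGIN { n = split(roots, r, "|"); for (i = 1; i <= n; i++) trusted[r[i]] = 1 }
        /^subject=/ { sub(/^subject=/, ""); subj[$0] = 1 }
        /^issuer=/  { sub(/^issuer=/, "");  iss[$0] = 1 }
        END { for (i in iss) if (!(i in subj) && !(i in trusted)) print i }'
}

# Usage: check_message signed.eml "CN = Example Root CA"
check_message() {
    missing=$(signature_certs "$1" | missing_issuers "$2")
    if [ -z "$missing" ]; then
        echo "chain complete: every issuer is in the message or is a named root"
    else
        printf 'issuer not carried in the message and not a named root: %s\n' "$missing"
        return 1
    fi
}

# Only run when invoked with arguments on a machine that has openssl.
if [ "$#" -ge 2 ] && command -v openssl >/dev/null 2>&1; then
    check_message "$1" "$2"
fi
```

Run it once against a message signed on 10.12 and once against one signed on 10.11, naming the root that the older system trusts, and the difference Eric describes shows up as one extra issuer in the first output.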

  9. I have extended this to work on iOS 11. This was a requirement for my family and I imagine would be for most others. When trying to get this to work, my wife sent herself an email from her laptop that contained her shopping list. When she got to the store, she realized she could not read her email (encrypted due to my testing) on her iPhone. Needless to say, she was a bit annoyed with me.

    I have screenshots to share for the following steps, but can’t share them in this reply:
    1. Export the root cert ‘COMODO RSA Client Authentication and Secure Email CA’ from Keychain Access. Transmit to iOS via AirDrop. Import into iOS.
    2. Export the new email cert from Keychain Access. Transmit to iOS via AirDrop. Import into iOS.
    3. Configure iOS mail to use s/mime. Turn on signing, turn on encryption. You should now be able to sign emails.
    4. To encrypt, you need to install certs for the addressee.
    a. On a signed email you received from the addressee, there should be an arrow on the right side of the ‘From’ line. Click on the arrow to display contact info.
    b. The contact info displayed includes a ‘View Certificate’ button. Click on ‘View Certificate’.
    c. Certificate detail is displayed. If the cert has not yet been installed, an ‘Install’ button is displayed (otherwise it’s a ‘Remove’ button). Click on the ‘Install’ button. You should now be able to encrypt email you send to addressee.

  10. Excellent writeup! Exactly what I learned myself. Too bad I found this article too late. But you saved me from writing down these findings by myself, thanks a lot!

  11. “Disregard error -26276 when importing the certificate”
    Shame on you Apple. Kudos to you Daniel.

    Still a problem in High Sierra.

    • Thank you for reporting this! It won’t be long until I have to renew my certificate, and I am on High Sierra too now, so I will make sure to update the blog post if the same thing still happens.



© 2018 Daniel's TechBlog
