Sending Encrypted Email with the OS X Mail Application

If you wish to send an encrypted email to someone using the Mail application that comes with Apple OS X systems, you may find that the button with the padlock icon on it in the New Message window is grayed out as shown below.

OS X Mail encryption option grayed out

The button will be grayed out if you don't have a public key for any of the recipients you have entered.

You can see the public certificates you have on the system for email recipients using the Keychain Access utility, which can be found in Applications/Utilities. After opening the application, select a keychain, such as login. Under Category, click on Certificates. You will then see a list of all of the public certificates in that keychain, with the name of the person and the expiration date listed for each certificate. You can right-click on an entry and choose Get Info to get details for an individual certificate.

If the padlock icon remains greyed out after you enter a person's email address in the "to" field when composing a message, then his/her certificate may be missing from the certificates list. If your organization uses digital certificates for signing and encrypting email messages and publishes user certificates to a directory repository such as Active Directory or Open Directory, you can use the Keychain Access application to retrieve the public certificate for an individual with Mac OS X 10.6 or later.

You can also determine whether a certificate is available from the command line using the security find-certificate command. E.g., if I want to know whether a certificate is available for someone whose email address is thomas.a.small@example.com, I could use the command below. If the certificate is available, you will see information regarding the certificate (the example below does not include the full output that would be shown). The first line of output shows the keychain in which the certificate was found; in the example below the certificate was found in the keychain Microsoft_Entity_Certificates rather than the login keychain.

$ security find-certificate -e "thomas.a.small@example.com"
keychain: "/Users/jdoe/Library/Keychains/Microsoft_Entity_Certificates"
class: 0x80001000 attributes:
    "alis"<blob>="thomas.a.small@example.com" "cenc"<uint32>=0x00000003
    "ctyp"<uint32>=0x00000001
...

If a certificate isn't available, you will be informed it could not be found.

$ security find-certificate -e "thomas.h.small@example.com"
security: SecCertificateFindByEmail: The specified item could not be found in the keychain.

You can specify the keychain to be searched at the end of the command. E.g.: security find-certificate -e "thomas.a.small@example.com" Microsoft_Entity_Certificates

If no keychains are specified to search, the default search list is used. You can get a list of the keychains using security list-keychains.

$ security list-keychains
    ""
    "/Users/jdoe/Library/Keychains/Microsoft_Intermediate_Certificates"
    "/Users/jdoe/Library/Keychains/Microsoft_Entity_Certificates"
    "/Users/jdoe/Library/Keychains/login.keychain"
    "/Library/Keychains/System.keychain"

The options for the security find-certificate command are listed below:

find-certificate [-h] [-a] [-c name] [-e emailAddress] [-m] [-p]
     [-Z] [keychain...]
            Find a certificate item.  If no keychain arguments are pro-
            vided, the default search list is used.

            Options:
            -a              Find all matching certificates, not just the
                            first one
            -c name         Match on name when searching (optional)
            -e emailAddress
                            Match on emailAddress when searching
                            (optional)
            -m              Show the email addresses in the certificate
            -p              Output certificate in pem format.  Default
                            is to dump the attributes and keychain the
                            cert is in.
            -Z              Print SHA-1 hash of the certificate

            Examples

            security> find-certificate -a -p > allcerts.pem
                     Exports all certificates from all keychains into a
                     pem file called allcerts.pem.

            security> find-certificate -a -e me@foo.com -p > certs.pem
                     Exports all certificates from all keychains with
                     the email address me@foo.com into a pem file called
                     certs.pem.

            security> find-certificate -a -c MyName -Z login.keychain |
                     grep ^SHA-1
                     Print the SHA-1 hash of every certificate in
                     'login.keychain' whose common name includes
                     'MyName'
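The checks above (security find-certificate -e for a recipient, and the -Z option from the man page excerpt) can be scripted so that a list of recipients is verified before a message is composed. The following POSIX shell script is an added example and is not part of the original article or of Apple's tooling. It assumes the attribute-dump format shown earlier on this page (a first line of the form keychain: "/path", and an "alis" attribute holding the label), and it assumes that -Z prints a line beginning SHA-1 hash: followed by the hex fingerprint, which is what the man page's grep ^SHA-1 example relies on; the sample dump used for testing is constructed from the output shown above. Only the actual security calls need macOS; the parsing functions run anywhere.

```shell
#!/bin/sh
# Added example, not from the original article: a recipient pre-check that
# wraps `security find-certificate`. Only the `security` calls need macOS;
# the parsing functions run on any POSIX shell with sed and grep.

# Extract the keychain path from a find-certificate attribute dump read on
# stdin (the dump starts with a line of the form `keychain: "/path/to/keychain"`).
keychain_of_dump() {
    sed -n 's/^keychain: "\(.*\)"$/\1/p' | head -n 1
}

# Succeed (0) if the dump on stdin carries ADDR as its "alis" label, i.e. the
# certificate found is labelled with the address we asked about. Matching is
# literal (-F) and case-insensitive (-i). Labels are usually the email
# address, as in the article's example, but can be a common name, so callers
# treat a mismatch as a warning rather than a failure.
dump_matches_address() {
    grep -qiF "\"alis\"<blob>=\"$1\""
}

# Extract the SHA-1 fingerprint from a dump produced with -Z.
# Assumption (format not shown on the page): -Z prints `SHA-1 hash: <hex>`.
# Prints nothing if no such line is present.
sha1_of_dump() {
    sed -n 's/^SHA-1 hash: \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Query the default keychain search list for ADDR. Prints one of:
#   found <keychain> <sha1> [label-differs]   certificate present (exit 0)
#   missing                                   no certificate     (exit 1)
#   unavailable                               no `security` tool (exit 2)
# The fingerprint is printed so it can be compared with the recipient
# out of band before trusting the certificate for encryption.
check_recipient() {
    addr=$1
    if ! command -v security >/dev/null 2>&1; then
        echo "unavailable"
        return 2
    fi
    # -Z adds the SHA-1 line to the usual attribute dump; the "could not be
    # found" message goes to stderr and the command exits non-zero.
    if ! dump=$(security find-certificate -e "$addr" -Z 2>/dev/null); then
        echo "missing"
        return 1
    fi
    sha1=$(printf '%s\n' "$dump" | sha1_of_dump)
    label=""
    if ! printf '%s\n' "$dump" | dump_matches_address "$addr"; then
        label=" label-differs"
    fi
    echo "found $(printf '%s\n' "$dump" | keychain_of_dump) ${sha1:-unknown}${label}"
}

# Usage: sh check_recipients.sh alice@example.com bob@example.com
# Reports each recipient; the overall exit status is 1 if any certificate is
# missing, so the script can gate a send step in a larger workflow.
if [ "$#" -gt 0 ]; then
    status=0
    for addr in "$@"; do
        result=$(check_recipient "$addr") || status=1
        printf '%s: %s\n' "$addr" "$result"
    done
    exit "$status"
fi
```

On a Mac, run it with the recipients of the message you are about to write; any recipient reported as missing is one for whom the Mail padlock will stay greyed out, and the keychain name in a found line tells you where the certificate lives, mirroring the manual check described above.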

To send someone an encrypted email, you will need to have a public certificate for the person in your keychain. If you don't have a certificate for the person, but have Entrust software on the system, you can use its Find Recipients option.

Click on the Entrust icon at the top of the screen and select Log in, if you haven't already logged into Entrust.

Entrust login

After logging into Entrust, click on the Entrust icon again and select Find Recipients.

Entrust select find recipients

Put the person's name in the Name field of the Find Recipients window and click on Search. Note: if you don't see the window, you may have to select Bring to Front from the Entrust menu.

Entrust Find Recipients

When the individual is located, you will see information on the person under Recipient DN. Click on the entry for the person to select it, then click on Add to keychain. When the certificate has been added, you should see a message stating "Operation completed" and "The selected recipient's encryption certificate has successfully added to keychain."

You can click on OK to close that window and then OK again to close the Find Recipients window.

Entrust - Certificate added to keychain

Afterwards, if you run the security find-certificate command, e.g., security find-certificate -e "john.a.doe@example.com", you should see information returned regarding the certificate. You should also see the person's certificate if you open Keychain Access, select login, and look under the Certificates category, or if you put the person's last name in the search field with the magnifying glass icon at the top right-hand side of the Keychain Access window and then hit Enter.

Keychain Access

You should also be able to click on the encrypt button, which shows an open padlock, when composing a mail message to the person: once you add the person to the list of email recipients for the message, the button will no longer be greyed out, and it will show a closed padlock when you click on it.

Mail - Encrypted padlock

References

  1. Mac OS X: Using Keychain Access to search directory services for certificates. Apple Support.
  2. security command. SS64.com.
  3. Certificates and OS X Mail. yank.to. Last edit: January 19, 2010.


Created: Friday October 2, 2015