Getting a sensible S/MIME Cert

What the shait this has been annoying…

Well, here is the bottom line:

Issue Your Own Self-Signed S/MIME Certs with OpenSSL by using these two shell scripts:

# Run this once to create a new cert authority if you don't have an own CA already
$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Run this for each email account.  The system must install the CA cert and the resulting p12 file in order to be happy.

# Borrowed from who borrowed from

# First adjust $EMAIL below to whatever email you're creating a cert for


openssl genrsa -des3 -out $EMAIL.key 4096
openssl req -new -key $EMAIL.key -out $EMAIL.csr
openssl x509 -req -days 365 -in $EMAIL.csr -CA rootDevCA.pem -CAkey rootDevCA.key -set_serial 1 -out $EMAIL.crt -setalias "Self Signed SMIME for $EMAIL" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
openssl pkcs12 -export -in $EMAIL.crt -inkey $EMAIL.key -out $EMAIL.p12