Setting Up S/MIME in Gmail
Sarah Mitchell
Gmail supports Secure/Multipurpose Internet Mail Extensions (S/MIME) through a feature Google calls hosted S/MIME, and the single most important thing to know is where it is available. Hosted S/MIME is a Google Workspace capability on the higher business and education editions, switched on by an administrator, and the free consumer Gmail does not offer it at all.
Everything below follows from that distinction.
Enabling Hosted S/MIME in Google Workspace
An administrator enables the feature in the Admin console under the Gmail settings for users, within the organizational units that should have it. Once enabled, each user gains the ability to upload their own E-Mail Certificate from within Gmail, and the change can take a little while to reach every account.
The E-Mail Certificate itself comes from your order, issued against the e-mail address it will protect after a mailbox validation step confirms control of the address. Learn About S/MIME Mailbox Validated E-Mail Certificates 🔗
Uploading Your E-Mail Certificate
Gmail accepts the E-Mail Certificate as a PKCS #12 file, the password-protected container that holds the E-Mail Certificate and its Private Key together, also known as a Personal Information Exchange (PFX) file.
In Gmail on the web, open the settings and locate the sending account, where an upload option for a personal E-Mail Certificate appears once hosted S/MIME is enabled for your account. Provide the file and its password, and Gmail stores the material for both signing and decryption.
Google then handles the cryptography server side, which is what the hosted part of the name means, and the padlock indicator in the compose window reflects the encryption level available for each recipient.
Note: Encrypting to a recipient requires their public E-Mail Certificate, which Gmail learns when they send you a signed message. A grey or missing padlock for a recipient means Gmail has not yet seen a usable E-Mail Certificate from them, not that yours is faulty.
That covers accounts with the feature. The rest of the Gmail world has a different path.
Without Hosted S/MIME
Accounts on consumer Gmail or lower Workspace editions still have a path, just not inside the Gmail web interface. A desktop client such as Mozilla Thunderbird or Microsoft Outlook connected to the same mailbox performs Secure/Multipurpose Internet Mail Extensions (S/MIME) signing and encryption in the client itself, with Gmail simply carrying the messages.
The same E-Mail Certificate works in any of these clients, since the standard is client independent by design. Learn About S/MIME E-Mail Certificates 🔗
Troubleshooting
An upload rejected over its password means the password does not match this specific PKCS12 file, and these passwords cannot be recovered. Rebuild the file from the original material with a fresh export when the password is lost.
An upload accepted but never used for signing usually means the e-mail address inside the E-Mail Certificate does not match the sending address exactly, including aliases. The E-Mail Certificate must name the address it protects, and a mismatch needs a replacement issued for the correct address. Learn About Reissuing Your Certificate 🔗
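Both failures above (a rejected password, and an accepted file whose certificate names a different address than the one you send from) can be caught before the upload. The script below is an added example, not part of the original article or of Gmail, and it uses only the openssl command line (1.1.1 or newer is assumed). It builds a throwaway self-signed certificate as a constructed stand-in for a CA-issued E-Mail Certificate, packs it into a PKCS #12 file, then checks that a password opens the file and that the address inside the certificate exactly matches the intended sending address.

```shell
#!/bin/sh
# Added example (not from the original article): pre-upload checks on a
# PKCS #12 (.p12/.pfx) file using the openssl CLI. Assumes openssl >= 1.1.1.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a self-signed certificate standing in for an issued
# E-Mail Certificate, with the protected address in the subjectAltName.
SAMPLE_ADDR="alice@example.com"
SAMPLE_PASS="correct horse"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -subj "/CN=Alice Example" \
  -addext "subjectAltName=email:$SAMPLE_ADDR" >/dev/null 2>&1
openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
  -out "$WORK/alice.p12" -passout "pass:$SAMPLE_PASS"
SAMPLE_P12="$WORK/alice.p12"

# Returns 0 when the password opens the file (the PKCS #12 MAC verifies),
# non-zero otherwise. A failure here is what Gmail reports as a bad password.
p12_password_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Prints the e-mail address(es) named by the end-entity certificate in the
# file, one per line. Usage: p12_email FILE PASSWORD
p12_email() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -email
}

# Returns 0 only if the certificate names the sending address exactly
# (whole-line, fixed-string comparison). Usage: p12_matches_sender FILE PASSWORD ADDRESS
p12_matches_sender() {
  p12_email "$1" "$2" | grep -qxF -- "$3"
}

# Walk the sample through the checks a user would run before uploading.
if p12_password_ok "$SAMPLE_P12" "$SAMPLE_PASS"; then
  echo "password: ok"
fi
echo "certificate names: $(p12_email "$SAMPLE_P12" "$SAMPLE_PASS")"
if p12_matches_sender "$SAMPLE_P12" "$SAMPLE_PASS" "$SAMPLE_ADDR"; then
  echo "address matches sender: $SAMPLE_ADDR"
fi
if ! p12_matches_sender "$SAMPLE_P12" "$SAMPLE_PASS" "alias@example.com"; then
  echo "address does not match alias: alias@example.com (upload would sign nothing)"
fi
```

To check a real file, point the three functions at your own .p12 or .pfx and the address Gmail sends from; if p12_matches_sender fails for an alias you use, that alias needs its own certificate rather than a change in Gmail.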
Recipients reporting your signature as untrusted are usually missing the Intermediate Certificates on their side, a client configuration matter rather than a fault in your E-Mail Certificate. Learn About Intermediate Certificates 🔗