<li><em>Memory allocation failed</em>: Android supports keys up to 4096 bits only (Android <ahref="https://issuetracker.google.com/issues/199605614">issue 199605614</a>)</li>
<li><em>message-digest attribute value does not match calculated value</em>: the signature doesn’t match the message, possibly because the message was changed, or because an incorrect or key was used</li>
</ul>
<p>In case the certificate chain is incorrect, you can tap on the little info button to show the all certificates. After the certificate details the issuer or “selfSign” is shown. A certificate is self signed when the subject and the issuer are the same. Certificates from a certificate authority (CA) are marked with “<ahref="https://tools.ietf.org/html/rfc5280#section-4.2.1.3">keyCertSign</a>”. Certificates found in the Android key store are marked with “Android”.</p>
<p>In case the certificate chain is incorrect, you can tap on the little info button to show the all certificates. After the certificate details the issuer or “selfSign” is shown. A certificate is self signed when the subject and the issuer are the same. Certificates from a certificate authority (CA) are marked with “<ahref="https://tools.ietf.org/html/rfc5280#section-4.2.1.3">keyCertSign</a>”. You can find the description of other key usage bits, like <em>cRLSign</em>, via this same link. Certificates found in the Android key store are marked with “Android”.</p>
<p>A valid chain looks like this:</p>
<pre><code>Your certificate > zero or more intermediate certificates > CA (root) certificate marked with "Android"</code></pre>
<p>Note that a certificate chain will always be invalid when no anchor certificate can be found in the Android key store, which is fundamental to S/MIME certificate validation.</p>
<p>Please see <ahref="https://support.google.com/pixelphone/answer/2844832?hl=en">here</a> how you can import certificates into the Android key store.</p>
<p>The use of expired keys, inline encrypted/signed messages and hardware security tokens is not supported.</p>
<p>If you are looking for a free (test) S/MIME certificate, see <ahref="http://kb.mozillazine.org/Getting_an_SMIME_certificate">here</a> for the options. Please be sure to <ahref="https://davidroessli.com/logs/2019/09/free-smime-certificates-in-2019/#update20191219">read this first</a> if you want to request an S/MIME Actalis certificate.</p>
<p>S/MIME certificates can for example be purchased via <ahref="https://www.xolphin.com/">Xolphin</a>.</p>
<p>How to extract a public key from a S/MIME certificate:</p>
<p>If a message could not be sent to the recipient, you’ll in most cases receive a non-delivery notification message, a special email, indicating the reason, like user (email address) unknown. FairEmail will decode non-delivery notification messages, so you can see all the details.</p>
<p>Basically, an outgoing message is either in the draft messages folder, the outbox, or the sent messages folder.</p>
<p><br></p>
<p><aname="faq204"></a><strong>(204) How do I use Gemini?</strong></p>
<oltype="1">
<li>Check if your country <ahref="https://support.google.com/gemini/answer/13575153">is supported</a></li>
<li>Get an API key via <ahref="https://ai.google.dev/tutorials/setup">here</a></li>
<li>Enter the API key in the integration settings tab page</li>
<li>Enable Gemini integration in the integration settings tab page</li>
</ol>
<p>For usage, please see <ahref="#faq190">this FAQ</a></p>