<p>If the certificate chain is incorrect, you can tap the little info button to show all the certificates. After the certificate details, the issuer or “selfSign” is shown. A certificate is self-signed when the subject and the issuer are the same. Certificates from a certificate authority (CA) are marked with “<a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.3">keyCertSign</a>”. You can find the description of other key usage bits, like <em>cRLSign</em>, via this same link. Certificates found in the Android key store are marked with “Android”.</p>
<p>A valid chain looks like this:</p>
<pre><code>Your certificate > zero or more intermediate certificates > CA (root) certificate marked with "Android"</code></pre>
<p>Note that a certificate chain will always be invalid when no anchor certificate can be found in the Android key store, which is fundamental to S/MIME certificate validation. This means that your private key should include all intermediate certificates (but not the root certificate). This command might be useful for that:</p>
<p>Please see <a href="https://support.google.com/pixelphone/answer/2844832?hl=en">here</a> for how to import certificates into the Android key store.</p>
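<p>The chain rules above can be reproduced offline with OpenSSL; this is an added example, not a command from the original page. It builds a constructed root, intermediate and S/MIME leaf, checks the chain with and without a trust anchor (<code>-CAfile</code> stands in for the Android key store), and bundles the private key with the intermediate but not the root. It assumes OpenSSL 1.1.1 or later; all names, files and the password are placeholders.</p>

```sh
# Constructed demo: all names, files and the password are placeholders.
issue() {  # $1=name $2=CN $3=issuer name $4=extension section
  openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" &&
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial -extfile ext.cnf -extensions "$4" -days 30 -out "$1.pem"
}
build_chain() (  # $1 = working directory
  cd "$1" || exit 1
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
EOF
  # Root: self-signed (subject == issuer), carries keyCertSign
  openssl req -x509 -config ext.cnf -extensions ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -days 30 -subj "/CN=Demo Root" || exit 1
  issue int "Demo Intermediate" root ca && issue leaf "Demo User" int leaf
) >/dev/null 2>&1
is_self_signed() {  # true when subject equals issuer
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" ]
}
chain_valid() {  # $1=dir, $2=anchor|noanchor
  if [ "$2" = anchor ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem"
  else
    openssl verify -no-CAfile -no-CApath -untrusted "$1/int.pem" "$1/leaf.pem"
  fi >/dev/null 2>&1
}
bundle_p12() {  # private key + leaf + intermediate; root deliberately left out
  openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.pem" \
    -certfile "$1/int.pem" -out "$1/demo.p12" -passout pass:changeit
}
p12_cert_count() {  # number of certificates stored in the bundle
  openssl pkcs12 -in "$1/demo.p12" -nokeys -passin pass:changeit 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}
WORK=$(mktemp -d) && build_chain "$WORK" && bundle_p12 "$WORK"
chain_valid "$WORK" anchor && echo "root trusted: chain valid"
chain_valid "$WORK" noanchor || echo "no trust anchor: chain invalid"
```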
<p>The use of expired keys, inline encrypted/signed messages and hardware security tokens is not supported.</p>
<p>If you are looking for a free (test) S/MIME certificate, see <a href="http://kb.mozillazine.org/Getting_an_SMIME_certificate">here</a> for the options. Please be sure to <a href="https://davidroessli.com/logs/2019/09/free-smime-certificates-in-2019/#update20191219">read this first</a> if you want to request an S/MIME Actalis certificate.</p>