diff --git a/FAQ.md b/FAQ.md index de0632fe3c..290f6c040a 100644 --- a/FAQ.md +++ b/FAQ.md @@ -1123,6 +1123,12 @@ Your certificate > zero or more intermediate certificates > CA (root) certificat Note that a certificate chain will always be invalid when no anchor certificate can be found in the Android key store, which is fundamental to S/MIME certificate validation. +This means that your private key should include all intermediate certificates (but not the root certificate). +This command might be useful for that: + +``` +openssl pkcs12 -export -in certificatechain.crt -inkey private.key -out certificate.pfx +``` Please see [here](https://support.google.com/pixelphone/answer/2844832?hl=en) how you can import certificates into the Android key store. diff --git a/index.html b/index.html index 47008cdcf4..2949b07f13 100644 --- a/index.html +++ b/index.html @@ -783,7 +783,8 @@ openssl pkcs12 -export -legacy -in certbag.pem >legacy.p12
In case the certificate chain is incorrect, you can tap on the little info button to show the all certificates. After the certificate details the issuer or “selfSign” is shown. A certificate is self signed when the subject and the issuer are the same. Certificates from a certificate authority (CA) are marked with “keyCertSign”. You can find the description of other key usage bits, like cRLSign, via this same link. Certificates found in the Android key store are marked with “Android”.
A valid chain looks like this:
Your certificate > zero or more intermediate certificates > CA (root) certificate marked with "Android"
-Note that a certificate chain will always be invalid when no anchor certificate can be found in the Android key store, which is fundamental to S/MIME certificate validation.
+Note that a certificate chain will always be invalid when no anchor certificate can be found in the Android key store, which is fundamental to S/MIME certificate validation. This means that your private key should include all intermediate certificates (but not the root certificate). This command might be useful for that:
+openssl pkcs12 -export -in certificatechain.crt -inkey private.key -out certificate.pfx
Please see here how you can import certificates into the Android key store.
The use of expired keys, inline encrypted/signed messages and hardware security tokens is not supported.
If you are looking for a free (test) S/MIME certificate, see here for the options. Please be sure to read this first if you want to request an S/MIME Actalis certificate.
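Review bot: In the FAQ.md hunk, the added sentence "your private key should include all intermediate certificates" is inaccurate wording, since a private key cannot contain certificates. The command that follows it writes certificate.pfx from private.key and certificatechain.crt, so it is that exported file which carries the chain. Suggest rewording along the lines of "This means that the file you import should contain your private key, your certificate and all intermediate certificates (but not the root certificate)."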
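Review bot: In the index.html hunk, the added "openssl pkcs12 -export -in certificatechain.crt -inkey private.key -out certificate.pfx" line leaves two things undocumented. It does not say what certificatechain.crt has to contain; the sentence before it implies your own certificate plus the intermediates and no root, and that should be stated next to the command. The hunk header also shows that the page already gives an export using -legacy ("openssl pkcs12 -export -legacy -in certbag.pem >legacy.p12"), while the new command omits that option, so say whether -legacy is needed here as well or point the reader to that earlier passage.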