Apple-focused shortcut
Need the easiest Apple-focused workflow?
Learn the concepts here, then use SMIME Toolkit to generate keys on-device, build the CSR, export a .p12 identity, and complete the manual Apple setup path.
One of the most frustrating S/MIME problems is when the certificate appears to exist but still does not work for signing or decryption. In many cases, the missing piece is exactly what the error suggests: the private key.
Why the private key matters
The private key is what allows the identity to:
- sign outbound mail
- decrypt messages encrypted to that identity
Without it, the certificate is more like a public description of the identity than a full working identity.
How this usually happens
- the wrong file was imported
- the
.p12did not contain the private key - the export step was incomplete
- the identity was separated from the key during movement
Why it feels misleading
Users often assume that because the certificate is visible somewhere on the device, the full identity is installed. Unfortunately, visible certificate presence and usable key-backed identity are not always the same thing.
What to do
Go back to the export and import path:
- confirm the source identity included the private key
- confirm the
.p12was the correct file - confirm the import process used the correct password and target path
Practical takeaway
If signing or decryption is unavailable and the certificate seems present, do not stop at “the file imported.” Ask whether the private key came with it.
Apple-focused shortcut
Ready to move from theory to setup?
If you are working through S/MIME on iPhone or iPad, use the app-specific workflow and Apple guides next.