With an S/MIME certificate, you can both sign and encrypt your e-mails. These e-mail certificates are often used by businesses to increase e-mail privacy and trust. But an e-mail certificate can be very useful for personal use as well, can come across as very professional, and can even be free.
Free S/MIME certificates
In the past, a number of certificate vendors offered free S/MIME certificates to the public (to personal e-mail addresses, that is). Perhaps the best-known example was Comodo, which also had a very simple user interface for creating, managing and renewing an e-mail certificate. Its certificates also had to be renewed only once a year, in contrast with offerings from other companies where a monthly renewal was required.
Unfortunately, after searching some time for free S/MIME e-mail signing and encryption, I couldn’t find any solution that has no cost attached to it. It seems like all providers stopped offering this service: they either completely stopped offering this, or they stopped offering the free version.
Paid S/MIME certificates
While free S/MIME client certificates appear to be no longer offered by any company, there are still quite a few companies offering a paid solution for signing and/or encrypting e-mails.
Here is a non-exhaustive overview of e-mail client certificates:
- SSL.com: Personal Basic Email and ClientAuth Certificate
- Sectigo.com: Secure Email Solutions (S/MIME)
- Globalsign.com: Secure Email – Digitally Sign & Encrypt Emails
Often, these certificates are not very costly, and sometimes there are even discounts when purchasing for multiple years.
Create your own S/MIME certificate
Given there are basically no providers of free S/MIME certificates on the market today, you may want to create your very own client certificate for your e-mails. This is completely free, and you will learn more about encryption by creating your self-signed S/MIME certificate from scratch.
John Dalesandro has a great how-to blog post for this. There are other guides available: ServerFault, Henry Todd. All these guides will help you create your own S/MIME cert in no time.
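As an illustration of what such a guide boils down to, here is an added example (not taken from the guides linked above) that uses the OpenSSL command line to create a self-signed certificate with the S/MIME extensions, sign a message, and verify it against a pinned copy of the certificate. The address, file names and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: self-signed S/MIME certificate plus a pinned verification.
# The address, file names and function names are constructed placeholders.

make_smime_cert() {  # usage: make_smime_cert <email> <dir>
    email=$1; dir=$2
    mkdir -p "$dir" || return 1
    cat > "$dir/smime.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = smime_ext
prompt = no
[dn]
CN = $email
emailAddress = $email
[smime_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
subjectKeyIdentifier = hash
EOF
    # The key pair is generated locally; only cert.pem is ever handed out.
    # -nodes leaves key.pem unencrypted on disk, so restrict it with umask.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -config "$dir/smime.cnf" \
          -keyout "$dir/key.pem" -out "$dir/cert.pem" ) 2>/dev/null
}

sign_message() {  # usage: sign_message <dir> <plaintext-file> <out.eml>
    openssl smime -sign -text -md sha256 -in "$2" -out "$3" \
        -signer "$1/cert.pem" -inkey "$1/key.pem" 2>/dev/null
}

verify_pinned() {  # usage: verify_pinned <message.eml> <pinned-cert.pem>
    # -nointern: ignore certificates shipped inside the message, so the
    #            signer must be the certificate obtained out of band.
    # -noverify: skip CA chain building; trust comes from the pin instead.
    openssl smime -verify -in "$1" -nointern -certfile "$2" -noverify \
        -out /dev/null 2>/dev/null
}
```

A recipient who received cert.pem through a separate channel can run verify_pinned on incoming mail; a message signed with any other key, or altered after signing, makes it return non-zero.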
Hi, still Actalis is providing free S/MIME certificates.
Hi Nizwan, indeed, I didn’t check out Actalis before.
Here is the link for those who want to test: https://extrassl.actalis.it/portal/uapub/freemail?lang=en
Actalis will not use the browser to generate a private key, but instead will generate it themselves and send you the PFX. I cannot stress enough that this defeats the whole purpose of secure e-mail, as they have the private key!
That’s not true. Actalis do not retain the private key. That’s also clearly specified in the certificate policy document.
Well, at least that is what they “claim”, you have no proof that they aren’t creating their own database of customer keys.
Not true. They definitely retain the private key because they let you download your private key later.
When you DON’T use some encryption, ANYONE can read the mail.
Besides, I only use it to sign my mail, not encrypt it.
This way people know I sent the mail and not some spoofer
Isn’t this true to all online services that create certificates?
Not really. Most good implementations use JavaScript to create the private key on the browser side.
FAKE NEWS It’s a great company and simple cert for * F R E E * They send you a one time image (code) that opens on their website one time. After that it is forever gone.
Thank you for this. As of April 26, 2022 the process to get a certificate (2048 bit, RSA, trusted by Windows default root cert authority list) was very easy and done in 10 minutes.
Creating your own certificate is useless. No one is going to trust it.
I believe there are some valid use cases:
1. How about, I will trust my own certificate myself?
Sample use case: sending encrypted emails between work (where the organization has already an internal CA for S/MIME certificates set up) and my home mail addresses.
2. Or being able to send some file via encrypted mail from your home address to your phone, or vice-versa, between 2 email addresses you both own, without worrying that your provider can read your mail in transit?
3. Or exchanging encrypted emails with a friend with whom you are corresponding very frequently and who’s “stuck” on a client like Outlook which doesn’t support PGP?
Other use cases:
Using certificates for ESXI hosts that you control.
I also use personal certificates to allow access to certain sections of my website. I create the Certs with my own CA and then give them to trusted family members and associates. For example, some of my ‘smart home’ services can be controlled by my webserver, but I don’t want just anybody to be able to turn on computers, lights, change temp settings, etc. The only people that can do that are folks that have personal certificates signed by MY personal CA.
I think you are in a different planet, maybe UR-ANUS. I used the Actalis cert and it was accepted by my mortgage company, bank and title company. I think that suffices to say the Actalis certs are as good as gold. And FREE
Unless you use PGP, to the best of my knowledge ALL PGP Certificates are self generated unless you have your certificate signed by another PGP user
https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Certificates
You can also run your own PKI CA to establish trust between friends and family, etc. I do that, I publish my CA’s certificate on my webserver. Anyone can then at least assume that my signed emails are valid at least to me.
Still another provider: WiseID from Switzerland. The free account includes an S/MIME certificate. See https://wiseid.com/pricing/
I’m always grateful for tips about other free mail certificate providers, so thank you for your post
Unfortunately they recently changed their terms of service to certificates only valid for 3 months. Another way to stop free service
I use WiseID, the procedure to get the free certificate is not as intuitive and easy as I would wish and unfortunately starting from April 2021 they give out only certificates that are valid for 3 months.
Actalis still provides free S/MIME
cacert.org is still offering free certificates…
Edge, Chrome, Brave, Firefox say invalid, not trusted. To have it show as trusted you have to import their root certs. So would anyone who wanted to trust you. That’s not going to happen. WISe worked like a champ, and so did Actalis
It is not trusted by most companies.
Anyone know which CAs allow certificate requests that generate the key locally? (Other than through Enterprise PKI contacts…)
That’s exactly what I need. I create my own keys on an offline system using an HSM. The key is PRIVATE so available to me only
Anyone tried out https://acme.castle.cloud/
The problem with Actalis is that they create the key and they save it. Just login afterwards and request the key and certificate again and they will give it to you. It doesn’t even matter if they delete. They still created it, so there is the possibility they have it somewhere OR somebody took it before it was deleted.
I want to use the certificate to prove that I am the only one capable of sending you this message or decrypting anything you send to me. No rational person who is dealing with security is going to accept somebody else having your key.
If you just want a pretty red flag near your name just put a jpeg in your email signature…