Help for Alpine - S/MIME
You are in Home > Miscellaneous > S/MIME


  1. Introduction
  2. Configuration Options Related to S/MIME
  3. Configuration Variables Related to S/MIME
  4. Starting the Set Up
  5. Installing your Certificates
  6. Managing Certificates
  7. Creating Self Signed Certificates
  8. Trusting Self Signed Certificates


S/MIME is standard technology for e-mail which allows you to communicate with other people privately, allows for verification that the message received from the sender is the message that was actually written, or gives you assurances that your message will not be modified after it is sent by you, and the recipient will read what you actually intended you send.

If you have heard that you should never send by e-mail what you would not write in a postcard, S/MIME is the equivalent of putting your message in a box, under a key, which only you and the recipient of the message have, and sending the box with your message to the intended recipient.

The basis of encrypting a message is the use of certificates (also called keys) that allow a person to verify that they are who they claim to be. These are the equivalents to a government issued ID that shows who you are. Certificates contain information about your name, location and other personal information used to identify you. Information in these certificates is used to encrypt or decrypt a message and to verify its authenticity (that is was sent by the person that claims to to have sent it.) In symmetric key cryptography users that receive your encrypted messages need a piece of your certificate (called the public key) to verify that a message was sent by you and to send you encrypted messages. Users need the other part of the certificate (called the private key) to decrypt messages sent to them and to sign messages that were sent by them.

Configuration Options Related to S/MIME

Configuration Variables Related to S/MIME

If your version of Alpine is compiled with S/MIME support, then you can configure some of the variables using the Alpine interface. From the main screen press S (for setup) and M (for S/Mime). You will be taken to a screen where you can configure a number of options and variables. The following are the variables that can be configured

  1. Public Cert Directory This is the directory where public certificates are stored. The default directory is ~/.alpine-smime/public. Your public certificate should be stored here. Files in this directory have names that look like email addresses with extension crt. It looks like
  2. Private Key Directory This is the directory where you store your personal keys for each of your e-mail addresses. You are not supposed to share your key with anyone. The default location is ~/.alpine-smime/private. Your certificate should be called
  3. Cert Authority Directory This is the place where you will save certificate authorities certificates. For example, if you can not install in your machine the certificate of the authority that signed your certificate, then you would copy it here. The default location is ~/.alpine-smime/ca. If you have a self-signed certificate, then you would copy it here. Certificates in this directory must have extension .crt, their name is not important, only their extension; however, you should use a name that helps you remember what certificate you have saved in that file. For self-signed certificates, you can just copy your public/ certificate to this directory, there is not need to change its name.
  4. About Containers You can have Alpine save your certificates in an IMAP server, in special folders called containers. There are commands in the S/MIME configuration screen to move certificates between directories and containers. There are options that allow you to specify the location of the containers (for certificate authorities, public and private keys). Using a container puts your information at risk. First, your information is probably managed by another administrator who can see your certificates, in particular your private and public keys, and so you would have to trust that your administrator will not misuse them. Even if your administrator is an honest person, hackers might be trying to get access to the IMAP server, and so, when they do, they might get that information, and compromise your identity.

Starting the Set Up

Before you can send encrypted and/or signed messages, you must be able to prove that you are who you claim to be. After all, the system is based in the trust that when you send a signed message, it was actually you who signed the message, and no one else can do that.

In order to prove that you are who you claim to be, you must be in possession of a certificate. This certificate is just a file. Just like your government gives you an id card so that you can prove who you are, someone must be willing to say that you are who you claim to be. In this case, there are many certificate authorities that can help you prove your online identity. Many of them offer free certificates, and a search in the internet will find many of them. Some universities offer free certificates for their students and staff, or maybe your company can give you one.

For purposes of S/MIME, the level of certification is very low. A certificate for S/MIME certifies the validity of your e-mail address. This is not to certify that you are who you are, just that the e-mail address is yours. Most certificates contain information such that the country, state, company name, etc. While this information is included in certificates, for purposes of S/MIME you do not need to prove that this data is true, only that the e-mail address is yours.

The main idea about certification is that others can check that you are who you claim to be, and the certificate is your proof. This means you want others to be able to see your id (certificate), at the moment they need, but you do not want them to have full control of it, so that they can not use it to impersonate you. This is done by creating two certificates, one private (yours) and one public (for everyone else to see). It goes without saying that your private certificate should not be shared with anyone else. The private certificate is the one that you would use to sign messages, while the public certificate is used by others to check the signature of messages sent from your e-mail address (and hence when validated, it is proof that the message was sent by you.) In addition, a public certificate can be used by other people to send encrypted messages to you, so that others can not read them.

You can share your public key with other correspondents by sending them a signed message. When you receive a signed message from a sender, Alpine imports the certificate needed to verify your signature, and to encrypt messages to that sender, so by sending a signed message, you are sharing the key needed to encrypt messages to you and verify the you are the sender of that message.

Installing your Certificates

Once you have your public key and your private key, they must be copied to the directory ~/.alpine-smime/public and ~/.alpine-smime/private, respectively. If the certificate of the signer of your public key is not in the list of certificates that openssl recognizes, you must install that certificate in your machine. There are two ways to do this.
  1. You can install it for all users of the system if you have administrator rights in that system. In order to do so, download the certificate to a file, which we will call CompanyCertificate.pem, then copy such file to where openssl expects to find them. This is machine dependent, but for purposes of this example let us assume that that directory is /etc/ssl/certs. Then you execute
    cp CompanyCertificate.pem /etc/ssl/certs
    cd /etc/ssl/certs
    chmod 644 CompanyCertificate.pem

    Now you need to figure out a hash from the certificate, to do this execute the command

    openssl x509 -hash -noout -in CompanyCertificate.pem

    This command will give you an output, it is a combination of letters and numbers such as b24ac8f4. With this information execute the following command

    ln -s CompanyCertificate.pem b24ac8f4.0

    Now the certificate is installed for all users of the system.

  2. If it is not possible and/or desirable to install a certificate system-wide, you can install it so that it will be used only by you. In this case you need to copy such certificate to the ~/.alpine-smime/ca directory. You do not need to create a symbolic link, but it must be readable and have the .crt extension, so you would execute
    cp CompanyCertificate.pem ~/.alpine-smime/ca/CompanyCertificate.crt

    Notice that the name of the file is not relevant, only its extension. It could be an email address, or a company name, or a silly name like MashedPotatoes.crt, really, anything you want. Only the extension matters.

Managing Certificates

Starting in version 2.20, one can use the smime configuration screen to manage certificates. This means to import, delete and trust certificates from other users. These can be stored in containers or in directories.

In the case of Public certificates, commands to import, delete, undelete and expunge certificates are available. While in the list of available certificates, placing the cursor on an individual certificate, and pressing RETURN gives you information on that certificate. The last line of this text gives you information on the validity of such certificate. If you wish to trust a self-signed certificate, the T Trust command will be available to you.

The situation is very similar for the Private Key management screen. In this screen a key is listed if there is a public certificate with the same name.

Finally, in the Certificate Authorities management screen, certificates that are trusted by the user are listed. Commands to import, delete, undelete, and expunge certificates are available.

Any changes made in this screen are carried over immediately in the same session of Alpine, so it is not necessary to restart Alpine once changes to the list of certificates is made.

Creating Self Signed Certificates

You can create your own self signed certificates, that is, you are the only person attesting to the fact that you claim to be the owner of the certificate. Creating self signed certificates is a great idea when testing, but lacks the backing of a serious company, or entity for its validity and it could be a problem in business relationships.

I used to follow a three step process to create a self signed certificate, but Andreas Schamanek reported that there was an even simpler one line command that accomplished the same purpose. The directions come from a post in In order to create a self-signed certificate use the command

openssl req -x509 -newkey rsa:2048 -keyout -out -days 1095

Now you can install your certificates:

cp ~/.alpine-smime/private
cp ~/.alpine-smime/public
cp ~/.alpine-smime/ca

Trusting Self Signed Certificates

Once you receive a signed message from another person, Alpine will import the signature of that person automatically and save it in the .alpine-smime/public/ directory. However, if the certificate was self-signed, then Alpine will fail to validate such message because it does not have installed the certificate necessary to validate such signature. In order to validate the signature in the future, you must copy the certificate from the public/ directory to the ca/ directory. For example, one could execute the command
cp ~/.alpine-smime/public/ ~/.alpine-smime/ca
to install such certificate. Please note that this will install the certificate, but Alpine must be restarted so that it reads the certificate from the ca/ directory, and sees that you trust it now. Do not forget that certificates in the ca/ directory must have the .crt extension.

Starting in version 2.20, you can use the management certificate screen to trust selft signed certificates. From the screen that lists the certificates that are available, place the cursor on the certificate that you wish to trust, press RETURN to confirm that this certificate is self-signed, and finally press T to trust such certificate.
You are in Home > Miscellaneous > S/MIME