mutt and S/MIME
by Wessel Dankers

Don't even try to use mutt 1.5.9 (e.g. mutt 1.5.9-2 as shipped with Debian sarge) with S/MIME: that version won't be able to decrypt some valid S/MIME messages. Use a later version instead, e.g. (a backport of) 1.5.11-4.

To get Mutt from Debian sarge (1.5.9-2) to deliver some of the needed S/MIME functionality, I had to coerce it a little. Two configuration variables needed changing (Debian Bug #315319):

    set smime_encrypt_command="openssl smime -encrypt %a -outform DER -in %f %c"

(or, alternatively, do

    set smime_encrypt_with=des3

) and:

    set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin -in %f -outform DER"

Setting up the keys:

    % openssl genrsa -out wsl.key 2048
    % cat wsl.cfg
    [ req ]
    default_bits = 2048
    default_keyfile = wsl.key
    distinguished_name = req_distinguished_name
    attributes = req_attributes
    prompt = no

    [ req_distinguished_name ]
    C = NL
    O = Universiteit van Tilburg
    OU = IT Services
    CN = Wessel Dankers
    emailAddress = wsl@uvt.nl

    [ req_attributes ]
    % openssl req -new -newhdr -config wsl.cfg -key wsl.key -days 3650 -sha1 -verify -out wsl.csr

Have this CSR signed by your favourite CA. Ours is Fruit CA. You can create your own CA using the tools in CA/.

Assuming the certificate of Fruit CA is called fruit.crt and ours is called wsl.crt:

1) $ smime_keys init

2) $ smime_keys add_root fruit.crt
   (or equivalent: $ cat fruit.crt >~/.smime/ca-bundle.crt )

3) $ smime_keys add_chain wsl.key wsl.crt fruit.crt
   (yes, you have to specify the root CA again!)

4) Optionally, add a certificate of someone you'd like to communicate with:
   $ smime_keys add_cert joostvb.crt

There's also something fishy going on with its key handling:

    # For every <dir>/<name>.0 under ~/.smime, create <dir>/<name>. as a symlink to it
    cd ~/.smime && for i in */*.0; do ln -sf "${i#*/}" "${i%0}"; done

Now you should be able to send and receive S/MIME signed+encrypted messages.
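
A pre-flight check for step 3, added here as an example and not part of the original page: before anything is handed to smime_keys add_chain, it confirms that the private key belongs to the certificate, that the certificate verifies against the root, and that it carries the expected e-mail address. The function names are hypothetical; it assumes an unencrypted PEM key as produced by the genrsa command above and OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumes an unencrypted PEM private key and OpenSSL 1.1.0 or later.

# True if the private key and the certificate hold the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# True if the certificate ($1) verifies against the root CA file ($2).
# -no-CApath stops the fallback to the default certificate directory;
# on OpenSSL 3 add -no-CAstore as well.
cert_chains_to() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# True if the certificate ($1) lists the e-mail address ($2), ignoring case.
cert_has_email() {
    openssl x509 -in "$1" -noout -email 2>/dev/null | grep -qixF "$2"
}

# preflight KEY CERT ROOT EMAIL
# Returns 0 if every check passes, otherwise 1, 2 or 3 for the first failure.
preflight() {
    key_matches_cert "$1" "$2" || {
        echo "key $1 does not match certificate $2" >&2; return 1; }
    cert_chains_to "$2" "$3" || {
        echo "certificate $2 does not verify against $3" >&2; return 2; }
    cert_has_email "$2" "$4" || {
        echo "certificate $2 does not list address $4" >&2; return 3; }
    echo "ok: ready for smime_keys add_chain $1 $2 $3"
}
```

With the file names used on this page, the call would be preflight wsl.key wsl.crt fruit.crt wsl@uvt.nl.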