So, for over a year I had my personal certificate for signing/encrypting email working just fine in Mail, but today I got cute and tried to update my personal certificate to include my GMail account. When I deleted my old Thawte personal email certificate from Keychain Access, I screwed up and deleted the personal certificate ALONG with the X509Anchors entries for Thawte. This was crucial, because when I created the new/updated certificate at Thawte and went to import it back into Keychain Access, it imported fine, but Thawte didn’t replace my X509Anchors entries. Hence, when I fired up Mail, the padlock S/MIME icons weren’t appearing for signing and encrypting individual messages. After pulling my hair out for too much time wondering why the buttons weren’t showing up, I finally got smart and hopped on another Mac I have and I exported the Thawte certificates from the X509Anchors in Keychain Access and imported them back on to the machine that I impaired.

After doing this, my new/updated certificate now works flawlessly (and I switched to CACert now too, so we’ll see how this goes). Figuring out the X509Anchors deal helped me to get CACert certificates working as well. The signing/encryption buttons don’t show up in Mail unless you have corresponding entries in the X509Anchors keychain for the Certificate Authority you wish to add personal certificates for…