The Gmail S/MIME API provides programmatic access to manage S/MIME email certificates for users in a Google Workspace domain.
An administrator must enable S/MIME for the domain in order for the certificates to work.
The S/MIME standard provides a specification for public key encryption and signing of MIME data. Configuring S/MIME certificates in a user's account causes Gmail to use that certificate in the following ways:
- Gmail uses the user's certificate and private key to sign outgoing mail.
- Gmail uses the user's private key to decrypt incoming mail.
- Gmail uses the recipient's certificate and public key to encrypt outgoing mail.
- Gmail uses the sender's certificate and public key to verify incoming mail.
You generate individual S/MIME certificates and upload them using the API. Each S/MIME certificate is for a specific alias for a user email account. Aliases include the primary email address as well as custom "Send As" addresses. A single S/MIME cert is marked as the default for each alias.
Authorizing API access
There are two forms of authorizing access to the API:
- You can use a service account with domain-wide delegation of authority. For an explanation of these terms, refer to Authentication and authorization overview terms. For information on enabling this option, refer to Create a service account with domain-wide delegation of authority
- You can use a standard OAuth2 flow requiring end-user consent to obtain an Oauth2 access token. For further information, refer to the Authentication and authorization overview To use this option, the domain admin must enable the "S/MIME API end user access enabled" checkbox in the Domain control panel.
ACL scopes
This API relies on the same ACL scopes as the Gmail sendAs methods:
- gmail.settings.basic
- This scope is required for updating the primary SendAs S/MIME.
- gmail.settings.sharing
- This scope is required for updating custom from S/MIME.
Using the API
The users.settings.sendAs.smimeInfo resource provides the methods that you use to manage S/MIME certificates. Each certificate is associated with one send-as alias for a user.
Upload an S/MIME key
Use the smimeInfo.insert() method to upload a new S/MIME key for an alias belonging to a user. You identify the target alias using the following parameters:
- userId
- The user's email address. You can use the special value
me
to indicate the currently authenticated user. - sendAsEmail
- The alias for which you're uploading the key. This is the email address that appears in the "From:" header for mail sent using this alias.
The S/MIME certificate and private key should
be present in the pkcs12
field in that format; no other fields should be set
in the request. The PKCS12 field is expected to contain both the user S/MIME key
and the signing certificate chain. The API performs standard validations on this
field before accepting it, verifying the following:
- The subject matches the specified email address.
- Expirations are valid.
- The issuing certificate authority (CA) is in our trusted list.
- The certificates match Gmail's technical constraints.
If the key is encrypted then the password should be in encryptedKeyPassword
field. Successful insert() calls will return the smimeInfo's ID that can be
used to refer to the key in the future.
List a user's S/MIME keys
Use the smimeInfo.list() method to return the list of S/MIME keys for the given user for the given alias. You identify the target alias using the following parameters:
- userId
- The user's email address. You can use the special value
me
to indicate the currently authenticated user. - sendAsEmail
- The alias for which to list keys. This is the email address that appears in the "From:" header for mail sent using this alias.
Retrieve the S/MIME keys for an alias
Use the smimeInfo.get() method to return the specific S/MIME keys for a specific send-as alias for a user. You identify the target alias using the following parameters:
- userId
- The user's email address. You can use the special value
me
to indicate the currently authenticated user. - sendAsEmail
- The alias for which you're retrieving the keys. This is the email address that appears in the "From:" header for mail sent using this alias.
Delete an S/MIME key
Use the smimeInfo.delete() method to delete the specified S/MIME key from an alias. You identify the target alias using the following parameters:
- userId
- The user's email address. You can use the special value
me
to indicate the currently authenticated user. - sendAsEmail
- The alias for which you're retrieving the keys. This is the email address that appears in the "From:" header for mail sent using this alias.
- id
- The immutable ID for the SmimeInfo.
Set the default S/MIME key for an alias
Use the smimeInfo.setDefault() method to mark the specified S/MIME key as the default for the specified alias. You identify the target alias using the following parameters:
- userId
- The user's email address. You can use the special value
me
to indicate the currently authenticated user. - sendAsEmail
- The alias for which you're retrieving the keys. This is the email address that appears in the "From:" header for mail sent using this alias.
- id
- The immutable ID for the SmimeInfo.
Sample code
The following code samples demonstrate using the API to manage S/MIME certificates for an organization with multiple users.
Creating an SmimeInfo resource for an S/MIME certificate
The following code sample demonstrates reading a certificate from file, encoding
to a base64url string, and assigning it to the pkcs12
field of the smimeInfo
resource:
Java
Python
Uploading an S/MIME certificate
To upload a certificate, call
smimeInfo.insert
,
and supply the smimeInfo
resource in the body of the request:
Java
Python
Examples for managing many users' certificates
You may want to manage certificates for many users in the organization at once. The following examples show how to manage certificates for multiple users in one batch call.
Inserting certificates from a CSV file
Suppose you have a CSV file that lists user IDs and the path to each user's certificate:
$ cat certificates.csv
user1@example.com,/path/to/user1_cert.p12,cert_password_1
user2@example.com,/path/to/user2_cert.p12,cert_password_2
user3@example.com,/path/to/user3_cert.p12,cert_password_3
Java
You can make use of the createSmimeInfo
and insertSmimeInfo
calls
from earlier to upload the certs as specified in the CSV file:
Python
You can make use of the create_smime_info
and insert_smime_info
calls
from earlier to upload the certs as specified in the CSV file:
Certificate management
This example combines several calls from the smimeInfo
API to show how you
might manage certificates for your organization. It lists the certs for the
user and if the default cert is expired or not set, it uploads the cert found in
the specified file. Then it sets the cert whose expiration is furthest into the
future as the default.
This is then called from a function that processes a CSV file as in the previous example.