Getting a Thawte Email Certificate with Windows XP, Mozilla Firefox, and Mozilla Thunderbird
This page will describe in a step-by-step manner how one can request a free Thawte X.509 certificate for use in digitally signing and securing email. In this example, I will be using Windows XP, Mozilla Firefox, and Mozilla Thunderbird, but the procedures should be similar for any system that can run Firefox and Thunderbird.
If you are using Windows XP and Internet Explorer, please see this page instead.
For some basic information about certificates and definitions of terms used here, please see this page.
Note for Windows Vista Users:
For reasons unknown, requesting a certificate using Firefox under Windows Vista results in a file named "mycert.spc" being downloaded to one's desktop, rather than having the certificate installed in Firefox.
There is a simple workaround: close all Firefox windows, run Firefox under Compatibility Mode for Windows XP, and then go back to the Thawte site to pick up your certificate. Once this is done, you can turn off Compatibility Mode -- it's only needed to pick up the certificate from Thawte, and is not needed for everyday operations.
Other han this minor quirk, the instructions should be exactly the same for Windows Vista as they are for Windows XP.
Creating a Thawte Account
If you already have a Thawte account, skip ahead to the next section.
- Visit Thawte's Personal Email Certificates page.
- Click on "Join" in the top-right corner of the page. A pop-up window should appear that has their license agreement. If you agree, click "Next".
- Enter your last name under "Surname or Family Name", your first name under "First Names or Names", your birthdate, and your nationality. If you need to change the character set for your language, you may do so using the "Charset for Text Input" menu. Normally, one should leave this menu at it's default setting. Click "Next".
- Enter your email address, then click "Next". This must be an actual, working email address that you have access to. You can change it after you log in, but you must be able to verify ownership of this address. Your currently primary address is your Thawte username that you'll use to log in later.
- If you need to change your default language or character set, you may do so here. Otherwise leave them at their default values. Click "Next" when ready.
- Enter a password that you wish to use for this acount. You will need this whenever you log in to Thawte's website. Enter it twice to ensure that you've typed it correctly. Click "Next".
- Confirm that all the listed information is correct, then click "Next".
- Read the instructions. Basically, Thawte has sent an email to your address. It contains information that will allow you to prove that you have access to that email address.
- Check your email. You should have an email from Thawte in your inbox (if not, wait a few minutes. If it still hasn't arrived, check your junk folder.). The email will contain a link at the top that you should open in your web browser. The email also contains two lines of random characters named "Probe" and "Ping". Copy and paste each of these into the appropriate field in the website you just opened, then click "Next". By doing so, you've confirmed that your email address exists and that you have access to it.
- Hooray! You now have a Thawte account. Now we can actually get started on getting a certificate!
Requesting a Certificate
- Log into your Thawte account. If you're still on the page that says "Congratulations! You now have an account...", just click "Next". Otherwise, go to Thawte's Personal Email Certificates page and click "Login". Enter your email address and password that you used to create the account.
- Click the "Request" button immediately under "X.509 Format Email Certificates".
- A new window should appear, and you should select your browser/email client combination. Remember, your certificate can be used for any of these software programs (and many more), but the actual process of installing it differs based on what browser you use, so please choose the browser you're actually using right now, then click "Request".
- This next page doesn't apply at this time, so just click "Next".
- Since Thawte doesn't know who you are, they won't issue a certificate to your name, only to your email address (which is the one they've verified before). Otherwise, people could request certificates using fake names like "Bill Gates", "Hulk Hogan", or "The Man In The Moon". Instead, your certificate will be issued to "Thawte Freemail Member". If you want to verify your identity, you can participate in the Thawte Web of Trust where you visit people trusted by Thawte to vouch for your identity.
- Confirm your email address. This is the address that will part of the certificate, and will be the address to which people will be able to send encrypted email to. If you have multiple addresses on file with Thawte, only select one. If you need to add or change the address, go back to Step 1 in this section, log in, select "my emails", and select "new email address" to add an email account to Thawte. You'll need to confirm it using the methods above, and then can return and start the requesting procedure over again. Once you've selected the proper address, click "Next".
- This doesn't apply. Just hit "Next".
- Click "Accept". The default options are fine.
- Select the options for your public key. You should have a choice between "2048 (High Grade)" and "1024 (Medium Grade)". You should choose 2048, as this will offer better security. If this is not possible, select 1024.
- A window will pop up indicating that it is generating your key. Wave your mouse around randomly and hit keys on the keyboard to generate extra random data for the generator. This can take between a few seconds and a few minutes.
- Confirm the certificate request details, then click the button to proceed.
- Hooray! You've now requested a certificate. It should take less than 10 minutes for them to issue your certificate. You'll get an email when it's ready. Go have some coffee or something.
Installing the New Certificate
- When you get the email confirming your certificate has been issued, log into your Thawte account, select "certificates" in the left-hand menubar, then check "view certificate status". You should see one listing there with the status of "issued". Click the link that says "Navigator" in the left column.
- Confirm the details of the certificate you requested. Once you verify everything, click the "Fetch" button at the bottom of the page. You should receive a notice saying your certificate was installed, and encourage you to make a backup copy.
- You should now make a backup of your certificate and private key. Fortunately, doing so is also the same process needed to install the certificate in Mozilla Thunderbird and the Windows key store on your computer.
- In Firefox, go to the "Tools" menu, select "Options", click the "Advanced" button at the top, followed by the "Encryption" tab.
- Click the "View Certificates" button and ensure the "Your Certificates" tab is open.
- Locate your Thawte certificate, select it, and click the "Backup" button.
- Choose a name and suitable location for the exported certificate file. I usually choose the Desktop. Click "Save" to continue.
- Enter and repeat a password to protect the certificate file. You will need to know this password to import the certificate into Thunderbird or to restore the certificate in the future. Click "OK" to continue.
- Your certificate is now exported. You should copy it to a backup medium (e.g. USB flash drive, CD-R, etc.) and store it in an off-site, secure location like a bank safe deposit box. If your original certificate is lost, you can restore it from this backup. It is very important that you keep a backup copy of your certificate in a secured location -- if your original certificate is lost or destroyed, you will be unable to decrypt any encrypted emails or files that have been sent to you.
- (Optional) Import the certificate into the Windows key store. If you use a mail client like Outlook Express, want Microsoft Office or OpenOffice to be able to sign documents, or want to give Internet Explorer access to your certificate (can be handy at times), simply double-click on the exported certificate file. This will open the Windows Certificate Import Wizard, click "Next", select your backed-up certificate file, enter the password to access the certificate, and select the options you want (I usually mark the key as exportable, but leave "strong private key protection" off as I find the warnings annoying). Hit the buton to proceed, and select "Automatically select the certificate store type" option, then hit "Next". Confirm the details on the next page, then hit "Finish". Now your certificate is accessible to Microsoft products on your computer.
- Import the certificate into Mozilla Thunderbird. Oddly enough, the certificate manager for Thunderbird is identical to Firefox's, but the two are not linked -- you need to export certs from Firefox and then import them into Thunderbird. I'm assuming you've still got the exported cert file from step 3. I will also assume that you have Thunderbird configured with your email account that corresponds to the email address used in your cert.
- First, open Thunderbird, select your account in the left pane, then go to the "Edit" menu and choose "Properties". Select the "Security" option under the account that you wish to use the certificate with. Click "View Certificates", make sure you're in the "My Certificates" tab, then click "import". You may be prompted to create a "master password" for the "software security device", just as you were in Firefox. Again, choose a good password, but make sure it's easy to remember -- Firefox uses this one password to secure all your saved email account passwords and to protect your certificates from misuse. After you do this, click "OK" to proceed to the next screen.
- You will be prompted for the password that you created in step 3 to protect your exported certificate file. Enter it now. Click "OK", and your certificate will be imported. Click "OK" to exit the certificate manager. You should still have the "Security" pane for your account open; click the "Select" button in the "Digital Signing" box, then select your certificate. You will be asked if you also want to use this certificate for encryption. Assuming you do (you probably do), say "yes". You can tick the box to "Digitally sign messages by default" if you wish, but it's not required. Click "OK" to exit the properties window. Your certificates are now imported.
Using Your Certificate with Thunderbird
- Open Thunderbird (assuming it's not already opened from step 5 above).
- Click the "Write" button to compose a new message. You will note the "Security" button at the top of the window. If you click on the small black down-arrow immediately to the right of it, you can choose whether or not you want to sign or encrypt the message. Note that while you can sign messages to anyone, you can only encrypt messages to people that you have certificates on file for. Let's assume you want to sign the message, so select that option. In the very bottom-right corner of the window, a small picture of a sealed envelope will now appear, indicating that you rmessage will be signed.
- Compose and send your message as normal. You may be prompted for the "master password"; this gives Thunderbird access to your private key in order to digitally sign the message.
How to Send and Receive Encrypted Email
Signing Emails: When you click the "Write" button to compose a new message, you'll see the "Security" button at the top of the window. Simply click the small black down-arrow immediately to the right of it and select "Digitally Sign This Message". Your message will now be signed. Easy.
Encrypting Emails: In order to encrypt emails to another person, they will need to have a certificate configured in their email program. (it doesn't matter what email program they use, so long as they can use S/MIME encryption and certificates. It also doesn't matter who issues their certificate; Thunderbird will be able to use it.)
Additionally, the two of you will need to exchange public keys. This is easy: just send a signed email to each other; your email programs will detect the other person's public key and signature attached to the email, and will import them automatically. It may be prudent to call the other person on the telephone and verify the key's fingerprints to ensure that you received their signature and that nobody is attempting to impersonate them with an illegitimate public key.
Once you'vedone this, just compose an email to the other person and select the "Encrypt This Message" option in the "Security" button; it's just above the "Digitally Sign This Message" option from the step immediately preceeding this one. You can (and probably should) click the "Sign" button as well to verify that it is you who are sending the message. Your email program will automatically select the recipient's public key, encrypt and/or sign the message (as selected) and send the message. When the recipient opens it, it will automatically verify the signature (if present), and decrypt the message using their private key. If someone intercepts the encrypted message, they will be unable to decrypt the message without the recipient's private key, and so will have only scrambled, unreadable text. Excellent!
Can I send you a test message?
Sure. If you found this helpful, and now have a certificate imported into your email program, I'd be very happy if you were to send me a digitally signed or encrypted message. My email address is firstname.lastname@example.org.
In order to avoid your message being mistakenly detected as spam, be sure to use an informative subject. "S/MIME Test Message" generally works well.
You can get my public key in one of two ways:
- Send me a digitally signed email (so I can import your public key and be able to send you encrypted messages) and I will reply with a signed email so you can import my key.
- You can download my public key from the this page.
I hope this has been helpful in getting you set up with a Thawte secure email certificate using Windows XP, Mozilla Firefox, and Thunderbird.
This readme should be applicable to any modern version of Firefox ('veI used versions 184.108.40.206 and 3.0.1) and Thunderbird on any operating system. The only difference is that if you're not running Windows, you (obviously) cannot export your certificate from Firefox to the Windows certificate store on your computer. Otherwise, the actions of importing and exporting certificates should be identical or nearly so.
If you have any questions about this process, please email me above (signed and encrypted messages are welcome) and I'll try to help you. I use Firefox and Thunderbird regularly, and so should be able to answer most questions you might have.
Thanks for reading this guide! Stay secure, stay safe.