Getting an SMIME certificate: Difference between revisions
(→Free Certificates from Thawte: clarified)
Revision as of 01:27, 8 September 2007
Sources of Free SMIME Certificates
Free SMIME certificates are available from:
- Thawte
- TC TrustCenter
- ipsCA
- StartCom
- Verisign
- InstantSSL / Comodo
- CAcert (CAcert is NOT one of the trusted authorities built into Firefox and Thunderbird)
- ChosenSecurity
Free Certificates from Thawte
You can get a free S/MIME certificate from Thawte. Like most free certificates, it is bound to your email only and not your name, which will only show as Thawte Freemail Member. By participating in the free Thawte "Web of Trust" (WOT), you can have others verify your identity from your legal documentation, allowing you to bind your real name to your certificate. From then on, you can use your certificate alone to verify your identity.
Oddly, Thawte's free certs do not include CRL link fields, so revocation will not typically be detected by recipients. (They would have to manually configure Thunderbird to check CRLs, which they would first have to find.) Revocation is an important piece of public key infrastructure security, so this is an unfortunate shortcoming.
Free Certificates from Verisign
Alternatively, you can get a similar free certificate from VeriSign - just click the buy button and choose the free option. Note that the free certificate is good for 60 days while the paid-for one (20 USD) lasts a year. VeriSign runs a free LDAP service that is compatible with Netscape, Mozilla, Thunderbird, Outlook, and Outlook Express, so your friends can look up your certificate automatically while composing encrypted email to you.
Self-signed certificates
You may use a personally self-signed certificate in Thunderbird. However, since these certificates are not signed by an approved certificate authority, the certificate will not be trusted by other computers or people unless they add the self-signed certificate to their list of certificate authorities. Personally self-signed certificates are generally only useful for exchanging information with people you already know and trust.
It's possible to generate self-signed certificates using the Firefox add-on Key Manager:
Tools - Key Manager Toolbox - Key Manager - Your Keys - Generate SelfSign Cert, then enter your data. On the Advanced tab, under Standard X.509 Extensions, check "Is CA?".
Another option is to use the OpenSSL command-line tool.
Special considerations for installing personally self-signed certificates can be found in the Installing an SMIME certificate article.
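The OpenSSL route mentioned above, as an added example that is not part of the original article: it creates a self-signed S/MIME certificate with the CA flag set, bundles it as a password-protected PKCS12 file for import, writes a ".cer" copy, and checks for the CRL link field discussed in the Thawte section. The name, address, passphrase and file names are constructed placeholders, and the extension choices are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. All values are constructed.

# make_smime_identity DIR "Common Name" address
# The ( ) body runs in a subshell so umask and variables stay local.
make_smime_identity() (
    dir=$1; name=$2; email=$3
    umask 077                        # key material readable by owner only
    mkdir -p "$dir" || exit 1
    cat > "$dir/smime.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = smime_ext
[dn]
CN = $name
emailAddress = $email
[smime_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
extendedKeyUsage = emailProtection
subjectAltName = email:$email
EOF
    # Self-signed certificate; CA:TRUE matches the "Is CA?" box above.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/smime.cnf" -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" 2>/dev/null || exit 1
    # Password-protected PKCS#12 bundle (key + certificate) for import.
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name "$name" -passout env:P12_PASS -out "$dir/identity.p12" || exit 1
    rm -f "$dir/key.pem"             # drop the unencrypted private key
    # Certificate only (DER, .cer) for correspondents to trust.
    openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/cert.cer"
)

# has_crl_link CERT.pem: succeeds if a CRL Distribution Points field exists.
has_crl_link() {
    openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'
}

# Demo run with constructed values.
P12_PASS=${P12_PASS:-constructed-demo-passphrase}; export P12_PASS
DEMO_DIR=$(mktemp -d)
make_smime_identity "$DEMO_DIR" "Alice Example" "alice@example.test" || exit 1
if has_crl_link "$DEMO_DIR/cert.pem"; then
    echo "CRL link present"
else
    echo "no CRL link: recipients cannot discover revocation automatically"
fi
echo "files written to $DEMO_DIR"
```

A self-signed certificate made this way has no CRL link either, so correspondents who trusted it must be told directly if the key is ever compromised.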
Self-signed certificates in Mac OS X 10.4
You can create your own self-signed certificate using the Keychain Access application's Certificate Assistant. To export your certificate as a PKCS12 file for import into Thunderbird, click "My Certificates" in the Keychain Access window. Select your self-signed certificate. Then from the menu bar select "File -> Export". You will be asked for a password to protect this file. This is the password you will require when importing the certificate into the "Your Certificates" tab of Thunderbird after entering your master password.
To export your certificate as a ".cer" file for use as a certificate authority, select "Certificates" in the Keychain Access window. Select your self-signed certificate. Then from the menu bar select "File -> Export". Be sure ".cer" is selected as the appropriate file type in the save dialog.