Getting an SMIME certificate: Difference between revisions

From MozillaZine Knowledge Base
(Added section "other uses of certificates")

Revision as of 09:12, 8 September 2007


Certificate Authorities

Sources of Free SMIME Certificates

Free SMIME certificates are available from:

Free Certificates from Comodo

Comodo has perhaps one of the easiest procedures for requesting a certificate. Its certificates are free, good for a year, can be picked up in most browsers, and are available in any key length.

Free Certificates from Thawte

You can get a free S/MIME certificate from Thawte. Like most free certificates, it is bound to your email address only and not to your name, which will only show as Thawte Freemail Member. By participating in the free Thawte Web of Trust (WOT), you can have others verify your identity from your legal documentation, allowing you to bind your real name to your certificate. From then on, you can use your certificate alone to verify your identity (to those who know what it means and choose to accept it).

Oddly, Thawte's free certificates do not include a CRL distribution point field (a link to the revocation list), so revocation will typically not be detected by recipients. (They would have to configure Thunderbird manually to check a CRL, which they will first have to find.) Revocation is an important piece of public key infrastructure security, so this is an unfortunate shortcoming.

Free Certificates from Verisign

Alternatively, you can get a similar free certificate from VeriSign: just click the Buy button and choose the free option. Note that the free certificate is good for 60 days, while the paid-for one (20 USD) lasts a year. VeriSign runs a free LDAP service, compatible with Netscape, Mozilla, Thunderbird, Outlook and Outlook Express, so people composing mail to you can look up your certificate automatically and send you encrypted email.

To obtain certificate from an authority

Browsers such as Firefox, MSIE, Opera, Safari and so forth contain crypto tools capable of generating public/private key pairs. When you sign up for a certificate with an authority, its website triggers your browser to create a key pair and transmit the public key, which is then certified. For this reason, when you return to pick up your completed certificate (typically a few minutes later), it is mandatory that you do so with the same browser on the same computer; otherwise you will not possess the private key necessary for pickup.

It will then still be necessary to export the resulting new key and certificate to a regular, password-protected file that can then be imported into Thunderbird's certificate store. The CA's and/or your browser's help files should explain how to export your new certificate and keys.

To import the exported keys into Thunderbird, "Tools -> Options -> Advanced -> Encryption -> View Certificates -> Import".

Once you have imported your certificate into Thunderbird, it will be available for pairing with one or more accounts: Account Settings -> Security -> Select.

Be thoughtful about whether to select "digitally sign all messages by default". Institutional firewalls may apply their own security processing to mail and break your cryptographic signature, leaving your recipient with all kinds of warnings about the message being invalidly signed. As S/MIME usage is still not widespread, most people still don't know how to interpret this. A broken signature will probably seem worse to them than receiving a message with no cryptographic signature at all, even though the contents are identical in both cases.

Webmail users will see an unreadable attachment, which can raise similar questions.
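The failure mode described above, as an added example that is not part of the article: OpenSSL clear-signs a short message the way a mail client does, verifies it, then simulates a gateway appending a footer to the body and verifies again. The signer identity, sample message and footer text are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the MozillaZine article: why a message changed in
# transit reaches the recipient with an invalid S/MIME signature although
# the readable text survives. Signer identity, sample body and the footer a
# gateway might append are all constructed for this demonstration.
set -eu

# Throwaway self-signed signer (no CA chain, hence -noverify when checking).
make_signer() {          # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj "/CN=Alice Example/emailAddress=alice@example.org" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Clear-sign a text body into a multipart/signed message (the form a client
# sends when "digitally sign" is on); -text adds the text/plain part header.
sign_message() {         # $1 = work dir, $2 = body file, $3 = output file
    openssl smime -sign -text -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -in "$2" -out "$3"
}

# Report whether the signature still matches the body. -noverify skips
# trust-chain checks, so only the integrity of the signed text is tested.
verify_message() {       # $1 = signed message; prints ok or broken
    if openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo broken
    fi
}

# Simulate a mail gateway that appends a disclaimer to the message body:
# insert one line just before the boundary that closes the text part
# (the second line beginning with the boundary's leading dashes).
append_footer() {        # $1 = signed message (rewritten in place), $2 = footer text
    awk -v footer="$2" '/^------/ { n++; if (n == 2) print footer } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
```

The recipient's client reports the second message as invalidly signed even though every word the sender wrote is still there; only the signature no longer covers what was delivered.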

Self-signed certificates

You may use a personally self-signed certificate in Thunderbird. However, since these certificates are not signed by an approved certificate authority, the certificate will not be trusted by other computers or people unless they add the self-signed certificate to their list of certificate authorities. Personally self-signed certificates are generally only useful for testing or for exchanging information with people you already know and trust.

It's possible to generate self-signed certificates using the Firefox add-on Key Manager: Tools -> Key Manager Toolbox -> Key Manager -> Your Keys -> Generate SelfSign Cert, then enter your data. On the Advanced tab, under Standard X.509 Extensions, check "Is CA?".

Another option, for those who have a sufficient understanding of certificate structures, is to use OpenSSL from the command line.

Special considerations for installing personally self-signed certificates can be found in the Installing an SMIME certificate article.
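As an added example (not from the article, Thunderbird or OpenSSL's own documentation), here is the command-line route mentioned above: it generates a key pair and a self-signed S/MIME certificate carrying the same "Is CA?" flag the Key Manager recipe sets, then exports the password-protected PKCS#12 file Thunderbird imports under "Your Certificates" and the DER .cer file other people can add as an authority, the same two files the Keychain Access section below describes. The identity, file names and export password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the MozillaZine article or Thunderbird): build a
# personally self-signed S/MIME certificate with OpenSSL and package it the
# two ways Thunderbird and its recipients need it. The identity, paths and
# export password below are constructed placeholders.
set -eu

# Generate a key pair and self-signed certificate. CA:TRUE mirrors the
# "Is CA?" box in the Key Manager recipe so the certificate can later be
# imported as an authority; emailProtection marks it for S/MIME use.
make_selfsigned_smime() {     # $1 = work dir, $2 = name, $3 = email, $4 = password
    dir=$1; name=$2; email=$3; pass=$4
    mkdir -p "$dir"
    cat > "$dir/smime.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = smime
prompt = no
[dn]
CN = $name
emailAddress = $email
[smime]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -config "$dir/smime.cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    # Password-protected PKCS#12 (key + certificate) for Thunderbird's
    # "Your Certificates" import; the password is asked for again on import.
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name "$name" -passout "pass:$pass" -out "$dir/smime.p12"
    # DER ".cer" (certificate only, no private key) that recipients can add
    # under Authorities, the same file the Keychain Access export produces.
    openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/smime.cer"
}

# Confirm the certificate carries the fields an S/MIME client looks for.
check_smime_cert() {          # $1 = cert.pem, $2 = expected email
    txt=$(openssl x509 -in "$1" -noout -text)
    echo "$txt" | grep -q "E-mail Protection" &&
        echo "$txt" | grep -q "CA:TRUE" &&
        echo "$txt" | grep -q "email:$2"
}
```

Only smime.p12 contains the private key, so it is the file to guard; smime.cer is safe to hand to anyone who needs to trust your signature.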

Self-signed certificates in Mac OS X 10.4

You can create your own self-signed certificate using the Keychain Access application's Certificate Assistant. To export your certificate as a PKCS12 file for import into Thunderbird, click "My Certificates" in the Keychain Access window. Select your self-signed certificate. Then from the menu bar select "File -> Export". You will be asked for a password to protect this file. This is the password you will need when importing the certificate into the "Your Certificates" tab of Thunderbird, after entering your master password.

To export your certificate as a ".cer" file for use as a certificate authority, select "Certificates" in the Keychain Access window. Select your self-signed certificate. Then from the menu bar select "File -> Export". Be sure ".cer" is selected as the appropriate file type in the save dialog.

Other uses for certificates

Free certificates are not necessarily limited to use with S/MIME email. The same digital IDs can be imported and used when generating documents, for example by:

  • Adobe Acrobat, for signing and encrypting PDF documents. Generating them requires the non-free Acrobat; the free Adobe Reader can decrypt and verify.
  • OpenOffice, which also offers some signing capability using certificates.

These have the advantage over S/MIME that they pass more easily through firewalls, but at the price of requiring more effort to generate.
