How to Setup Mail.app to Use a Thawte Email Certificate

Assumptions:

Goals:

  • Enable Digital Signing of all Outbound emails

How To:

  1. Visit the Thawte Personal Email Certificate Request Page.
  2. Complete the enrollment process.
  3. Once you have completed the enrollment and verification process, it’s time to generate the new certificate.
  4. Login to the Thawte Website with the username and password you previously setup.
  5. In the Left Nav Bar, Click on “certificates”.
  6. In the Left Nav Bar, Click on “request a certificate”.
  7. Click on the “test” button under the “Developers of New Security Applications ONLY” section.
  8. A Pop-up Window Titled “certificates available for request” should now appear.
    Click the “Paste-in CSR Certificate Enrollment” Radio Button.
    Click the “test” Button.
  9. On the “configure certificate name” page, select the option from the drop-down that best suits your situation. Most users will select “No Employment Information Available”. Click the “next” button.
  10. On the “configure email address for certificate” page, select the check box that corresponds to your email account. Click the “next” button.
  11. On the “configure extranet certificate name” page, select the option that best suits your situation. Most users will just click the “next” button.
  12. On the “configure X.509v3 certificate extensions” page, you may configure specific certificate extensions. This step is optional and is not required for email signing; most users will just click the “accept” button.
  13. You will now be presented with a “generate certificate public key” page as follows:

    Generate Key

    Note the 16-character alphanumeric string highlighted above; it will be needed in future steps.

  14. At this time, open Keychain Access.app, located in /Applications/Utilities/Keychain Access.
  15. From the “Keychain Access” menu, select “Certificate Assistant”.
  16. The Certificate Assistant will open a window introducing you to the application; click on the “Continue” button.
  17. On the “Options” menu, select “Request a certificate from an existing CA” and click on the “Continue” button.
  18. On the “Certificate Information” page, enter the following:
    • “User Email Address” field: Your email address.
    • “Common Name” field: The 16 Alpha-Numeric string as highlighted in #13 above.
    • “CA Email Address” field: Your email address (the Certificate Signing Request (CSR) will be emailed to you at this address).
  19. On the “Key Pair Information” page, select the following:
    • “Key Size” field: 2048 bits.
    • “Algorithm” field: RSA
  20. You may be prompted to “confirm Access to Keychain”, indicating that Certificate Assistant wants to access an item on your keychain; select “Allow Once” if prompted.
  21. Your key will be generated and you will be presented with a “Conclusion” page, indicating that your CSR has been emailed to you. Click on the “Done” button and exit Certificate Assistant.
  22. Check your email for the “Certificate Request” email and open the attached file named “CertificateSigningRequest.certSigningRequest” in a text editor. Copy all of the text contained in the file, including the “-----BEGIN” and “-----END” tags.
  23. Paste the CSR text data into the text entry box on the Thawte webpage titled “generate certificate public key”:

    Generate Key

    Once the information has been pasted into the text entry box, click on the “next” button.
    (If you receive a “Form Processing Error”, it is quite likely that you did not set up the common name correctly in the Certificate Assistant; you will need to create a new CSR by re-running steps 14-23.)

  24. You should be presented with a page titled “confirm certificate request”, click on the “finish” button.
  25. On the “personal certificate requested” page, click on the link to go to the “Certificate Manager” page.

    Certificate Manager Page

    The Certificate Manager page will show that your cert is “pending” until it has been issued.

  26. Once the Certificate Manager page indicates that the certificate has been issued, click on the “Generic X509” link (highlighted below) to retrieve your certificate:

    Certificate Manager Page - Issued Cert

  27. On the resulting page, scroll to the bottom and click on the “fetch” button.
  28. Your signed certificate will be presented to you in plain text. Copy the certificate text, starting with “-----BEGIN PKCS #7 SIGNED DATA-----” and ending with “-----END PKCS #7 SIGNED DATA-----”; include these tags in the copied text.
  29. Create a new text file in your favorite text editor (I suggest TextWrangler) and paste the copied text into it. The new file should appear as follows within the text editor (but much longer):

    -----BEGIN PKCS #7 SIGNED DATA-----
    (many lines of base64-encoded PKCS #7 data)
    -----END PKCS #7 SIGNED DATA-----

  30. Save the resulting file as “certificate.p7r”, note where this is located as it will be needed in the next step.
  31. Go back to the Keychain Access application and select “My Keys”.
  32. Drag the newly created “certificate.p7r” file into “My Keys” window.
  33. An error message will be displayed indicating that the item already exists. While annoying, this is normal and you can safely click the “OK” button.
  34. You should now see the certificate displayed in the “My Keys” section of the Keychain Access application.
  35. Launch Mail.app and create a new message; you should now see the following change to the “New Message” window:

    Mail.app Compose Window with Encryption Controls

    The Lock Icon is for encrypting the email being sent, the Checkbox/X indicates whether the email will be signed when the “send” button is clicked.
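Before dragging the saved certificate.p7r into Keychain Access (steps 28 to 30), the pasted text can be sanity-checked offline, which catches the mangled-tag and stray-character problems that make the import fail. This Python script is an added example, not part of the original post or of Thawte's tooling; the BEGIN/END tags are the ones quoted above, the signedData OID is the standard PKCS #7 content type, and the sample input is a constructed minimal ContentInfo rather than a real certificate.

```python
"""Sanity-check the text of a saved certificate.p7r before dragging it into Keychain Access."""
import base64
import binascii
import re

# Exact tags Thawte wraps around the fetched certificate (steps 28-29).
BEGIN_TAG = "-----BEGIN PKCS #7 SIGNED DATA-----"
END_TAG = "-----END PKCS #7 SIGNED DATA-----"
# DER encoding of OID 1.2.840.113549.1.7.2 (pkcs7-signedData), the content type a
# PKCS #7 certificate bundle must announce as the first element of its ContentInfo.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")


def check_p7r(text: str) -> tuple[bool, str]:
    """Return (ok, message) for the pasted file contents; never raises on bad input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN_TAG or lines[-1] != END_TAG:
        return False, "BEGIN/END tags missing or mangled (dashes copied as typographic dashes?)"
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False, "body holds characters outside the base64 alphabet (stray punctuation?)"
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return False, f"body is not valid base64: {exc}"
    # ContentInfo is an ASN.1 SEQUENCE (0x30); read its length, short or long form.
    if len(der) < 2 or der[0] != 0x30:
        return False, "decoded data does not begin with an ASN.1 SEQUENCE"
    pos, length = 2, der[1]
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if pos + length != len(der):
        return False, f"SEQUENCE declares {length} bytes but {len(der) - pos} follow (truncated paste?)"
    # The first element of ContentInfo is the contentType OID; it must be signedData.
    if length < 2 or der[pos] != 0x06 or der[pos + 2:pos + 2 + der[pos + 1]] != SIGNED_DATA_OID:
        return False, "contentType OID is not pkcs7-signedData"
    return True, f"pkcs7-signedData ContentInfo, {len(der)} DER bytes"


def sample_p7r() -> str:
    """Constructed minimal ContentInfo holding only the signedData OID; not a real certificate."""
    der = bytes.fromhex("300b0609") + SIGNED_DATA_OID  # SEQUENCE(11) { OID(9) }
    return "\n".join([BEGIN_TAG, base64.b64encode(der).decode(), END_TAG])


if __name__ == "__main__":
    print(check_p7r(sample_p7r()))                           # (True, '... 13 DER bytes')
    print(check_p7r(sample_p7r().replace("MAsG", "MAsG,")))  # stray comma, as in a mangled paste
```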

Mail.app is now setup to use your Thawte Personal Email Certificate to sign email.

