I created directions for friends to get a Thawte certificate for use with programs that support its use, like AOL Instant Messenger and Thunderbird. I am tired of trying to find the initial email and then forwarding it so I finally wised up and am blogging it. Hopefully it will 1) save me time 2) be helpful to somebody and 3) get me started blogging again (my hat is off to those of you who are disciplined enough to blog consistently AND do your day job).
Here are the steps:
Last updated on 2006/11/10
To get your own personal certificate to use in AIM (it will work in
Firefox and Thunderbird too) follow these steps. DO NOT BE TURNED OFF BY
THE LENGTH :-) It isn't nearly as bad as it looks and I would HIGHLY
NOTE: You need to do the following from within the Firefox (Netscape
will work fine too) browser. The steps are Firefox specific and easy. If you don't have it go to http://getfirefox.com. You only have to use Firefox to fetch the cert from Thawte so you can export it and use it in AIM (or another app that supports using certs for signing and/or encrypting).
1) Go to
2) At the bottom click on "Click here to get your
Personal E-Mail Certificate now!"
3) Click Next to agree to Terms and Conditions, then enter your name and
age (lie if you want) then click Next
4) Enter your email address then click Next (you will use this in step 13)
- You won't get spam, but the cert is email specific.
- I create a cert for both my work (sun.com) and personal addresses
5) Click Next
6) Enter your Personal (login) Password and confirm it then click Next
(you will use this in step 13)
7) Select your 5 password questions then click Next
8) Confirm all the information you entered then click next
9) Retrieve the email you will be sent to the address you entered above
10) Click on the link in the email
11) Enter the Probe and Ping values from the email into the web page
then click next
12) You now have a Thawte account (no certificate - yet, sorry) - Click Next
13) Enter the email address (which is basically your username now at
Thawte) and the password from steps 4 and 6
14) Click Request under X.509 Format Certificates
15) Select Mozilla Firefox/Thunderbird... then Click Request
16) Click Next when asked for Certificate Bearers Name - it should show
17) Select the email address (initially there will be only one) then
18) Click Next where it talks about Strong Extranet Identifiers
19) Click Configure to customize certificate extensions
20) Select: Digital Signature, Non-repudiation, Key-encipherment,
Data-encipherment (see step 36 below if you are a PKI weenie and are offended by creating a cert for both signing and encrypting)
21) Scroll down and also select S/MIME and SSL Client Authentication (in
case you want to use it for those too)
22) Click Accept
23) Click Next and accept the 2048-bit high grade key and your private
key will be created
24) Wait for the popup to go away.
25) Scroll down and click Finish
26) Scroll down under the heading "Certificate Manager Page" and click
on the word "here" to go to the Certificate Manager Page
At this point your certificate is being created - you can see in the
list that it will say "pending" for the new cert. You will receive an
email at the address you used when it is ready for you to install. It
can take a while so be patient.
27) After you get the email the Certificate Manager Page will show the
cert as being "issued". You can fetch this certificate in one of two ways.
28a) You can click on "Navigator" (even though this is for Firefox) on
the line for the issued cert. This brings up a page that shows you
details about your cert and at the bottom you can click Fetch. Nothing
will seem to have happened, but that is not the case. Your certificate
has been installed in Firefox.
28b) You can click on the link in the email you received.
29) Now we can go see the certificate. In Firefox click on the menu Tools and then
Options. On the left side select Advanced and then click on the Security
tab and click View Certificates.
30) You should see a branch for Thawte Consulting and the first
certificate under it will be the one you just created and installed.
Click on that certificate to see the details and confirm it is the one
you just fetched. It should say that it is an Email Signer Certificate
and Email Recipient Certificate. You won't have your name in your cert,
just your email. If you get notarized by enough Thawte Notaries (like
me) you can get enough points to get your real name in your cert.
Interesting, but not important. :-) Let's get the cert into AIM. Click
31) With the new certificate highlighted, click on Backup.
32) You can name the file whatever you want. I put all my certs in a
folder called "My Certs". Here is how I name my certs that I've
exported: <email>.sign-encrypt.p12, where <email> is the actual email address you used to create this certificate. The .p12
extension will be added for you. That is the one I use in AIM. I have
another just like it for use within Sun. Enter the name you
want to use and click OK.
33) You will next be asked for the master password for the Software
Security Device. This is just a password for the file that holds your
certs. If you don't have a password for this already you will probably
be prompted twice. Remember this! Click OK.
34) Next you have to secure the exported certificate itself. Enter this
password twice and click OK.
Here is how to use the certificate with AOL Instant Messenger
35) Go to AIM and select the menu My Aim, then Edit Options and then
36) Scroll to the bottom and select Security. You will then see that
there is a place for your certificates. One for encryption and one for
signing. Don't be appalled :-) I use the same cert for both
operations. Yes, this is against best practices in the public key infrastructure (PKI) world,
but it is easier. However, there is nothing to prevent you from creating two certs, one with an encryption extension and the other with a signing extension. The reason corporations don't usually do this is that signing is a personal
thing that ONLY the individual should be able to do. Encrypting, and
more importantly decrypting, is something companies want control over, at least when it applies to things they own - like your email. I'll stop here as it is already probably more info than you wanted.
37) Click Advanced and then click Import
38) Browse to the file that you exported earlier and click Open.
You are now ready to do secure point to point instant messaging with me and anyone else who has a cert installed. No, this will not work between heterogeneous instant messaging clients - at least not yet.
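If you want to see for yourself what the key-usage choices in steps 20-21 and the signing-versus-encryption split discussed in step 36 actually put inside a certificate, here is an added example that is not part of the original post and not Thawte's or Mozilla's own tooling. It uses the openssl command line (assumed to be installed, version 1.1.1 or newer for the -addext and -ext options) to build throwaway self-signed certificates with the same extensions, bundle each into a password-protected .p12 the way Firefox's Backup does in steps 32-34, and then read the bundles back to confirm which operations each one permits. The email address, file names and password are constructed placeholders; a real Thawte cert would of course be signed by Thawte rather than by itself.

```shell
#!/bin/sh
# Added example: exercise the X.509 key-usage extensions and the .p12 export
# described in the post, using throwaway self-signed certs. Requires openssl.
set -eu

WORK="${TMPDIR:-/tmp}/certdemo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_cert LABEL EMAIL KEYUSAGE EXTKEYUSAGE
#   Generates a 2048-bit RSA key (the "high grade key" of step 23) and a
#   self-signed certificate carrying the requested Key Usage and Extended Key
#   Usage extensions, i.e. the boxes ticked in steps 20-21 of the enrollment form.
make_cert() {
    label="$1"; email="$2"; ku="$3"; eku="$4"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$label.key" -out "$WORK/$label.crt" \
        -subj "/CN=$email/emailAddress=$email" \
        -addext "keyUsage=critical,$ku" \
        -addext "extendedKeyUsage=$eku" \
        -addext "subjectAltName=email:$email" >/dev/null 2>&1
}

# export_p12 LABEL EMAIL PASSWORD
#   Bundles key + cert into <email>.<label>.p12 protected by PASSWORD, which is
#   what the Firefox Backup in steps 32-34 produces. Prints the file path.
export_p12() {
    label="$1"; email="$2"; passwd="$3"
    out="$WORK/$email.$label.p12"
    openssl pkcs12 -export -inkey "$WORK/$label.key" -in "$WORK/$label.crt" \
        -name "$label" -out "$out" -passout "pass:$passwd"
    printf '%s\n' "$out"
}

# p12_usage FILE PASSWORD
#   Opens the .p12 with the password from step 34 and prints the certificate's
#   Key Usage / Extended Key Usage lines, so you can check what a bundle allows
#   before handing it to AIM in step 38.
p12_usage() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -ext keyUsage,extendedKeyUsage
}

# p12_allows FILE PASSWORD "Usage text"  -> exit 0 if that usage is present
p12_allows() {
    p12_usage "$1" "$2" | grep -q "$3"
}

EMAIL="user@example.com"          # constructed placeholder
PASSWORD="correct-horse-battery"  # constructed placeholder

# The post's approach: one cert that both signs and encrypts (steps 20-21).
make_cert sign-encrypt "$EMAIL" \
    "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment" \
    "emailProtection,clientAuth"
COMBINED=$(export_p12 sign-encrypt "$EMAIL" "$PASSWORD")

# The split step 36 mentions: a signing-only cert and an encryption-only cert.
make_cert sign    "$EMAIL" "digitalSignature,nonRepudiation"    "emailProtection"
make_cert encrypt "$EMAIL" "keyEncipherment,dataEncipherment"   "emailProtection"
SIGN_ONLY=$(export_p12 sign "$EMAIL" "$PASSWORD")
ENCRYPT_ONLY=$(export_p12 encrypt "$EMAIL" "$PASSWORD")

# The password set in step 34 is what protects the exported private key:
# a wrong password must not open the bundle.
if p12_usage "$COMBINED" "wrong-password" >/dev/null 2>&1; then
    echo "unexpected: bundle opened with the wrong password" >&2
    exit 1
fi

for f in "$COMBINED" "$SIGN_ONLY" "$ENCRYPT_ONLY"; do
    echo "== $(basename "$f")"
    p12_usage "$f" "$PASSWORD"
done
```

Running it prints the usage block for each bundle: the combined one lists Digital Signature, Non Repudiation, Key Encipherment and Data Encipherment plus E-mail Protection and TLS Web Client Authentication, while the split pair each carry only their half. An AIM or Thunderbird that honours the extension would refuse to encrypt to the signing-only cert and refuse to sign with the encryption-only one, which is exactly the separation the corporate PKI people in step 36 are after.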