Thursday Feb 15, 2007

Getting a Thawte Certificate and Using it with AIM

I created directions for friends to get a Thawte certificate for use with programs that support its use, like AOL Instant Messenger and Thunderbird. I am tired of trying to find the initial email and then forwarding it so I finally wised up and am blogging it. Hopefully it will 1) save me time 2) be helpful to somebody and 3) get me started blogging again (my hat is off to those of you who are disciplined enough to blog consistently AND do your day job).

Here are the steps:

Last updated on 2006/11/10

To get your own personal certificate to use in AIM (it will work in Firefox and Thunderbird too) follow these steps. DO NOT BE TURNED OFF BY THE LENGTH :-) It isn't nearly as bad as it looks and I would HIGHLY recommend it.

NOTE: You need to do the following from within the Firefox (Netscape will work fine too) browser. The steps are Firefox specific and easy. If you don't have it go to You only have to use Firefox to fetch the cert from Thawte so you can export it and use it in AIM (or another app that supports using certs for signing and or encrypting).

1) Go to

2) At the bottom click on "Click here to get your Personal E-Mail Certificate now!"

3) Click Next to agree to Terms and Conditions, then enter your name and age (lie if you want) then click Next

4) Enter your email address then click Next (you will use this in step 13)

  • You won't get spam, but the cert is email specific.
  • I create a cert for both my work ( and personal addresses

5) Click Next

6) Enter your Personal (login) Password and confirm it then click Next (you will use this in step 13)

7) Select your 5 password questions then click Next

8) Confirm all the information you entered then click next

9) Retrieve the email you will be sent to the address you entered above

10) Click on the link in the email

11) Enter the Probe and Ping values from the email into the web page then click next

12) You now have a Thawte account (no certificate - yet, sorry) - Click Next

13) Enter the email address from step 4 (which is basically your username now at Thawte) and the password from step 6

14) Click Request under X.509 Format Certificates

15) Select Mozilla Firefox/Thunderbird... then Click Request

16) Click Next when asked for Certificate Bearers Name - it should show your name.

17) Select the email address (initially there will be only one) then click Next

18) Click Next where it talks about Strong Extranet Identifiers

19) Click Configure to customize certificate extensions

20) Select: Digital Signature, Non-repudiation, Key-encipherment, Data-encipherment (see step 36 below if you are a PKI weenie and are offended by creating a cert for both signing and encrypting)

21) Scroll down and also select S/MIME and SSL Client Authentication (in case you want to use it for those too)

22) Click Accept

23) Click Next and accept the 2048-bit high grade key and your private key will be created

24) Wait for the popup to go away.

25) Scroll down and click Finish

26) Scroll down under the heading "Certificate Manager Page" and click on the word "here" to go to the Certificate Manager Page

At this point your certificate is being created - you can see in the list that it will say "pending" for the new cert. You will receive an email at the address you used when it is ready for you to install. It can take a while so be patient.

27) After you get the email the Certificate Manager Page will show the cert as being "issued". You can fetch this certificate in one of two ways.

28a) You can click on "Navigator" (even though this is for Firefox) on the line for the issued cert. This brings up a page that shows you details about your cert and at the bottom you can click Fetch. Nothing will seem to have happened, but that is not the case. Your certificate has been installed in Firefox.

28b) You can click on the link in the email you received.

29) Now we can go see the certificate. In Firefox click on the menu Tools and then Options. On the left side select Advanced and then click on the Security tab and click View Certificates.

30) You should see a branch for Thawte Consulting and the first certificate under it will be the one you just created and installed. Click on that certificate to see the details and confirm it is the one you just fetched. It should say that it is an Email Signer Certificate and Email Recipient Certificate. You won't have your name in your cert, just your email. If you get notarized by enough Thawte Notaries (like me) you can get enough points to get your real name in your cert. Interesting, but not important. :-) Let's get the cert into AIM. Click Close.

31) With the new certificate highlighted, click on Backup.

32) You can name the file whatever you want. I put all my certs in a folder called "My Certs". Here is how I name my certs that I've exported: [email].sign-encrypt.p12, where [email] is the actual email address you used to create this certificate. The p12 extension will be done for you. That is the one I use in AIM. I have another just like it for use within Sun. Enter the name you want to use and click OK.

33) You will next be asked for the master password for the Software Security Device. This is just a password for the file that holds your certs. If you don't have a password for this already you will probably be prompted twice. Remember this! Click OK.

34) Next you have to secure the exported certificate itself. Enter this password twice and click OK.

Here is how to use the certificate with AOL Instant Messenger

35) Go to AIM and select the menu My Aim, then Edit Options and then Edit Preferences.

36) Scroll to the bottom and select Security. You will then see that there is a place for your certificates. One for encryption and one for signing. Don't be appalled :-) I use the same cert for both operations. Yes, this is against best practices in the public key (PKI) world, but it is easier. However, there is nothing to prevent you from creating two certs and having one with an encrypt extension and the other with a signing extension. The reason corporations don't usually do this is because signing is a personal thing that ONLY the individual should be able to do. Encrypting, and more importantly, decrypting is something companies want control over, at least when it applies to things they own - like your email. I'll stop here as it is already probably more info than you wanted.

37) Click Advanced and then click Import

38) Browse to the file that you exported earlier and click Open.

You are now ready to do secure point-to-point instant messaging with me and anyone else who has a cert installed. No, this will not work between heterogeneous instant messaging clients - at least not yet.
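If you want to see what steps 20-21 and 31-34 actually produced, or try the two-cert split from step 36 before asking Thawte for a second cert, the script below does the whole thing locally with the openssl command line. It is an added example of mine, not code from the original post, from Thawte or from AIM: it builds throwaway self-signed certs with the same key usage and extended key usage choices the Thawte wizard offers, exports each as a password-protected .p12 the way Firefox's Backup button does, then reads the .p12 back and prints the usage bits an application will see. The name "Example User", the address user@example.com and the export password are constructed values.

```shell
#!/bin/sh
# Added example, not from the original post: build throwaway certificates
# with the same key-usage choices the Thawte wizard offers, export them as
# password-protected .p12 files, and read them back to confirm what an
# application like AIM will actually see. Needs only the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS="constructed-export-password"   # constructed value; pick your own

# make_p12 NAME KEYUSAGE -> path of a .p12 holding a fresh self-signed cert.
# KEYUSAGE is an OpenSSL keyUsage list (step 20); the EKU line matches step 21
# (emailProtection = S/MIME, clientAuth = SSL Client Authentication).
make_p12() {
  name=$1
  keyusage=$2
  cat > "$WORK/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_user
prompt = no
[ dn ]
CN = Example User
emailAddress = user@example.com
[ v3_user ]
keyUsage = critical, $keyusage
extendedKeyUsage = emailProtection, clientAuth
subjectAltName = email:user@example.com
EOF
  # Step 23: a 2048-bit key and the certificate that goes with it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/$name.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
  # Steps 31-34: the export is a PKCS#12 bundle protected by its own password.
  # The friendly name follows the post's [email].sign-encrypt naming scheme.
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
    -name "user@example.com.$name" -passout "pass:$P12_PASS" -out "$WORK/$name.p12"
  echo "$WORK/$name.p12"
}

# p12_text FILE PASSWORD -> human-readable dump of the certificate in FILE
# (-nokeys leaves the private key out; a wrong password yields nothing).
p12_text() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null
}

# has_usage FILE PASSWORD LABEL -> 0 if LABEL (e.g. "Digital Signature")
# appears in the certificate's Key Usage / Extended Key Usage text.
has_usage() {
  text=$(p12_text "$1" "$2" || true)
  printf '%s\n' "$text" | grep -q "$3"
}

# Step 20 choice: one cert for both signing and encryption.
combined=$(make_p12 sign-encrypt "digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment")
# Step 36 alternative: a signing-only cert and an encryption-only cert.
signing=$(make_p12 sign-only "digitalSignature, nonRepudiation")
encrypt=$(make_p12 encrypt-only "keyEncipherment, dataEncipherment")

# Show the usage lines of each bundle, the way you would check a real export.
for f in "$combined" "$signing" "$encrypt"; do
  printf '%s:\n' "$(basename "$f")"
  p12_text "$f" "$P12_PASS" | sed -n '/Key Usage/{N;p;}'
done
```

To inspect the real file from step 32, run the two commands inside p12_text against it with the password you chose in step 34; the Key Usage line should list the four bits from step 20 and the Extended Key Usage line should show E-mail Protection and TLS Web Client Authentication from step 21.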
