
10.6: Sign and encrypt emails in Mail via thawte Apps
With the release of Snow Leopard, GPGMail is no longer functional. GPGMail has been a commonly-used application for encrypting and signing emails. After some research, I found that the developer of the application has stated he will not be releasing an update to make the application compatible with Mail.app in Snow Leopard. This is because the application was using an undocumented, unsupported feature of Mail.app, and Apple has discontinued the interfaces that were being used by GPGMail.

This left me to look into new methods of signing and securing emails without spending money on a commercial application like PGP. The following provides directions for using thawte to achieve email encryption and signing. By default, thawte stores your private keys on their system, which is all fine and good, but personally, I do not want anyone having copies of my private keys -- that is, after all, why they are called private keys. The downfall of my method, of course, is that you must make sure you do not lose your key pair!

Note: These directions require use of the command line. If you are not comfortable with the command line, then do not attempt this process.

[robg adds: Read on for the solution; in researching this hint, I found this email discussion stating that someone's working on a Python port of GPGMail, and that beta testing may open soon, for those interested.]

The following commands are run in Terminal, unless otherwise noted.
  1. Generate your private key: openssl genrsa -des3 -out mail.key 1024. This process should look like this:
    $ openssl genrsa -des3 -out mail.key 1024
    Generating RSA private key, 1024 bit long modulus
    Enter pass phrase for mail.key: [this is your secret pass phrase]
    Verifying - Enter pass phrase for mail.key: [this is your secret pass phrase]
    $
  2. Log in to thawte and request a new certificate by clicking Test. The Test button should have a label above it that says "Developers of New Security Applications ONLY." You'll have to select an email address, click OK a few times, accept the default extensions, and go all the way through until it gives you a string of numbers and letters. Copy that string to your clipboard.
  3. Generate a CSR for thawte, and paste your clipboard into the Common Name field: openssl req -new -key mail.key -out mail.csr.
    $ openssl req -new -key mail.key -out mail.csr
    Enter pass phrase for mail.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Florida
    Locality Name (eg, city) []:Key Largo
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:TCH Enterprises
    Organizational Unit Name (eg, section) []:EMAIL
    Common Name (eg, YOUR name) []:paste_your_certificate_here
    Email Address []:your_email@domain.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    $
  4. Open up mail.csr in an editor, copy it to your clipboard, and paste that into the web browser dialog window that popped up. You should delete the two lines that it has there initially.
  5. Once your keys are generated, load this page on the thawte site. Do not download using the email link sent to your email! On the web page, click Generic X509 and then click Fetch.
  6. In Terminal, type pico deliver.exe, and place the following in the file:
    -----BEGIN PKCS7-----
    [paste the base64 body of your fetched certificate file here. You only want the content
    of the PKCS7 section of the document, which is located between "-----BEGIN PKCS #7 SIGNED DATA-----"
    and "-----END PKCS #7 SIGNED DATA-----". Remove any blank lines in the base64 code.]
    -----END PKCS7-----
  7. Verify that your deliver.exe file looks like the following, then save it:
    -----BEGIN PKCS7-----
    MIIJmQYJKoZIhvcNAQcCoIIJijCCCYYCAQExADALBgkqhkiG9w0BBwGgggluMIIC
    9jCCAl+gAwIB
    AgIDDB8KMA0GCSqGSIb3DQEBBAUAMGIxCzAJBgNVBAYTAlpBMSU
    wIwYDVQQKExxUaGF3dGUgQ29u
    (about 80 lines of this)
    TA4MjBaFw0wNTA0MTMxOTA4MjBaMGoxDjAMBgNVBAQTBUJha2Vy
    -----END PKCS7-----
  8. Extract the certificates from the thawte bundle: openssl pkcs7 -print_certs -in deliver.exe > deliver.certs. There won't be any output from this command, since it is redirected into deliver.certs.
  9. Create the PKCS#12 file for Mac OS's Keychain: openssl pkcs12 -export -inkey mail.key -in deliver.certs -out mail.p12. This process looks like this:
    $ openssl pkcs12 -export -inkey mail.key -in deliver.certs -out mail.p12
    Enter Export Password:
    Verifying - Enter Export Password:
    $
  10. Import your key for use: open mail.p12. You will be prompted to enter your key password by Keychain Access.app.
  11. Quit and relaunch Mail.app.
When you compose a new message, you will now see the option to sign and encrypt emails. Note that you will only be able to encrypt emails to people for whom you have a public certificate. The easiest way to get these is to have them send you a digitally-signed email.

Posting your public key to the web:

The easiest way to get your public key is to send yourself a signed email. Open the email in a web-based email client and download the attachment. This attachment is your public key (your certificate), which you can now post to your personal website for people to download. This will allow them to send you encrypted emails even if you have never sent them a signed email.
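The whole pipeline from steps 1 through 9, plus the "send yourself a signed email and pull the certificate out of it" trick, as an added example that is not code from this hint or from thawte. It runs non-interactively and offline: a throwaway test CA (the constructed name "Example Test CA") stands in for thawte's web site, the passphrases, file names and the CN placeholder are assumptions, and the DN values are the ones from the transcript above. It goes one step beyond the hint in two places: it checks that the CSR carries only the public key (the private key never leaves the machine), and it recovers the signer's certificate from the signed message the way a recipient's mail client would.

```shell
#!/bin/sh
# Added example (not from the hint or from thawte): the hint's OpenSSL pipeline,
# run against a constructed test CA so every step can be checked offline.
# All files are created under the directory passed as $1.
set -eu

KEYPASS=demo-key-pass        # the hint's "secret pass phrase" (assumed value)
EXPORTPASS=demo-export-pass  # the hint's "Export Password" (assumed value)

# Run the end-to-end flow inside directory $1 (must exist). Returns non-zero
# if any step fails, so a caller can treat the whole flow as one check.
smime_demo() (
  cd "$1"

  # Step 1: private key. The hint used -des3 and 1024 bits; 2048-bit RSA with
  # AES-256 key wrapping is the floor today. -passout replaces the prompt.
  openssl genrsa -aes256 -passout pass:"$KEYPASS" -out mail.key 2048 2>/dev/null

  # Step 3: CSR. The DN mirrors the hint's transcript; the CN would be the
  # string thawte handed you (placeholder here).
  openssl req -new -key mail.key -passin pass:"$KEYPASS" -out mail.csr \
    -subj "/C=US/ST=Florida/L=Key Largo/O=TCH Enterprises/OU=EMAIL/CN=THAWTE-REQUEST-ID-PLACEHOLDER/emailAddress=your_email@domain.com"

  # What actually leaves the machine: the CSR holds the public key and a
  # self-signature, never the private key. Keep both public halves for comparison.
  openssl pkey -in mail.key -passin pass:"$KEYPASS" -pubout -out key.pub
  openssl req -in mail.csr -noout -pubkey > csr.pub

  # Steps 2/4/5 happen on the CA's web site. Stand-in: a constructed test CA
  # that issues an S/MIME certificate for the CSR, valid for 30 days.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Test CA" -days 30 2>/dev/null
  cat > smime.ext <<'EOF'
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:your_email@domain.com
EOF
  openssl x509 -req -in mail.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile smime.ext -out mail.crt 2>/dev/null

  # Steps 6/7: the CA delivers a PKCS#7 bundle (the hint's deliver.exe).
  openssl crl2pkcs7 -nocrl -certfile mail.crt -certfile ca.crt -out deliver.p7b

  # Step 8: unpack the bundle into plain PEM certificates.
  openssl pkcs7 -print_certs -in deliver.p7b > deliver.certs

  # Step 9: PKCS#12 for Keychain. OpenSSL 3 defaults to AES/PBKDF2 here;
  # older importers may need -legacy, so test the import on the target Mac.
  openssl pkcs12 -export -inkey mail.key -passin pass:"$KEYPASS" \
    -in deliver.certs -out mail.p12 -passout pass:"$EXPORTPASS"

  # Sanity check: the certificate inside the .p12 must carry the same public
  # key as mail.key, or Mail will never offer to sign with it.
  openssl pkcs12 -in mail.p12 -passin pass:"$EXPORTPASS" -clcerts -nokeys \
    | openssl x509 -pubkey -noout > cert.pub
  cmp -s key.pub cert.pub

  # "Posting your public key": sign a constructed message, then recover the
  # signer's certificate from the signature as a recipient's client would.
  printf 'constructed test message\n' > msg.txt
  openssl smime -sign -in msg.txt -signer mail.crt -inkey mail.key \
    -passin pass:"$KEYPASS" -certfile ca.crt -out signed.eml
  openssl smime -verify -in signed.eml -CAfile ca.crt \
    -signer recovered.crt -out /dev/null 2>/dev/null
)

# SHA-256 fingerprint of a PEM certificate, for comparing two copies of it.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

main() {
  work=$(mktemp -d)
  smime_demo "$work"
  echo "mail.p12 built in $work"
  echo "issued certificate:    $(cert_fingerprint "$work/mail.crt")"
  echo "recovered from email:  $(cert_fingerprint "$work/recovered.crt")"
}

main
```

The two fingerprints printed at the end are identical: the certificate a recipient extracts from your signed message is byte-for-byte the one the CA issued, which is why posting that attachment on a web page works. The `cmp` of key.pub against csr.pub and cert.pub is the check that answers the private-key question: only the public half appears in the request and in the issued certificate.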

Do not lose your key pair! If you lose your key pair, there is no way to get it back. Make a backup copy and store it in a secure location -- a secure location is a spot not on your own computer, and is ideally stored at an offsite location.

[robg adds: I haven't tested this one.]

27 comments
10.6: Sign and encrypt emails in Mail via thawte
Authored by: Frig on Oct 02, '09 08:11:23AM
There's a much easier way to get yourself a X.509 certificate for using S/MIME with Apple Mail:
  1. Just go to http://www.thawte.com/secure-email/personal-email-certificates/ and create or login with your account
  2. register your email address under my emails if it isn't already
  3. go to certificates -> request a certificate and generate a certificate with your browser.
  4. You receive a mail with the link to the certificate and if you click on the link it will be automatically installed in your browser

This is what is done, when requesting a certificate:

  • You click through the information you want to provide.
  • The webserver sends the request to generate a private key and send a certificate request.
  • The private key will be saved in your keychain.
  • The browser submits the certificate request and the certificate authority uses the data you submitted and generates a valid certificate with it.
  • If you click on the link for the certificate, it will get downloaded and saved in your keychain. So Apple Mail recognizes a valid certificate and will automatically use your certificate.

If you're using Firefox, for example, the certificate and private key will be saved in Firefox. You have to go to Preferences -> Security -> View certificates and export your email certificate. After that you can double click on it in Finder and it will be imported to your keychain.



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: QJB on Oct 02, '09 08:16:26AM

So to be clear. The private key is generated on your own machine and never leaves your computer during this process. Only a certificate signing request containing your public key will be sent to Thawte.

Right?



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: lrivers on Oct 04, '09 03:20:59PM

Thanks for the write-up.



[ Reply to This | # ]
10.6:ECA Certs broken?
Authored by: David Fetrow on Oct 05, '09 02:19:26PM
ECA/DOD X.509 certs seem to have become broken in MacOS 10.6.

Reading encrypted email, signing work fine. Encrypting breaks.

These are certs used by contractors. Like many other organizations (e.g. certain State Governments) they are rather standard certs but have special chains of trust and are not available except from certain vendors.

One of the few workarounds I know is to send encrypted email via Entourage.

I suspect the extreme future dates in the chain of trust certs might be the issue but don't know why they worked in 10.3-10.5 and now are broken.

I and several other Mac users would be very very happy to learn we are just forgetting to do something.

[ Reply to This | # ]

10.6:ECA Certs broken?
Authored by: ccannell on Dec 07, '09 01:59:07PM

Does anyone have any additional information on encrypting email in Mac Mail using a Verisign ECA/DoD certificate? Address Book indicates that a certificate is associated with the email address in question. I'm also able to decrypt mail sent to me. When I attempt to send an email to a recipient, whose public cert I have, the encrypt and sign buttons are shown but grayed out.

Thanks

Edited on Dec 07, '09 02:02:35PM by ccannell



[ Reply to This | # ]
10.6:ECA Certs broken?
Authored by: David Fetrow on Aug 30, '10 09:43:29AM

See http://yank.to/Musings/Miscellaneous/Certificates and OS X Mail/



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: davidduff on Jan 04, '10 12:31:09PM

i have been using thawte freemail certs for several years and now i have a replacement cert from verisign. i just noticed however that mail.app is still sending out my old thawte cert in my outgoing email when i choose to sign a message.

how do i make the new verisign cert my current cert and get mail to stop using the old one?

if i look in keychain.app, i can see both certs. if i look at myself in Address Book, then i see that certain of my email addresses have little cert symbols next to them and if i click on them, i see old an expired thawte cert (i.e., neither the most recent but now revoked thawte cert nor the new verisign cert). i assume this is a bug. (i'm running 10.5.8)

is there some way to tell the system or mail.app which cert to use?



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: vykor on Oct 02, '09 08:13:42AM

If the other party you want to contact uses PGP/GPG exclusively for encryption (as a few of my more annoying friends do), though, this might not work for you. Apple Mail and most other mail clients use S/MIME as the built-in encryption and signing protocol, which uses these certificates. GPG has its own protocols, its own key infrastructure, and its own keyservers. The two systems usually don't interoperate very well -- you end up having to pick one or the other on a per-message basis if you run both. Sometimes this depends heavily on what the guy on the other end is using -- if he's sticking to GPG, you'll probably still have to find a GPG-aware client for yourself.



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: pepi on Oct 02, '09 08:16:58AM

You can forget about Thawte and Verisign certificates in an instant!

Thawte has announced that they will discontinue the free email certificate program on November 16th 2009. ALL existing Thawte certificates will be revoked at that day and cannot be used to sign or encrypt new emails from that day on.

No new certificates will be issued by Thawte anymore!

Sadly I know of no real equivalent to thawte where users might turn to at the moment. Suggestions for alternative CAs are welcome.
Best regards
Pepi



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: QJB on Oct 02, '09 08:25:50AM
10.6: Sign and encrypt emails in Mail via thawte
Authored by: vykor on Oct 02, '09 08:27:39AM
Pretty sure Comodo still offers free personal email certs. Dunno how long that's gonna last, though.

[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: dpouliot on Oct 02, '09 09:12:47AM

Can't you just use the Certificate Assistant within Keychain's app menu?



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: Frig on Oct 02, '09 02:14:14PM

No, because this certificate wouldn't be trusted by other software. If you're using a thawte certificate or one from another official certificate authority, these certificates will be trusted.



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: dak180 on Oct 02, '09 10:35:53AM
You could try CAcert.

[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: Frig on Oct 02, '09 02:22:42PM
Because of your hint I was searching for a new certificate authority for S/MIME. I'm using startssl.com free server certificates for some days now, because Internet Explorer now also supports free certificates from startssl.com.
At startssl.com you can also request free email certificates. I tried this out and it seems to work fine.
The only problem I've found, is that you can't use this site with Safari, because there's a bug in WebKit and Safari won't show the correct drop downs. So you have to use another browser, like firefox, and import the certificates to your keychain. After that email signing and encrypting works just fine!

[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: azchipka on Oct 02, '09 03:00:17PM

Pepi,

Wow, I wish Thawte was being more public about the killing of their Personal Email certs. I have been using them forever and just heard about it through this forum. I can't believe they aren't even making an effort to contact customers.

At least they're providing those of us with certs a replacement verisign cert free of charge for a year.



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: TonyT on Oct 02, '09 08:27:47AM

fwiw, openssl docs say that genrsa has been superseded by genpkey.



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: DistantThunder on Oct 02, '09 09:22:15AM
I've been using Comodo certificates:
http://www.comodo.com/home/internet-security/secure-email.php

They work well. Although my experience is limited to sending encrypted email to myself at work, and vice versa.

[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: kaih on Oct 03, '09 04:38:16AM
The link to the Comodo free certificate is here:
http://www.comodo.com/home/internet-security/free-email-certificate.php

The link above is their Windows-only secure email client.

---
k:.

[ Reply to This | # ]

10.6: Sign and encrypt emails in Mail via thawte
Authored by: quinntaylor on Oct 02, '09 12:02:42PM
It should be noted that the paranoia of Thawte retaining one's public key seems unwarranted. From what I understand, the public-private keypair is generated in the local browser, and only the public key ever travels over the wire. This is why you can only retrieve a certificate from the same computer, same user login, same browser, etc. Accordingly, the setup is much simpler than this.

I wrote up some instructions for this process some time ago: http://homepage.mac.com/quinntaylor/secure_email/smime.html

I'll have to update them with the fact that 10.6 breaks MacGPG (I never liked PGP so much, anyway) and that Thawte is discontinuing the Freemail certificates. (They really should advertise that better, a lot of people are going to be caught unawares.) That's a real bummer....

Looks like Verisign is ~$20/year (1 year free for current Thawte cert holders) and Comodo is ~$12/year. (Couldn't find a free offer as someone mentioned.) Now I have to evaluate whether it's worth money for me to get a certificate... :-(

By the way, people in other replies mentioned CACert and the OS X Certificate Assistant. The former is not a certificate that's trusted by default on OS X (and probably not on Windows, either) and the latter will work, but will use a self-signed certificate, which is a far cry from certificates issued by trusted authorities like Thawte and Verisign, which are already trusted by most operating systems. At least generating a self-signed certificate is free, despite the increased complexity of being trusted.

[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: 10drill on Oct 04, '09 09:16:26PM
Free Comodo certificates (via InstantSSL) are available here: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: krokodil on Oct 03, '09 02:43:01AM
Hint states "By default, thawte stores your private keys on their system".

This is incorrect. Thawte does not have access to your private keys. To understand better how X.509 and certificates work you may want to start with the following article:

http://en.wikipedia.org/wiki/X.509
http://en.wikipedia.org/wiki/Certificate_authority
http://en.wikipedia.org/wiki/Thawte

P.S. Disclosure: I am Thawte WOT Notary.


[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: krokodil on Oct 03, '09 02:45:32AM

Instead of using OpenSSL command line, one can use much friendlier "Certificate Assistant" application which comes with MacOS to generate CSR. To start, open "Keychain Access" app and select "Certificate Assistant" from the menu.



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: B_B_B on Dec 23, '09 05:58:30AM

Can you please be a bit more specific on step 2. I get totally lost here. Can you provide a direct link to the Thawte site you refer to OR be way more specific. Please keep in mind that Thawte may also change their site now and then, so the info you provide can become outdated very quickly. I am lost already (and would like to get back on track, because your article looks very clear for the rest!)



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: ashill on Mar 25, '10 06:59:50AM

To be clear, Thawte discontinued issuing email certificates in November 2009, shortly after this hint was published. There are a couple of other options suggested downthread.

(I'm arriving now because my Thawte certificate just expired, so I'm looking for a replacement.)



[ Reply to This | # ]
10.6: Sign and encrypt emails in Mail via thawte
Authored by: AlexWillner on Jul 31, '10 07:09:56AM

Might be interesting in this context: we've revamped the GPGMail project and a 10.6.4 compatible version (1.3.0) can be downloaded at http://www.gpgmail.org (installer and integrated update included).



[ Reply to This | # ]
10.6:ECA Certs broken?
Authored by: David Fetrow on Aug 30, '10 09:41:43AM

Partial Solution Found: "http://yank.to/Musings/Miscellaneous/Certificates and OS X Mail".


I am not going to try and replicate the info here. He may find yet more workarounds.



[ Reply to This | # ]