Knowledge Is Power
Set Up Digital Certificates with the
I wanted to get a digital certificate so I could digitally sign my e-mails and possibly encrypt them if necessary. I decided on a GeoTrust My Credential certificate. Yes, it does cost $20 while you can get one from Thawte for free, but if you read carefully you'll see that Thawte's free certificates are based on a WOT (Web of Trust) model, which is more of a peer-trust model than the more secure hierarchical CA model.
Encryption keys are used to encrypt (hide by scrambling) and/or digitally sign (electronic signature) e-mail messages. A certificate is basically an encryption key along with some reassurance that the person using the key is who they claim to be. The reassurance is accomplished when the Certificate Authority (GeoTrust) asks you to verify, using the phone, that you are who you say you are when you apply for the certificate. The reassurance that a certificate provides is especially important for digital signatures which provide proof of who sent the e-mail.
The certificates used for e-mail signing and encryption rely on "asymmetric" encryption, which means there are two different keys: whatever one key encrypts, only the other key can decrypt. One is called the public key, because anyone can have a copy of it, while the other is called the private key, because only the certificate holder should have it. To sign, the certificate holder encrypts an e-mail message using their private key. If you can successfully decrypt the message using their public key, then you know it must have come from them.
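The sign-with-private-key, check-with-public-key idea described above, as an added example that is not part of the original page: a toy RSA key pair built from two fixed primes (constructed values, far too small for real use) signs a short digest of a message, and the public key either confirms the signature or, for a tampered message or a forged signature, rejects it. Real S/MIME signatures pad a full hash with PKCS#1 v1.5 or PSS and use keys of 2048 bits or more; the truncated digest and the key size here are shortcuts for illustration only.

```python
import hashlib

# Toy RSA key pair from two fixed Mersenne primes (constructed values; 2^31-1
# and 2^61-1 are prime, and 65537 is coprime to (P-1)(Q-1)). Insecurely small.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

PUBLIC_KEY = (N, E)    # anyone may hold this; it is what the certificate carries
PRIVATE_KEY = (N, D)   # only the certificate holder should have this


def digest(message: bytes) -> int:
    """Hash the message, truncated to 64 bits so the value fits below N.
    (Toy shortcut: real signatures pad the full hash with PKCS#1 v1.5 or PSS.)"""
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")


def sign(message: bytes, private_key) -> int:
    """'Encrypt' the message digest with the private key, as the text describes."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public key and compare it to the
    digest of the message actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    msg = b"Meeting moved to 3pm"              # constructed sample message
    sig = sign(msg, PRIVATE_KEY)
    print("original verifies:", verify(msg, sig, PUBLIC_KEY))                      # True
    print("tampered verifies:", verify(b"Meeting moved to 4pm", sig, PUBLIC_KEY))  # False
    print("forged verifies:  ", verify(msg, sig + 1, PUBLIC_KEY))                  # False
```

What the toy cannot show is the part the certificate adds: the public key alone proves that whoever holds the matching private key signed the message, and it is the CA's verification of the applicant that ties that key to a named person.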
The first problem you may run into is if you use Internet Explorer to order the certificate. The certificate installation is browser-based and you have to use the same browser to install the certificate that you used to order the certificate. If that's IE then Thunderbird knows nothing about your certificate. You have to use IE to export your certificate to a file and then use Thunderbird to import it.
You use your browser to go to www.geotrust.com/signing-products/secure-email/ to order a signing certificate. During this process you go through a telephone verification step where you enter a code shown in your browser. After that you are forwarded to a Web page with an "Install Certificate" button.
If you used Internet Explorer for this, you export the certificate by clicking on Tools / Internet Options / Content / Certificates / Personal. Click on your new certificate shown in the list, click on the Export button, and export the certificate with the private key to a file.
Then go into Thunderbird and click on Tools / Options / Advanced / Certificates / View Certificates / Your Certificates. Click on the Import button and import the file you just exported. Once imported, your certificate should show up in the list of personal certificates. You can now close the Options window.
Now in Thunderbird click on Tools / Account Settings and click on Security on the left side. On the right side click on the Select button in both the Digital Signing and Encryption areas and select your new certificate. You can now close the Settings window.
Now compose a new e-mail to someone and before sending click on the down arrow to the right of the S/MIME button (not the button itself) and select Digitally Sign This Message and then click on the Send button.
If, when you try to send the e-mail, you get the error:
Unable to sign message. Please check that the certificates specified in Mail & Newsgroup Account Setting for this mail account are valid and trusted..
it simply means that the "GeoTrust True Credentials CA 2" Certificate Authority (which is the CA that issues the MyCredential digital certificates) is not listed as a trusted authority in Thunderbird.
To fix this you have to save the CA's root certificate to a file and import it into Thunderbird. The following is their public certificate. (It is also available at www.geotrust.com/resources/root-certificates/ under "Root 13".) Highlight this text, including the BEGIN and END lines, and copy/paste it into Notepad.
-----BEGIN CERTIFICATE-----
MIICtzCCAiCgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBTMQswCQYDVQQGEwJVUzEc
MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEmMCQGA1UEAxMdRXF1aWZheCBT
ZWN1cmUgZUJ1c2luZXNzIENBLTEwHhcNMDIxMDA3MTQ1NDQ1WhcNMjAwNjIxMDQw
MDAwWjBOMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEnMCUG
A1UEAxMeR2VvVHJ1c3QgVHJ1ZSBDcmVkZW50aWFscyBDQSAyMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQCylyylkhKlhf9ompahhxLLIaoVvLc6+x6lHMtFTQQ0
MlHAmjsPAWmKtEU5RCROQpexjoFDNf8J4JGuf2LifLmBxe4jYlLKtKYPChtvCXna
flw8RscZx5vJtZ0p8B/y++TFhSdOYNk+23ahvlE2klN5OKr0yk0IH/kbs5yvWESW
NwIDAQABo4GfMIGcMA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUIoNLTSACDDH0
fFqwGk0VyHhdEUkwDwYDVR0TAQH/BAUwAwEB/zA5BgNVHR8EMjAwMC6gLKAqhiho
dHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL2ViaXpjYTEuY3JsMB8GA1UdIwQY
MBaAFEp4MlIR21kWNl7fwRQ2QGpHfEyhMA0GCSqGSIb3DQEBBAUAA4GBAEtFK0kW
Nxl+B67G8cwvTWaZjUiErkNWACqlCKww/lU15QXd9HQpD938DJwvBLJX7/Y0j4Fk
uVoQVnUAqhQNBp0jetnumbH8FjhBjOpZy0A2RihZ6WiSO8tl/+LVpKspSu/49h8w
qxneFZZPeNpQEyKRaK6cOtRrMTWOGRpr3WSe
-----END CERTIFICATE-----
When saving this file you don't want the usual .txt extension that Notepad adds, so you have to enclose the file name in quotes. When you click on File / Save, enter into the File Name field the following exactly as shown, including the quotes and the .cer extension:
Now you need to import it into your Thunderbird trusted authorities. Click on Tools / Options / Advanced / Certificates / View Certificates / Authorities. Click on the Import button and select the file you just saved above.
The CA will show up in the list. However, it will not show up under GeoTrust; it will show up under Equifax Secure Inc. as "GeoTrust True Credentials CA 2". Now you should be able to send your digitally-signed e-mail.
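Why the imported authority appears under Equifax rather than GeoTrust, and what else you are trusting when you import it, can be read straight out of the certificate. The following is an added example, not code from the page or from GeoTrust: a minimal DER reader using only the Python standard library that decodes the root certificate text above (copied verbatim from the page) and reports its issuer, subject, validity period, signature algorithm, key size and CA flag. The attribute and algorithm names are the standard OID assignments; the parser handles only the single-byte tags and lengths that X.509 uses, which is enough for this certificate.

```python
import base64
import datetime

# GeoTrust True Credentials CA 2 root certificate, copied from the page above.
GEOTRUST_ROOT_PEM = """-----BEGIN CERTIFICATE-----
MIICtzCCAiCgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBTMQswCQYDVQQGEwJVUzEc
MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEmMCQGA1UEAxMdRXF1aWZheCBT
ZWN1cmUgZUJ1c2luZXNzIENBLTEwHhcNMDIxMDA3MTQ1NDQ1WhcNMjAwNjIxMDQw
MDAwWjBOMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEnMCUG
A1UEAxMeR2VvVHJ1c3QgVHJ1ZSBDcmVkZW50aWFscyBDQSAyMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQCylyylkhKlhf9ompahhxLLIaoVvLc6+x6lHMtFTQQ0
MlHAmjsPAWmKtEU5RCROQpexjoFDNf8J4JGuf2LifLmBxe4jYlLKtKYPChtvCXna
flw8RscZx5vJtZ0p8B/y++TFhSdOYNk+23ahvlE2klN5OKr0yk0IH/kbs5yvWESW
NwIDAQABo4GfMIGcMA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUIoNLTSACDDH0
fFqwGk0VyHhdEUkwDwYDVR0TAQH/BAUwAwEB/zA5BgNVHR8EMjAwMC6gLKAqhiho
dHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL2ViaXpjYTEuY3JsMB8GA1UdIwQY
MBaAFEp4MlIR21kWNl7fwRQ2QGpHfEyhMA0GCSqGSIb3DQEBBAUAA4GBAEtFK0kW
Nxl+B67G8cwvTWaZjUiErkNWACqlCKww/lU15QXd9HQpD938DJwvBLJX7/Y0j4Fk
uVoQVnUAqhQNBp0jetnumbH8FjhBjOpZy0A2RihZ6WiSO8tl/+LVpKspSu/49h8w
qxneFZZPeNpQEyKRaK6cOtRrMTWOGRpr3WSe
-----END CERTIFICATE-----"""

ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O"}   # standard X.520 OIDs
SIG_ALG_NAMES = {                                                   # standard PKCS#1 OIDs
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def pem_to_der(pem):
    """Strip the BEGIN/END lines and base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def parse_der(data):
    """Minimal DER reader: a list of (tag, value, children) nodes. Single-byte
    tags and short/long-form lengths only, which is all X.509 uses."""
    nodes, pos = [], 0
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        value = data[pos:pos + length]
        pos += length
        children = parse_der(value) if tag & 0x20 else []   # bit 6 set = constructed
        nodes.append((tag, value, children))
    return nodes


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def name_to_str(name):
    """Name = SEQUENCE OF SET OF (OID, value); render as C=.., O=.., CN=.."""
    parts = []
    for rdn in name[2]:
        for atv in rdn[2]:
            oid = decode_oid(atv[2][0][1])
            parts.append(f"{ATTR_NAMES.get(oid, oid)}={atv[2][1][1].decode('latin-1')}")
    return ", ".join(parts)


def utc_time(node):
    return datetime.datetime.strptime(node[1].decode(), "%y%m%d%H%M%SZ")


def inspect_certificate(pem):
    cert = parse_der(pem_to_der(pem))[0]
    f = cert[2][0][2]                          # TBSCertificate fields
    i = 1 if f[0][0] == 0xA0 else 0            # skip the optional [0] version tag
    # SubjectPublicKeyInfo -> BIT STRING (drop unused-bits byte) -> RSAPublicKey.n
    modulus = parse_der(f[i + 5][2][1][1][1:])[0][2][0][1]
    is_ca = False
    for block in f[i + 6:]:
        if block[0] == 0xA3:                   # [3] extensions
            for ext in block[2][0][2]:
                if decode_oid(ext[2][0][1]) == "2.5.29.19":   # basicConstraints
                    bc = parse_der(ext[2][-1][1])[0]          # OCTET STRING holds a SEQUENCE
                    is_ca = bool(bc[2]) and bc[2][0][0] == 0x01 and bc[2][0][1] == b"\xff"
    sig_oid = decode_oid(f[i + 1][2][0][1])
    return {
        "serial": int.from_bytes(f[i][1], "big"),
        "signature_algorithm": SIG_ALG_NAMES.get(sig_oid, sig_oid),
        "issuer": name_to_str(f[i + 2]),
        "not_before": utc_time(f[i + 3][2][0]),
        "not_after": utc_time(f[i + 3][2][1]),
        "subject": name_to_str(f[i + 4]),
        "key_bits": int.from_bytes(modulus, "big").bit_length(),
        "is_ca": is_ca,
    }


def is_expired(info, now=None):
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return not (info["not_before"] <= now <= info["not_after"])


if __name__ == "__main__":
    info = inspect_certificate(GEOTRUST_ROOT_PEM)
    for key, val in info.items():
        print(f"{key:20} {val}")
    print("expired today:", is_expired(info))
```

The issuer field is why Thunderbird files this authority under Equifax: "GeoTrust True Credentials CA 2" is not self-signed but issued by "Equifax Secure eBusiness CA-1", and the certificate manager groups entries by issuing organisation. The same decode shows the caveats a practitioner would check before importing any authority: the validity window (this one ended in June 2020), a 1024-bit key, and an MD5-based signature algorithm, all of which were acceptable when the page was written but would not be today.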
If, when you try to import your personal certificate you get prompted for:
Master password for security device
and no matter what you enter it won't take it, you'll have to go for the last resort and rename the file that holds it. The bad news is that this same file also holds the password for your POP account, so you'll be prompted to re-enter that the next time you check your mail. Make sure you know what that password is before proceeding, or you won't be able to get your mail.
The file that holds the password is stored in the user profile. To get rid of the "master password for security device" prompt do the following:
- Close Thunderbird
- Open Windows Explorer and open the following folder:
C:\Documents and Settings\<Login Name>\Application Data\Thunderbird\Profiles\<Profile Name>\
- Find the file named key3.db and right-click on it and select Rename and rename the file by putting a dash at the start of the file name so it becomes -key3.db.
- Close Windows Explorer and open Thunderbird and import the certificate.
Contents, diagrams, and images Copyright © 2004-2009 Keith Parkansky All rights reserved.