Getting a Thawte Email Certificate with Windows XP, IE7, and Outlook Express
Important Note
Several years ago Thawte ceased issuing S/MIME certificates. These instructions are thus obsolete and are maintained only for archival purposes.
If you need an S/MIME certificate, several CAs offer them. In no particular order, Comodo, GlobalSign, and Entrust offer S/MIME certs at a low per-cert cost.
StartSSL also offers S/MIME certificates as part of its service. Free certificates include only the user's email address (which can be verified), not the name (which can't), but otherwise function identically to the paid certificates offered above. One can optionally pay for additional identity verification, which allows one's name to be included in the certificate. This validation is more thorough than that of the previously mentioned CAs (which basically match the user's name to that on their credit card), also applies to StartSSL-issued HTTPS certificates, and allows for the issuance of an unlimited number of S/MIME and HTTPS certs at no additional cost -- StartSSL charges only for the validation, not for each certificate. Depending on your needs, this may be a better option.
This page will describe in a step-by-step manner how one can request a free Thawte X.509 certificate for digitally signing and encrypting email. In this example, I will be using Windows XP, Internet Explorer 7, and Outlook Express.
If you are using Mozilla Firefox and Thunderbird, please see this page instead.
For some basic information about certificates and definitions of terms used here, please see this page.
Creating a Thawte Account
If you already have a Thawte account, please skip ahead to the next section.
- Visit Thawte's Personal Email Certificates page.
- Click on "Join" in the top-right corner of the page. A pop-up window should appear that has their license agreement. If you agree, click "Next".
- Enter your last name under "Surname or Family Name", your first name under "First Names or Names", your birthdate, and your nationality. If you need to change the character set for your language, you may do so using the "Charset for Text Input" menu. Normally, one should leave this menu at its default setting. Click "Next".
- Enter your email address, then click "Next". This must be an actual, working email address that you have access to. You can change it after you log in, but you must be able to verify ownership of this address. Your current primary address is your Thawte username, which you'll use to log in later.
- If you need to change your default language or character set, you may do so here. Otherwise leave them at their default values. Click "Next" when ready.
- Enter a password that you wish to use for this account. You will need this whenever you log in to Thawte's website. Enter it twice to ensure that you've typed it correctly. Click "Next".
- Confirm that all the listed information is correct, then click "Next".
- Read the instructions. Basically, Thawte has sent an email to your address. It contains information that will allow you to prove that you have access to that email address.
- Check your email. You should have an email from Thawte in your inbox (if not, wait a few minutes; if it still hasn't arrived, check your junk folder). The email will contain a link at the top that you should open in your web browser. The email also contains two lines of random characters named "Probe" and "Ping". Copy and paste each of these into the appropriate field on the website you just opened, then click "Next". By doing so, you've confirmed that your email address exists and that you have access to it.
- Hooray! You now have a Thawte account. Now we can actually get started on getting a certificate!
Requesting a Certificate
- Log into your Thawte account. If you're still on the page that says "Congratulations! You now have an account...", just click "Next". Otherwise, go to Thawte's Personal Email Certificates page and click "Login". Enter your email address and password that you used to create the account.
- Click the "Request" button immediately under "X.509 Format Email Certificates".
- A new window should appear, and you should select your browser/email client combination. Remember, your certificate can be used for any of these software programs (and many more), but the actual process of installing it differs based on what browser you use, so please choose the browser you're actually using right now, then click "Request".
- This next page doesn't apply at this time, so just click "Next".
- Since Thawte doesn't know who you are, they won't issue a certificate to your name, only to your email address (which is the one they've verified before). Otherwise, people could request certificates using fake names like "Bill Gates", "Hulk Hogan", or "The Man In The Moon". Instead, your certificate will be issued to "Thawte Freemail Member". If you want to verify your identity, you can participate in the Thawte Web of Trust where you visit people trusted by Thawte to vouch for your identity.
- Confirm your email address. This is the address that will be part of the certificate, and the address to which people will be able to send encrypted email. If you have multiple addresses on file with Thawte, select only one. If you need to add or change the address, go back to Step 1 in this section, log in, select "my emails", and select "new email address" to add an email account to Thawte. You'll need to confirm it using the methods above, and then you can return and start the request procedure over again. Once you've selected the proper address, click "Next".
- This doesn't apply. Just hit "Next".
- Click "Accept". The default options are fine.
- Thawte needs to run an add-on called "Microsoft Certificate Enrollment Control". Follow the instructions to run it (usually it involves clicking the yellow warning bar at the top that says "This website wants to run the following add-on..." and selecting "Run" or "install" or whatever it wants).
- Once the add-on runs, you should have a pull-down menu with several options. Ensure that "Microsoft Enhanced Cryptographic Provider v1.0" is selected, then click "Next".
- You will get a warning saying that the web site is requesting a new certificate on your behalf. Since this is, in fact, what we want to do, click "Yes".
- A window will appear saying "An application is creating a Protected item - CryptoAPI Private Key". This is what we want to happen, so click "OK".
- Confirm the certificate request details, then click the button to proceed.
- Hooray! You've now requested a certificate. It should take less than 10 minutes for them to issue your certificate. You'll get an email when it's ready. Go have some coffee or something.
Installing the New Certificate
- When you get the email confirming your certificate has been issued, log into your Thawte account, select "certificates" in the left-hand menu bar, then check "view certificate status". You should see one listing there with the status of "issued". Click the link that says "MSIE" in the left column.
- Confirm the details of the certificate you requested. Once you verify everything, click the "Fetch" button at the bottom of the page.
- On the next page, click "Install Your Cert". Click "Yes" on the warning that says "This Web site is adding one or more certificates to this computer..." Thawte is a trusted company, and adding your certificate does not pose a security risk. After clicking "Yes", you should get a notice saying that your personal certificate is installed.
- Your certificate is now installed in the Microsoft Windows key storage system on your computer and is now available to any Microsoft program on your computer, like Outlook Express, Internet Explorer, Microsoft Office, etc. You will need to install your certificate in non-Microsoft programs like Firefox or Mozilla in order for them to use it; I'll discuss that at the end of this page.
IMPORTANT: You should immediately back up your certificate and private key to a secure location. To do this, open Internet Explorer, select the "Tools" menu, then select "Internet Options", click the "Content" tab, then the "Certificates" button in the middle of the window. Your certificate should be listed as "Thawte Freemail User". Click it once, then click the "Export" button below.
The "Certificate Export Wizard" will load. Click the "Next" button, and then select the "Yes, export the private key" option, then click "Next".
Ensure that the "Personal Information Exchange" option is selected, with only the "Enable strong protection" box checked, then click "Next".
Enter a password in the two fields; if you ever need to restore your certificate and private key to your computer, you will need to enter this password, so be sure you remember it. Click "Next", select where you want to save the file, then click "Next". Confirm the details, then click "Finish". Say "OK" to the "An application is requesting access to a protected item..." warning, and hit "OK" on the "The export is successful" window.
Go to where you chose to save the exported key and put it on some sort of storage media like a USB flash drive, CD-R, etc. Then put it in a secure location. Ideally, this should be in a secure location away from where your computer is located. A bank safe deposit box is ideal.
The suggestion for secure, off-site storage is made for several reasons. If your computer breaks or your house burns down, you don't want to lose your digital keys: only these keys can decrypt the encrypted messages you have received.
Also, if a bad guy gets his hands on your keys and figures out the password you used to protect them, he'll be able to decrypt your encrypted messages and send emails that appear to be sent by you (and that are digitally signed with your certificate, so people will believe it's you!). In short: protect your backup from damage and loss, and keep it out of other people's hands.
If your certificate or keys are ever compromised or lost, immediately log into the Thawte website and revoke your certificate. This will help prevent anyone from misusing it. It would also be prudent to notify your contacts that you've revoked your certificate, in case their email client does not check whether certificates have been revoked.
You can still use a revoked certificate to decrypt existing messages, but you cannot use it to sign new messages. You can request and install a new certificate using the instructions above.
I cannot emphasize enough how important it is for you to keep a secure, off-site backup of your encryption keys.
As Gandalf the Wizard said to Frodo Baggins about the One Ring in The Lord of the Rings, "Keep it secret. Keep it safe." Same thing here, except I don't have a big pointy hat and stick, and you're not a furry-footed Hobbit. I hope.
Using Your Certificate with Outlook Express
- Open Outlook Express. It's normally in your Start Menu. I'll presume you use it regularly for sending and receiving email and already have an email account setup.
- Go to the "Tools" menu, select "Options", and select the "Security" tab. Click the "Advanced" tab in the lower-right corner, then select "Only when online" under the "Check for revoked Digital IDs" -- this will allow you to verify that certificates belonging to other people are valid, and have not been revoked. Click "OK" when done.
- Select the "Digital IDs" button (just above "Advanced") and confirm that your Thawte certificate is listed. If so, excellent. If not, something's wrong. Assuming everything's good, click "Close" and then close out of your Options window.
- Open your "Tools" menu and select "Accounts". Find your email account on the list, select it, and then click "Properties" on the right side of the window. Select the "Security" tab at the top, and use the "Select" button to choose a signing and an encrypting certificate (you use your Thawte one for both, so select your certificate for both). When done, hit "OK" to close the account properties window, then "Close" to close the Accounts window.
How to Send and Receive Encrypted Email
Signing Emails: When you click the "Create Mail" button to compose a new message, you'll see two new options in the top-right corner: "Sign" and "Encrypt". (If you were observant, you should have noticed the "Sign all messages by default" option in Tools-->Options-->Security; you can select this if you want.) Simply compose a message to whomever you want, click the "Sign" button, confirm access to your private key (the program needs your private key in order to sign the email), and send the message. That was easy!
Encrypting Emails: In order to encrypt emails to another person, they will need to have a certificate configured in their email program. It doesn't matter what email program they use, so long as it supports S/MIME encryption and certificates. It also doesn't matter who issued their certificate; Outlook Express will be able to use it.
Additionally, the two of you will need to exchange public keys. This is easy: just send a signed email to each other; your email programs will detect the other person's public key and signature attached to the email, and will import them automatically. It may be prudent to call the other person on the telephone and verify the key's fingerprints to ensure that you received their signature and that nobody is attempting to impersonate them with an illegitimate public key.
Once you've done this, just compose an email to the other person and check the "Encrypt" button in the top-right. You can (and probably should) click the "Sign" button as well to verify that it is you who are sending the message. Your email program will automatically select the recipient's public key, encrypt and/or sign the message (as selected) and send the message. When the recipient opens it, it will automatically verify the signature (if present), and decrypt the message using their private key. If someone intercepts the encrypted message, they will be unable to decrypt the message without the recipient's private key, and so will have only scrambled, unreadable text. Excellent!
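Two of the checks above can be done outside the GUI: confirming that the "Personal Information Exchange" backup really contains your private key and opens with the password you chose, and printing the certificate fingerprint you would read to a contact over the telephone. This is an added example using the OpenSSL command-line tool, not part of the original page; the paths, the password, and the self-signed stand-in certificate are constructed for the demonstration and are not Thawte's.

```shell
#!/bin/sh
# Added example: sanity-check an exported .pfx (PKCS#12) backup with OpenSSL.
# All paths, the password and the sample subject below are constructed values.
set -eu

WORK="${TMPDIR:-/tmp}/smime-backup-check"
mkdir -p "$WORK"
BACKUP="$WORK/thawte-backup.pfx"
PASSWORD="correct horse battery staple"   # stands in for the wizard's export password

# Stand-in for the certificate the export wizard wrote: a self-signed test cert
# with the same shape (a name plus an emailAddress), generated locally.
make_sample_backup() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=Thawte Freemail Member/emailAddress=user@example.com" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$BACKUP" -passout "pass:$PASSWORD"
}

# Check 1: the backup opens with the password AND carries the private key.
# A backup made without "Yes, export the private key" passes every other
# check but cannot decrypt old mail, so this is the one that matters.
# Usage: backup_has_private_key FILE PASSWORD  (exit 0 = key present)
backup_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Check 2: the SHA-256 fingerprint of the certificate inside the backup, as the
# colon-separated hex string you compare with your contact by phone.
# Usage: backup_fingerprint FILE PASSWORD
backup_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//'
}

# Email address the certificate was issued to (the only identity in a
# "Freemail Member" cert), so you can confirm it matches the address you chose.
backup_email() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -email
}

make_sample_backup
if backup_has_private_key "$BACKUP" "$PASSWORD"; then echo "private key: present"; fi
echo "email:       $(backup_email "$BACKUP" "$PASSWORD")"
echo "fingerprint: $(backup_fingerprint "$BACKUP" "$PASSWORD")"
```

Run the same three checks against the file you exported from Internet Explorer (substituting its path and your export password) before you put the backup in the safe deposit box.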
Can I send you a test message?
Sure. If you found this helpful, and now have a certificate imported into your email program, I'd be very happy if you were to send me a digitally signed or encrypted message. My email address is pete@heypete.com.
In order to avoid your message being mistakenly detected as spam, be sure to use an informative subject. "S/MIME Test Message" generally works well.
You can get my public key in one of two ways:
- Send me a digitally signed email (so I can import your public key and be able to send you encrypted messages) and I will reply with a signed email so you can import my key.
- You can download my public key from this page.
Conclusion
I hope this has been helpful in getting you set up with a Thawte secure email certificate using Windows XP, Internet Explorer 7, and Outlook Express.
If you have any questions about this process, please email me above (signed and encrypted messages are welcome) and I'll try to help you. I don't use Outlook Express that often, but I should be able to help you get set up properly.
Thanks for reading this guide! Stay secure, stay safe.
-Pete