Getting a Thawte Email Certificate
Important Note
Several years ago Thawte ceased issuing S/MIME certificates. These instructions are thus obsolete and are maintained only for archival purposes.
If you need an S/MIME certificate, several CAs offer them. In no particular order, Comodo, GlobalSign, and Entrust offer S/MIME certs at a low per-cert cost.
StartSSL also offers S/MIME certificates as part of its service. Free certificates include only the user's email address (which can be verified) but not the name (which can't), but otherwise function identically to the paid certificates offered above. One can optionally pay for additional identity verification, which allows one's name to be included in the certificate. This validation is more thorough than that of the previously mentioned CAs (which basically match the user's name to that on their credit card), also applies to StartSSL-issued HTTPS certificates, and allows for the issuance of an unlimited number of S/MIME and HTTPS certs at no additional cost -- StartSSL charges only for the validation, not for each certificate. Depending on your needs, this may be a better option.
What the heck is an X.509 or S/MIME email certificate? Why would I want one?
X.509 or S/MIME certificates are digital certificates issued by Certificate Authorities (henceforth known as "CAs") for several purposes. The purpose I'll be talking about here is using them for sending and receiving digitally signed and/or encrypted email using S/MIME.
Thawte, one of the major CAs, offers such certificates at no cost to individuals. One need only request it from the CA, install it on one's computer, and configure one's email client to use it.
Certificates can be used to encrypt email and digitally sign messages. Since nearly all email is sent unencrypted, anyone with access to one of the dozens of servers, routers, and network providers that a message travels across can intercept, read, and modify it. Encrypting and signing messages helps protect one's privacy, authenticates that the sender of the message is who they claim to be, and confirms that the message was not modified in transit.
This may sound complicated (and the actual math that is used for encryption and decryption is very complicated indeed!), but it's actually very easy for an average computer user to set up and use.
The directions below may seem quite lengthy, but it's simply because I went into great detail at some points to avoid any confusion.
If you're comfortable with browsing the internet, filling out forms, and following directions you should be able to complete these instructions in about 10-15 minutes with no trouble. Most of that time is spent waiting for the certificate to actually be generated by Thawte; the rest of the steps usually take only a few minutes to complete.
Basic Terminology
- Certificate Authority: A third party organization that issues digital certificates.
- Certificate: Essentially a form of digital ID that allows for secure connections, encryption, and digital signatures. It is composed of a public and private key. It can be revoked if lost or stolen. It is issued by a Certificate Authority.
- Digital Signature: This is comparable to a pen-and-ink signature on paper, with a few extra bonuses: it is effectively impossible to forge, proves that a signed message was actually sent by the sender (or more specifically, the person with the sender's private key), and proves that the message was not altered or modified in transit. The signature is generated by the sender's private key, and is verified by others using the sender's public key.
- Encryption: A form of scrambling a message so that only a person with the proper decryption key can decode and read it.
- Public key: The public half of an individual's certificate. It is included in every signed email that is sent to allow the recipient to verify the message is from the sender and is unmodified. It is used by others to encrypt messages to the owner of the key.
- Private key: The private part of an individual's certificate. This must be kept absolutely private; if the key is compromised, it must be revoked so nobody else can mis-use it. It is used for digitally signing messages and for decrypting messages sent to the keyholder.
Tutorials
I have created a few tutorials that can help you request, install, and use such a certificate. The installation procedure differs slightly depending on what web browser you use and what email client you use. I've included directions for some of the more common browsers and email clients below. If you know of any that I don't list here, please feel free to send me a message and I'll do what I can to create documentation for it.
- Internet Explorer/Outlook Express for Windows XP. If you're using Internet Explorer as your web browser, you should read this tutorial. It has directions specific to Internet Explorer and Outlook Express, though the directions should be adaptable to Outlook or other common email clients.
- Mozilla Firefox/Thunderbird. If you're using Mozilla Firefox as your web browser, you should read this tutorial. It has directions specific to Firefox and Thunderbird. I used the Windows XP versions of Mozilla's software, but have performed the same actions using Ubuntu Linux and it's identical, so I presume it should work the same for any operating system that can use these programs. Additionally, I included information about exporting the saved certificate from Firefox and importing it into Windows XP's built-in certificate store so it can be accessible from Internet Explorer, Outlook, and other Microsoft products.
Note: I am working on a Windows Vista tutorial. At present, the IE/OE tutorial for Windows XP should work the same for Windows Vista. However, if you are using Firefox on Windows Vista, you will run into some unusual errors when collecting your certificate. For the time being, I recommend that individuals using Firefox and Windows Vista use IE/OE to create and collect their certificate, export it as a file, and then import it into Firefox.
Can I send you a test message?
Sure. If you found this helpful, and have a certificate imported into your email program, I'd be very happy if you were to send me a digitally signed or encrypted message. My email address is pete@heypete.com.
In order to avoid your message being mistakenly detected as spam, be sure your subject has "S/MIME Test Message" somewhere in it.
You can get my public key in one of two ways:
- Send me a digitally signed email (so I can import your public key and be able to send you encrypted messages) and I will reply with a signed email so you can import my key.
- Or, you can download my public key from this page. Simply download the .cer file corresponding to my email address and import it into your email program (see the instructions above). Please verify the SHA1 fingerprint (Microsoft products call it a "thumbprint") of the imported certificate against the information provided on my download page to ensure that you are getting the legitimate key that belongs to me.
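The fingerprint check above is the step that protects you from importing a substituted certificate, so it is worth seeing exactly what is being compared. The following is an added example, not code from the original page: it computes the SHA1 fingerprint of a downloaded .cer file the same way a browser or the Windows certificate viewer does (SHA-1 over the certificate's DER bytes, shown as colon-separated hex pairs), accepts both the binary DER and the base64 PEM form of the file, and compares the result with the value published on the download page regardless of separators or letter case. The sample bytes and the "published" value in the block are constructed stand-ins so the script runs offline; with a real file you would pass its path on the command line and paste the fingerprint from the author's page. Note that a matching fingerprint proves only that you received the certificate the author published, which is why the published value has to come from a source you trust separately from the download itself.

```python
import base64
import hashlib
import hmac
import re

# PEM form: the DER bytes, base64-encoded between armor lines.
PEM_ARMOR = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def certificate_der(cert_bytes: bytes) -> bytes:
    """Return the raw DER encoding of a .cer file (PEM or binary DER)."""
    match = PEM_ARMOR.search(cert_bytes)
    if match:
        body = b"".join(match.group(1).split())  # drop line breaks and spaces
        return base64.b64decode(body, validate=True)
    return cert_bytes  # already DER


def sha1_fingerprint(cert_bytes: bytes) -> str:
    """SHA-1 of the DER encoding, formatted as upper-case hex pairs joined
    by ':' (the layout browsers and the Windows thumbprint field display)."""
    digest = hashlib.sha1(certificate_der(cert_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Strip separators and case so 'a9:99:3e', 'A9 99 3E' and 'a9993e'
    (forms printed by different tools) compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", text).lower()


def fingerprint_matches(cert_bytes: bytes, published: str) -> bool:
    """True only if the downloaded certificate hashes to the published value."""
    actual = normalize_fingerprint(sha1_fingerprint(cert_bytes))
    expected = normalize_fingerprint(published)
    if len(expected) != 40:
        return False  # not a complete SHA-1 fingerprint: refuse rather than guess
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for a downloaded .cer file. A real DER certificate
# starts with an ASN.1 SEQUENCE byte (0x30); b"abc" is used here only because
# its SHA-1 is the well-known test vector, so the value below is checkable.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# Constructed "published" fingerprint (lower-case, colon-separated, as a
# download page might show it).
PUBLISHED_FINGERPRINT = "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d"


if __name__ == "__main__":
    import sys
    # Usage: python check_fingerprint.py [path/to/downloaded.cer]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("SHA1 fingerprint:", sha1_fingerprint(data))
    print("matches published value:",
          fingerprint_matches(data, PUBLISHED_FINGERPRINT))
```

Comparing the normalized strings with hmac.compare_digest is a habit rather than a necessity here (the fingerprint is public), but it keeps the check free of early-exit string comparison, and the length guard stops a truncated or partially pasted fingerprint from accidentally matching. Modern tools also display a SHA-256 fingerprint; the same function works for it by swapping hashlib.sha1 for hashlib.sha256 and the expected length for 64.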
Conclusion
I hope this has been helpful in getting you set up with a Thawte secure email certificate and the browser and email client of your choice.
If you have any questions about this process, please email me above (signed and encrypted messages are welcome) and I'll try to help you. I mostly use Firefox and Thunderbird, but may be able to answer questions about most common email clients.
Thanks for reading this guide! Stay secure, stay safe.
-Pete
