Thawte certificate with own private key: Difference between revisions

Revision as of 13:05, 1 December 2005

Any certification authority such as Thawte may have the chance to see and store your private key, which is not what you prefer. A basic understanding of how a public key infrastructure with X.509 certificates (here for S/MIME e-mail encryption) works is assumed.

If you want to have your name in the Thawte certificate you have to pass the web of trust procedure to demonstrate to the notaries that your name is authentic, not just your e-mail address. (See details here.) Once you have accumulated enough trust points you can start the following procedure from Baker <dbaker@cuckoo.com>:

  1. Generate your private key:

    wolfm@wolftux:~/thawte> openssl genrsa -aes256 -out mail.key 2048
    Generating RSA private key, 2048 bit long modulus
    .......+++
    ...+++
    e is 65537 (0x10001)
    Enter pass phrase for mail.key: ***your secret pass phrase***
    Verifying - Enter pass phrase for mail.key: ***your secret pass phrase***

  2. Login to Thawte > Personal E-mail Certificates > certificates and request a new certificate by clicking "test".
    Above the test button is a label saying "Developers of New Security Applications ONLY."
    • Paste-in CSR Certificate Enrollment (click OK), ...
    • You'll have to select an e-mail address,
    • hit OK a few times, accept the default extensions,
    • and go all the way through until it gives you a string of numbers and letters. (Generate a CSR. Set the CommonName (sometimes called the "Domain Name" by server SSL key management packages) attribute to the following string (case sensitive):) Copy that string into your clipboard.
  3. Generate a CSR for Thawte and paste your clipboard into the Common Name field:

    wolfm@wolftux:~/thawte> openssl req -new -key mail.key -out mail.csr
    Enter pass phrase for mail.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:DE
    State or Province Name (full name) [Some-State]:Berlin
    Locality Name (eg, city) []:Berlin
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wolf Mueller
    Organizational Unit Name (eg, section) []:Email
    Common Name (eg, YOUR name) []:aCKVWVD8NWm6w723
    Email Address []:Wolf.Mueller@informatik.hu-berlin.de

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  4. Open up mail.csr in an editor, copy it to your clipboard, and paste that into the web browser dialog window that popped up. Delete the two lines that it has there initially.
  5. Wait until your personal certificate is issued. You get an email from Thawte which contains a link to download the certificate (https://www.thawte.com/cgi/personal/cert/deliver.exe?serial=1111111).

Save it as e.g. ./deliver.exe. It contains a certificate chain in Netscape's format and a certificate in PKCS7:

We deliver your developer cert as a chain, and we deliver it in
two formats. The first is the Netscape Cert Sequence format, documented
on the Netscape Security Site at http://www.netscape.com/eng/security/.
The next is a degenerate PKCS7 SignedDate, with certificates and possibly
CRL's but no content.
-----BEGIN NETSCAPE CERTIFICATE CHAIN-----
...
-----END NETSCAPE CERTIFICATE CHAIN-----
...
-----BEGIN PKCS #7 SIGNED DATA-----
...
-----END PKCS #7 SIGNED DATA-----
#!/usr/bin/perl -n
# extract_pkcs7.pl
# usage: extract_pkcs7.pl < input > out.pk7
# -n wraps the body in a while(<>) loop, so every line of the delivered
# file is examined; only the PKCS#7 block is written to stdout.

if (/-----BEGIN PKCS/ ... /-----END PKCS/) { # range operator: true from the BEGIN line through the END line
    s/-----([A-Z ].*PKC).*/-----$1S7-----/g; # rename "PKCS #7 SIGNED DATA" to "PKCS7", the label openssl expects
    if ( m/.+/ ) { print $_;}                # drop empty lines
}
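The same extraction with the check a practitioner would want before feeding the result to openssl, as an added example that is not part of the original page or of Thawte's delivery: it pulls every PEM block out of a deliver.exe-style file, renames Thawte's label to PKCS7 the way the Perl script does, and verifies that the decoded block really is a PKCS#7 ContentInfo of type signedData. The deliver.exe text and the PKCS#7 body (STUB_DER, just the outer ContentInfo around an empty SignedData) are constructed for the example.

```python
import base64
import re

# Thawte's label versus the label "openssl pkcs7" expects (the rename the Perl script performs).
LABEL_MAP = {"PKCS #7 SIGNED DATA": "PKCS7"}
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# DER encoding of the OID id-signedData, 1.2.840.113549.1.7.2
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")

def extract_pem_blocks(text):
    """Return {label: der_bytes} for every PEM block in the delivered file."""
    blocks = {}
    for label, body in PEM_RE.findall(text):
        label = LABEL_MAP.get(label.strip(), label.strip())
        blocks[label] = base64.b64decode("".join(body.split()))
    return blocks

def is_pkcs7_signed_data(der):
    """Check the outer ContentInfo: SEQUENCE { OID id-signedData, [0] SignedData }."""
    if len(der) < 2 or der[0] != 0x30:          # must start with a SEQUENCE tag
        return False
    length_byte = der[1]                         # skip short- or long-form length
    offset = 2 + (length_byte - 0x80 if length_byte & 0x80 else 0)
    return der[offset:offset + len(OID_SIGNED_DATA)] == OID_SIGNED_DATA

def write_pkcs7_pem(der):
    """Re-wrap the DER as a PEM file with the PKCS7 label and 64-char lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PKCS7-----\n" + "\n".join(lines) + "\n-----END PKCS7-----\n"

# Constructed stand-in for deliver.exe. STUB_DER is only the outer ContentInfo
# with an empty SignedData; the real file carries the full certificate bundle.
STUB_DER = bytes.fromhex("300f06092a864886f70d010702a0023000")
SAMPLE_DELIVER = (
    "We deliver your developer cert as a chain, and we deliver it in two formats.\n"
    "-----BEGIN NETSCAPE CERTIFICATE CHAIN-----\n"
    + base64.b64encode(b"constructed, not a real chain").decode()
    + "\n-----END NETSCAPE CERTIFICATE CHAIN-----\n"
    "-----BEGIN PKCS #7 SIGNED DATA-----\n"
    + base64.b64encode(STUB_DER).decode()
    + "\n-----END PKCS #7 SIGNED DATA-----\n"
)

if __name__ == "__main__":
    blocks = extract_pem_blocks(SAMPLE_DELIVER)
    print("signedData ok:", is_pkcs7_signed_data(blocks["PKCS7"]))
    print(write_pkcs7_pem(blocks["PKCS7"]), end="")
```

The PEM written by write_pkcs7_pem can then be turned into plain certificates with openssl pkcs7 -print_certs -in out.pk7.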
