Thawte certificate with own private key: Difference between revisions

From
Jump to navigation Jump to search
No edit summary
m (typo2)
 
(15 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Any certification authority such as Thawte may have the chance to see and store your private key, which is not a the way you prefer. It is assumed a basic understanding of how public key infrastructure with X.509 certificates (for S/MIME e-mail encryption) works.
Any certification authority such as Thawte may have the chance to see and store your private key, which is not a the way you prefer. It is assumed a basic understanding of how public key infrastructure with X.509 certificates (for S/MIME e-mail encryption) works. Actually the private/public key pair is often generated by the web browser and only the public key is sent towards the CA. Nevertheless there are some particular purpurses that you want to have signed a particular keypair e.g. resigning an uncompromized one which has been expired.


If you want to have your name in the Thawte Certificate you have to pass the web of trust procedure to demonstarate that the notaries believe your name to be authentic, not just your e-mail address. [https://www.thawte.com/cgi/personal/wot/contents.exe (See details here.)]
If you want to have your name in the Thawte Certificate you have to pass the web of trust procedure to demonstrate that the notaries believe your name to be authentic, not just your e-mail address. [https://www.thawte.com/cgi/personal/wot/contents.exe (See details here.)]
If you have accumulated enough trustpoints you can start the following procedure from
If you have accumulated enough trustpoints you can start the following procedure from
[http://cuckoo.com/daniel/thawte/openssl_private_key_macosx.phpDaniel Baker <dbaker@cuckoo.com>]:
[http://cuckoo.com/daniel/thawte/openssl_private_key_macosx.phpDaniel Baker <dbaker@cuckoo.com>]:


#'''Generate your private key: openssl genrsa -des3 -out mail.key''' <pre><nowiki>1024wolfm@wolftux:~/thawte>
#'''Generate your private key: <pre>openssl genrsa -aes256 -out mail.key 2048</pre>''' <pre><nowiki>wolfm@wolftux:~/thawte>
openssl genrsa -aes256 -out mail.key 2048
openssl genrsa -aes256 -out mail.key 2048
Generating RSA private key, 2048 bit long modulus
Generating RSA private key, 2048 bit long modulus
Line 16: Line 16:
#*Paste-in CSR Certificate Enrollment '''(Click OK)''', ...
#*Paste-in CSR Certificate Enrollment '''(Click OK)''', ...
#*You'll have to select an e-mail address,
#*You'll have to select an e-mail address,
#*hit OK a few times, accept the default extaensions,
#*hit OK a few times, accept the default extensions,
#*and go all the way through until it gives you a string of numbers and letters. ''(Generate a CSR. Set the CommonName (sometimes called the "Domain Name" by server SSL key management packages) attribute to the following string (case sentitive):)'' '''Copy that into your clipboard.'''
#*and go all the way through until it gives you a string of numbers and letters. ''(Generate a CSR. Set the CommonName (sometimes called the "Domain Name" by server SSL key management packages) attribute to the following string (case sentitive):)'' '''Copy that into your clipboard.'''
#'''Generate a CSR for Thawte and paste your clipboard into the commonname: openssl req -new -key mail.key -out mail.csr'''
#'''Generate a CSR for Thawte and paste your clipboard into the commonname: <pre>openssl req -new -key mail.key -out mail.csr</pre>'''<pre><nowiki>wolfm@wolftux:~/thawte>
<pre><nowiki>wolfm@wolftux:~/thawte>
openssl req -new -key mail.key -out mail.csr
openssl req -new -key mail.key -out mail.csr
Enter pass phrase for mail.key:
Enter pass phrase for mail.key:
Line 34: Line 33:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wolf Mueller
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wolf Mueller
Organizational Unit Name (eg, section) []:Email
Organizational Unit Name (eg, section) []:Email
Common Name (eg, YOUR name) []:aCKVWVD8NWm6w623
Common Name (eg, YOUR name) []:aCKVWVD8NWm6w723
Email Address []:Wolf.Mueller@informatik.hu-berlin.de
Email Address []:Wolf.Mueller@informatik.hu-berlin.de

Please enter the following 'extra' attributes
Please enter the following 'extra' attributes
to be sent with your certificate request
to be sent with your certificate request
A challenge password []:
A challenge password []:
An optional company name []:
An optional company name []:</nowiki></pre>
</nowiki></pre>#'''Open up mail.csr in an editor''', copy it to your clipboard, and paste that into the web browser dialog window that popped up. You should delete the two lines that it has there initially.
#'''Open up mail.csr in an editor''', copy it to your clipboard, and paste that into the web browser dialog window that popped up. You should delete the two lines that it has there initially.
#'''Wait until your personal certificate is issued.''' You get an email from thwate wich contains a link to download the certificate (<nowiki>https://www.thawte.com/cgi/personal/cert/deliver.exe?serial=1111111</nowiki>). Save it as eg. ./deliver.exe. It contains a Certificate chain in Netscapes format and a Certicicate in PKCS7. <pre><nowiki>
We deliver your developer cert as a chain, and we deliver it in
two formats. The first is the Netscape Cert Sequence format, documented
on the Netscape Security Site at http://www.netscape.com/eng/security/.
The next is a degenerate PKCS7 SignedDate, with certificates and possibly
CRL's but no content.
-----BEGIN NETSCAPE CERTIFICATE CHAIN-----
...
-----END NETSCAPE CERTIFICATE CHAIN-----
...
-----BEGIN PKCS #7 SIGNED DATA-----
...
-----END PKCS #7 SIGNED DATA-----</nowiki></pre>
#'''We have now to extract the PKCS7''' for the furter use with openssl. You can either use an editor to snap aut the lines form <nowiki>-----BEGIN PKCS #7 SIGNED DATA-----</nowiki> to <nowiki>-----END PKCS #7 SIGNED DATA-----</nowiki> and replace the first and last line by <nowiki>-----BEGIN PKCS7-----</nowiki> and <nowiki>-----END PKCS7-----</nowiki> or use perl for this task:
#*from comand line <pre><nowiki>
perl -ne 'if (/-----BEGIN PKCS/ ... /-----END PKCS/)
{s/-----([A-Z ].*PKC).*/-----$1S7-----/g;if ( m/.+/ )
{ print $_;}}' < deliver.exe > mail.pk7</nowiki></pre>
#*'''or''' using perl script in a file <pre><nowiki>
#!/usr/bin/perl -n
# extract_pkcs7.pl
# usage: extract_pkcs7.pl < input > out.pk7

if (/-----BEGIN PKCS/ ... /-----END PKCS/) { # extract PKCS7 only
s/-----([A-Z ].*PKC).*/-----$1S7-----/g; # name it PKCS7
if ( m/.+/ ) { print $_;}
}</nowiki></pre>
#'''Export the certificates from Thawte (public key): in PEM-Format (for presenting it on your webpage)<pre><nowiki>openssl pkcs7 -print_certs -in mail.pk7 -outform DER -out mail.der</nowiki></pre>'''
#'''Create the PKCS#12''' for signing E-Mail or PDF-Documents'''<pre><nowiki>openssl pkcs12 -export -inkey mail.key -in mail.der -out mail.p12</nowiki></pre>'''<pre><nowiki>
wolfm@wolftux:~/thawte>
openssl pkcs12 -export -inkey mail.key -in mail.der -out mail.p12
Enter pass phrase for mail.key:
Enter Export Password:
Verifying - Enter Export Password:
</nowiki></pre>
#'''Rename mail.p12 to a more intuitive name e.g. Wolf.Mueller_inf_2005_12.p12 and store it on a save place.''' Even if the certificate expires it is needed to decrypt E-mail you got entcrypted with the public key. Now you can import the p12 to the E-mail clients you want to use (Thunderbird, Evolution, Outlook) or even use it in Acrobat.
#'''Cleaning up:''' Remove savely the sensitive files which contain the private key (*.p12, *.key)'''<pre><nowiki>shred -u mail.{key,p12}</nowiki></pre>'''<pre><nowiki>
wolfm@wolftux:~/thawte> ls -l
total 40
-rw-r--r-- 1 wolfm users 7249 2005-12-01 12:47 deliver.exe
-rwxr-xr-x 1 wolfm users 181 2005-12-01 13:35 filter.pl
-rw-r--r-- 1 wolfm users 1090 2005-12-01 10:12 mail.csr
-rw-r--r-- 1 wolfm users 4255 2005-12-01 14:39 mail.der
-rw-r--r-- 1 wolfm users 1766 2005-12-01 09:30 mail.key
-rw-r--r-- 1 wolfm users 4125 2005-12-01 14:42 mail.p12
-rw-r--r-- 1 wolfm users 3449 2005-12-01 14:22 mail.pk7

wolfm@wolftux:~/thawte> shred -u mail.{key,p12}

wolfm@wolftux:~/thawte> ls -l
total 28
-rw-r--r-- 1 wolfm users 7249 2005-12-01 12:47 deliver.exe
-rwxr-xr-x 1 wolfm users 181 2005-12-01 13:35 filter.pl
-rw-r--r-- 1 wolfm users 1090 2005-12-01 10:12 mail.csr
-rw-r--r-- 1 wolfm users 4255 2005-12-01 14:39 mail.der
-rw-r--r-- 1 wolfm users 3449 2005-12-01 14:22 mail.pk7
</nowiki></pre>
#'''All is done.'''
--[[User:Wolfm|WM]] 12:59, 13 December 2006 (CET)

Latest revision as of 10:06, 15 March 2007

Any certification authority such as Thawte may have the chance to see and store your private key, which is not a the way you prefer. It is assumed a basic understanding of how public key infrastructure with X.509 certificates (for S/MIME e-mail encryption) works. Actually the private/public key pair is often generated by the web browser and only the public key is sent towards the CA. Nevertheless there are some particular purpurses that you want to have signed a particular keypair e.g. resigning an uncompromized one which has been expired.

If you want to have your name in the Thawte Certificate you have to pass the web of trust procedure to demonstrate that the notaries believe your name to be authentic, not just your e-mail address. (See details here.) If you have accumulated enough trustpoints you can start the following procedure from Baker <dbaker@cuckoo.com>:

  1. Generate your private key:
    openssl genrsa -aes256 -out mail.key 2048
    wolfm@wolftux:~/thawte>

openssl genrsa -aes256 -out mail.key 2048 Generating RSA private key, 2048 bit long modulus .......+++ ...+++ e is 65537 (0x10001) Enter pass phrase for mail.key: ***your secret pass phrase***

Verifying - Enter pass phrase for mail.key: ***your secret pass phrase***

  1. Login to Thawte > Personal E-mail Certificates > certificates, request a new certificate by clicking "test."
    Above the test button it a label saying "Developers of New Security Applications ONLY."
    • Paste-in CSR Certificate Enrollment (Click OK), ...
    • You'll have to select an e-mail address,
    • hit OK a few times, accept the default extensions,
    • and go all the way through until it gives you a string of numbers and letters. (Generate a CSR. Set the CommonName (sometimes called the "Domain Name" by server SSL key management packages) attribute to the following string (case sentitive):) Copy that into your clipboard.
  2. Generate a CSR for Thawte and paste your clipboard into the commonname:
    openssl req -new -key mail.key -out mail.csr
    wolfm@wolftux:~/thawte>

openssl req -new -key mail.key -out mail.csr Enter pass phrase for mail.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:Berlin Locality Name (eg, city) []:Berlin Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wolf Mueller Organizational Unit Name (eg, section) []:Email Common Name (eg, YOUR name) []:aCKVWVD8NWm6w723 Email Address []:Wolf.Mueller@informatik.hu-berlin.de Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:

An optional company name []:

  1. Open up mail.csr in an editor, copy it to your clipboard, and paste that into the web browser dialog window that popped up. You should delete the two lines that it has there initially.
  2. Wait until your personal certificate is issued. You get an email from thwate wich contains a link to download the certificate (https://www.thawte.com/cgi/personal/cert/deliver.exe?serial=1111111). Save it as eg. ./deliver.exe. It contains a Certificate chain in Netscapes format and a Certicicate in PKCS7.

We deliver your developer cert as a chain, and we deliver it in two formats. The first is the Netscape Cert Sequence format, documented on the Netscape Security Site at http://www.netscape.com/eng/security/. The next is a degenerate PKCS7 SignedDate, with certificates and possibly CRL's but no content. -----BEGIN NETSCAPE CERTIFICATE CHAIN----- ... -----END NETSCAPE CERTIFICATE CHAIN----- ... -----BEGIN PKCS #7 SIGNED DATA----- ... -----END PKCS #7 SIGNED DATA-----

  1. We have now to extract the PKCS7 for the furter use with openssl. You can either use an editor to snap aut the lines form -----BEGIN PKCS #7 SIGNED DATA----- to -----END PKCS #7 SIGNED DATA----- and replace the first and last line by -----BEGIN PKCS7----- and -----END PKCS7----- or use perl for this task:
    • from comand line

perl -ne 'if (/-----BEGIN PKCS/ ... /-----END PKCS/)

        {s/-----([A-Z ].*PKC).*/-----$1S7-----/g;if ( m/.+/ ) 

{ print $_;}}' < deliver.exe > mail.pk7

    • or using perl script in a file
  1. !/usr/bin/perl -n
  2. extract_pkcs7.pl
  3. usage: extract_pkcs7.pl < input > out.pk7

if (/-----BEGIN PKCS/ ... /-----END PKCS/) { # extract PKCS7 only

   s/-----([A-Z ].*PKC).*/-----$1S7-----/g; # name it PKCS7
   if ( m/.+/ ) { print $_;}

}

  1. Export the certificates from Thawte (public key): in PEM-Format (for presenting it on your webpage)
    openssl pkcs7 -print_certs -in mail.pk7 -outform DER -out mail.der
  2. Create the PKCS#12 for signing E-Mail or PDF-Documents
    openssl pkcs12 -export -inkey mail.key -in mail.der -out mail.p12

wolfm@wolftux:~/thawte> openssl pkcs12 -export -inkey mail.key -in mail.der -out mail.p12 Enter pass phrase for mail.key: Enter Export Password: Verifying - Enter Export Password:

  1. Rename mail.p12 to a more intuitive name e.g. Wolf.Mueller_inf_2005_12.p12 and store it on a save place. Even if the certificate expires it is needed to decrypt E-mail you got entcrypted with the public key. Now you can import the p12 to the E-mail clients you want to use (Thunderbird, Evolution, Outlook) or even use it in Acrobat.
  2. Cleaning up: Remove savely the sensitive files which contain the private key (*.p12, *.key)
    shred -u mail.{key,p12}

wolfm@wolftux:~/thawte> ls -l total 40 -rw-r--r-- 1 wolfm users 7249 2005-12-01 12:47 deliver.exe -rwxr-xr-x 1 wolfm users 181 2005-12-01 13:35 filter.pl -rw-r--r-- 1 wolfm users 1090 2005-12-01 10:12 mail.csr -rw-r--r-- 1 wolfm users 4255 2005-12-01 14:39 mail.der -rw-r--r-- 1 wolfm users 1766 2005-12-01 09:30 mail.key -rw-r--r-- 1 wolfm users 4125 2005-12-01 14:42 mail.p12 -rw-r--r-- 1 wolfm users 3449 2005-12-01 14:22 mail.pk7

wolfm@wolftux:~/thawte> shred -u mail.{key,p12}

wolfm@wolftux:~/thawte> ls -l total 28 -rw-r--r-- 1 wolfm users 7249 2005-12-01 12:47 deliver.exe -rwxr-xr-x 1 wolfm users 181 2005-12-01 13:35 filter.pl -rw-r--r-- 1 wolfm users 1090 2005-12-01 10:12 mail.csr -rw-r--r-- 1 wolfm users 4255 2005-12-01 14:39 mail.der -rw-r--r-- 1 wolfm users 3449 2005-12-01 14:22 mail.pk7

  1. All is done.

--WM 12:59, 13 December 2006 (CET)