Thawte certificate with own private key

Revision as of 09:43, 1 December 2005 by Wolfm (talk | contribs)

Any certification authority, Thawte included, may get the chance to see and store your private key if it generates that key for you, which may not be what you prefer. This page assumes a basic understanding of how a public key infrastructure with X.509 certificates (here for S/MIME e-mail encryption) works.

If you want to have your name in the Thawte certificate, you have to pass the web of trust procedure to demonstrate that the notaries believe your name to be authentic, not just your e-mail address. (See details here.) Once you have accumulated enough trust points, you can start the following procedure from Baker <dbaker@cuckoo.com>:

  1. Generate your private key: openssl genrsa -des3 -out mail.key 1024

    wolfm@wolftux:~/thawte> openssl genrsa -aes256 -out mail.key 2048
    Generating RSA private key, 2048 bit long modulus
    .......+++
    ...+++
    e is 65537 (0x10001)
    Enter pass phrase for mail.key: ***your secret pass phrase***
    Verifying - Enter pass phrase for mail.key: ***your secret pass phrase***

  2. Log in to Thawte > Personal E-mail Certificates > certificates, and request a new certificate by clicking "test."
    Above the test button is a label saying "Developers of New Security Applications ONLY."
    • Paste-in CSR Certificate Enrollment (click OK), ...
    • You'll have to select an e-mail address,
    • hit OK a few times, accept the default extensions,
    • and go all the way through until it gives you a string of numbers and letters. (Generate a CSR. Set the CommonName (sometimes called the "Domain Name" by server SSL key management packages) attribute to the following string (case sensitive):) Copy that string into your clipboard.
  3. Generate a CSR for Thawte and paste your clipboard into the Common Name: openssl req -new -key mail.key -out mail.csr

    wolfm@wolftux:~/thawte> openssl req -new -key mail.key -out mail.csr
    Enter pass phrase for mail.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:DE
    State or Province Name (full name) [Some-State]:Berlin
    Locality Name (eg, city) []:Berlin
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wolf Mueller
    Organizational Unit Name (eg, section) []:Email
    Common Name (eg, YOUR name) []:aCKVWVD8NWm6w723
    Email Address []:Wolf.Mueller@informatik.hu-berlin.de

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  4. Open mail.csr in an editor, copy its contents to your clipboard, and paste that into the web browser dialog window that popped up. Delete the two lines that the dialog already contains.
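The same key and CSR generation as above, done non-interactively and followed by the two checks worth doing before pasting: that the Common Name in the CSR is exactly the string Thawte displayed, and that the CSR's public key belongs to the private key that stays on your machine. This is an added example, not the page's own script and not a Thawte tool; the DN values, the passphrase environment variable and the output directory argument are assumptions, and the challenge string used in the usage call is the page's example value, which Thawte issues fresh per request.

```shell
#!/bin/sh
# Added example: local key + CSR for a "paste-in CSR" enrollment.
# The private key is created here and never leaves the machine; only
# the CSR (public key + DN, self-signed) is sent to the CA.
set -e

# make_thawte_csr CHALLENGE_STRING EMAIL [OUTDIR]
#   CHALLENGE_STRING: the case-sensitive string Thawte told you to put in the CN
#   EMAIL:            the address selected during enrollment
#   OUTDIR:           where mail.key / mail.csr are written (default: .)
#   Passphrase is read from THAWTE_KEY_PASS (assumed name; default is a placeholder).
make_thawte_csr() {
    cn="$1"; email="$2"; dir="${3:-.}"
    pass="${THAWTE_KEY_PASS:-changeme-placeholder}"

    # Same as step 1 of the page: 2048-bit RSA key, AES-256 encrypted at rest.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/mail.key" 2048 2>/dev/null
    chmod 600 "$dir/mail.key"

    # Same as step 3, with the DN supplied via -subj instead of the prompts.
    # DN values are constructed placeholders; CN carries the challenge string.
    openssl req -new -key "$dir/mail.key" -passin "pass:$pass" \
        -subj "/C=DE/ST=Berlin/L=Berlin/O=Example Person/OU=Email/CN=$cn/emailAddress=$email" \
        -out "$dir/mail.csr" 2>/dev/null
}

# csr_common_name CSR_FILE
#   Prints the CN from the CSR so it can be compared with the string Thawte asked for.
#   Handles both "CN = x," (OpenSSL 1.1+) and "/CN=x/" (OpenSSL 1.0) subject formats.
csr_common_name() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_matches_key KEY_FILE CSR_FILE PASSPHRASE
#   Succeeds only if the CSR's self-signature verifies and its public key is
#   the one derived from the local private key.
csr_matches_key() {
    openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$1" -passin "pass:$3" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Usage (run only when executed directly, not when sourced):
if [ "${0##*/}" = "make_thawte_csr.sh" ]; then
    export THAWTE_KEY_PASS="${THAWTE_KEY_PASS:-changeme-placeholder}"
    make_thawte_csr "aCKVWVD8NWm6w723" "user@example.org" "."
    echo "CN in CSR: $(csr_common_name ./mail.csr)"
    csr_matches_key ./mail.key ./mail.csr "$THAWTE_KEY_PASS" && echo "CSR matches local key"
    cat ./mail.csr   # this PEM block is what gets pasted into the browser dialog
fi
```

If `csr_common_name` prints anything other than the string Thawte displayed (a stray space or a wrong case is enough), regenerate the CSR rather than editing it by hand, since the request is signed over the DN; and keep mail.key with mode 600, because the CA only ever needs mail.csr.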