[kman42]

I just got my first Thawte certificate for my .mac email account. I use this account from my desktop and my portable. Is there an easy way to transfer the certificate to my other computer so that it is available on both?

thanks,
kman

[Big Mac]

Theoretically you're supposed to be able to download new certificates at will. I've been having significant problems with getting Thawte certs working after trying multiple browsers. I was able to successfully obtain my cert by using Safari ONCE, but subsequent attempts just haven't worked. If it works the way it's supposed to, though, you should just be able to download the cert from any machine you wish. I'm speaking about the free certs provided by Thawte Community, for reference.

[kman42]

So I just tried to 'Fetch' my cert with my portable using the latest version of Safari on 10.3.2. It downloaded to my Keychain, but Mail doesn't seem to recognize it. Is this the same problem your having?

The initial download to my desktop seemed to work the same way and it functions fine. I did notice that the email they sent me says you have to download it using the same computer. Hmmmm....

kman

[kman42]

I found the following in the Thawte FAQs. Perhaps you have to export the cert from the Keychain on one machine and import it to the other. I'll have to wait until I get home to try this.



Can I move my certificate key pair to another machine?
If you want to use your certificate on another machine, as long as it uses the same email address, you can simply use the export/import function in your browser to do this.



Netscape:
To export:
Security > under Certificates > Yours > select the certificate > Export. You can export the private key separately which you will find on your hard drive in the file format, key3.db.


To import: Security > under Certificates > Yours > Import > select the exported certificate file.


Internet Explorer:
To export:
Tools > Internet Options > Content > Certificates > select certificate > Export > follow the steps in the wizard, and make sure you export the private key.


To import:
Tools > Internet Options > Content > Certificates > Import > select exported certificate file.









kman

[wataru]

I used Firefox. I had significant trouble for a while (I'd fetch it, but nothing would happen), but the cert magically appeared in Firefox's certificates list and I was able to export it to a file. If you can get this file then just move it to another machine and open it. It will automatically be added to the keychain. To get it in a browser that doesn't use the keychain you will probably have to import it from within the browser.

[kman42]

Originally posted by wataru:
I used Firefox. I had significant trouble for a while (I'd fetch it, but nothing would happen), but the cert magically appeared in Firefox's certificates list and I was able to export it to a file. If you can get this file then just move it to another machine and open it. It will automatically be added to the keychain. To get it in a browser that doesn't use the keychain you will probably have to import it from within the browser.

Yep. I can confirm that Firefox worked great for this. Here's another link to a tutorial. I hope more people will consider getting certificates so we can all give a big finger to John Aschroft (no, I don't really think the NSA can't read my encrypted email).

http://www.joar.com/certificates/body.html

kman

[besson3c]

What is the difference between a Thawte personal certificate, an SSL certficiate for incoming (IMAP) mail, and an SSL certificate for outgoing (SMTP) mail? I'm currently using self-signed certs for my email, but I'd like to price my options for obtaining commercial SSL certs that won't make mail clients complain.

As far as I can see, Thawte personal certificates are a way a encrypting the email contents, but not the communication channel?

[krove]

Well, I guess I am a little late to this game, but better now than never.

Anyways, I used Safari to sign up for my free Thawte email certificate on my iBook. Now, I have been trying to re-download the issued certificates on another computer that I also use to check and send email, but have been unsuccessful at getting Mail to recognize the certificates that are clearly present on the second computer in Keychain Access.

What gives?

I tried using Firefox to download them, but they do not appear in the Personal Certificates list as others have stated. Safari seems to work, but Mail doesn't recognize the certificates.

Any thoughts?

[Big Mac]

Originally posted by krove:
Well, I guess I am a little late to this game, but better now than never.

Anyways, I used Safari to sign up for my free Thawte email certificate on my iBook. Now, I have been trying to re-download the issued certificates on another computer that I also use to check and send email, but have been unsuccessful at getting Mail to recognize the certificates that are clearly present on the second computer in Keychain Access.

What gives?

I tried using Firefox to download them, but they do not appear in the Personal Certificates list as others have stated. Safari seems to work, but Mail doesn't recognize the certificates.

Any thoughts?

Yeah, just about the same thing happened to me. It worked properly the first time I tried it through Safari, but when I tried subsequent certificates they would fail to transfer completely to the Keychain. Neither Mozilla nor Firefox succeeded where Safari had failed.

[Mojo-ike]

the observant will notice the fine print that indicates that you can only download the certificates using:
1. the EXACT browser that you used to sign up for the certificate
2. on the EXACT machine that you used
3. with the EXACT account that you used

so, if any of those have changed, you are out of luck to download the certificate from thawte ever again. if you have applied an apple update and safari has been updated.. its all over. if you are trying to download it from work when you requested it from home.. give it up.

for all those that have not started using certificates i completely whole-heartedly suggest that you do so. it is the way that things should be.

at the same time, i would suggest you use a mozilla browser (firefox or seamonkey) to go through the certificate application process with thawte, as you can export the certs - unlike keychain access (though i think that 10.4 will be better about this).

keep in mind that you would be required to keep around THAT version of the browser if you ever wanted to get it from thawte again. better zip up the browser for archival purposes. or, better yet, export the certs when you get them (remember the export password) and back it up somewhere so you can get at the files whenever you want from whatever machine you want, etc.

i use thawte for my email certs. i even went throught the motions of becoming a wot authority because i believe so much in security. but, as a company, they are kinda a pain in the ass. i dont believe that security should be dificult. its a shame that its so complicated.

comodo is also offering email certificates for free. but it requires windows internet exploder to get - though they say they are working on other browser support. other than that, they are infinitely easier to get than thawte:
http://www.instantssl.com/ssl-certif...rtificate.html



besson3c:
yes, email certs are different than server certs. email certs will work with any email application (that can use them, eg: apple mail.app, thunderbird, the outlooks) on any platform (eg: mac, windows, solaris). they can even be used to authenticate to web services (like web servers or email smtp gateways).

server certs can be used to secure web page connections (https), email application connections (simap or spop3), and mail server to mail server communication (smtp_tls).

where email certs are used to encrypt the actual email, server certs are used to encrypt the traffic between two points.

i use the previously mentioned instantssl certs (they are really comodo certificates) to secure the imap server, the web server, and smtp server to server communication (if the other servers also have that ability) under 10.3 server. it all works like a charm. $50 a year is the cheapest i have found. like most any other certificate authorities, they are willing to give you a free one month trial cert to test it all out.

at the same time, the only time that i have found that self-signing doesnt work is the sever-to-server smtp. though apple mail and thunderbird complain, self signing works.

[AppleOptionFour]

Related question:

If I request a new cert, will the old cert still be valid?

That is can I have 2 certs for the same email, using one at home and one at work?

Thanks,

Erik


PS: If not ill just use the Firefox method. w00t to signed mail.

[kman42]

What's up with the certificate generator in Tiger? Is it still present? I thought I remember hearing they added one to Keychain.

[AppleOptionFour]

Originally Posted by AppleOptionFour

Related question:
If I request a new cert, will the old cert still be valid?
That is can I have 2 certs for the same email, using one at home and one at work?
Thanks,
Erik
PS: If not ill just use the Firefox method. w00t to signed mail.

Firefox method worked. You have to use Firefox to request it though also.

[krove]

Originally Posted by kman42

What's up with the certificate generator in Tiger? Is it still present? I thought I remember hearing they added one to Keychain.

Supposedly, there is a certificate assistant to aid in such matters. I'm hoping that I'll be able to transfer my Thawte certificates, which I downloaded/requested with safari, to another computer that I also use to access several email accounts.

Come Friday, I guess we'll know the answer.

[CatOne]

Originally Posted by kman42

I just got my first Thawte certificate for my .mac email account. I use this account from my desktop and my portable. Is there an easy way to transfer the certificate to my other computer so that it is available on both?

thanks,
kman

With Tiger, this will be very easy.

1) Set .Mac sync services to synchronize your keychain between machines.
2) There is no step 2. You're done.

[milhous]

here's an updated link to getting the e-mail certificates:

http://www.thawte.com/email/index.html

i'm definitely going to look into this after i've upgraded to tiger.

[krove]

Well, has anyone been able to get their mail certificates to correctly sync across multiple computers with the .Mac sync?

You can export them from Keychain Access (the keys, certificates, etc), but I have not yet tried to import my certificates on the other computer. Still, I'm wondering how this keychain syncing is supposed to work?