This HOWTO will allow you to generate your own key and CSR using OpenSSL on MacOS. Doing so, you can receive a signed Thawte Freemail certificate that can be imported into Mac OS X's Mail.app. The result is that you will be able to send and receive signed and encrypted e-mail.
With Thawte's web-based generation on Safari, they hold the private key. As a result, Thawte (or anyone compromising their security) could generate signed and/or encrypted e-mail using your known certificate. Also, they can read any mail encrypted to you.
With my method, you are the only holder of the private key.
Yep. But they still couldn't read mail sent encrypted to you using your self-generated private key.
panda:/Users/dbaker/thawte% openssl genrsa -des3 -out mail.key 1024
Generating RSA private key, 1024 bit long modulus
...................++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase for mail.key: (this is your secret pass phrase)
Verifying - Enter pass phrase for mail.key: (this is your secret pass phrase)
panda:/Users/dbaker/thawte%
Log in to Thawte and request a new certificate by clicking "test." The test button should have a label above it that says, "Developers of New Security Applications ONLY." You'll have to select an e-mail address, hit OK a few times, accept the default extensions, and go all the way through until it gives you a string of numbers and letters. Copy that into your clipboard.
panda:/Users/dbaker/thawte% openssl req -new -key mail.key -out mail.csr
Enter pass phrase for mail.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daniel Baker
Organizational Unit Name (eg, section) []:Email
Common Name (eg, YOUR name) []:nzp35P6YvXXu6943
Email Address []:dbaker@cuckoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
panda:/Users/dbaker/thawte%
Open up mail.csr in an editor, copy it to your clipboard, and paste that into the web browser dialog window that popped up. You should delete the two lines that it has there initially.
Wait for the key to be generated and then save your deliver.exe (or whatever the filename is called) to your working directory. Save a backup: cp deliver.exe deliver.bak
Open up deliver.exe in an editor and make the following changes:
Verify that your deliver.exe file looks like this:
-----BEGIN PKCS7-----
MIIJmQYJKoZIhvcNAQcCoIIJijCCCYYCAQExADALBgkqhkiG9w0BBwGgggluMIIC
9jCCAl+gAwIB
AgIDDB8KMA0GCSqGSIb3DQEBBAUAMGIxCzAJBgNVBAYTAlpBMSU
wIwYDVQQKExxUaGF3dGUgQ29u
(about 95 lines of this)
TA4MjBaFw0wNTA0MTMxOTA4MjBaMGoxDjAMBgNVBAQTBUJha2Vy
-----END PKCS7-----
Export the certificates from Thawte: openssl pkcs7 -print_certs -in deliver.exe > deliver.certs
panda:/Users/dbaker/thawte% openssl pkcs7 -print_certs -in deliver.exe>deliver.certs
panda:/Users/dbaker/thawte%
Create the PKCS#12 file for Mac OS's Keychain: openssl pkcs12 -export -inkey mail.key -in deliver.certs -out mail.p12
panda:/Users/dbaker/thawte% openssl pkcs12 -export -inkey mail.key -in deliver.certs -out mail.p12
Enter Export Password:
Verifying - Enter Export Password:
panda:/Users/dbaker/thawte%
Import your key for use: open mail.p12
Rename your private key in Keychain so you don't forget what it is later.
All done!
To test: Send a signed and encrypted message using Mail.app
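The same four OpenSSL steps, run unattended and with the consistency checks worth doing before anything is imported into Keychain. This is an added example, not the HOWTO's own commands: it assumes openssl on the PATH, uses a constructed placeholder for the Thawte-issued Common Name, and includes a constructed stand-in for the Thawte download so it can run end to end offline.

```shell
#!/bin/sh
# Added example, not the HOWTO's own code: the page's OpenSSL steps run
# non-interactively, plus the consistency checks worth doing before anything
# goes into Keychain. Assumes openssl on PATH. Passphrases are on the command
# line only because this runs unattended; 2048-bit RSA replaces the page's 1024.
set -eu

# Steps 1 and 2: encrypted private key, then the CSR. The CN must be the string
# Thawte's "test" page hands out; here it is a constructed placeholder.
make_key_and_csr() {
    dir=$1; pass=$2; cn=$3; mail=$4
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/mail.key" 2048 2>/dev/null
    openssl req -new -key "$dir/mail.key" -passin "pass:$pass" -out "$dir/mail.csr" \
        -subj "/C=US/ST=Texas/L=Austin/O=Example/OU=Email/CN=$cn/emailAddress=$mail"
    # The CSR carries a self-signature; a bad one means a damaged file.
    openssl req -in "$dir/mail.csr" -noout -verify >/dev/null 2>&1
}

# Exit 0 when the public key in a CSR ("req") or certificate ("x509")
# is the one belonging to the encrypted private key.
pubkey_matches_key() {
    kind=$1; file=$2; key=$3; pass=$4
    a=$(openssl "$kind" -in "$file" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
    b=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout -outform DER | openssl sha256)
    [ "$a" = "$b" ]
}

# Steps 3 and 4: unpack the PKCS#7 chain, bundle key and certificates into
# PKCS#12 (pkcs12 -export fails if no certificate matches the key), then read
# the bundle back and confirm the certificate paired with the key is ours.
build_p12() {
    dir=$1; pass=$2
    openssl pkcs7 -print_certs -in "$dir/deliver.exe" > "$dir/deliver.certs"
    openssl pkcs12 -export -inkey "$dir/mail.key" -passin "pass:$pass" \
        -in "$dir/deliver.certs" -out "$dir/mail.p12" -passout "pass:$pass"
    openssl pkcs12 -in "$dir/mail.p12" -passin "pass:$pass" -nokeys -clcerts \
        > "$dir/leaf.pem" 2>/dev/null
    pubkey_matches_key x509 "$dir/leaf.pem" "$dir/mail.key" "$pass"
}

# Offline stand-in for Thawte, constructed so the script can run end to end:
# self-sign the CSR and wrap the result as PKCS#7, the form deliver.exe takes.
# A real run skips this and saves the file Thawte delivers.
fake_issue() {
    dir=$1; pass=$2
    openssl x509 -req -in "$dir/mail.csr" -signkey "$dir/mail.key" \
        -passin "pass:$pass" -days 30 -out "$dir/mail.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$dir/mail.crt" -out "$dir/deliver.exe"
}
```

A real run calls make_key_and_csr, pastes mail.csr into Thawte's form, saves the download as deliver.exe, then calls build_p12 and opens mail.p12.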
© 1993-2010 Daniel Baker. All Rights Reserved.