
Getting Thawte cert


Paul Kinzelman

Jul 4, 2008, 4:30:16 PM
I'm trying to get an email cert from Thawte. I've registered, but
when I "Fetch" it, all I get is a mycert.spc file, and everything
else seems to need a P12 file.

I found a tool pvkimprt which seems to take in a SPC and PVK file,
but all I seem to get from Thawte fetch is a SPC file, no PVK file.
I even turned off the Download Status bar, but all I get is one file.

Is there anyplace that has a comprehensive how-to to get S/MIME
working?

TIA!

Paul Kinzelman

Jul 4, 2008, 4:57:11 PM
I also found help someplace on Thawte saying that you can get it
out of IE, so I tried that ...
I right-clicked the SPC file and went thru the import wizard,
but I have no idea where it imported it to, maybe IE?

But under IE, I go to Tools | Internet Options | Content | Certificates
but under "Personal" there's nothing.

Under Firefox 2.0.0.15, under Tools | Options | Content | View
Certificates | Your Certificate
I've got nothing. Actually I've got a Root CA (and I have no idea
how I succeeded in that one), but nothing from Thawte.

Bob Henson

Jul 5, 2008, 4:40:02 AM
Paul Kinzelman wrote:

From your second message, I assume you're using IE to fetch the
certificate? If you're using IE7 and Vista there is no easy way to
import a certificate (there's a long complicated message somewhere in
the Thawte knowledge base explaining how you can do it). If that were the
problem, you'd have got a "424 Object required" VBscript error, which
you would probably have mentioned - so maybe that's not your combination
of clients. Even with XP it may be tricky with IE7 (a question of
setting the website to trusted and then letting scripts run?). XP and
IE6 works fine, and having got the certificate, you can export it from
Windows on the path you mentioned, and then import it into Thunderbird.

Why Thawte haven't updated their site yet is a mystery. Getting a cert
from CA

http://www.cacert.org/

is similarly difficult with Vista and IE7, and you don't even get the
error message - just a failure and no clues (it is the same problem). I
had to get my certificate from CA using Firefox 3, export it to disk,
and then import it into Windows to use it with IE7. It's easy to import
the same certificate into Thunderbird.

There must be an easier way than this, but it's the only one I could
find with my level of technical competence (not high!)

Regards,

Bob


--
Remove "x" from address to e-mail

Chris Ilias

Jul 5, 2008, 3:33:01 PM
On 7/4/08 4:30 PM, _Paul Kinzelman_ spoke thusly:

When you go to the Certificate Summary page, it should say
"Certificate Type: Navigator".

And use Firefox when fetching the cert. When you click on "Fetch" you
should not be prompted for any file type, but get a message saying the
cert was imported to Firefox.

1. After that, go to Tools-->Options-->Advanced-->Encryption, and click
on "View Certificates".
2. Select the tab called "Your Certificates".
3. Your Thawte cert should be listed. Select it.
4. Click the [Backup...] button.
That is when you can create your PKCS12 (.p12) file.
--
Chris Ilias <http://ilias.ca>
List-owner: support-firefox, support-thunderbird, test-multimedia

Paul Kinzelman

Jul 5, 2008, 9:27:21 PM

> 1. After that, go to Tools-->Options-->Advanced-->Encryption, and click
> on "View Certificates".
> 2. Select the tab called "Your Certificates".
> 3. Your Thawte cert should be listed. Select it.

That's precisely the problem. I see *no* certificates there
after doing endless fetches from Thawte using Firefox 2.0.0.15
All I seem to get out of a fetch is only a SPC file. Nothing else.
But the literature suggests I should also get a PVK file or
something to go with it.

> 4. Click the [Backup...] button.
> That is when you can create your PKCS12 (.p12) file.

Re: the other answer...
I was using Firefox. I used IE7 only because one of the things I found
while googling was to use the M$ tool and IE7. I try to avoid IE as
much as possible.

Chris Ilias

Jul 5, 2008, 11:07:47 PM
On 7/5/08 9:27 PM, _Paul Kinzelman_ spoke thusly:

>
>> 1. After that, go to Tools-->Options-->Advanced-->Encryption, and
>> click on "View Certificates".
>> 2. Select the tab called "Your Certificates".
>> 3. Your Thawte cert should be listed. Select it.
>
> That's precisely the problem. I see *no* certificates there
> after doing endless fetches from Thawte using Firefox 2.0.0.15
> All I seem to get out of a fetch is only a SPC file. Nothing else.
> But the literature suggests I should also get a PVK file or
> something to go with it.

Are you sure the certificate you created was a Navigator type?
See <http://ilias.ca/screenshots/certtype-nav.png>

Paul Kinzelman

Jul 6, 2008, 1:01:01 AM
> Are you sure the certificate you created was a Navigator type?
> See <http://ilias.ca/screenshots/certtype-nav.png>

Yes, I just checked to make sure, and it is. Actually I got
one, couldn't get it installed, revoked it, and got another,
same problem. Navigator should work for Firefox, right?

Paul Kinzelman

Jul 6, 2008, 9:16:30 PM
As NA suggested, the problem is probably a FF one, so I'll post
here and be very specific about my steps.

Apparently when I fetch the
cert from thawte, it's not actually getting into Firefox.

I read all the documentation pointed to me by NA, and found that
apparently I have to set a master password (I had none set) to
get the cert to work, so I set one.
However that seems to have not changed anything.

So this is what I do:

I start up FFox 2.0.0.15, it asks me for Master Password (because of
sameplace add-on) so I give it.

I browse to thawte.com
I select Products | Free email Certificate
I login using my thawte email and pswd
I click on certificates | view certificate status and see...
Type: Status: Date:
Navigator: issued Thu, 19 June, 2008, etc.
(I created this cert using the same Firefox - no, I take that
back, I think it was 2.0.0.14, could that be the problem because
I'm running 2.0.0.15 now?)

I click on "Navigator:", then down at the bottom of the page
that comes up, I click on the 'fetch' button.
It downloads a 'mycert.spc' file using the Download Statusbar add-on,
and it downloads just mycert.spc and that's it. Nothing else.
When I click on:
Tools | Options | Advanced | Encryption | View Certificates | Your
Certificate
all I see is one "CAcert WoT User", there is no Thawte
certificate listed.

What am I missing? Could there be some other profile setting
that's preventing the cert from being put into the vault?

I also have the Enigmail add-on, could that be colliding?

TIA!

NA

Jul 6, 2008, 9:55:37 PM
On 7/6/2008 9:16 PM EDT, Paul Kinzelman wrote:
> As NA suggested, the problem is probably a FF one, so I'll post

Not likely a problem with FF...

> here and be very specific about my steps.
>
> Apparently when I fetch the
> cert from thawte, it's not actually getting into Firefox.
>
> I read all the documentation pointed to me by NA, and found that
> apparently I have to set a master password (I had none set) to
> get the cert to work, so I set one.
> However that seems to have not changed anything.
>
> So this is what I do:
>
> I start up FFox 2.0.0.15, it asks me for Master Password (because of
> sameplace add-on) so I give it.
>
> I browse to thawte.com
> I select Products | Free email Certificate
> I login using my thawte email and pswd
> I click on certificates | view certificate status and see...
> Type: Status: Date:
> Navigator: issued Thu, 19 June, 2008, etc.
> (I created this cert using the same Firefox - no, I take that
> back, I think it was 2.0.0.14, could that be the problem because
> I'm running 2.0.0.15 now?)

Again, see http://kb.mozillazine.org/Getting_an_SMIME_certificate
under paragraph 'To obtain certificate from an authority' in bold text...

Start over, try requesting and fetching a new certificate with the same
browser on the same computer. BTW, you never describe the steps you
used to generate the certificate--what options you selected when you
made the certificate request. May or may not be an issue but it might
offer additional insight as to what you're doing or not doing.

>
> I click on "Navigator:", then down at the bottom of the page
> that comes up, I click on the 'fetch' button.
> It downloads a 'mycert.spc' file using the Download Statusbar add-on,
> and it downloads just mycert.spc and that's it. Nothing else.

Try disabling the 'Download Statusbar' add-on as this might be
interfering with the fetch process that automatically installs the
certificate into FF. Also, please note the 'Fetch and Install
Certificate' paragraph that's above the Fetch button.

Chris Ilias

Jul 6, 2008, 11:47:08 PM
On 7/6/08 9:16 PM, _Paul Kinzelman_ spoke thusly:

> As NA suggested, the problem is probably a FF one, so I'll post
> here and be very specific about my steps.
>
> Apparently when I fetch the
> cert from thawte, it's not actually getting into Firefox.
>
> I read all the documentation pointed to me by NA, and found that
> apparently I have to set a master password (I had none set) to
> get the cert to work, so I set one.
> However that seems to have not changed anything.

That's because you don't need to have a master password. :-)
When you back up to a p12 file, you need to set a password for the
certificate. When you import that p12 file to Thunderbird, you will need
to enter that password.

Try it in Firefox Safe Mode:
<http://support.mozilla.com/en-US/kb/Safe+Mode>.

Paul Kinzelman

Jul 6, 2008, 11:51:03 PM
NA wrote:
> On 7/6/2008 9:16 PM EDT, Paul Kinzelman wrote:
>> As NA suggested, the problem is probably a FF one, so I'll post
>
> Not likely a problem with FF...

I didn't mean with FF itself, but whatever the problem is, is during
my attempt to fetch the cert while running FF.

> Try disabling the 'Download Statusbar' add-on as this might be
> interfering with the fetch process that automatically installs the
> certificate into FF.

(see below)

> Also, please note the 'Fetch and Install
> Certificate' paragraph that's above the Fetch button.

Nothing obvious to me there that I should look for. It just says
the cert contains my correct email. I'm not in the WoT yet.

So I tried revoking and redoing the whole thing so here's my steps...

I start up FFox 2.0.0.15, it asks me for Master Password (because of
sameplace) so I give it.

I browse to thawte.com
I select Products | Free email Certificate
I login using my thawte email and pswd

I click on certificates | revoke a certificate and revoke the old one
I click on "request a certificate"
Under X.509 Format Certificates, I click on "request"
A pop-up opens, and I leave the radio button set on "Mozilla Firefox/TB
etc."
and click on 'request'
Under employment I leave "No Employment Info Avail" selected and click
'next'
On the Email Addresses page, I have only one email available (the one I
normally use) and it's checked. I click 'next'.
Strong Extranet Identities, I click 'next'.
Under 'Accept Default Extensions' I click 'accept'.
Under Public Key, I leave 2048 selected and click 'next'.
Next page is "Confirm Cert Req" (the email is correct) I click 'finish'.
I refresh the 'view certificate status' page and eventually it says
'issued'.
Type: Status: Date:
Navigator: issued Mon, 07 July, 2008, etc.

I click on "Navigator:", then down at the bottom, I click on the
'fetch' button.
It downloads a 'mycert.spc' file using the Download Statusbar add-on,
and it downloads just mycert.spc and that's it. Nothing else.

When I click on:
Tools | Options | Advanced | Encryption | View Certificates | Your
Certificate
all I see is one "CAcert WoT User", there is no Thawte
certificate listed.

I then tried disabling DownloadStatusbar, Downloadthemall, killed FF,
restarted it, ran thru fetching the cert again (I didn't revoke/request
because the browser didn't change), and still all I get
is the mycert.spc file downloaded and no Thawte in the Your Certificate
tab.

NA

Jul 7, 2008, 6:17:21 AM

The only difference between your setup and procedure and mine is that
when you click on Fetch, you get a file mycert.spc *downloaded* while I
would get the certificate automatically *installed* into FF with the
following alert pop-up window message upon completion:

------------------------------------------------------------------
! Your personal certificate has been installed. You should keep a
backup copy of this certificate.

<OK>
------------------------------------------------------------------

I searched my computer for any SPC file, and nothing found. I suspect
the problem may be with your add-on(s) which might be causing a download
instead of running the fetched file to install the certificate. Thus,
follow Chris' suggestion to run FF in safe-mode so to disable all
add-ons, and try fetching the certificate again. Other than that, I
don't see anything else that's obvious.

NA

Jul 7, 2008, 6:25:58 AM
On 7/6/2008 11:47 PM EDT, Chris Ilias wrote:
> On 7/6/08 9:16 PM, _Paul Kinzelman_ spoke thusly:
>> As NA suggested, the problem is probably a FF one, so I'll post
>> here and be very specific about my steps.
>>
>> Apparently when I fetch the
>> cert from thawte, it's not actually getting into Firefox.
>>
>> I read all the documentation pointed to me by NA, and found that
>> apparently I have to set a master password (I had none set) to
>> get the cert to work, so I set one.
>> However that seems to have not changed anything.
>
> That's because you don't need to have a master password. :-)
> When you back up to a p12 file, you need to set a password for the
> certificate. When you import that p12 file to Thunderbird, you will need
> to enter that password.
>
> Try it in Firefox Safe Mode:
> <http://support.mozilla.com/en-US/kb/Safe+Mode>.
>

The OP is misquoting without the complete context from his other thread
in m.s.t. The master password he's referring to is the TB Master
Password for logging into the Software Security Device which is
requested when he tried to import the certificate into TB.

http://kb.mozillazine.org/Installing_an_SMIME_certificate

codsw...@mailinator.com

Jul 7, 2008, 9:31:34 AM
On Jul 6, 11:27 am, Paul Kinzelman <p...@kinzelman.com> wrote:
> > 1. After that, go to Tools-->Options-->Advanced-->Encryption, and click on "View Certificates".
> > 2. Select the tab called "Your Certificates".
> > 3. Your Thawte cert should be listed. Select it.

>
> That's precisely the problem. I see *no* certificates there
> after doing endless fetches from Thawte using Firefox 2.0.0.15

I too am having this same problem. I'm using Vista with Firefox 3 and
whenever I 'fetch' my certificate from Thawte's site Firefox downloads
an .SPC file rather than automatically importing it (my previous
certificate just expired, so I've gone through all this successfully
before). The file can be imported into the Windows Security
Certificate Manager and all the right stuff is visible there (Start ->
Run -> certmgr.msc if you want to play). I can even export from
Windows in various formats (.CER and .PFX files, I think they were --
the .PFX files seemed like the right format as well). In any case,
dragging/dropping any of those onto Firefox or Thunderbird doesn't
work. The .PFX files seem right but after Firefox imports (and says
they were successfully imported, no less), there are still no
certificates.

If the OP is on Vista, I'm thinking that might be the problem (and I
don't really mind Vista)...

NA

Jul 7, 2008, 9:43:30 AM

Interesting... I'm using FF3 with XP Pro SP3 and Ubuntu 8.04, and they
seem to be working OK for me.

Paul Kinzelman

Jul 7, 2008, 5:20:04 PM
Re: NA
I tried FF in safe mode to fetch the cert (I didn't create it tho) and
same problem - it downloads .SPC, doesn't install anything. I didn't
see the msg you suggested ("Your personal cert has been installed...").
So sounds like the problem isn't with the add-ons.

Re: codswallop

> I too am having this same problem. I'm using Vista with Firefox 3 and
> whenever I 'fetch' my certificate from Thawte's site Firefox downloads
> an .SPC file rather than automatically importing it

Sounds like what I'm seeing so I suppose it could be a problem specific
to Vista (as you suggested). I'm running Vista Home Premium too with FF
2.0.0.15

I just had a thought that maybe the problem is with the extra security
crap M$ put in, so I ran FF as administrator (rt-click on the start
menu item) but that didn't help. Same result.

> The file can be imported into the Windows Security
> Certificate Manager and all the right stuff is visible there (Start ->
> Run -> certmgr.msc if you want to play).

I was able to import it, and I can export it to a couple of different
formats, but the selection for .P12 is grayed out, I can't get it to
output in P12 format. The choices are .CER (2 different flavors, which
one?) and .P7, I see no PFX file type, but you said it doesn't work
anyway. Why is the .P12 output format grayed out?

> If the OP is on Vista, I'm thinking that might be the problem (and I
> don't really mind Vista)...

I'm starting to mind it more and more. :-)

Anybody else on Vista tried it?

How about if I went to an XP system/FF? Would I have to create another
cert or could I fetch the cert I created here on Vista/FF?

Then if I were successful, could I expect to be able to export it from
FF, then import it into my Vista/FF?

Alternatively, suppose I use IE to get an IE cert from Thawte, install
it, and export it to P12, do you think that might work? Although if I
have the SPC cert in the certmgr program and can't export it to P12,
this probably wouldn't work either.

NA

Jul 7, 2008, 6:03:29 PM
On 7/7/2008 5:20 PM EDT, Paul Kinzelman wrote:
>
> Anybody else on Vista tried it?
>
> How about if I went to an XP system/FF? Would I have to create another
> cert or could I fetch the cert I created here on Vista/FF?
>
> Then if I were successful, could I expect to be able to export it from
> FF, then import it into my Vista/FF?
>
> Alternatively, suppose I use IE to get an IE cert from Thawte, install
> it, and export it to P12, do you think that might work? Although if I
> have the SPC cert in the certmgr program and can't export it to P12,
> this probably wouldn't work either.

Looks like Vista is the culprit, see the following links for more info:

http://www.vistax64.com/vista-security/18542-unable-request-thawte-freemail-x-509-certificate.html
http://nemesisv.blogspot.com/2008/07/thawte-free-email-certificate-vs-vista.html

Paul Kinzelman

Jul 7, 2008, 6:14:18 PM
> Looks like Vista is the culprit, see the following links for more info:

Well glad that's figured out. I was going crazy why I couldn't follow
your directions.

I looked on Thawte and they have something on how to get it to work
with Vista and IE, I haven't tried it yet:
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=S:SO5558&actp=search&searchid=1215468579628

But I probably have to request a new IE cert, right?

And if I used XP/FF, could I do just a fetch? Or would I have to
do a whole request as well because it's not the same FF as on this
machine?

Is it possible to change the thread name to include Vista in it
or is it too late? I don't want to change it here or it might not
get applied to the right thread.

NA

Jul 7, 2008, 6:46:03 PM
On 7/7/2008 6:14 PM EDT, Paul Kinzelman wrote:
>> Looks like Vista is the culprit, see the following links for more info:
>
> Well glad that's figured out. I was going crazy why I couldn't follow
> your directions.
>
> I looked on Thawte and they have something on how to get it to work
> with Vista and IE, I haven't tried it yet:
> https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=S:SO5558&actp=search&searchid=1215468579628
>
>
> But I probably have to request a new IE cert, right?

Your guess is as good as mine since Vista is new to me too. I would
tend to agree with you that you're probably right. Try it...

>
> And if I used XP/FF, could I do just a fetch? Or would I have to
> do a whole request as well because it's not the same FF as on this
> machine?

I would think that you would need to start over and request a new
certificate since Thawte would probably not install when you do a fetch
because of the difference. Again, you can try it... there's no harm.

>
> Is it possible to change the thread name to include Vista in it
> or is it too late? I don't want to change it here or it might not
> get applied to the right thread.

You can change the Subject on your post.

Paul Kinzelman

Jul 7, 2008, 9:12:15 PM
OK, now that we've figured out that the problem is Vista (thanks Bill),
I tried the instructions on the Thawte web site for getting a cert
using Vista/IE7 but it doesn't work, gets a VBscript error so I gave
up. Thawte is broken on Vista and their instructions don't work.
I've been on hold now for an hour with their support chat.

I tried just fetching my old cert using a different PC (XP/FF)
and like the docs said, that doesn't work because of the private
key thing.

So I went to XP/FF 2.0.0.15, requested a new certificate, and
got it to work! I was able to backup to a P12 file and
imported it into Vista/FF and it worked! Finally!

Then I tried to import it into TBird but I never set a master
password, but it thinks I did, so I can't get into it. This
question doesn't belong in this forum, but so many people
follow both, any suggestions besides removing the master
password and losing stuff? What exactly do I lose when I reset
the master password? Any of my configuration? Or just cert stuff?
Or would you prefer I move this to the Tbird forum?

Thanks for your help!
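
The "private key thing" in the post above, as an added example that is not part of any post in this thread: a fetched .spc holds certificates only, so a .p12 can be built only where the key generated at request time lives. It uses the OpenSSL command line on constructed files (a self-signed certificate stands in for the issued one; file names, subject and password are made up).

```shell
#!/bin/sh
# Added example. Every file, subject and password here is constructed; a
# self-signed certificate stands in for the one the CA would issue.

# The machine that made the request: its private key, the certificate issued
# for that key, and the certificates-only PKCS#7 bundle that a fetch downloads.
# (-nodes leaves the key unencrypted only because these are throwaway files.)
make_request_machine() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Freemail Member/emailAddress=user@example.test" \
        -keyout "$1/request.key" -out "$1/issued.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$1/issued.pem" \
        -outform DER -out "$1/mycert.spc"
}

# A different machine or browser profile: it has its own, unrelated key.
make_other_machine() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Report what the .spc actually carries.
spc_contents() {
    pem=$(openssl pkcs7 -inform DER -in "$1" -print_certs)
    certs=$(printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE' || true)
    keys=$(printf '%s\n' "$pem" | grep -c 'PRIVATE KEY' || true)
    echo "certs=$certs keys=$keys"
}

# Convert the .spc to PEM so the other commands can read the certificate.
unpack_spc() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# Succeeds only when the private key in $1 belongs to the certificate in $2.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ]
}

# Build the password-protected .p12; needs the certificate AND its own key.
build_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -passout pass:constructed-demo-password 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_request_machine "$d"
    make_other_machine "$d"
    echo "mycert.spc: $(spc_contents "$d/mycert.spc")"
    unpack_spc "$d/mycert.spc" "$d/fetched.pem"
    for who in request other; do
        if key_matches_cert "$d/$who.key" "$d/fetched.pem" &&
           build_p12 "$d/$who.key" "$d/fetched.pem" "$d/$who.p12"; then
            echo "$who.key: .p12 written"
        else
            echo "$who.key: no .p12, key does not belong to the certificate"
        fi
    done
    rm -rf "$d"
}
demo
```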

NA

Jul 8, 2008, 7:41:37 AM
On 7/7/2008 9:12 PM EDT, Paul Kinzelman wrote:
>
> Then I tried to import it into TBird but I never set a master
> password, but it thinks I did, so I can't get into it. This
> question doesn't belong in this forum, but so many people
> follow both, any suggestions besides removing the master
> password and losing stuff? What exactly do I lose when I reset
> the master password? Any of my configuration? Or just cert stuff?
> Or would you prefer I move this to the Tbird forum?
>
> Thanks for your help!

I never had to reset my TB Master Password so I don't really have
practical answers to your questions. According to
http://kb.mozillazine.org/Master_password it seems you would lose
access to all the encrypted names and passwords to your email and news
servers that were protected by the Master Password. Then you would just
have to re-enter them after resetting your Master Password. Not sure
about installed certificates though... at worst, you would need to
re-install your CA certificate(s).

BTW, did you try using the password(s) that you entered in your
earlier unsuccessful attempt(s) to backup from FF and import to TB? It
might have stored that entered password as your Master Password when the
pop-up window request came up during your previous attempt(s) to import
a certificate. Might be worth a try before resetting...

You're almost there, so close... best to you!

Paul Kinzelman

Jul 8, 2008, 1:25:53 PM
> I never had to reset my TB Master Password so I don't really have
> practical answers to your questions. According to
> http://kb.mozillazine.org/Master_password it seems you would lose
> access to all the encrypted names and passwords to your email and news
> servers that were protected by the Master Password. Then you would just
> have to re-enter them after resetting your Master Password. Not sure
> about installed certificates though... at worst, you would need to
> re-install your CA certificate(s).

Yes, it says that, but I just did it and it seems to have just wiped
the certs all out. It didn't touch the stored email server passwords,
nor the Enigmail. This sounds kind of like a bug, I expected it would
wipe at least the stored server passwords. And after I reset the
password and created a new one, I can see all my old email
passwords. I wouldn't expect this to happen. You think I should post
it as at least a heads-up on the Tbird forum?


> BTW, did you try using the password(s) that you entered in your
> earlier unsuccessful attempt(s) to backup from FF and import to TB? It
> might have stored that entered password as your Master Password when the
> pop-up window request came up during your previous attempt(s) to import
> a certificate. Might be worth a try before resetting...

I gave up trying to figure out all the passwords I've got and when to
use them in all my flailing around here. So I lost my CACert, but it
sounds like that's not as good as the Thawte one anyway.

And I was able to import the Thawte .P12 cert in to Tbird! Yah!

> You're almost there, so close... best to you!

But in software, close sometimes counts for nothing. :-)

But yes, I think I've vanquished this particular dragon thanks to
your help and the other guy who piped in with the suggestion that
good-old-Bill's penchant for ignoring standards might be the problem.
"Standards are great, that's why we have so many of them." :-)

Q.A...@gmail.com

Jul 24, 2008, 10:40:41 AM
I was able to successfully create, import, export, and install into
thunderbird my Thawte freemail cert on Vista by placing Firefox 3.0.1
in compatibility mode for windows xp via the properties box on the
shortcut.
Whatcha know, that there compatibility mode done worked perfectly.
Q

Nick Weisser

Jul 25, 2008, 11:55:29 AM
On 7 Jul., 23:20, Paul Kinzelman <p...@kinzelman.com> wrote:
> I was able to import it, and I can export it to a couple of different
> formats, but the selection for .P12 is grayed out, I can't get it to
> output in P12 format. The choices are .CER (2 different flavors, which
> one?) and .P7, I see no PFX file type, but you said it doesn't work
> anyway. Why is the .P12 output format grayed out?


Same problem here. I'm on Vista using FF3.

Did you find out anything in the meantime?

Cheers, Nick

Nick Weisser

Jul 25, 2008, 12:00:00 PM


Didn't see this message before. This worked like a charm for me,
too :-)
