Using VeriSign Digital ID Class 1 Certificates on a Mac

Back in October I recommended getting a free personal e-mail certificate from Thawte for e-mail security. Thawte stopped offering Personal Email Certificates on November 16, 2009. I decided to take up Thawte on their offer of a free one-year VeriSign Email Certificate (Digital ID Class 1). Here are some things I learned the hard way about using a VeriSign Digital ID Class 1 in the Mac environment.

I followed the instructions in the e-mail from Thawte and downloaded my certificate from VeriSign using Safari. It got loaded to my keychain and I thought life was good. The Mail application could not find the new certificate associated with my e-mail address.

Here is what I found out: Modern browsers have crypto tools which generate public/private key-pairs. When signing up for a certificate with an authority (as with VeriSign), their website should trigger your browser to create a key-pair and then upload the public key, which is then certified and returned to you. This certificate is in a file format called .p12.

Using Safari, the certificate I got from VeriSign was a .p7c file, which has no copy of your private key.

The only way I was able to get a proper .p12 file was using Firefox on my Mac to access the VeriSign certificate tools to renew my certificate (which essentially revokes the old one and generates a new one).

Once the certificate was installed in Firefox, I exported it to a .p12 file which I then imported into my keychain after deleting the useless certificate that had been previously imported.

Problem solved.
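
The difference between the two file types, as an added example that is not part of the original post: this script builds a throwaway certificate, writes it once as a certificate-only PKCS#7 .p7c and once as a PKCS#12 .p12 bundled with its key, and checks each with openssl. It assumes the openssl command-line tool is installed and that the .p7c is DER-encoded; the file names, subject and passphrase are constructed.

```shell
#!/bin/sh
# Added example: tell whether a certificate file bundles a private key.
# All file names, the subject and the passphrase are constructed test values.

# Prints "p12-with-key", "p7-certs-only" or "unknown" for file $1.
# $2 is the PKCS#12 passphrase (ignored for PKCS#7 files).
classify_cert_file() {
    # PKCS#12: decrypt the key bag; a key appears as a PEM "PRIVATE KEY" block.
    if openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
            | grep -q 'PRIVATE KEY'; then
        echo p12-with-key
    # PKCS#7 (.p7c/.p7b): a certificate chain only, it cannot hold a private key.
    elif openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null \
            | grep -q 'subject'; then
        echo p7-certs-only
    else
        # Not parseable as either, or the PKCS#12 passphrase was wrong.
        echo unknown
    fi
}

# Creates a throwaway key pair and self-signed certificate in directory $1,
# then writes the same certificate as demo.p7c (certificate only) and
# demo.p12 (certificate plus private key).
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Test User' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" \
        -outform DER -out "$1/demo.p7c" || return 1
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout pass:constructed -out "$1/demo.p12" || return 1
}

# Runs both sample files through the classifier; prints one result per line.
demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir" || { rm -rf "$dir"; return 1; }
    classify_cert_file "$dir/demo.p7c" ''
    classify_cert_file "$dir/demo.p12" constructed
    rm -rf "$dir"
}

demo
```

On the Mac itself, `security find-identity -v -p smime` lists only keychain entries where a certificate is paired with its private key, so a certificate imported without its key does not appear there.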
