How to Set Up Encrypted Mail on Mac OS X
Take a Deep Breath and Go

Once you are ready, you can click on the flashy "Join" button to begin the process. For more information about the encryption technology used by Thawte, click on the little key icon that Mozilla displays at the bottom left of the window. This will open an information window with some security-related stuff.

The first page is the very boring, traditional "Terms and Conditions" text. It is essential that you read it very carefully. I did and it's a lot easier than one would think at first sight. The text can be understood easily and it provides a nice introduction to the legal responsibilities that are associated with keys and certificates.

If you accept the conditions, click on "Next."

We are now going to provide some traditional identification information to Thawte. Up until now, it's all very mundane but I cannot stress enough the importance of entering accurate information. Double-check everything, especially the date of birth: it's day/month/year.

Thawte provides a charset pop-up menu to allow international users to enter their names -- have a look at mine and you will understand what I mean! However, they suggest that you remove any non-English characters from your name if they have an easily understandable equivalent. Indeed, this will allow older mail applications and web browsers to deal with the certificate easily.

The next page asks for more personal information, including an Identification number. This number allows Thawte to perform mathematical checks and, in theory, will prove that you are who you claim to be. Needless to say, this is not a 100% guarantee and this is why the certificate that you will get won't contain your name -- to include your name on your certificate, Thawte requires that you either pay a fee and allow them to investigate or rely on a "network of trust."

Pick very carefully the number that you want to give and try not to give a number that would immediately allow a malicious person to impersonate you. Of course, all of them are very sensitive information. However, in some countries -- the U.S. for example -- a social security number is used very commonly, while others may give you more time to react in case you realize they have been stolen. It's up to you and depends entirely on the country in which you reside.

Again, the number should be accurate. Otherwise, the verification process can fail and you could run into trouble.

On the same page, you are going to create your account. Enter a valid email address that you can check securely -- there are some excellent articles on the Mac DevCenter about secure mail reading, like this one from Jason McIntosh.

Note that you should provide the address for which you want to obtain the first certificate: certificates are linked to your email address and you will have to obtain one per address. Of course, you will only have to go through this registration process once.

Using a certificate obtained for one address with another email address is a bad idea: it will cause most email clients to complain, effectively ruining the trust effect you are trying to establish.

Thawte provides you with a privacy guarantee and certifies that your mail won't be used for advertising purposes. Of course, you are free to forbid them entirely from sending you mail, but I don't suggest that you do that -- in case there really is an emergency, you don't want to discover it too late.

On the next page, you will be asked for language preferences. I suggest that you choose English to be on the safe side, but you are welcome to pick anything else. I left the charset to the default, but some international users may want to modify it.

Let's pause for a second here and note how lucky we are to use Mac OS X: indeed, its support for multiple languages and charsets really gives us all peace of mind.

Next, you will be asked for password information and to provide five "password recovery" questions -- on two pages. This is perhaps the most important part of the process: indeed, if someone were able to break into your account, this person could effectively impersonate you and cause you to run into very serious legal trouble for illegal actions you didn't perform.

Thawte's password page is quite well written and gives you some important information about how the system will use it. Again, read it carefully.

Make sure that you use a secure password and write it down -- yep, for once, I suggest that you write it down. Of course, make sure that you write it on a special piece of paper that nobody can see.

After clicking on "Next," you will be asked for the password questions. I do not like the default questions much... Indeed, the answer to them is quite easy to find and almost everyone could, with a bit of research, give correct answers.

Therefore I strongly recommend that you use a mix of default and personal questions -- and please, oh please, do not use your mother's maiden name and the number of pets you have!

In any case, do not forget the checkboxes next to the questions, and try to provide answers that do not include accented characters. I prefer not to risk running into trouble for this.

Again, write down your choices on another piece of paper.

Your questions are as important as your password since anyone could get your password by using them. So you should make sure that the two pieces of paper are in two different safe places. Ideally, bank safes, and certainly not drawers or bookcases in your office or home.

You will also be asked for a phone number. Provide a number that you are likely to keep for a while and that you usually answer personally. You should also make sure that this is a number that can be called from outside your country -- i.e., not a special toll-free, short, or extra-costly one. And include the appropriate international codes.

Finally, you will be presented with a summary of the information you have entered. Check it twice and click on "Next" so that Thawte can ping your email address.

Remember when we said that keys are linked to an email address more than to anything else? To make sure that you are who you claim to be, Thawte will send you a mail and ask you to click a link and enter a special code contained in the mail. This is another reason why you should make sure that your email inbox is safe and that you are the only one who can access it.

Once you have successfully confirmed the "ping," you have completed the registration process. This is the longest and most dangerous part since you can now request multiple certificates without having to go through it again. You can then safely delete the mail.

Claiming Your Certificate and Creating Additional Ones

Now that you are a registered Thawte user, it is time to claim your first certificate. Click on the "Next" button to begin the process. Later, to obtain another certificate associated with another email address, you will simply need to repeat this process.

Remember that it is now crucial that you use Mozilla Firebird!

You now need to select the certificate type. As the page itself says, you should select "X.509."

More Forms to Fill In

You will now have to go through an 8-page form to select your certificate preferences. Here are a few tips that will allow you to do it quickly and painlessly:

  1. On the first page, you need to select the format. Thawte seems somewhat PC-centric, but you want to select "Netscape Communicator or Messenger," the default value, and click on the Request button.
  2. Remember what we were saying about your name not being included in the certificate for now? Here is an example! For now, this page is useless, so you can click on "Next" without changing the default values.
  3. You will now need to select the email address to which you want to link this certificate. Since the Thawte system only knows the one you indicated as your default address, you simply need to click on the checkbox and click on "Next." Later, you will be able to enter additional addresses and request certificates for them as well.
  4. On the next page, click on "Next" directly.
  5. You will then need to select the "extensions" that will be included in your certificate. Simply click on "accept" to include the default ones. It will work beautifully.
  6. You now have to select an encryption strength for your keys. I recommend that you select the highest available (2048 at least) and click on "Next."
  7. Here, Mozilla will wake up and ask you for a password for the "Software Security Service." This "Software Security Service" is the Mozilla component that will handle the keys handed out by Thawte -- and this is the component that other browsers lack. This password is as important as the one given to Thawte since a user who could break into the Mozilla Certificate Manager could get your keys. It should, however, not be the same. Write it down and put it in a safe, like the others. Make sure that nobody ever knows it. You have now reached the final stage, the actual key generation process. You can then click on "Next."
  8. You will then be given a chance to review your information one last time.

The process is now completed and Thawte's computers are working to create your certificate. You can click on "Next" to go to the certificate manager and close the small window.

The certificate manager contains a list of all the certificates that you have requested. Although Thawte has powerful computers, the generation process will take a little while.

After a few minutes, the status of your certificate will change from "Pending" to "Issued." You can now use Mozilla to "fetch" it -- i.e., download it into Mozilla's certificate manager.

Once it is issued, click on the "Navigator" link, in the "Type" column. This will direct you to a page with important certificate information, like the expiration date and the assurance level.

At the bottom of the page is a cute "dog" button to fetch it. Click on it and stare in amazement at a Mozilla that does ... nothing.

Well ... not really. In fact, Mozilla has installed the certificate into the certificate manager for which you previously provided a password. It simply didn't tell you that the operation was successful.

You can now exit Thawte's site with confidence.
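Two properties this walkthrough relies on, that a certificate is bound to the address you send from and that its key is at least 2048 bits, can be checked with OpenSSL once a certificate is available as a PEM file. This is an added example, not part of the original article: the file names, the addresses and the helper functions make_sample_cert and check_smime_cert are assumptions, and the sample certificate is a self-signed stand-in constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a certificate before configuring it in a mail client.
# All file names and addresses below are constructed for the demonstration.

# Create a throwaway self-signed certificate (a stand-in for the one a CA
# would issue). $1 = output directory, $2 = email address to embed.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Sample/emailAddress=$2" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}

# check_smime_cert CERT ADDRESS [MIN_BITS]
# Returns 0 if CERT covers ADDRESS and its key has at least MIN_BITS bits,
# 1 on an address mismatch, 2 on a short key, 3 if CERT cannot be parsed.
check_smime_cert() {
    cert=$1 addr=$2 min_bits=${3:-2048}
    # -email lists the addresses found in the subject and subjectAltName
    emails=$(openssl x509 -in "$cert" -noout -email 2>/dev/null) || return 3
    # Whole-line, case-insensitive, fixed-string match against each address
    if ! printf '%s\n' "$emails" | grep -qixF -- "$addr"; then
        echo "mismatch: certificate covers '$emails', not '$addr'" >&2
        return 1
    fi
    # The text dump prints the key size as "Public-Key: (2048 bit)"
    bits=$(openssl x509 -in "$cert" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "weak key: ${bits:-unknown} bits, wanted at least $min_bits" >&2
        return 2
    fi
    echo "ok: $addr, $bits-bit key"
}

# Demonstration on the constructed certificate
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" "alice@example.com"
check_smime_cert "$demo_dir/sample.pem" "alice@example.com"
check_smime_cert "$demo_dir/sample.pem" "bob@example.com" || true
rm -rf "$demo_dir"
```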

Transferring the Certificate

We chose Mozilla because its certificate manager understands the certificate file format and can actually handle it. However, for the exact same reason, we need to perform an additional step.

Indeed, as with any good Mac OS X application, Mail looks for security and cryptography elements in the "Keychain," not Mozilla's very own management system.

Therefore, our last step will be to transfer the certificate from Mozilla to the Keychain utility.

