Obtaining a free e-mail certificate for digital signatures and encryption

Hi Paul,

I notice that your e-mail messages have a "Security" header. What is this and how do I get one? (I'm using OS X Mail.)


It means the message has been digitally signed, has indeed been sent by the sender, and has not been altered in transit.

At the Thawte web site (the digital certificate people), you can sign up for a 1-year personal e-mail certificate for free (and renew it for free each year).

How do I get a free e-mail certificate for digital signatures and encryption?

For background information, descriptions, and a general overview of using digital certificates with Apple's Mail.app, see the following article in the November 2006 issue of Macworld:



Listed below are my bare-bones steps to sign up for, download, and use a digital certificate.

The process is not hard, but it is a bit tedious in places. For the most part, you can accept the default values for things, except where the forms are seeking new information from you.

Or, if you use a Mac you can use this guide (lots of screenshots and arrows) put together by Bret at the campus Counseling and Psychological Services office.

NOTE: Only use Safari with the following instructions. If another browser is your default, then paste into Safari these URLs and the ones that come in e-mail messages from Thawte.

Establish your identity

  1. Using Safari, browse to the Thawte web site: http://www.thawte.com

  2. From the Products menu at the top, select:

      Free Personal E-mail Certificates

  3. Read through the description.

      then "Click here"

  4. Read through the Terms and Conditions.

      then click "next"

  5. Use the default for my language

  6. Enter last and first names

  7. Enter your date of birth

  8. Enter your nationality

      then click "next"

  9. Email address thawte user

    (you will enter something like: username@geology.ucdavis.edu )

      then click "next"

  10. Language Preferences: Use browser settings.

  11. Charset Preferences: Use my browser settings

      then click "Next"

  12. Enter a good password

      It should be 6-20 characters long and include a mixture of upper- and lower-case characters.

      (this is the hard part, go ahead and write the password down and seal it in an envelope).

      then click "next"

  13. Use or create 5 questions to reestablish your identity.

      then click "next"

  14. Print out your information and save in a safe place

  15. Check your mail. Look for the Thawte Mail Ping message (it should show up in a minute or two; if not, check Junk).

  16. Your e-mail message will contain Probe and Ping values.

      Copy and paste your Probe and Ping values into the web page

  17. Log in to Thawte

      Do check the box to remember your password in your Keychain.

Request a digital certificate

  18. Request a certificate

  19. Request X.509 Certificate

      Select: Mozilla Firefox/Thunderbird, Netscape Communicator

      then click "Request"

  20. Certificate Bearers Name

      No employment info available

      click "next"

      click "next"

  21. Select email address

      then click "next"

  22. Strong Extranet Identities

      click "next"

  23. Accept defaults extension

      click "Accept"

  24. Select "1024 (Medium Grade)"

      then click "next"

  25. Confirm Netscape Certificate Request

      then click "Finish"

  26. At this point you have requested a digital certificate. It will take 5 to 10 minutes to calculate and generate the certificate.

      In the meantime you will receive a "Certificate Requested" e-mail message.

  27. Check your e-mail in 5 to 10 minutes

      The Subject will be something like: "Thawte Personal E-mail Certificate Issued"

  28. Retrieve the certificate by clicking on the indicated link in the e-mail message. (Be sure to do this in Safari. If Safari is not your default browser, copy the URL and paste it into Safari. Only Safari will insert the digital certificate into your Keychain.)

      You should see a message stating that "deliver.exe is being downloaded"

      then click "OK"

  29. Your certificate will be inserted into your keychain automatically.

Using your certificate

After your certificate is inserted into your keychain, things happen pretty automatically.

Mail will display padlock and seal-of-approval icons that you can use to digitally sign and/or encrypt messages.

(Though you can only encrypt messages with correspondents with whom you have exchanged signed messages.)

To sign and encrypt an email message: (When you get your certificate you should be able to send me encrypted messages because you have received signed messages from me.)

BTW, this is not Mac-only technology. Mail.app uses the S/MIME standard, and Windows users with a suitably modern e-mail client will also see an indication that the message is signed.
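
What "signed" and "not altered in transit" mean in S/MIME terms, as an added example that is not part of the original instructions: it uses the openssl command line to sign a message, verify it, and show that a one-character change breaks verification. The key, certificate, address and message are constructed for the demo; a throwaway self-signed certificate stands in for a CA-issued one.

```shell
#!/bin/sh
# Added example. Key, certificate, address and message are constructed.

smime_demo() {
    dir=$(mktemp -d) || return 1

    # Throwaway self-signed certificate standing in for a CA-issued one.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo User/emailAddress=user@example.org" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1

    printf 'Meet at 10:00 in room 12.\n' > "$dir/msg.txt"

    # Sign: the output is a multipart/signed message, i.e. the readable
    # text plus a detached PKCS#7 signature made with the private key.
    openssl smime -sign -in "$dir/msg.txt" -signer "$dir/cert.pem" \
        -inkey "$dir/key.pem" -out "$dir/signed.eml" 2>/dev/null || return 1

    # Verify the untouched message, trusting the demo certificate as root.
    if openssl smime -verify -in "$dir/signed.eml" \
        -CAfile "$dir/cert.pem" -out /dev/null 2>/dev/null
    then intact=valid; else intact=invalid; fi

    # Alter one character of the body, as a change in transit would.
    sed 's/10:00/11:00/' "$dir/signed.eml" > "$dir/tampered.eml"
    if openssl smime -verify -in "$dir/tampered.eml" \
        -CAfile "$dir/cert.pem" -out /dev/null 2>/dev/null
    then altered=valid; else altered=invalid; fi

    rm -rf "$dir"
    echo "intact=$intact altered=$altered"
}

smime_demo
```

The signature covers a digest of the message body, so the altered copy fails verification even though the certificate and signature block are unchanged.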

If you have multiple e-mail accounts, you can log back in to your Thawte site and add additional email addresses. For example, in addition to your lastname@geology.ucdavis.edu address, you may also have a campus mailid@ucdavis.edu address. Each e-mail address will have its own digital certificate.

Using your certificate on multiple computers

If you use multiple computers, you will want a copy of the certificate(s) on each computer. The process of exporting a copy of your certificate from Keychain Access is straightforward. Just be careful to protect the extracted file. It contains both your public key and your private key. Anyone who has your private key can impersonate your e-mail address.

To export your e-mail certificate:

Here's a Mail rule I use to mark "Signed" e-mails as green (trusted) in my inbox.

Mail rule: If any (Message is Signed) Set Color (of text) dark green

The color I use is "Clover" from the crayola-box color picker.