How to replace THAWTE certificate by VERISIGN certificate

10190 Views 22 Replies Latest reply: Jan 30, 2010 9:43 AM by Richard Liu RSS
janinspain Level 1 Level 1 (5 points)
Oct 14, 2009 1:14 AM
These days millions of users receive an e-mail "Important Thawte® Personal E-mail Certificate Holder Notice - Thawte Personal E-mail Certificates and Web of Trust are being discontinued".

The message comes with a special offer from VeriSign giving you a full year of VeriSign digital certificate for free, which seems to be a fair offer (I think the normal price is around 20$ per year).

Enrollment and installation of the new certificate is well described and worked perfectly: you'll end up with a brand-new certificate from VeriSign in your Keychain - BUT...

Mail keeps on encrypting with the old one from THAWTE and Address Book shows in your own record that your mail address is still linked to the old certificate.

Some users will just delete the old one - DON'T DO THIS - because you might find out that all your old encrypted mail that you received earlier won't be readable any longer.

I didn't find a way to select the new certificate for the encryption of outgoing mail and I guess there are thousands of former THAWTE & Mac users who are trying to find the solution.

Who can help?
Jan
Macbook Pro, Mac OS X (10.6.1)
  • Valentin Starke Level 1 Level 1 (40 points)
    There should be three methods:

    First, either you revoke your Thawte certificate or you wait for Nov 16th when Thawte does it for you. In principle, once Keychain recognizes that the certificate is no longer valid, Keychain will switch to the new one from Verizon. As long as Thawte is valid there is no problem using it. Once revoked, however, you can never again use it.

    Second, if you open Key Chain and you double click on the Thawte certificate then you can edit the trust settings and set them to "Never trust" and Mail will no longer use the certificate for signing. I tried this method and it works. You can always undo your decision and trust the certificate later.

    Third, you single click on the triangle next to the certificate, the key symbol appears and then you double click on the key. Here you can change the access to the certificate and remove Mail from the list. I haven't tried this method myself but you can always undo your decision if it doesn't work.

    Let me know which one works for you.


    Best regards

    Valentin.
    MacBook Pro late-2007, Mac OS X (10.6), TC, Airport Express, MacBook
  • Valentin Starke Level 1 Level 1 (40 points)
    Hello ... glad this solved part of your challenge. It's not surprising that Keychain doesn't know yet that the certificate is revoked. My understanding is that the certificate's ID will be published by Thawte after 24 to 48 hours as revoked and only then, during the next check of the status by Keychain, it will notice that it is no longer valid.

    I have revoked mine, too, this morning and I wait for it to appear in Keychain.


    Best regards

    Valentin.
    MacBook Pro late-2007, Mac OS X (10.6), TC, Airport Express, MacBook
  • Richard Liu
    Thanks for the good tips. I chose method 2 and can verify that Mail immediately uses the new certificate. However, Address Book seems to still have the old one. Any solution here?
    MacBook Core 2 Duo 2 GHz, MacBook Pro Core 2 Duo 2.93 GHz 17" glossy screen, Mac OS X (10.5.8), 4GB RAM
  • Richard Liu Level 1 Level 1 (45 points)
    Valentin,

    How did the revocation of the Thawte certificate go? Can you confirm in the keychain that it is no longer valid, and does Address Book notice as well and display the Verisign certificate instead of the Thawte one in your vcard?

    Richard
    MacBook Core 2 Duo 2 GHz, MacBook Pro Core 2 Duo 2.93 GHz 17" glossy screen, Mac OS X (10.5.8), 4GB RAM
  • Valentin Starke Level 1 Level 1 (40 points)
    No ... unfortunately revoking the certificate (in this case on Thawte's end) didn't have any effect at all for Keychain so far and Mail continues to use the - now revoked - certificate.

    I am not in a hurry and wait a bit longer.

    Valentin.
    MacBook Pro late-2007, Mac OS X (10.6), TC, Airport Express, MacBook
  • Joo-Chen
    Hi folks,

    I am not even able to enable encrypting or signing an email in Mail.app delivered with 10.6.1. I needed to install a CAcert certificate as the Thawte ones are not available anymore. Does anyone have a clue where to find a working tutorial for 10.6?

    Cheers,

    Jochen
    17'' MBP, 17'' iMac Intel Core Duo, IT Admin, Mac OS X (10.6.1)
  • Valentin Starke Level 1 Level 1 (40 points)
    Hello ... Your message is a bit unclear but I will give it a try: Thawte certificates are no longer available. There are many other cert services which are, and normally you should be able to install a new certificate without problems. If you have more than one valid one and you want to force mail.app to use a specific one, then you find some ideas in this thread. I can confirm that little or nothing has changed in how mail.app uses certificates between 10.6 and 10.6.1 and possibly since Leopard. There is no reason which keeps you from using certificates in 10.6.1.

    But ... CACert is not recognized as a Root Authority by Apple. In Keychain this certificate should show as "invalid". My suggestion is you try StartSSL or Comodo which are both recognized by Apple.


    Good luck.

    Valentin.
    MacBook Pro late-2007, Mac OS X (10.6), TC, Airport Express, MacBook
  • Joo-Chen Level 1 Level 1 (5 points)
    Hi Valentin, THAT was the right tip for me. CAcert did not work properly, but the COMODO certificate was a snap. Now it works perfectly. Thanks a lot!

    http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

    is the URL to get your personal free email certificate. After registration, you get the cert file. It is automatically imported to the keychain when downloaded via Safari. After relaunch of Mail.app, I am able to sign and encrypt my mails. That’s all.
    17'' MBP, 17'' iMac Intel Core Duo, IT Admin, Mac OS X (10.6.1)
  • Remmy1978
    Another way to tackle this issue is to export your 'old' certificates, then remove them from the keychain. Make sure to leave the certificate you'd like to use in the keychain. After this, import your 'old' certificates again. If all went well, Mail.app will now default to the oldest valid (by way of the date it was added to the keychain) certificate.
    iMac 24", Mac OS X (10.6.1)
  • Richard Liu Level 1 Level 1 (45 points)
    Does anybody know by what magic OS X is supposed to discover that Thawte has revoked the Freemail certificates before the date specified therein? November 16, the date on which Thawte ceased to issue Freemail certificates, has come and gone, yet, as far as OS X is concerned, all the Freemail certificates that have not yet expired are still valid. Must the Keychain Access | Preferences ... | Certificates be set to something else besides Off, Off and grayed out? Does anybody know for sure how the revocation will work? Will each individual certificate be revoked, or just one which they all trust?

    Regards,
    Richard
    MacBook Core 2 Duo 2 GHz, MacBook Pro Core 2 Duo 2.93 GHz 17" glossy screen, Mac OS X (10.5.8), 4GB RAM
  • Richard Liu Level 1 Level 1 (45 points)
    At the risk of beating a dead horse -- or, at least, a horse in which nobody seems interested! -- I relate here my experience with my Thawte Freemail certificates after Nov. 16, when they were supposed to have been revoked.

    First, there seems to be some confusion about whether Freemail certificates that had not expired by Nov. 16 would be revoked. Thawte's email to Freemail certificate holders clearly states that (a) after Nov. 16 no new Freemail certificates would be issued, (b) Freemail certificates could not be renewed after Nov. 16, and (c) Freemail certificates that are still valid on Nov. 16 would be revoked on that date.

    Second, those Mac users who have acquired new certificates to replace their Freemail ones have a real interest in the revocation of their Thawte certificates. For, as long as OS X perceives the Thawte certificates to be valid, Address Book will display them in the user's contact card and the Mail application will use them to sign email. Several solutions have been proposed in these forums.

    Manually turning off the Thawte certificates' trust convinces Mail to use the Verisign certificates, but not Address Book. This is more than just a superficial problem. If the first email address on the contact card has an untrusted certificate, then if an appointment with an invitee is created, the next email address with no or a trusted certificate is set as the one to which the invitee will reply. In my case, that meant that the invitation was sent from my personal email address (default in Mail), but, since according to Address Book it had an untrusted certificate, the reply-to address in the invitation was my work email account, which has no certificate.

    Some people have suggested deleting the Thawte certificates. That certainly forces Mail and Address Book to use the Verisign certificates, but it also means that emails encrypted with the Thawte certificate can no longer be read. A variation on this theme is to export the certificates, delete them, then import them after the applications have taken notice of the Verisign certificates. I have not tried this. Perhaps it works, but is this compliant with Apple's "it just works" philosophy?

    I have asked Thawte support whether the Freemail certificates have in fact been revoked. I have been informed by phone that they have been. I have not been able to confirm this. I have set the Keychain Access | Preferences | Certificates options to "Best Attempt" validation as well as to check if the certificate specifies a URL, and in every case my Freemail certificates as well as all the Thawte certificates from which their trust derives are valid. I can still sign email with those certificates, send the email to myself at work, where we use Outlook, and the infrastructure at work also recognizes the certificate as valid.

    So, again I ask: Can anybody who has a Thawte Freemail certificate that expires after Nov. 16 confirm that the certificate has been revoked? Were that to be the case, I would expect that it could no longer be used to sign emails and, if for some reason the Mac did not check its validity, in any case an email client that receives the email would notice the problem.

    Regards,
    Richard
    MacBook Core 2 Duo 2 GHz, MacBook Pro Core 2 Duo 2.93 GHz 17" glossy screen, Mac OS X (10.5.8), 4GB RAM
  • kae
    I'm having the same problem. My thawte certificates are still being chosen and used by Mail. I don't seem to be able to get onto the Thawte site to revoke them. I've tried "untrusting" them, but Mail seems to still try to use them. I've also tried to remove Mail from the list of apps that can use the certificate, but Mail just keeps asking to use it. I'm at a loss as to what to do next. There doesn't seem to be a way to get Mail to use the Verisign cert.
    Mac OS X (10.4.11)
  • Arkonova Level 1 Level 1 (0 points)
    Hot topic.

    I was wondering if there is a way to tell Mail which certificate to use (via CLI or by modifying a plist somewhere). Any clue about this?

    From those three solutions Valentin gave us, the 3rd one seems to be the best, but still it is not the correct way to tell Mail which certificate to use. I am really looking forward to Apple adding some way to select manually which certificate to use with a specific email address, in addition to the good defaults as they already are. And not only for Mail.
    Mac Book Pro 15'' Unibody, Mac OS X (10.5.8)