10 Replies Latest reply: Nov 2, 2009 6:45 PM by SiRGadaBout
thomas_r. Level 7 (27,945 points)
Since Thawte has stopped offering free certificates and will soon be revoking those that have already been issued, I'm searching for a new way to get certificates for encrypting and signing e-mail. I found StartSSL (http://www.startssl.com), which offers free certificates, but I haven't found a way to obtain more than one (for different addresses).

More importantly, there's a trust issue - apparently, Thunderbird (at least) does not trust certificates from StartSSL by default. Thus, if I send a signed message, Thunderbird doesn't accept the certificate and that person can't send me encrypted mail. That's a bit of a problem, especially since most people I would need to exchange signed/encrypted e-mails with would not understand what was going on or how to change their settings to trust the certificate.

Are there any other places to get free certificates that will be trusted by most/all common e-mail clients by default?

17" MacBook Pro, Mac OS X (10.6.1)
  • 1. Re: Free SSL certificates?
    J D McIninch Level 5 (4,060 points)
    Most people simply create their own. Self-signed certs are fine for most applications outside of commercial applications.
  • 2. Re: Free SSL certificates?
    thomas_r. Level 7 (27,945 points)
    That has the same problem as a StartSSL certificate in Thunderbird for Windows. A signed message is received with no notice that the certificate is not trusted, other than an easy-to-miss icon. In order to trust the certificate, you've got to know what settings to go fiddle with in Thunderbird. This was not the case with my old Thawte certificates, which were trusted automatically.

    If there aren't any other certificate authorities that will be trusted automatically by most/all e-mail clients, I guess I will just deal with this inconvenience.
  • 3. Re: Free SSL certificates?
    Templeton Peck Level 9 (58,265 points)
    I just logged into my account at Thawte.com and their product page still lists personal email certificates as being free. Is that what you're looking for?
  • 4. Re: Free SSL certificates?
    thomas_r. Level 7 (27,945 points)
    I just played around with the concept of self-signed certificates, and was totally unable to make Thunderbird on Windows accept a self-signed certificate, created in Keychain Assistant. I exported the certificate as a .cer file and imported that into Thunderbird as an authority, set it to trust that authority, and yet still Thunderbird would not recognize the signature on messages I sent from Mail signed with that certificate.
  • 5. Re: Free SSL certificates?
    thomas_r. Level 7 (27,945 points)
    I recently got the following e-mail from Thawte:

    Important Thawte® Personal E-mail Certificate Holder Notice
    Thawte Personal E-mail Certificates and Web of Trust are being discontinued

    Dear Thomas Reed,
    Over the past several years, security compliance requirements have become more restrictive, while the technology infrastructure necessary to meet these requirements has expanded greatly. Despite our strong desire to continue providing the Thawte Personal E-mail Certificate and Web of Trust services, the ever-expanding standards and technology requirements will outpace our ability to maintain these services at the high level of quality we require. As a result, Thawte Personal E-Mail Certificates and the Web of Trust will be discontinued on November 16, 2009 and will no longer be available after that date.

    It continues, but this is the relevant info.
  • 6. Re: Free SSL certificates?
    Templeton Peck Level 9 (58,265 points)
    Ahhhh... maybe that's the same email I got from them last week and didn't read... Hmm...
  • 7. Re: Free SSL certificates?
    Kathylee Level 1 (65 points)
    I wanted to simply create a self-signed cert for encrypting email using the Keychain Certificate Assistant. I overrode the defaults and selected Digital Signature and Data Encipherment under Key Usage, and under Ext Key Usage: Email Protection, Apple .Mac email signing, and Apple .mac email encryption, and used my mac.com email address.

    This showed up in my Keychain just fine, I selected Always Trust and sent a digitally signed email to a friend. He accepted it and set Always Trust as well. He also created a self-signed cert with the same settings as mine (but with his mac.com email address) and sent a digitally signed email to me.

    However, we cannot encrypt to each other after all this. The Lock icon is grayed out and Mail only lets us sign email to each other. We are both on Leopard 10.5.8 with Mail app 3.6.

    Anyone know what I might have done wrong? Does one have to get a cert from a Certificate Authority? Can we get one from MobileMe for email encryption (we used to when they first offered the iChat/email cert, but removed the functionality after the first renewal back in 2007)?

    Thanks for any hints!
  • 8. Re: Free SSL certificates?
    Kathylee Level 1 (65 points)
    One more piece of info: we both have MobileMe and therefore have the Apple certificate for iChat encryption, which also says it can be used for digital signatures... could that certificate be the one that is grabbed in Mail instead of the new self-signed cert I created? It's using the same mac.com account...
  • 9. Re: Free SSL certificates?
    thomas_r. Level 7 (27,945 points)
    This is a completely different topic. You will get better answers by starting your own topic rather than trying to ask on an existing topic that does not really address your issue.
  • 10. Re: Free SSL certificates?
    SiRGadaBout Level 3 (605 points)
    I came across this webpage on my own hunt after receiving the same email from Thawte:


    Hope this helps.
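
Added example, not part of any post in this thread: with RSA keys, S/MIME encryption wraps a per-message key to the recipient's public key, which RFC 5280 ties to the keyEncipherment Key Usage bit rather than dataEncipherment. The checker below reads the extension text printed by `openssl x509 -noout -text`; the sample input is constructed to mirror the Key Usage choices listed in reply 7, and the function and variable names are this example's own.

```python
import re

# Constructed `openssl x509 -noout -text` extension output (not real certificates).
# REPLY7_STYLE mirrors the Key Usage choices described in reply 7.
REPLY7_STYLE = """\
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Data Encipherment
        X509v3 Extended Key Usage:
            E-mail Protection
        X509v3 Subject Alternative Name:
            email:user@example.com
"""
WITH_KEY_ENCIPHERMENT = REPLY7_STYLE.replace("Data Encipherment", "Key Encipherment")

def extension(text, name):
    """Return the values printed under an X509v3 extension, or None if it is absent."""
    m = re.search(r"X509v3 " + re.escape(name) + r":[^\n]*\n\s*([^\n]+)", text)
    return [v.strip() for v in m.group(1).split(",")] if m else None

def smime_roles(text):
    """Which S/MIME roles an RSA certificate with these extensions can fill."""
    ku = extension(text, "Key Usage")
    eku = extension(text, "Extended Key Usage")
    san = extension(text, "Subject Alternative Name") or []
    # An absent extension places no restriction on the key (RFC 5280).
    email_ok = eku is None or bool({"E-mail Protection", "Any Extended Key Usage"} & set(eku))
    return {
        "sign": email_ok and (ku is None or "Digital Signature" in ku),
        # Encrypting to this certificate is RSA key transport, i.e. the
        # keyEncipherment bit; dataEncipherment does not cover it.
        "encrypt": email_ok and (ku is None or "Key Encipherment" in ku),
        "addresses": [v[len("email:"):] for v in san if v.startswith("email:")],
    }
```

For the reply-7-style extensions the result allows signing but not encryption; swapping Data Encipherment for Key Encipherment allows both.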