Skip navigation
This discussion is archived

How to replace THAWTE certificate by VERISIGN certificate

10206 Views 22 Replies Latest reply: Jan 30, 2010 9:43 AM by Richard Liu RSS
  • kae Calculating status...
    I have found no way in Apple's Mail app to "select" a certificate when there is more than one valid certificate for an email account. (I could swear that this used to exist, but maybe I'm thinking of Thunderbird).

    Here is a fix that I tried and it appeared to work. At least it worked for me, but I don't know if it works for all cases.

    I exported my old (still valid) Thawte certificates to a file (actually using Firefox, because I loaded them there as well). I started up Keychain and deleted the Thawte certificates. I then loaded them back into the login keychain. It appears that Mail now picks my Verisign certificates.

    I'm guessing that when the Thawte certs were deleted, Mail latched onto the verisign certs. When I reloaded the Thawte certs, Mail remained locked onto the Verisign certs.

    I'm not sure if this does anything for address book certificates (didn't know they had certs), but it worked for me with Mail on a couple of my mac machines.

    I still don't know if this will work as MobileMe sync propagates my changes to my other macs. Only time will tell, but at least this MobileMe sync'ed mac is now okay.

    I think this is a short coming of the Apple Mail tool. I understand that most of the time you will probably only have one certificate, but in this particular situation created by Thawte, it ends up causes problems for the Mail user.
    Mac OS X (10.6.2)
  • tiffert Calculating status...
    Currently Being Moderated
    Jan 19, 2010 10:59 PM (in response to kae)
    Kae's suggestions worked for me too on 10.6.2.
    2.4Ghz MacBook Late 2008, Mac OS X (10.5)
  • Arkonova Calculating status...
    It works.

    But it is not the solution if you have more than one valid certificate for an email address. Apple should really add a way to select which cert to use in Mail prefs. Or maybe better: session wide for a given email.
    Mac Book Pro 15'' Unibody, Mac OS X (10.5.8)
  • kae Level 1 Level 1 (105 points)
    I'm glad it works for people, but I agree with Arkonova.

    It's a total kludge at best and could stop working at any time. If some apple "patch" is loaded which changes the "selection criteria" (whatever that is), the party could be over and we'd be back in the same situation.

    I contacted Thawte and their response was: "Your Thawte Personal Email Certificate has been revoked on 16 November 2009 on the same date that we stop offering Thawte Personal Email Certificates".

    What I don't understand is how to I tell my machine that those are revoked?

    Shouldn't I be able to download a "revoke" token or when the certificate is checked shouldn't it return "revoked" or something?

    It's like either Apple isn't checking certificates for "revocation" or maybe Thawte isn't listing the "revocation" or maybe I don't know how this works at all. It's probably the latter, but if someone knows, I would love an explanation or a link to a web page that has an explanation of how this revocation process works.
    Mac OS X (10.5.8)
  • vzaliva Calculating status...
    Arkonova wrote:
    Hot topic.

    I was wondering if there is a way to tell Mail which certificate to use (via CLI or by modifying a plist somewhere). Any clue about this?

    I found it! In Keychain "File" menu select "New Certificate Preference".
    MacBook Pro, Mac OS X (10.5.4)
  • kae Level 1 Level 1 (105 points)
    What app is this in? Is it the "Keychain Access" app? I looked on the file menu and I don't have a "New Certificate Preference". Can you give more information?
    Mac OS X (10.5.8)
  • vzaliva Level 1 Level 1 (0 points)
    yes, it is in Keychain Access app. You need to select a certificate to see this menu.
    MacBook Pro, Mac OS X (10.5.4)
  • Richard Liu Level 1 Level 1 (45 points)

    Been there, done that ... either I don't understand what this option does, or it isn't working. I go to the Verisign certificate, click "New Identity Preference" and specify the email address for which Mail is still using the Thawte certificate. Then I send a signed email to one of my other accounts and examine the certificate with which it was signed. It's the Thawte certificate. Address Book is also still displaying the Thawte certificate next to the email account on my card.

    MacBook Core 2 Duo 2 GHz, MacBook Pro Core 2 Duo 2.93 GHz 17" glossy screen, Mac OS X (10.5.8), 4GB RAM
1 2 Previous Next


More Like This

  • Retrieving data ...

Bookmarked By (0)


  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.