
How to replace THAWTE certificate by VERISIGN certificate

These days millions of users receive an e-mail "Important Thawte® Personal E-mail Certificate Holder Notice - Thawte Personal E-mail Certificates and Web of Trust are being discontinued".

The message comes with a special offer from VeriSign giving you a full year of VeriSign digital certificate for free, which seems to be a fair offer (I think the normal price is around $20 per year).

Enrollment and installation of the new certificate is well described and worked perfectly: you'll end up with a brand-new certificate from VeriSign in your Keychain - BUT...

Mail keeps on encrypting with the old one from THAWTE and Address Book shows in your own record that your mail address is still linked to the old certificate.

Some users will just delete the old one - DON'T DO THIS - because you might find out that all your old encrypted mail that you received earlier won't be readable any longer.

I didn't find a way to select the new certificate for the encryption of outgoing mail and I guess there are thousands of former THAWTE & Mac users who are trying to find the solution.

Who can help?
Jan

Macbook Pro, Mac OS X (10.6.1)

Posted on Oct 14, 2009 1:14 AM

22 replies

Oct 16, 2009 7:43 AM in response to janinspain

There should be three methods:

First, either you revoke your Thawte certificate or you wait for Nov 16th when Thawte does it for you. In principle, once Keychain recognizes that the certificate is no longer valid, Keychain will switch to the new one from Verizon. As long as Thawte is valid there is no problem using it. Once revoked, however, you can never again use it.

Second, if you open Key Chain and you double click on the Thawte certificate then you can edit the trust settings and set them to "Never trust" and Mail will no longer use the certificate for signing. I tried this method and it works. You can always undo your decision and trust the certificate later.

Third, you single click on the triangle next to the certificate, the key symbol appears and then you double click on the key. Here you can change the access to the certificate and remove Mail from the list. I haven't tried this method myself but you can always undo your decision if it doesn't work.

Let me know which one works for you.


Best regards

Valentin.

Oct 16, 2009 8:16 AM in response to Valentin Starke

Dear Valentin,

Thanks for your help.

I logged into Thawte.com and revoked the certificate myself. However - Keychain doesn't seem to notice yet: the certificate is still shown as valid and it was still used to encrypt my mails.

So I switched to method 2 and put it on "Never trust" - this helped a lot: the next mail I sent was perfectly encrypted by my new VeriSign certificate. However: Address Book still doesn't care and shows on my address card/record that my mail address is still linked to the old certificate, even though showing the certificate as not trusted.

So I decided to try solution #3 - which didn't work. When I put the old certificate on trust "System Default" instead of "Never trust" and instead deactivate access for Mail and Safari, Mail still uses the old one - this seems to be a bug.

So for the time being I put my old certificate on "Never Trust" so that new outgoing mail uses the new certificate.

I think Apple and Verisign should do something to make the management of certificates more user-friendly.

Thanks for your help anyway

Jan

Oct 16, 2009 8:32 AM in response to janinspain

Hello ... glad this solved part of your challenge. It's not surprising that Keychain doesn't know yet that the certificate is revoked. My understanding is that the certificate's ID will be published by Thawte after 24 to 48 hours as revoked and only then, during the next check of the status by Keychain, it will notice that it is no longer valid.

I have revoked mine, too, this morning and I wait for it to appear in Keychain.


Best regards

Valentin.

Oct 22, 2009 12:06 AM in response to Joo-Chen

Hello ... Your message is a bit unclear but I will give it a try: Thawte certificates are no longer available. There are many other cert services which are, and normally you should be able to install a new certificate without problems. If you have more than one valid one and you want to force mail.app to use a specific one, then you will find some ideas in this thread. I can confirm that little or nothing has changed on how mail.app uses certificates between 10.6 and 10.6.1 and possibly since Leopard. There is no reason which keeps you from using certificates in 10.6.1.

But ... CACert is not recognized as a Root Authority by Apple. In Keychain this certificate should show as "invalid". My suggestion is you try StartSSL or Comodo which are both recognized by Apple.


Good luck.

Valentin.

Oct 22, 2009 5:03 AM in response to janinspain

Hi Valentin, THAT was the right tip for me. CAcert did not work properly, but the COMODO certificate was a snap. Now it works perfectly. Thanks a lot!

http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

is the URL to get your personal free email certificate. After registration, you get the cert file. It is automatically imported to the keychain when downloaded via Safari. After relaunch of Mail.app, I am able to sign and encrypt my mails. That’s all. 😉

Nov 7, 2009 7:36 AM in response to Valentin Starke

Another way to tackle this issue is to export your 'old' certificates, then remove them from the keychain. Make sure to leave the certificate you'd like to use in the keychain. After this, import your 'old' certificates again. If all went well, Mail.app will now default to the oldest valid (by way of the date it was added to the keychain) certificate.

Nov 17, 2009 5:14 PM in response to Valentin Starke

Does anybody know by what magic OS X is supposed to discover that Thawte has revoked the Freemail certificates before the date specified therein? November 16, the date on which Thawte ceased to issue Freemail certificates, has come and gone, yet, as far as OS X is concerned, all the Freemail certificates that have not yet expired are still valid. Must the Keychain Access | Preferences ... | Certificates be set to something else besides Off, Off and grayed out? Does anybody know for sure how the revocation will work? Will each individual certificate be revoked, or just one which they all trust?

Regards,
Richard

Nov 27, 2009 3:32 AM in response to Richard Liu

At the risk of beating a dead horse -- or, at least, a horse in which nobody seems interested! -- I relate here my experience with my Thawte Freemail certificates after Nov. 16, when they were supposed to have been revoked.

First, there seems to be some confusion about whether Freemail certificates that had not expired by Nov. 16 would be revoked. Thawte's email to Freemail certificate holders clearly states that (a) after Nov. 16 no new Freemail certificates would be issued, (b) Freemail certificates could not be renewed after Nov. 16, and (c) Freemail certificates that are still valid on Nov. 16 would be revoked on that date.

Second, those Mac users who have acquired new certificates to replace their Freemail ones have a real interest in the revocation of their Thawte certificates. For, as long as OS X perceives the Thawte certificates to be valid, Address Book will display them in the user's contact card and the Mail application will use them to sign email. Several solutions have been proposed in these forums.

Manually turning off the Thawte certificates' trust convinces Mail to use the Verisign certificates, but not Address Book. This is more than just a superficial problem. If the first email address on the contact card has an untrusted certificate, then if an appointment with an invitee is created, the next email address with no or a trusted certificate is set as the one to which the invitee will reply. In my case, that meant that the invitation was sent from my personal email address (default in Mail), but, since according to Address Book it had an untrusted certificate, the reply-to address in the invitation was my work email account, which has no certificate.

Some people have suggested deleting the Thawte certificates. That certainly forces Mail and Address Book to use the Verisign certificates, but it also means that emails encrypted with the Thawte certificate can no longer be read. A variation on this theme is to export the certificates, delete them, then import them after the applications have taken notice of the Verisign certificates. I have not tried this. Perhaps it works, but is this compliant with Apple's "it just works" philosophy?

I have asked Thawte support whether the Freemail certificates have in fact been revoked. I have been informed by phone that they have been. I have not been able to confirm this. I have set the Keychain Access | Preferences | Certificates options to "Best Attempt" validation as well as to check if the certificate specifies a URL, and in every case my Freemail certificates as well as all the Thawte certificates from which their trust derives are valid. I can still sign email with those certificates, send the email to myself at work, where we use Outlook, and the infrastructure at work also recognizes the certificate as valid.

So, again I ask: Can anybody who has a Thawte Freemail certificate that expires after Nov. 16 confirm that the certificate has been revoked? Were that to be the case, I would expect that it could no longer be used to sign emails and, if for some reason the Mac did not check its validity, in any case an email client that receives the email would notice the problem.

Regards,
Richard
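The revocation mechanics Richard asks about can be reproduced offline. The following is an added example, not part of any post in this thread: a constructed private CA (the hypothetical "Demo Personal CA", standing in for no real CA) issues an e-mail certificate for a constructed address, revokes that individual certificate and publishes a CRL; with revocation checking switched off the certificate still verifies, and only a checker that consults the CRL rejects it. It assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Constructed demo CA: issue an S/MIME-style leaf, revoke it, publish a CRL,
# then verify the leaf once without and once with a revocation check.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

setup_ca_and_leaf() {
  # Minimal req config so the run does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Personal CA" -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
  # Leaf bound to a constructed e-mail address, like a personal e-mail certificate.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Jan Example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=email:jan@example.invalid\nextendedKeyUsage=emailProtection\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
  # State that 'openssl ca' needs for revocation: empty index, CRL number, config.
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = %s/index.txt\ncrlnumber = %s/crlnumber\ncertificate = %s/ca.crt\nprivate_key = %s/ca.key\ndefault_md = sha256\ndefault_crl_days = 30\n' \
    "$WORK" "$WORK" "$WORK" "$WORK" > "$WORK/ca.cnf"
}

# Revocation is per certificate: the CRL lists this one leaf's serial number.
revoke_and_publish_crl() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Prints "valid" or "rejected". Mode "nocheck" ignores the CRL, as a client with
# revocation checking switched off does; mode "crl" consults it.
check_leaf() {
  crlopts=""
  if [ "$1" = crl ]; then crlopts="-crl_check -CRLfile $WORK/crl.pem"; fi
  if openssl verify $crlopts -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

setup_ca_and_leaf
revoke_and_publish_crl
echo "without revocation check: $(check_leaf nocheck)"   # valid
echo "with CRL check:           $(check_leaf crl)"       # rejected
```

The chain is exactly what a mail client sees: the revoked certificate's signature, dates and trust chain remain intact, so nothing short of a CRL or OCSP lookup distinguishes it from a valid one.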

Jan 10, 2010 7:14 PM in response to Richard Liu

I'm having the same problem. My thawte certificates are still being chosen and used by Mail. I don't seem to be able to get onto the Thawte site to revoke them. I've tried "untrusting" them, but mail seems to still try to use them. I've also tried to remove Mail from the list of apps that can use the certificate, but Mail just keeps asking to use it. I'm at a loss as to what to do next. There doesn't seem to be a way to get Mail to use the Verisign cert.

Jan 11, 2010 1:29 AM in response to janinspain

Hot topic.

I was wondering if there is a way to tell Mail which certificate to use (via CLI or by modifying a plist somewhere). Any clue about this?

From those three solutions Valentin gave us, the 3rd one seems to be the best, but still it is not the correct way to tell Mail which certificate to use. I am really looking forward to Apple adding some way to select manually which certificate to use with a specific email address, in addition to the good defaults it already has. And not only for Mail.

Jan 11, 2010 10:14 AM in response to Arkonova

I have found no way in Apple's Mail app to "select" a certificate when there is more than one valid certificate for an email account. (I could swear that this used to exist, but maybe I'm thinking of Thunderbird).

Here is a fix that I tried and it appeared to work. At least it worked for me, but I don't know if it works for all cases.

I exported my old (still valid) Thawte certificates to a file (actually using Firefox, because I loaded them there as well). I started up Keychain and deleted the Thawte certificates. I then loaded them back into the login keychain. It appears that Mail now picks my Verisign certificates.

I'm guessing that when the Thawte certs were deleted, Mail latched onto the Verisign certs. When I reloaded the Thawte certs, Mail remained locked onto the Verisign certs.

I'm not sure if this does anything for address book certificates (didn't know they had certs), but it worked for me with Mail on a couple of my mac machines.

I still don't know if this will work as MobileMe sync propagates my changes to my other macs. Only time will tell, but at least this MobileMe sync'ed mac is now okay.

I think this is a shortcoming of the Apple Mail tool. I understand that most of the time you will probably only have one certificate, but in this particular situation created by Thawte, it ends up causing problems for the Mail user.
