Certificate management

by Ragnar Schierholz

You've probably followed the recent entries concerning the Thawte certification. I have taken the opportunity to have my Thawte certificate notarized and have finally become a notary myself. Thanks to vowe on this occasion! Now, the use of such a thing is rather limited if you keep it to yourself, or keep it only as a file. So I just tried to spread my digital certificate to wherever I think I need it. Not too easy once Lotus Notes is involved, as it turned out.

I want to :

  1. have it in my Mozilla browser (just in case there might be a web site that lets me authenticate with a client certificate)

  2. import it into my Notes ID, so I can use it for signing Internet e-mails

  3. have it in my default contact which resides in my Notes personal address book (so I can send it around when sending my default contact, e.g. via my P800)

  4. have it synchronized to my P800 (compare item 3)

  5. and have it in the Windows certificate store (just to be sure, for any other application that looks it up through the Windows API).

Beyond my PC, of course I want to

  1. have my downloadable vCard include my public key as well, and

  2. for those who only want my public key, have that downloadable separately as a PKCS #7 file.

So, first things first.
Importing the certificates into Mozilla Firefox works like a charm: just click the fetch button on the Thawte website. You'll be prompted for a password, and that's it. Some feedback (like "Certificates successfully installed") would have been nice, but I guess you can't have it all. If you do that on one machine and export the certificate into a *.p12 file, on a different machine you can just go to Tools->Options, select the Advanced tab on the left and scroll down to "Manage certificates...". There you import the file exported earlier. Keep in mind that the *.p12 file contains your private key along with the certificate, so choose a strong export password and don't leave copies of it lying around. Easy... Now I only have to wait for a website where I can authenticate using the certificate. Actually, the exported file comes in handy later.

Importing your Internet certificate into your Notes ID is easy. Just go to File->Security->User Security, select the "Your Identities" tab on the left, select "Your Certificates" and then import the file exported from Mozilla (*.p12). Sending e-mails to other people gives mixed results though, but that seems to be a client configuration issue on the recipients' side. Tests in my vicinity (where I can watch the user open the e-mail) show a signed e-mail message, and they can import the certificate into their system for future reference. Neat!

Now, how to get it into my Notes address book? Consulting the help, I learn that I can only import X.509 certificates into my address book via the "Add sender to address book..." action from my mail. That is, I have to have received a signed e-mail from someone. Besides the fact that I see something of a security issue here (I'd rather download the public key from an SSL-secured server than trust a signature in some e-mail), I now need to send myself an e-mail which is signed with the Internet certificate. Inside my Notes system, all mails are signed with my Notes key, though, so I have to find a workaround. Good thing I have two (Notes) mail accounts in different domains which route mail to each other via the Internet.
Sending the mails back and forth (I want the certificate in two address book records, one for each e-mail address, private and work) and importing the X.509 certificates, I find that Notes selects the address book entry to merge the key into by name, not by e-mail address. Since my names in private and in work life happen to match, I have to cut one document, import the key into the other and then paste the first document back in. You obviously have to think around the corner here. Anyway, after doing so, my two address book entries contain the Internet certificate and I can select it to be used for Internet e-mail encryption. Sending encrypted mail back and forth works like a charm, even though (as expected) iNotes doesn't display the encrypted content. My Notes ID including the X.509 certificates is imported into iNotes, though.

Synchronizing my address book with my P800 does carry over the other fields I changed (as an indicator that the sync actually was performed), but I can't find anything X.509-related in the UI. For now I can't check whether beaming my contact to another device would deliver the public key, but I doubt it. One to-do left for later.

Now I want the certificate in the Windows certificate store. So I open the Control Panel, select Internet Options and in the Content tab (not the Security tab!), I find the button to manage my digital certificates. Again, as in Firefox, I just need to import the *.p12 file and there I go. The import wizard asks whether to mark the private key as exportable; leave that unchecked unless you really need to get the key back out of Windows later, since an exportable key is one that any process running as you can pull out of the store again. And again, I only have to wait for applications that can make use of the certificate I now have there.

So now I can turn my attention beyond my own box. I want anyone to be able to send me encrypted mail and verify my signature. So I need to make my public key available for download, since I am not aware of a public directory where Thawte or anyone else would publish this for me in a way that most people would find it. For contact data, the vCard format is the way to go, as far as I can see. So, I think this should be easy again, since Notes allows me to export my address book entries in vCard 3.0 format.
As a colleague and friend used to say: "Assumption is the mother of all F***-Ups." Notes exports a vCard file, and I did select the "All fields" option, but there is no trace of a public key in the file. Re-importing it into Notes proves that the information was dropped. Damn! So how to create a vCard file that carries the certificate? I checked Tucows.com, one of my preferred shareware sites, but no, nothing simple that seems to help me there.
Having a Windows box, I still have a rarely used copy of Outlook Express installed. A brief check tells me that it can export vCard files as well. So how to get my certificate into my Outlook Express contact? The import dialog wants a *.p7c, *.p7b or *.cer file, and I only have a *.p12 file. Checking with the Windows certificate manager, I find that it allows me to export my public key into such a file (answer "No" when the export wizard asks whether to export the private key; the .cer and .p7b formats are only offered then, and they are the only ones that may be handed out), and I'm done. Exporting my contacts from Outlook Express creates a vCard that looks as desired; at least it contains some X.509 key, and I have no reason to doubt that it is correct. Feel free to check by downloading my vCard.
Just out of curiosity I view the file with Notes... no Internet certificate imported. Well, too bad, one down again for Notes' vCard handler.

One last step: I want the public key alone to be downloadable as well. Since I already created a *.p7b file with the Windows certificate manager earlier, that is the one to put online, and there I go. Check it, if you wish.
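The steps above (export the *.p12 from Firefox, export the certificate alone from the Windows certificate manager, build the *.p7b, get the key into a vCard) done on the command line with OpenSSL, as an added example that is not part of the original post or of any of the products it mentions. It stands in for the Thawte-issued certificate with a throwaway self-signed one (constructed test material), uses placeholder names, addresses and export password, and assumes openssl is in PATH. Beyond what the post does by hand, it adds the check worth running before any of these files goes onto a web server: a classifier that tells a certificate or certificate-only PKCS#7 apart from a PKCS#12 or a bare key, so the file with the private key can never be the one published, and a round-trip test that the vCard KEY property really decodes to the exported certificate (the test Notes' export failed).

```shell
#!/bin/sh
# Added example, not code from the original post or from Thawte/Notes/Firefox: the
# post's file juggling done with OpenSSL instead of the Firefox and Windows dialogs.
#   .p12 (certificate + private key) -> .cer / .p7b (certificate only) -> vCard KEY line
# plus the check you want before uploading anything: proof that the file going onto
# the web server carries no private key.
# Assumptions: openssl in PATH; the Thawte-issued certificate is stood in for by a
# throwaway self-signed one (constructed test material); name, address and export
# password are placeholders for what Firefox wrote into the .p12.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
P12_PASS='demo-export-password'

# Stand-in for "export the certificate from Firefox into a *.p12 file". Also keeps a
# DER copy of the bare key so the classifier below can be shown rejecting it.
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj '/CN=Ragnar Schierholz/emailAddress=demo@example.invalid' \
    -keyout "$WORK/demo.key" -out "$WORK/demo.pem" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/demo.pem" -inkey "$WORK/demo.key" \
    -passout "pass:$P12_PASS" -out "$WORK/demo.p12"
  openssl pkey -in "$WORK/demo.key" -outform DER -out "$WORK/demo.key.der"
}

# Step 1: the certificate alone (-nokeys), i.e. what the Windows certificate manager
# produces when you answer "No, do not export the private key" and pick DER .cer.
extract_cert() {
  openssl pkcs12 -in "$WORK/demo.p12" -passin "pass:$P12_PASS" -nokeys -clcerts \
    | openssl x509 -out "$WORK/public.pem"
  openssl x509 -in "$WORK/public.pem" -outform DER -out "$WORK/public.cer"
}

# Step 2: a certificates-only PKCS#7 (.p7b), the download format the post ends up with.
make_p7b() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/public.pem" -outform DER -out "$WORK/public.p7b"
}

# Classify a DER file as x509-cert, pkcs7, pkcs12, private-key or unknown.
# Certificates and PKCS#7 are recognised by OpenSSL's own parsers. PKCS#12 (PFX) and
# bare private keys both open with an INTEGER version field (3 for PFX; 0 or 1 for
# PKCS#8, PKCS#1 and SEC1 keys), which asn1parse shows as the second element.
der_kind() {
  openssl x509  -inform DER -in "$1" -noout 2>/dev/null && { echo x509-cert; return 0; }
  openssl pkcs7 -inform DER -in "$1" -noout 2>/dev/null && { echo pkcs7; return 0; }
  second="$(openssl asn1parse -inform DER -in "$1" 2>/dev/null | sed -n 2p)"
  case "$second" in
    *INTEGER*:03*) echo pkcs12 ;;
    *INTEGER*)     echo private-key ;;
    *)             echo unknown ;;
  esac
}

# Gate for the upload step: only public material passes.
assert_publishable() {
  kind="$(der_kind "$1")"
  case "$kind" in
    x509-cert|pkcs7) return 0 ;;
    *) echo "refusing to publish $1: it is $kind, not a public certificate" >&2; return 1 ;;
  esac
}

# Step 3: vCard 3.0 carrying the certificate as a KEY property (RFC 2426, 3.7.2):
# base64 ("ENCODING=b"), TYPE=X509, lines folded at 75 octets with one leading space
# on each continuation line, CRLF line ends. This is the property Notes' export dropped.
make_vcard() {
  b64="$(openssl base64 -A -in "$WORK/public.cer")"
  cr="$(printf '\r')"
  {
    printf 'BEGIN:VCARD\r\nVERSION:3.0\r\n'
    printf 'N:Schierholz;Ragnar;;;\r\nFN:Ragnar Schierholz\r\n'
    printf 'EMAIL;TYPE=INTERNET:demo@example.invalid\r\n'
    printf 'KEY;ENCODING=b;TYPE=X509:%s\n' "$b64" | fold -w 74 | sed "2,\$s/^/ /;s/\$/$cr/"
    printf 'END:VCARD\r\n'
  } > "$WORK/contact.vcf"
}

# The check Notes failed: read the KEY back out of the vCard (unfolding continuation
# lines) and make sure it is exactly the certificate that went in.
vcard_key_matches() {
  from_vcard="$(tr -d '\r' < "$WORK/contact.vcf" | awk -F: '
    /^KEY;/       { key = $2; inkey = 1; next }
    inkey && /^ / { key = key substr($0, 2); next }
                  { inkey = 0 }
    END           { print key }')"
  [ -n "$from_vcard" ] && [ "$from_vcard" = "$(openssl base64 -A -in "$WORK/public.cer")" ]
}

make_demo_p12
extract_cert
make_p7b
make_vcard
for f in demo.p12 demo.key.der public.cer public.p7b; do
  printf '%-13s %s\n' "$f" "$(der_kind "$WORK/$f")"
done
assert_publishable "$WORK/public.p7b" && echo "public.p7b: safe to put online"
assert_publishable "$WORK/demo.p12"   || echo "demo.p12: blocked, as it should be"
vcard_key_matches && echo "contact.vcf: KEY decodes to the exported certificate"
```

Run it as a script; it prints each file's classification and the outcome of the upload gate. To use it on a real export, set P12_PASS to the password chosen in Firefox and replace make_demo_p12 by copying the real *.p12 into the work directory as demo.p12. The classifier deliberately relies on OpenSSL's own parsers for the two acceptable formats and only falls back to structural inspection for the ones it must refuse.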

In conclusion, I'd say almost everything met my expectations. Notes had some difficulties handling the certificate and showing it more or less automatically where I wanted it, except for the import into the ID. But as I said, keeping it to myself kind of spoils the idea. The remaining parts worked, but still required a significant amount of manual work, except for the import into the browser. In IE there are a couple more dialogs than in Firefox, but it still works smoothly.
In general, though, I must say that it was still a somewhat lengthy procedure, and if PKI is supposed to spread wider among average users, it needs to become a lot simpler to handle!


Excellent set of instructions. I have linked to this as well from my thawte Notary page on my site.

Thanks Ragnar and Volker.

Rocky Oliver, 2005-01-10

Thanks for your commendation.
I'll probably put up a slightly extended version on my own site sometime soon, including screenshots and the like. I've had some experience with the process at the office when helping a colleague.
Obviously, the instructions are not that excellent when it comes to people who don't know that much about certificates (and the guy I'm talking about is certainly an excellently skilled IT professional and Domino administrator. It's just that Domino makes these things so easy, your admin hardly has to worry about them ;-).
Once I find the time, I'll link to the reworked instructions here.

Ragnar Schierholz, 2005-01-10

Oh, and by the way: thawte is not only "a certification agency that is similar to Verisign", it is actually owned by VeriSign. => See the thawte timeline.

Ragnar Schierholz, 2005-01-10

OT: Now, that was a surprise. Posting the "Oh, by the way", I was prompted with exactly the same number for the human-reader proof that I already had when posting the previous comment. Now THAT is a coincidence...

Ragnar Schierholz, 2005-01-10

Thanks for the info, Ragnar. I updated my site.

Rocky Oliver, 2005-01-10

Rocky, actually I am not too sure how soon X.509 certificates will be a cure for spam. Reading your site, I thought maybe I should tell all the contacts in my address book to become certified as well. Besides the benefit that I would have plenty of people to notarize and thus could quickly give 35 points, that would allow me to put any unsigned e-mail in my folder "junk mail", to be checked (and, at least currently, most of the time deleted unread) when I find the time.
But then I see that quite a number of my contacts actually use web-based free-mail accounts. And from what I assume for now (until I've been proven wrong in multiple cases), most web-based e-mail accounts can't send signed e-mails. As I wrote, iNotes can't either, and that one even claims to be a professional, commercial e-mail application. Until recently, I would even have gone so far as to say they probably can't even display that a message is signed at all, nor check the signature and the certificate for validity. At least the first part of that I must reveal now: I've seen web-based free-mailers who can at least show that a message is signed and the signature is OK. Whether they actually check the CRL for the certificate's validity I don't know; I don't have a revoked certificate to check that. But I know that even Firefox had to be told to check and update CRLs periodically.
Thus, the majority of folks (at least those with no IT background) would be excluded and, to be honest, I don't think the systems are easy enough to use for the average "I only want it to work, and so easily that I can handle it" user. (And I think I know what I'm talking about; I'm taking care of the machines of such a user from upper management...)
But no doubt, if we all work on spreading certificates in our environment, we'll get there eventually.

Ragnar Schierholz, 2005-01-11
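The revocation question raised in the comment above, worked through with OpenSSL as an added example (not code from the original post, its comments, or any product mentioned there): a throwaway CA (constructed test material, placeholder names and addresses) issues two S/MIME signer certificates, revokes one and publishes a CRL. The script then shows the difference between a verifier that only checks the signature and the chain and one that also consults the CRL: the revoked signer's message still verifies for the former. It assumes openssl is in PATH and uses only the openssl command-line tool, standing in for the mail clients discussed.

```shell
#!/bin/sh
# Added example, not code from the original post or any product it mentions. Builds the
# revoked certificate the comment above lacks: a throwaway CA (constructed test material)
# issues two S/MIME signer certificates, revokes one, publishes a CRL, and then compares
# a verifier that skips the CRL with one that consults it.
# Assumptions: openssl in PATH; names and addresses are placeholders.
set -eu

CA="$(mktemp -d)"
trap 'rm -rf "$CA"' EXIT

# Minimal config for "openssl ca": revoking and issuing CRLs only needs a database and a
# CRL number file (the certificates themselves are issued with "x509 -req" below).
setup_ca() {
  cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $CA/index.txt
crlnumber        = $CA/crlnumber
default_md       = sha256
default_crl_days = 1
EOF
  : > "$CA/index.txt"
  echo 01 > "$CA/crlnumber"
  # A CA certificate must say so (basicConstraints) and be allowed to sign certs and CRLs.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Notary CA' \
    -keyout "$CA/ca.key" -out "$CA/ca.csr" 2>/dev/null
  openssl x509 -req -in "$CA/ca.csr" -signkey "$CA/ca.key" -extfile "$CA/ca.ext" \
    -days 2 -out "$CA/ca.pem" 2>/dev/null
}

# Issue an end-entity certificate for one mail user: issue_cert <name> <email>
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1/emailAddress=$2" \
    -keyout "$CA/$1.key" -out "$CA/$1.csr" 2>/dev/null
  openssl x509 -req -in "$CA/$1.csr" -CA "$CA/ca.pem" -CAkey "$CA/ca.key" \
    -CAcreateserial -days 2 -out "$CA/$1.pem" 2>/dev/null
}

# Revoke one certificate and issue the CRL that announces it: revoke_and_publish_crl <name>
revoke_and_publish_crl() {
  openssl ca -config "$CA/ca.cnf" -cert "$CA/ca.pem" -keyfile "$CA/ca.key" \
    -revoke "$CA/$1.pem" 2>/dev/null
  openssl ca -config "$CA/ca.cnf" -cert "$CA/ca.pem" -keyfile "$CA/ca.key" \
    -gencrl -out "$CA/crl.pem" 2>/dev/null
}

# Status of a signer certificate for a verifier that insists on a CRL (-crl_check).
# Prints valid | revoked | no-crl.   Usage: signer_status <cert.pem> [crl.pem]
signer_status() {
  if [ $# -ge 2 ]; then
    out="$(openssl verify -crl_check -CAfile "$CA/ca.pem" -CRLfile "$2" "$1" 2>&1 || true)"
  else
    out="$(openssl verify -crl_check -CAfile "$CA/ca.pem" "$1" 2>&1 || true)"
  fi
  case "$out" in
    *'certificate revoked'*)           echo revoked ;;
    *'unable to get certificate CRL'*) echo no-crl ;;
    *': OK'*)                          echo valid ;;
    *)                                 echo "error: $out" ;;
  esac
}

# What a client does that verifies signature and chain but never fetches the CRL:
# returns 0 (signature accepted) even for a revoked signer. Usage: <name>
sign_and_verify_without_crl() {
  printf 'Subject: test\r\n\r\nsigned mail body\r\n' > "$CA/msg.txt"
  openssl smime -sign -in "$CA/msg.txt" -signer "$CA/$1.pem" -inkey "$CA/$1.key" \
    -out "$CA/$1.smime"
  openssl smime -verify -in "$CA/$1.smime" -CAfile "$CA/ca.pem" -out /dev/null 2>/dev/null
}

# Same message, but the verifier has the CRL (loaded from the CAfile bundle) and asks
# for -crl_check: returns non-zero for the revoked signer. Usage: <name>
sign_and_verify_with_crl() {
  cat "$CA/ca.pem" "$CA/crl.pem" > "$CA/ca-and-crl.pem"
  openssl smime -verify -in "$CA/$1.smime" -CAfile "$CA/ca-and-crl.pem" -crl_check \
    -out /dev/null 2>/dev/null
}

setup_ca
issue_cert alice alice@example.invalid
issue_cert bob bob@example.invalid
revoke_and_publish_crl bob
for who in alice bob; do
  echo "$who: without CRL: $(signer_status "$CA/$who.pem"); with CRL: $(signer_status "$CA/$who.pem" "$CA/crl.pem")"
done
sign_and_verify_without_crl bob && echo "bob's signature accepted by a client that skips the CRL"
sign_and_verify_with_crl bob    || echo "bob's signature rejected once the CRL is consulted"
```

The point the comment circles around is visible in the last two lines: a mail client that stops at "signature OK, chain OK" accepts bob's mail, and only a client that obtains and honours the CRL rejects it. Note that -crl_check alone yields "unable to get certificate CRL" rather than "valid" when no CRL is available, which is the behaviour you want from a client that takes revocation seriously.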

