David's World

Once you have enough trust-points, you will need to get a new certificate from Thawte. The first certificate they give you has no name it, because they couldn't verify your name. The new one
demonstrates that they believe your name to be authentic, not just your e-mail address.

However, the way Thawte is set up, it seems to generate a new secret/public key pair for a new
certificate. That is annoying, because you'll get encrypted e-mail from people that don't have your new public key yet - and you can't decrypt it. The other problem is that Thawte has the possibility of retaining your secret key, which is a big no-no, of course, as they - or some intelligence agency - could read your e-mail. Let's not be paranoid: Thawte is a company from South Africa, so it's not a US company within easy reach of CIA and NSA. But either way you want to guard your secret key closely, and keep it on your machine at all times.

I found this tutorial by Daniel Baker, who thankfully figured out how to generate a public/secret key pair locally with the openssl command, without going through Thawte's key generation process. Then, the public key is sent to Thawte using their special developer's option, and they sign it for you. It is sent back, needs to be post-processed a little and can then be imported into your own system. Daniel describes the process for Mac OS X, but it should work with little modification for Linux, and in principle on Windows, too.

There is one caveat I noticed on OS X 10.3. You may want to request multiple certificates using the same key pair: one for each e-mail address. (I use the same public/private key to reduce clutter.) However, when you import the certificates into your OS X keychain, it will complain that "the item already exists in your keychain". It will refuse to import any certificates but the first one. The reason for that seems to be that the final certificate file always contains a copy of the secret key that is being certified, and OS X detects that this key is already present in the key chain. Unfortunately, it abandons the whole import!

The solution to this is to bundle all certificates for import, as follows. Suppose you have three e-mail addresses and request one certificate for each. Download your certificates with Thawte and modify the files with a text editor as described in Daniel's tutorial. I assume you name them in thawte-cert-email-A.txt through -C.txt. The next step is to convert the certificates with the following command - however, output all of the results into the same file:

openssl pkcs7 -print_certs -in thawte-cert-email-A.txt >deliver.certs
openssl pkcs7 -print_certs -in thawte-cert-email-B.txt >>deliver.certs
openssl pkcs7 -print_certs -in thawte-cert-email-C.txt >>deliver.certs

Then, convert the resulting certificate to pkcs12 binary format for the key chain:

openssl pkcs12 -export -inkey mail.key -in deliver.certs -out mail.p12

I assume, the file mail.p12 now contains your key pair, Thawte's root certificate and a certificate for each e-mail address.
You should now use Keychain Access (find it in /Applications/Utilities/) to move your 'secret key' to an extra key chain. I recommend keeping it there, because you might get e-mail encrypted to your old key which you will want to decrypt at some point. Look for an entry of type 'private key'. Here's what that should look like:

Create a new key chain, give it meaningful name - such as 'old keys' - and drag&drop the private key there. It's a good idea to move your public key and the old certificate - if you have one - for this key pair too.

You can then import it into the keychain by saying open mail.p12

Keychain Access will ask you, where to import it, and not complain about importing something that already exists. That's it!

A final tip: I recommend you back up your key pair (file mail.key) and the certificate file mail.p12 in a safe place.