There are two conversion steps required:
1) Generate a certificate request from the existing key.
2) Get the certificate chain returned by Thawte into a format PGP can import.
Generate Cert Request
Use PGP's built-in CA support to generate the certificate request and a script on a webserver to mail it back to you. You can either use the script I've put up on my server or run it on your own server (mailreq script attached).
[Contact me if you want a copy of this script -- Peter]
- In PGPKeys go to Options/CA
- Enter http://install.sime.com/mailreq.php?to=wot@fugue.org as the CA URL
- Select "Net Tools PKI Server" as the server type
- To get your certificate, go to the Thawte certificate manager
- Use "Paste-in CSR Certificate Enrollment" right at the bottom
- Click through to the "Paste PKCS10 Certificate Here" page
- Note the required common name, something like "dFA7F1w4vmxLxA93"
- Copy this common name to the clipboard (don't close the browser!)
- In PGPKeys, right-click your key and select 'Add/Certificate'
- Edit the "Full Name" field, and paste in the string you copied from the Thawte site
- Submit by clicking OK
- You should now get an email containing your request
- Back in the Web browser, paste the request into the text field
- Submit the Certificate request.
Import the stuff you get back from Thawte
Thawte will return the finished certificate both as a Netscape Certificate chain and as a PKCS7 Certificate chain, neither of which PGP understands. So, some conversion is required - the easiest way is to split the PKCS7 chain into separate certificates and output these in ASCII format - just save them into separate .pem files and import them into PGP (using 'Key/Import' and selecting the .pem files).
To split the PKCS7 chain, either use the attached splitchain.c script [Contact me if you want a copy of this script -- Peter] (requires Peter Gutmann's Cryptlib library) or use the web interface at http://install.sime.com/split.php
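As an added illustration (not Peter's splitchain.c or his split.php, and not from the original page), here is a dependency-free Python splitter for the PKCS7 chain: it walks the DER structure of the SignedData, returns each certificate, wraps it in the ASCII .pem armour PGP's Key/Import accepts, and computes the SHA-1 fingerprint (the value `openssl x509 -noout -sha1 -fingerprint` prints) so the root can be compared against Thawte's. It assumes definite-length DER as IE and Thawte produce (indefinite-length BER is not handled); the sample chain at the bottom is constructed from stand-in certificates, not real X.509 data.

```python
import base64, hashlib

OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2 (signedData)

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it). Definite lengths only."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                         # long form: low 7 bits give the number of length octets
        count = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + n], pos + n

def split_pkcs7(p7_der):
    """Return the DER certificates carried in a PKCS#7 SignedData blob (a .p7b chain)."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _, content_info, _ = read_tlv(p7_der, 0)
    tag, oid, pos = read_tlv(content_info, 0)
    if tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData structure")
    _, signed_data, _ = read_tlv(read_tlv(content_info, pos)[1], 0)
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #   certificates [0] IMPLICIT SET OF Certificate OPTIONAL, crls [1] OPTIONAL, signerInfos }
    pos = 0
    for _ in range(3):                   # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = read_tlv(signed_data, pos)
    tag, cert_set, _ = read_tlv(signed_data, pos)
    if tag != 0xA0:
        return []                        # chain carries no certificates at all
    certs, pos = [], 0
    while pos < len(cert_set):           # each element is one Certificate SEQUENCE
        start = pos
        _, _, pos = read_tlv(cert_set, pos)
        certs.append(cert_set[start:pos])
    return certs

def to_pem(cert_der):
    """ASCII form for PGP's Key/Import: base64 in 64-column lines inside CERTIFICATE armour."""
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sha1_fingerprint(cert_der):
    """SHA-1 over the whole DER certificate, colon-separated as IE and openssl display it."""
    h = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 40, 2))

def tlv(tag, body):                      # short-form DER encoder, only for building the sample
    return bytes([tag, len(body)]) + body

# Constructed sample: two bare SEQUENCEs stand in for certificates (not real X.509), wrapped
# exactly as a certs-only PKCS#7 chain wraps them. Feed split_pkcs7() real .p7b bytes instead.
FAKE_CERTS = [tlv(0x30, b"root-cert-stand-in"), tlv(0x30, b"leaf-cert-stand-in")]
SIGNED_DATA = (tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, OID_SIGNED_DATA[:-1] + b"\x01"))
               + tlv(0xA0, b"".join(FAKE_CERTS)))   # version, digestAlgorithms, encapContentInfo, certs
SAMPLE_P7 = tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, SIGNED_DATA)))
```

Read the .p7b file as bytes, pass it to split_pkcs7(), write each to_pem() result to its own .pem file for PGP, and compare sha1_fingerprint() of the root against the value obtained independently from Thawte or from IE's certificate store.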
You'll want to verify (trust) the Thawte Root Certificate you just imported to your PGP Keyring - here are some ways to do that:
- Download the "Personal Freemail Root" cert from Thawte directly, and compare Key Fingerprint/Key ID. To do this:
- Go to https://www.thawte.com/cgi/lifecycle/roots.exe
- Find the Root entitled "1.Thawte Personal Freemail CA, 1995.12.31 - 2020.12.31" (this should be the right one)
- Download the root in text form, saving as a .pem file
- Import the .pem file into PGP
- Export the Freemail Root certificate from the Internet Explorer Root CA database on your computer, and compare Key ID/Fingerprint. To do this:
- Open Internet Explorer, and select 'Tools/Internet Options/Content/Certificates...'
- In the 'Trusted Root Certificates' section, marvel first of all at how many organisations you trust completely (!), and then select 'Thawte Personal Freemail CA'
- Click 'Export...'
- Either export as a PKCS7 chain and then split it as described above, or export as Base-64 encoded X.509
- Import the resulting file into PGP
Whichever you choose, you should finish by updating signatures from your favourite PGP Keyserver, and check those.
Some final thoughts on the security of this process, especially with regard to using scripts on an untrusted server (i.e. my scripts): none of the steps involved send any Private Key data over the Internet, so your Private Key cannot be compromised.
Consequence of a hostile script in step 1 (mailing the certificate request back to you): the certificate request is self-signed, so a modified request would no longer be valid. A completely new request (different Private Key) would not match your key on import. The script could get your public key, but as the name implies... I don't see any really bad possibilities here.
Consequence of a hostile script in step 2 (splitting the returned Certificate chain): more room for fun here. I could return a completely bogus certificate with equally bogus Thawte Root certificates, thereby getting you to trust my "fake Thawte" certificates.
So, it's absolutely VITAL that you check the validity of the root cert before trusting it!
Once the root cert is OK, the rest of the chain including your personal cert can be trivially checked.