Valid HTML 4.01!

Securing Thunderbird Email Using Free Thawte Certificates
by Robert J. Leinweber of VT&MS (Email  for more information)
V1.02 (December 27, 2004 - 18:43:35)
Copyright (c)2004 - 2005 Vuulf Technical & Multimedia Solutions


License

This document may be reproduced and distributed in whole or in part, in any medium, physical or electronic, provided that this license notice and the original author's name are displayed in the reproduction. Commercial redistribution is permitted and encouraged. Thirty days' advance notice of redistribution, via email to the author, is appreciated, to give the author time to provide updated documents.


Disclaimer

The author has tried to maintain complete accuracy but this document is provided "as is" and without warranty. You use the information contained within this article at your own risk. In no event shall the author or Vuulf Technical & Multimedia Solutions be liable for any damages resulting from the interpretation or use of this work. All opinions expressed are those of the author of this article and do not necessarily reflect those of Vuulf Technical & Multimedia Solutions.


Note: This document assumes you are using Windows 2000, Windows XP or Windows 2003 as your operating system, and that Internet Explorer 6.x is your default browser. Using an alternate browser such as Mozilla or Mozilla Firefox for the export and import of the certificate is roughly the same procedure. Since IE is still the most used browser on the Windows platform, and is almost certainly installed on your Windows machine, I felt that I should start here and provide revisions for other browsers (Mozilla, Mozilla Firefox and Opera) as separate articles that will be available soon. Special notes on the Windows XP SP2 security enhancements are at the bottom of this page.


1 - Getting Started

First you will need to create a Thawte Freemail Email Signature Account. You can get one HERE. You will be required to give one piece of personally identifiable information to show that you are who you say you are. This is not an effort on Thawte's part to collect personal information to use or sell for advertising; it simply validates that you at least appear to be telling the truth about who you are. Acceptable identification varies by area, but generally a social insurance number, tax identification number, driver's license number, credit card number, etc. may be used. You need to provide only one. While I trust Thawte implicitly, you should always use your own discretion about whom you give your personal information to. It is a good idea to at least cursorily check that an Internet site you are giving personal information to has a good reputation, for example by searching for its name in Google or another search engine. Once you are satisfied that Thawte is a trustworthy company, follow the on-screen instructions to create and set up your account, verifying your email address where required.

Once you are a member, sign into your account. Navigating Thawte can be a bit daunting to the first-time user, and there are a lot of nice features and extra things to explore. You need not be a member of the WoT (Web of Trust) to get an email certificate, but it is a good goal to aspire to. The biggest problem with the WoT is that many of the individuals who volunteer as WoT Notaries are in obscure areas, and it is as yet hard to find one in every home town. Some of them charge a fee and some do not. If you really want to become WoT certified and cannot reach a WoT Notary, you can instead have three separate people such as a bank manager, judge, etc. (see the complete list of acceptable validators at Thawte) witness who you are; however, this generally means paying a fee to those individuals.


2 - Requesting a Certificate
(Note: See the note at the end of this page for more information on Windows XP SP2 security enhancements)

Now that you are logged in to your new Thawte account, click Certificates in the leftmost column. Here you can request a new certificate, view existing certificates, or revoke certificates you no longer need, for example one for an email address you no longer have. Since you are a new user, let's create your first certificate by clicking Request a New Certificate.

The first screen that comes up will offer you two types of certificates. The X.509 Certificate is the type we are looking for here. The second variety is for developers who are writing new software that uses certificates and is meant for testing purposes. Click Request. This will pop open a small window. Make sure that the browser selected on the screen is the one you are using and then click Request. Unless you are certified by the WoT you will not be able to select any employment information. Just leave the default of "No Employment Information Available" selected and hit Next. The next screen, pertaining to strong extranets, is beyond the scope of this article and is not covered here; chances are you would simply hit Next here, which you can do. The following screen will allow you to customize your certificate, though no customization is required for this tutorial, so you can hit Accept. I would strongly suggest that you do not customize your certificate unless you understand what you are doing. On the next screen you choose the Cryptographic Service Provider (CSP) that will generate and store your key pair. The private key is generated locally by that provider and never leaves your machine; only the public key goes to Thawte in the request. I usually stay with either the default (Microsoft Enhanced Cryptographic Provider) or use the Microsoft Strong Cryptographic Provider. For this demonstration I will stay with MS Enhanced. Not all providers are available in all areas. You can learn more about each provider and its keys by searching for the name of the provider in Google. Select your provider and hit Next.

After hitting Next, Internet Explorer may alert you to a Potential Scripting Violation, explaining that Thawte is requesting a certificate on your behalf. If you see this, click Yes to allow the procedure to continue. Following that you will be prompted by the Windows CryptoAPI, explaining that a protected item is being accessed by your browser; this is the key store where your new private key is kept. It is safe to hit OK here. Finally you will see a confirmation screen. When you are satisfied with the certificate, click Finish. You can now close all of your browser windows.


3 - Qualifying and Installing a Certificate

Open your mail client, probably Thunderbird if you are reading this document ;) You should receive an email from Thawte with the subject: Certificate Requested. This is just an informational letter confirming that your certificate is being generated. Generation can take from 2 minutes to an hour, depending on how busy the Certificate Authority servers are. When your certificate has been successfully generated you will receive another email from Thawte with the subject: Thawte Personal Cert Issued. When visiting the URL referenced in the email you must use the same browser, on the same machine, as you did in the steps above, because that is where the private key matching the certificate was generated and stored; the certificate is useless anywhere else. If IE is your default browser, click the link and sign in to Thawte. However, if you are only using IE to follow this tutorial and a different browser is set as your default, select and copy the URL and then paste it into a new IE browser window.

Now we can install the certificate into your browser. To do this, simply click Install Your Cert after following the URL and signing in as mentioned above. Again you may get a Possible Scripting Violation prompt, and again we can hit Yes to proceed, which you may have to do several times. Finally, a window will tell you that your certificate has been installed. You now have a certificate that we can use to sign and encrypt email with in Thunderbird, but we still have to get the certificate and its private key over there. Close all of your browser windows so that your session with Thawte is ended.


4 - Export a Certificate

Open your Internet control panel by opening Start-->Control Panel-->Internet Options. On the Content tab click the Certificates button. On the Personal tab of the new window you should see a new certificate called "Thawte Freemail Member", issued by "Thawte Personal Freemail Issuing CA", with an expiration date one year from the date of issue. Select that certificate. If you would like to view the certificate to ensure it is the right one, hit View; your email address is shown in the Subject field on the Details tab. When finished viewing, close the certificate window. Now click the Export button. An Export Wizard should pop up and you simply need to hit Next. Here we have to ensure that the key pair is exported and not only the public certificate. Make sure the radio button is set to "Yes, export the private key" and then click Next. The PKCS #12 (.PFX) export format is selected automatically. Since we have IE 6 on something newer than Windows NT 4 SP4, we can check Enable Strong Protection and then click Next. Next you are asked for a password for the file. It only protects this one file, which we will delete when finished with this article, so a simple one like 1234 will do for the walk-through; but bear in mind that the file contains your private key, and anyone who obtains it and guesses the password can sign as you, so if there is any chance the file will linger, choose a real passphrase. Finally, we can Browse to where we want to store the exported certificate. A good place is the Desktop, so that it is both easy to find and you remember to delete the exported key pair when finished. Name the file, hit Next and finally hit Finish. Another protective measure should pop up warning you of access to the key store. Click OK. Click OK again and close all of the Internet Options windows. On your desktop you will see what looks like an open envelope with a key and a certificate on it. We are finished with the export.


5 - Import a Certificate

Now we need to bring the certificate into Thunderbird. Open Thunderbird and go to Tools-->Options and call up the Advanced panel. Click the button marked Manage Certificates and make sure you are on the tab marked Your Certificates. Click the Import button at the bottom, then browse for and open the PFX file we saved to the Desktop. You will have to type in the master password for Thunderbird. (If you haven't created one yet, it will instruct you to type a new password.)

A special note on the creation of your master password: keep in mind that you will have to type this password in when you send the first signed or encrypted email in a Thunderbird session. You will not have to do this for subsequent emails as long as you don't exit Thunderbird, but if you exit Thunderbird, you will have to type the master password again when you send your first signed email the next time you run it. While this may seem like a pain, it is actually a nice security feature that helps to keep unauthorized people from sending email signed with your certificate. You should use a strong password, but something that is easy to remember, like a combination of your favourite movie and when your pet Chihuahua was born :)

Now you will be asked for the password you used when you saved the PFX file to the Desktop (1234 was the example I used above). Voila! Your certificate is now installed in Thunderbird and there is only one more step to do! (WHEW!) Close all of the Options windows that are open with an affirmative response.

6 - Assigning a Certificate

Now we have to set up the signature so that it is applied to the right email account. As Thunderbird can have unlimited accounts, and Thawte will provide you with unlimited certificates, you can apply a certificate to each account. Working with multiple certificates can be frustrating if you are not WoT certified, because all of your certificates carry the same name, "Thawte Freemail Member"; the only thing that distinguishes them is the email address in the certificate's subject. Make sure you apply the right certificate to the right email address. For example, don't sign mail from joe@someisp.net with a ray@otherisp.com certificate, as it will result in the mail not sending.

The first thing we need to do is open your Account Settings. Hit Tools-->Account Settings and find the account we will be working with. If there is a plus beside the account's name, click the plus to open the tree; otherwise you will see "Security" in the tree below the account name. Click Security in that tree and the panel will change to the Security view. Click Select and this will allow you to select the certificate used to sign mail sent from this account. The first certificate in the list is shown and you should see something similar to:

Issued to: E=xxxxxxxx@xxxxxxxxxxxxx.xxx,CN=Thawte Freemail Member
Serial Number: xx:xx:xx
Valid from xx/xx/xx xx:xx:xx AM to xx/xx/xx x:xx:xx AM
Purposes: Sign,Encrypt
Issued by: CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA
Stored in: Software Security Device

The x's are filled with your information. The address after "Issued to: E=" must be exactly the email address of the account you are applying this certificate to. Select your certificate and then hit OK. It will ask you if you want to use the same certificate for encryption. This is entirely up to you. If you say Yes, mail encrypted to you will be encrypted to the same key; if you prefer to have two certificates, say No, follow the directions above to get a second certificate for the same email address, and select that one. For the ease of this article, let's say Yes to using the same certificate for encryption. We are now back at the Security options.

Under Security Options you can choose to digitally sign all of the email that this account sends. This is safe to do, and I employ this tactic with all of my email accounts (see the note about Hotmail in the FAQ). The signature lets the recipient check two things: that the message came from the holder of your private key, and that it was not altered in transit. If you send an email to Jane and someone or something tampers with it between your sending it and her receiving it, Jane's mail client will warn her that the signature is invalid and the email may have been changed. If it hasn't been tampered with, the email simply displays as normal with a valid-signature indicator. Note that her client must trust the issuing CA for the signature to show as valid (the Thawte Personal Freemail CA is included in the built-in root stores of Thunderbird and Windows), and that a signature is not encryption: it does nothing to hide the content. Under Encryption you will see a pair of radio buttons. You should always (!!!) leave this set to Never. The only time you would change this to Required is when everyone you email from this account has a certificate of their own, such as in an office, SIG or similar setting. Encryption only works if the person receiving the email has a certificate of their own, because the message is encrypted to the recipient's public key (Thunderbird also encrypts a copy to your own certificate so that you can still read the message in your Sent folder). What we should have selected on this panel before we proceed is a check in Always Digitally Sign and Never for encryption. Hit OK and let's test this puppy out!


7 - Testing a Certificate

Create a new email using the account you just assigned a certificate to. Address it to yourself and send it. When you get this test mail back you should be able to see that the email is digitally signed by clicking View-->Message Security Info. You will also be able to see whether the email was encrypted, and view the signing certificate to ensure that it is valid. Try the same after applying encryption to an email. After testing and ensuring your signature has worked to your satisfaction, delete the PFX file that you exported to your desktop; if you are security conscious, use a secure deletion tool such as Wipe Info, because the file contains your private key. Before you do, consider one thing: the private key now lives only in Thunderbird's profile (and, until you remove it, in IE's store). If that profile is lost, every message that was encrypted to this certificate becomes permanently unreadable, so if you intend to receive encrypted mail, keep one copy of the PFX, under a strong password, on offline media that you control. Also for the security conscious, you may delete the certificate that you imported into Thunderbird from the certificate store in IE, so that the private key exists in only one place. Simply open Internet Options and delete the entry from the Personal store, using step 4 as a guide to navigating to that location if you don't remember where it was.

Very cool! We are done!

8 - F.A.Q.

I don't want to sign this message, do I have to change my account settings?

No. Click the small down arrow beside the lock on your toolbar. If you don't have the lock on your toolbar, the same options are available in the Options menu under Security. Remove the check mark from the "Digitally Sign This Message" option and your email will not be signed. This is not a sticky option, so the next email you send will be signed again. If you want only the messages you choose to be digitally signed, edit the security settings for the account, removing the Always Sign check mark, and then use the arrow or the menu to sign only those messages that you want to.

I don't want to encrypt this message, do I have to change my account settings?

No. Click the small down arrow beside the lock on your toolbar. If you don't have the lock on your toolbar, the same options are available in the Options menu under Security. Change "Encrypt This Message" to "Do Not Encrypt This Message". You should always keep your account settings set to never encrypt email messages by default unless everyone you email has a compatible certificate.

When sending my email I get an error that says: "Sending of message failed. You specified encryption for this message, but the application failed to find an encryption certificate for joeblow@someisp.com" What's up here?

The person you are sending the email to does not have a compatible certificate, or Thunderbird does not have a copy of it. Encryption is done with the recipient's public key, so both you and the receiver must have a certificate, and Thunderbird must have seen theirs: it stores the certificate from any signed message they have sent you (under Other People's in Manage Certificates), so the usual fix is to ask them to send you a signed email first.

My friend says that Outlook Express always displays a screen that explains Digital Signatures, how can I stop that from happening?

Don't sign your email, or become a proactive Thunderbird supporter and tell them to download their copy today! ;) Seriously, though, they can get rid of this by putting a check in the box that dismisses the message from showing again, unless, of course, a message has been tampered with.

My friend says that all of my messages have a black screen before they see the email, or they see a warning about an invalid signature, what's going on?

An invalid signature means that the message your friend's client received is not byte-for-byte what you signed. The most common cause is not an attacker but mail software along the path modifying the message: a gateway that appends a disclaimer or footer, a mailing list that rewrites the body, or a server that re-encodes line endings or character sets will all break the signature. Hardware faults and deliberate interception of your email before it reaches the mail server are also possible. The same warning also appears when the recipient's client does not trust the issuing CA, so have them look at the details of the security warning before assuming tampering. If it happens repeatedly with one recipient or one route, at a bare minimum phone your ISP and let them know what is going on. Chances are a mail server or gateway along the way is altering the messages, but that is not always the case, and this is something that should not be ignored.

My friends on Hotmail keep asking me why I keep sending them an "smime.p7s" attachment with no email content. It seems to only happen when I sign email messages, is Thunderbird broken?

Hotmail is broken {:> For some strange reason, Hotmail does not support digitally signed email. When sending email to someone on Hotmail, make sure that you have removed the digital signature. It is a personal aspiration of mine to make Hotmail support digital certificates. Even my ISP's webmail software supports digital signatures, so why not Hotmail? If you want to send signed email to a web-based Hotmail user, know that they will have to download a reader to handle the file. An alternative is to ask the recipient to save the attachment to their desktop and change the file type to a text file by changing the extension from .p7s to .txt. While this will convert the message to plain text, they will at least be able to read the email. Do note, however, that this will not work with multi-part email, nor will it work for encrypted email. The best thing to do is to loudly complain to Hotmail for not implementing a feature to recompose a signed message, which is a simple task. It is the author's personal opinion that a company the size of Hotmail, an offshoot of Microsoft, not supporting a security-enhancing feature like digital signatures and encryption is ridiculous: an effort in sheer idiocy and a demonstration of their laziness to conform to future standards. I am not an anti-MS proponent; however, some things should simply be. Currently I know that Yahoo, Gmail and other web-based email providers work fine with digital signatures, and I don't see why Hotmail can't provide the service just as easily.


(NOTE FOR XP SP2 USERS: If you have problems requesting a certificate you may have to add thawte.com to your Trusted sites zone. To do this, simply click Tools, then select Internet Options. Go to the Security tab. Select "Trusted sites" in the zones. Click Add, type in www.thawte.com and click OK. Then go to the Privacy tab, click Settings in the Pop-up Blocker panel, type "www.thawte.com" in the "Address of website to allow" line and click Add. This allows Thawte's pop-up window and certificate enrollment script to run. By no means is this step necessary for all users; however, for some XP SP2 users, this has been the only way to fix their inability to get the certificate from Thawte into their browser.)

Revision History
v1.00 - Initial Document
v1.01 - Added Disclaimer - Added W3C Validators
v1.02 - Grammar/Spelling - Added Revision History
