Mail 2.1 and Thawte certificates

Similar Messages

• Mail for Exchange and SSL certificate

  I have a little problem with Mail For Exchange and my Nokia N80. I have self-signed certificate for Exchange mailserver and when I am synchronizing e-mails I got always message: "The site has sent an untrusted certificate. Continue anyway ?". I underestand that my certificate isn't verified by any root authority, but if I have synchronization schedule set at 15 minutes it means I have to confirm this message four times when I am not with my mobile one hour. So question is:
  Is possible to import self-signed SSL certificate into Nokia N80 and set it as trusted ? If yes, please describe me how, because I have tried import the certificate as CER (it was opened just as NOTE on Nokia), I tried to convert it via openssl to PEM (the file was not recognized) etc... Thanks for any help in advance.
  Reply With Quote

  Go to your outlook web access website and click on the lock and then view certificate. The details and then you can save it in DER format to your desktop.
  Then go to this site:
  http://www.redelijkheid.com/symcaimport/ and insert through the browse button and then copy the link to your phone.
  Then you should be able to download it
  You can also go to your IIS default site on the exchange server and directory security and export your certificate under edit certificate.
  I have tried everything now. I can download my certificate and the valicert from GoDaddy, but the Nokia phone is still saying "do you trust this certificate" every time the phone syncs.
  Our firm have taken the E-phones away now and went over to windows mobile and all of them worked within 10 minutes without any errors.
  The funny thing is that when you try to call nokia, they wont help you with Mail for Exchange, and it is there program
  I know my GoDaddy certificate works on windows mobile phones, so It must be something with Mail for Exchange.
  Every guy I talked to about symbian phones have told me they always gives problems with SSL. I am a bit **bleep**, but can conclude that Nokia is for the private consumer.
  Best Regards
  Morten @ Denmark
  Message Edited by asp3200 on 02-May-2008 08:37 AM

• Mail and Thawte certificates

  I've been trying to use a thawte email certificate with Mail and Mail does not recognize it.
  Actually, I think part of the problem is that keychain access puts the certificate in "Certificates" and won't let me put it in "My Certificates" - can anyone explain why this is happening?
  I've gotten this to work with public/private key pairs in the past, and there are posts all over this discussion board from people with the same problem - has anyone figured this out?

  Hi Michael-
  I was having the exact same prob. Turns out that Safari or the Keychain Util. didn't actually install everything it was supposed to. I found some good directions on R'Reilly's MacDevCenter site which fixed everything: http://www.macdevcenter.com/pub/a/mac/2003/01/20/mail.html.
  I had originally gotten a Thawte Personal Freemail certificate using Firefox. So, following their directions, I went to Firefox prefs./security and backed up the Thawte cert. to a file on my desktop. Next, they said to open the Apple keychain util. and CREATE A NEW KEYCHAIN. Not a new certificate, but a new keychain. Call it whatever. Then, double-click on on the backed-up certificate file and install to your new keychain. Voila. You should see three certificates and one private key (when I initially downloaded the certificate using Safari it only installed two certificates, and in the "login" keychain--which I'll now zap).
  Good luck!
  - TRT

• Re: Mail for Exchange and SSL certificate

  I think this is what you need to do
  1. go to the page from where you have to install certificate
  2.You will see lock symbol at the right hand side of the page, click on it and save it on your desktop PC by going to details page
  3. Open Nokia PC Suite --> FileManager and trasnfer the certificate from your PC to FileManager
  4. Click on the certificate inside FileManager and install it, while installing allow it to choose its place automatically
  Then try synchronising your mail, you ill receive it for the first time when you connect then it wont ask you for that again till you connect next time.
  Hope this helps

  Here's how I got my Nokia to accept the certificate as trusted. It may not work for everybody but it worked for me and after the past week of messing about I am truly grateful for that...
  Basically, I uninstalled then reinstalled Certificate Services through add/remove programs. I then followed the advice on this site (below), but only as far as requesting a cert through IIS Manager.
  http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
  I followed the advice until this section (mainly because it wouldn't allow me to request a cert through IE on the server...)..
  "Getting the Pending Request accepted by our Certificate Authority"
  I then opened "certification authority" on the server (through administrative tools) and right clicked the cert authority which will have the same name as the cert you had just requested and selected properties. In my case, something like mail.mydomain.co.uk...
  Under the General Tab I highlighted "certificate#0" in the CA Certificates box and clicked "view certificates".
  This opens the cert and I then clicked the "details" tab and saved the cert to a location using the "copy to file" button.
  Using the wizard I selected the first option "DER encoded binary x509(.cer) gave it a friendly name, saved it somewhere handy and closed the wizard.
  I then copied the file onto a pc with the Nokia PC Suite installed and copied it to the documents folder (although any one will do). I guess you could bluetooth or email the cert as well..
  I then browsed to it on the phone, clicked on it and it let me save it automatically into the certs folder. I restarted the phone, checked SSL was on and bingo the certificate was trusted and remains working today... You might have to delete an existing cert if you already have one installed as it won't let you overwrite it..
  As I say, I can't say this will work for anybody else as I have probably fiddled around with the server so much it has gone west in some respects, but it works for me and that'll do for now...
  dc

• Can't get Mail to recognize Thawte certificate for signing and encrypting

  I got a certificate from Thawte and double clicked on the p12 file. This installed the certificate in the login section of the Keychain. I read in several places that it must be in the X509Anchors chain in order to work. However, whenever I try to import it or copy it there I can't get past the authentication screen. I give it the password to decrypt the p12 file and that works, but then it asks for a password for the X509Anchors keychain. I'm giving it my login password, but that doesn't work. What am I doing wrong?

  You shouldn't have to do anything with the X509Anchors keychain. The X509Anchors keychain contains certificate authority (CA) certificates, i.e., certificates associated with CA's that sign certificates. In it you'll find various CA certificates for thawte among others.
  After you've successfully imported your thawte cert into your login chain, restart mail (I don't think you need to restart keychain access, but it wouldn't hurt).
  Now when you compose a message, you should see encrypt and sign buttons to the right and below the subject line. This of course assumes the email address configured in mail is the same as the one in the thawte certificate.

• Mail for Exchange and certificate authentication -...

  Okey, it works on Windows Mobile browser starting 2003 and Blackberry browser since 2007.
  It's not working on these fancy linuxes (moo-boo or moeba or what it's name?)- but well, what else you can expect from poorly tested code with no compatibility or standards in mind?
  I wonder what stopping Symbian to proper support certificates standarts, while they finally manage to support ActiveSync specification. Lazy programmers?  Are they steal too much code from open source?
  Nokia, your devices will never suceed, if you keep making ovi-style "features" instead of things people need to work better. We pay for you phones,  do you remember that?

  Go to your outlook web access website and click on the lock and then view certificate. The details and then you can save it in DER format to your desktop.
  Then go to this site:
  http://www.redelijkheid.com/symcaimport/ and insert through the browse button and then copy the link to your phone.
  Then you should be able to download it
  You can also go to your IIS default site on the exchange server and directory security and export your certificate under edit certificate.
  I have tried everything now. I can download my certificate and the valicert from GoDaddy, but the Nokia phone is still saying "do you trust this certificate" every time the phone syncs.
  Our firm have taken the E-phones away now and went over to windows mobile and all of them worked within 10 minutes without any errors.
  The funny thing is that when you try to call nokia, they wont help you with Mail for Exchange, and it is there program
  I know my GoDaddy certificate works on windows mobile phones, so It must be something with Mail for Exchange.
  Every guy I talked to about symbian phones have told me they always gives problems with SSL. I am a bit **bleep**, but can conclude that Nokia is for the private consumer.
  Best Regards
  Morten @ Denmark
  Message Edited by asp3200 on 02-May-2008 08:37 AM

• Mail for Exchange and Certificate

  Hi, Can i please get some help in getting a E60 working with Exchagne 4 Mail.
  How do i install a Certificate, i have carried out the following, however every time i access the our company https://server.domain page using IE i get the message or something saying its an untrusted site.
  From my pc opened https://server.domain.com/certsrv and saved cert to my desktop.
  Double clicked the cert and exported it as a der version.
  Now in the phone \ security \ certs \authority \you can see my server cert.
  Is there a step by step guide on installing a Certificate from a Exchange Server ?
  Thanks

  Go to your outlook web access website and click on the lock and then view certificate. The details and then you can save it in DER format to your desktop.
  Then go to this site:
  http://www.redelijkheid.com/symcaimport/ and insert through the browse button and then copy the link to your phone.
  Then you should be able to download it
  You can also go to your IIS default site on the exchange server and directory security and export your certificate under edit certificate.
  I have tried everything now. I can download my certificate and the valicert from GoDaddy, but the Nokia phone is still saying "do you trust this certificate" every time the phone syncs.
  Our firm have taken the E-phones away now and went over to windows mobile and all of them worked within 10 minutes without any errors.
  The funny thing is that when you try to call nokia, they wont help you with Mail for Exchange, and it is there program
  I know my GoDaddy certificate works on windows mobile phones, so It must be something with Mail for Exchange.
  Every guy I talked to about symbian phones have told me they always gives problems with SSL. I am a bit **bleep**, but can conclude that Nokia is for the private consumer.
  Best Regards
  Morten @ Denmark
  Message Edited by asp3200 on 02-May-2008 08:37 AM

• Renewed Thawte Certificate not shown in Address Book

  My old Thawte personal mail certificates expired, and I requested new ones. The ones request via Safari, failed to load in 'My certificates' section of keychain. This is a known bug. I revoked the certificates and re-requested using Firefox.
  From Firefox I 'Fetched' and backed up 'my certificates' to a xxx.p12 file in Documents. Then from Keychain I 'Imported' the xxx.p12 file into the login keychain.
  Mail now works and generates signed e-mails, but when I click on the signed icon against each of my e-mail addesses in the Address Book it shows the old expired certificates.
  I am loathed to delete the expired certificates as it will prevent me from reading my archived mail.
  It is only cosmetic, but can anyone suggest a solution.
  PB 15 1.5 Ghz   Mac OS X (10.4.8)  

  Within the Keychain app I created an Expired.keychain and dragged the expired 'My Certificates' to it. Answered a few enter password prompts and dragged the certificates back to the login.keychain. It complained of some duplicates, which remained in the Expired.keychain. I then deleted the Expired.keychain.
  Problem solved

• Mail missing Encrypt and Digitally Sign buttons

  I don't have the option of encrypting or digitally signing any e-mails I compose in Mail. I have a valid security certificate in my Keychain Access, as well as valid certificates for my contacts. I can't find an option to show/add the encrypt and digitally sign buttons either.
  When composing a new message, the drop down box next to the subject line only gives the following options:
  CC field
  BCC field
  Reply-to address field
  Priority field
  Customize...
  I know where these two buttons should be and what they look like, but they're just not there. Any ideas or suggestions?

  I finally have a solution to this problem. I had been trying to use a .cer security certificate issued by Comodo, it had worked just fine on Windows but my Mac didn't seem to like it. I also tried creating my own certificate through OSX, but even after I created it I still couldn't see the buttons.
  I had someone direct me to this webpage which ultimately helped me fix the problem:
  http://allforces.com/2007/03/02/email-security/
  I ended up using Thawte to issue me another security certificate (this time it was an x.509 file), the security certificate automatically opened in Keychain Access and downloaded to the Certificates and My Certificates folder. Once I shutdown Mail and restarted it I had the buttons for both encryption and digitally signed. Of course the encryption button is still greyed out because it is a new certificate and I need to make sure my Address Book contacts have a copy of it before I can encrypt.

• Mail refuses to accept new certificate

  Hi there,
  I recently acquired a new digital ID issued by our government to replace my certificate from Thawte. The new certificate appears in Keychain Access under My Certificates an the email address in the certificate is exactly the same as the one used in Mail. Unfortunately Mail prefers to use the old certificate which has now expired, so I cannot sign any more messages.
  I tried to delete the old certificate from Keychain, but the problem remains : now Mail says it cannot find a valid certificate for this address although it clearly appears as valid in Keychain... How can I get Mail to use the new certificate ?
  The old certificate also still appears beside my email address in Address Book, although I deleted this certificate !
  Does anyone have the same or a similar problem and a solution ?
  Many thanks in advance,
  Dan

  I'm having a similar problem. Only I've never had a digital signature. I got a Thawte certificate, followed all their instructions but Apple Mail doesn't recognize it. I've tried every forum solution for the last two days, without any luck.
  Currently the certificate is in the System part of the Keychain. And it's showing up in both the Certificates and My Certificates sections. I've also tried variations of this setup. Nothing seems to get Mail to recognize the thing.

• SBS 11 - Exchange 2010 and SSL certificates - Event ID 12014

  I've recently upgraded my Exchange '10 to SP3 on our SBS11 server and I've noticed an event ID 12014:
  Microsoft Exchange could not find a certificate that contains the domain name
  mail.mydomain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Windows SBS Internet Send
  SERVERNAME with a FQDN parameter of mail.mydomain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate
  with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
  I currently have a third-party cert installed on this server with SMTP, POP, IMAP, and IIS services attached to it. The cert is for
  remote.mydomain.com
  I do not have a cert installed (self-signed or otherwise) for mail.mydomain.com
  My send connector HELO/ELHO is mail.mydomain.com
  My receive connector  HELO/ELHO is SERVERNAME.mydomain.local
  My MX record at NS is pointing to mail.mydomain.com
  My question is should I change both my send and receive connectors to
  remote.mydomain.com?
  Would I then change my MX record with NS to point to
  remote.mydomain.com? Any potential errors with doing this?
  Should I buy another third-party cert for mail.mydomain.com and install that cert for mail services? (Although it seems SBS hates using more than one third-party cert).
  What's my best option here and what is best practice?
  Thanks in advance!

  I'm using SBS 2008 but it should be the same
  Send Connector
  Send -> remote.xxxxxx.com
  Receive Connector
  Default SBServer -> SBServer.xxxxx.local
  Windows SBS Internet Receive SBSERVER -> remote.xxxxxxx.com
  Windows SBS Fax Sharepoint Receive SBSERVER - > SBSERVER.xxxxx.Local
  Network Solutions
    A Record
       remote.xxxxxxxxxxxxxxxxx.com  Points to   SBS server ip address
    MX Record
       Points to remote.xxxxxxxxxxxxxxxxx.com

• Nokia N82 and Microsoft certificate install

  I got my N82 after using Windows Mobile for over 6 years I decided to get a phone that does email not the otherway round. I install MfE or Mail for Exchange and started sync'ng and was told to install a certificate. After spending the best part of a week trying to get the certificate installed I am stuck. The best resource I have found online so far is http://www.redelijkheid.com/symcaimport/ which allows you to upload a .cer file and then download it to your file. All the other sites talk about modify web sites and playing with the MIME, etc. That just disable the Exchange Sync default website since you need to overwrite the SSL port. Cannot use OpenSSL is I run Windows XP not linux. I see a N95 user had the same problem. If you copy the cer file, even if it is renamed it does not open on the phone if you export a .p12 it wants you to enter a "new key store password". I know with my last phone an imate I had to get a certificate install package, is there any such thing.
  Anyone out there got any ideas or pointers
  Unhappy email user, happy phone user

  Might not help a great deal but you can use OpenSSL on Windows, but you'll need to compile it. How you do that, I haven't got a clue as I normally use Linux for that kind of thing my self.
  Owned: Nokia 3510i, Nokia 3120, Nokia 6230i, Nokia 6233, Nokia N73, Nokia N82.
  Current: Nokia N900!

• Tomcat, servlet, cacerts, client authentication and Thawte...

  Hello all,
  the steps and code samples below (well known to you) work fine for a VeriSign Personal Digital Id trial and a GlobalSign PersonalSign demo certificate. However:
  1) how can I make Tomcat or JSSE use both my default keystore and the cacerts file?
  The VeriSign class 1 root is in this cacerts file, but still I need to import the very same root into my own keystore to accept the client certificate. Also, importing the GlobalSign root into cacerts does not help me; instead I am required to import it into my default keystore.
  I know I can set the keystore parameter in the Tomcat server.xml -- but that does not feel right... When I import a cert using "keytool -trustcacerts" then I get "Certificate already exists in system-wide CA keystore under alias <verisignclass1ca> Do you still want to add it to your own keystore?" This gives me the feeling that the system knows where to find the cacerts file, but Tomcat somehow does not use it...
  2) anyone used Thawte Personal Freemail with Tomcat?
  Even when I import the Thawte root certificate into my own keystore, a Thawte Personal Freemail cert is never accepted. In Internet Explorer, although having three certificates installed, the popup dialog that prompts me to choose one only shows the VeriSign and GlobalSign things. When using "TOMCAT_OPTS=-Djavax.net.debug=all" I see that Tomcat "proposes" all three roots to the client browser:
    *** CertificateRequest
    Cert Types: DSS, RSA,
    Cert Authorities:
    <CN=GlobalSign Root CA, OU=Root CA,
       O=GlobalSign nv-sa, C=BE>
    <OU=Class 1 Public Primary Certification Authority,
       O="VeriSign, Inc.", C=US>
    <[email protected],
       CN=Thawte Personal Freemail CA,
       OU=Certification Services Division,
       O=Thawte Consulting, L=Cape Town,
       ST=Western Cape, C=ZA>
    *** ServerHelloDoneAll details below.
  Thanks,
  Arjan.
  - JDK 1.4 beta. I also have 1.3 installed; I did not try 1.3 with the JSSE extension available at http://java.sun.com/products/jsse/index-102.html
  - JAVA_HOME and PATH are set allright.
  - Tomcat 3.2.1
  Steps taken:
  VeriSign
  - free trial at http://www.verisign.com/client/enrollment
  - export the VeriSign root certificate from the global CA certificates. The password defaults to changeit
  - import the exported root into the default key store
    cd /jdk1.4/jre/lib/security
    keytool -export -keystore cacerts -alias verisignclass1ca -file myverisignroot.cer
    keytool -import -alias myverisignroot -trustcacerts -file myverisignroot.cerAbove, the -trustcacerts is only added to show you the warning I mentioned above...
  GlobalSign
  - free trial at http://www.globalsign.com/secure_demo.cfm
  - get the root certificate at http://secure.globalsign.net/en/trust
  - import the root certificate into the default keystore
    keytool -import -alias myglobalsignroot -file root.cacert
  Thawte
  - free certificate at http://thawte.com/getinfo/products/personal
  - the Personal Freemail root certificate at http://www.thawte.com/certs/trustmap.html
  - import the Personal Freemail root certificate into the default keystore
    keytool -import -alias mythawteroot -file persfree.crt
  Tomcat
  - uncomment the SSL Connector section in server.xml, except for keystore and keypass (the password is still the default, being changeit)
  - to the very same Connector section, add
    <Parameter name="clientAuth" value="true"/>- create a security certificate, as mentioned in server.xml as well. When using JDK 1.4, one does not need to set the classpath or change java.security. So:
    keytool -genkey -alias tomcat -validity 180 -keyalg RSA- to see debug info:
    set TOMCAT_OPTS=-Djavax.net.debug=all- make sure the VeriSign etc. roots are imported
  - restart Tomcat
  - connect to the servlet at port 8443, using https. You will see security warnings because your browser does not know the Tomcat certificate.
  Servlet
  Finally the code, as you may know it:
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  import java.util.*;
  // For Tomcat: javax.security, not java.security
  import javax.security.cert.X509Certificate;
  import javax.security.cert.Certificate;
  import java.security.Principal;
  // JSSE classes
  import javax.net.*;
  import javax.net.ssl.*;
  public class sslTest extends HttpServlet
    private static final String CONTENT_TYPE = "text/html";
    public void init(ServletConfig config) throws ServletException
      super.init(config);
    private void printCert(PrintWriter pw, Object obj)
      if(obj instanceof Certificate)
        pw.println("<>---------------------------------------<>");
        if(obj instanceof X509Certificate)
          X509Certificate cert = (X509Certificate)obj;
          Principal principal = cert.getIssuerDN();
          pw.println("  Principal Name : " + principal.getName());
          pw.println("  Version        : " + cert.getVersion());
          pw.println("  Serial Number  : " + cert.getSerialNumber());
          pw.println("  Issue DN       : " + cert.getIssuerDN());
          pw.println("  Subject DN     : " + cert.getSubjectDN());
          pw.println("  Not Before     : " + cert.getNotBefore());
          pw.println("  Not After      : " + cert.getNotAfter());
          pw.println("<>---------------------------------------<>");
          pw.println(cert.toString());
        else
          Certificate cert = (Certificate)obj;
          pw.println(cert.toString());
    private void printCertificateDetails(String attributeName,
      HttpServletRequest req, PrintWriter pw)
      Object obj=req.getAttribute(attributeName);
      if(obj instanceof Certificate[])
        if(obj instanceof X509Certificate[])
          pw.println("<h1>Client X509Certificate Chain</h1>");
        else
          pw.println("<h1>Client Certificate Chain</h1>");
        Certificate[] array = (Certificate[])obj;
        for (int x=0; x < array.length; x++)
          printCert(pw, array[x]);
      else if(obj instanceof Certificate)
        if(obj instanceof X509Certificate)
          pw.println("<h1>Client X509Certificate</h1>");
        else
          pw.println("<h1>Client Certificate</h1>");
        printCert(pw, obj);
      else
        if (obj != null)
          pw.println("Client Certificate Attribute "
            + attributeName
            + ", type \""
            + obj.getClass().getName()
            + "\":\n" + obj);
        else
          pw.println (attributeName + " attribute not set");
    /**Process the HTTP Get request*/
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException
      PrintWriter pw = resp.getWriter();
      pw.println("<html><head><title>SSL Details</title></head><body><pre>");
      if (req.isSecure())
        pw.println("Got a secure connection.");
      else
        pw.println("This connection is not secure.");
      pw.println("IP address: " + req.getRemoteAddr());
      pw.println("User: " + req.getRemoteUser());
      pw.println("Subject: " + req.getHeader("CERT_SUBJECT")); // null for Tomcat
      pw.println("Issuer: " + req.getHeader("CERT_ISSUER"));   // null for Tomcat
      pw.println("\nAvailable attributes:");
      Enumeration attributeNames = req.getAttributeNames();
      while(attributeNames.hasMoreElements())
        pw.println("  " + attributeNames.nextElement().toString());
      pw.println("\n");
      Object obj;
      obj = req.getAttribute("javax.net.ssl.cipher_suite");
      if(obj instanceof String)
        pw.println("Cipher Suite: " + obj);
      else
        if(obj instanceof String[])
          pw.print("Cipher Suite: { ");
          String[] otherArray= (String[])obj;
          for (int x=0; x<otherArray.length; x++)
            pw.print(otherArray[x].toString() + " ");
          pw.println("}");
        else
          if (obj != null)
            pw.println("SSL Session Attribute javax.net.ssl.cipher_suite, type \""
              + obj.getClass().getName() + "\":\n" + obj.toString() );
          else
            pw.println ("javax.net.ssl.cipher_suite attribute not set");
      obj = req.getAttribute("javax.net.ssl.session");
      if(obj instanceof SSLSession)
        pw.println("SSL session:");
        SSLSession session = (SSLSession)obj;
        pw.println("Cipher Suite: " + session.getCipherSuite());
        pw.println("Peer Host: " + session.getPeerHost());
        pw.println("ID: " + new String(session.getId()));
      else
        if (obj != null)
          pw.println("SSL Session Attribute javax.net.ssl.session, type \""
            + obj.getClass().getName() + "\":\n" + obj);
        else
          pw.println ("javax.net.ssl.session attribute not set");
      // JSSE recommends �javax.net.ssl.peer_certificates� as the attribute name.
      // However, some web servers do not support these generic names. Like the
      // "javax.net.ssl.peer_certificates" is said to work for WebSphere 3.5 but
      // not for Tomcat 3.2.1.
      // "The javax.security.cert.X509Certificate class is similar to the newer
      // java.security.cert.X509Certificate. New applications should use the newer
      // java.security version". However, Tomcat does not support that:
      printCertificateDetails("javax.net.ssl.peer_certificates", req, pw);
      printCertificateDetails("javax.servlet.request.X509Certificate", req, pw);
      printCertificateDetails("tomcat.request.X509CertificateChain", req, pw);
      pw.println("</pre></body></html>");
    /**Clean up resources*/
    public void destroy()
  }

  Heya,
  Well, this is a pretty complete description of the problem, unfortunately I am not able to comment on the Tomcat side of things, but this makes for interesting reading nonetheless.
  One thing I must mention is that the Thawte Personal certs are indeed chained, and the Personal Freemail cert is the intermediate root CA which is in turn signed by the Personal Basic root (the link I have posted to you in your trouble ticket with us.)
  What may be happening is that the Personal Freemail cert is not completing the chain back to the Personal Basic root, and any cert signed with this may not be displayed as the Issuer is in doubt.
  If your Personal Cert has been issued within the last few months it has ben signed by the Personal Freemail 08.03.2000, and many versions of browsers have not got this particular root installed, could you verify that pls? I can send this particular root to you if you would like to test this theory out.
  There should bo no problems with using a Thawte certificate with your particular software, so we should hopefulyy be able to figure somehting out.
  Regards,

• Mail repeatedly asks to verify certificate

  Hi
  Using Mail 3.6 on 10.5.8
  When I send from my .me account I am repeatedly ask to verify the recipient, with an oval connect button.
  Can I stop mail from asking me this every time?
  AS

  To Clarify,
  "Mail can't verify the identitiy of "smtp.mail.me.com".
  The certificate for this serve was signed by an unknown certifying authority.  You might be connecting to a server that is pretending to be "smtp.mail.me.com" which could put your confidential information at risk.  Would you like to connect to the server anyway?
  I get three balloons to chose from, show certificate, cancel, and connect.

• Why are security headers not visible when viewing "sent" mail for mail sent with S/MIME certificates?

  I am using an S/MIME certificate to sign my emails using Mail on Mountain Lion 10.8.2.  I have a trusted S/MIME certificate for each of my email accounts.  The certs and private keys are properly installed in the keychain.  I am able to successfully send signed (and optionality encrypted) email and the recipients are all all receiving the emails showing a trusted signed email without having to acknowledge or trust the signature.  So technically the certificates are working.  Obviously the encryption option is only offered when I also have the recipients certficate in my keychain.
  What I am noticing is that when I look in my sent items - (regardless of which email I used as the "sender") - I don't see any indication in the mail headers that the mail was sent with a signed certificate - even though I know the recipient is seeing that the mail is signed with a cert.  I have no way of telling whether I sent the mail as "signed" or "unsiged".  The default is to use the certificate for all outbound emails - unless I specifically uncheck the secure signing option before sending.  In mail that I recieve - sent from others with certs or sent from one of my email accounts to the other - I see the the certificate indication in the email header.
  On rare occasion - I do see the certificate when viewing sent mail - but only for  random sent mails - and so far I believe I have only seen the certificate show up in mail that is sent from my iCloud account.  I can send subsequent mail from iCloud - and still not see the certificate in the sent items.
  Why am I not seeing the Security Header showing the certificate when viewing mail that I have sent in my sent items folder?  Is there some setting that I am not seeing that controls this - or is this a bug in Mac Mail?  Also why does the security header show up for just a handful of sent emails - when hundreds of signed emails have been successfully sent.
  Any help would be appreciated.  The behavior is the same on my other Macs - at least the ones on which the certificates are also installed.
  Also - I don't have my certs installed on my iPhone yet - so I can't tell on the iPhone if the certs are showing up in the sent folder - but I can see the certs on mail that I send to myself from the Mac but receive on the iPhone.
  ~Scott

  I stopped using the S/MIME certs and stopped signing my emails.  Too many recipients were receiving them as "attachements" especially if the recipients email account was on an Exchange server.  My certs have since expired and I have not done anything to further analyze the situation.  My original post was over a year ago and I have long since been on Mavericks.
  To: iddontknowwhoiamsowhat ... I am not totally following your response.  You say you are seeing the exact same issue - yet you are also saying you can look at the sent mails from os x and ios - does this mean that you see the security badges on the sent emails in both os x and ios?  I assume you are on Mavericks?