Reinstallation of authority Certificates for X2-01

Similar Messages

• Anyone know how to renew an apple authority certificate on my computer so i can access a application form for website?

  Anyone know how to renew an apple authority certificate on my computer so i can access a application form for website?

  have you tried a hard reset, if not try this
  it doesn't matter whether the phone is on or not to start with
  Press-hold the Home button (big circle below the screen) and the Sleep/Wake button (on top of the iPhone) simultaneously.
  Continue holding both buttons (Ignore the "Slide to power off") until the iPhone shuts off and begins to restart.
  You may let go when you see the silver Apple logo.
  You have completed a hard reset successfully.

• Request Smartcard Logon certificates for more than 2 years from Certificate Authority

  Dear all,
  I have setup a Certificate Services in a Windows Server 2008 R2 domain and I request certificates via the CA webpage
  http://ipofdomainserver/certsrv using the SmartCard logon custom template.
  The problem is that my certificates are only valid for 2 years even though when I created my custom Smartcard logon I selected for validity period 5 years. 
  I read in documentation that issued certificates cannot have a greater validity than the root that signed them.
  What and where I should modify to be able to request certificates from the template for more years than standard 2 ?
  Ps: WINSC-CA is valid for 5 years. Should I generate a new WINSC-CA ? How ?

  I was successfully able to create a root CA for 20 years, issued a certificate and login using smartcard using the following procedure:
  1. I increased the CA lifetime to 20 years by using this link http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html
  Created the file CAPolicy.inf in %SYSTEMROOT% with following content
  [Version]
  Signature=”$Windows NT$”
  [certsrv_server]
  RenewalValidityPeriod=Years
  RenewalValidityPeriodUnits=20
  2. Renew CA root using this guide  https://technet.microsoft.com/en-us/library/cc780374(v=ws.10).aspx
  Console Root -> Certification Authority -> select domain -> Right click -> All Tasks ->
  Renew CA certificate
  3. Delete from Console Root -> Certificates (local computer) -> Trusted Root Certification
  Authority -> Certificates the *WINSC-CA that has the previous lower validity, and from 
  Certificates (local computer) -> Personal, the *WINSC-CA that was lower validity
  4. I performed a reboot here
  5. Change in Console Root -> Certificate Templates -> Smartcard Logon Custom Template (my custom duplicate template) -> Properties -> Validity 10 years
  6. Change in registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriod
  to value 10 for 10 years.
  7. Request a new certificate from CA webpage http://ipofdomain/certsrv and let the webpage write it to
  smartcard (I was making sure there is no other certificate on the smartcard)
  8. Try to log in. At this point it should throw an erorr that smartcard logon is not supported for this
  account type. This is becuase we need to enroll it again for domain authentication
  9. Console Root -> Certificates (local Computer) -> Personal -> Right click -> All Tasks ->
  Request new Certificate -> Next -> Active Directory Enrollment -> Next -> Select Domain Controller Authentication -> Enroll -> Finish.
  Now you should be able to login using your smartcard and 10 years generated certificate.
  Though I have a problem at step 3, after CA server reboots the *WINSC-CA certificate with lower
  validity is restored automatically, but the certificates are generated for 10 years.
  What am I doing wrong ? How can I delete the lower validity root CA ?

• Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

  In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
  on this computer" and un-checked "Use simple certificate selection".
  My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
  client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
  drop down.
  Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
  TIA,
  -Rick

  Hi Rick,
  Thank you for your patience.
  According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
  know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
  Best regards,
  Steven Song
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

  Hi Experts,
  I am bit confused about ISE distributed deployment model .
  I have two data centers one is DC & other one is as a DR I have  requirement of guest access service implementation using CWA and get public certificate for HTTPS to avoid certificate error on client devices :
  how do i deploy ISE persona for HA in this two data centers
  After reading cisco doc , understood that we can have two PAN ( Primary in DC  & Secondary in DR ) like wise for MnT (Monitoring will be as same as PAN ) however I can have 5 PSN running in secondary i.e. in DR ISE however I have confusion about HA for PSN .. since we have all PSN in secondary , it would not work for HA if it fails
  Can anybody suggest me the best deployment solution for this scenario ?
  Another doubt about public certificate :
   Public Certificate: The ISE domain must be a registered or part of a registered domain name on the Internet. for that I need Domain name being used from customer .
  Please do correct me if I am wrong about certificate understanding :
  since Guest will be the outside users , we can not use certificate from internal CA , we need to get the certificate from service provider and install the same in both the ISE servers
  Can anybody explain the procedure to opt the public certificate for HTTPS from service provider ? And how do i install it in both the ISE servers ?

  Hi there. Let me try answering your questions:
  PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
  1. Defining all PSN nodes as AAA radius servers inside the WLC
  2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
  3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
  Last but not the least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different Data Centers
  Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
  I hope this helps!
  Thank you for rating helpful posts!

• HOW TO INSTALL ROOT (Authority) CERTIFICATES ON S4...

  Recently i bought a 6500 Classic and stupidly deleted my Authority Certificates.
  After trwaling the net for info on how to re-install certificates i couldnt find an answer apart from NO YOU CANT DO THIS.
  Well to that i say NUTS!!! because you can and i will show you how by simply following these steps.
  1. Create a New Folder on your desktop and call it whatever you like.
  2. Open notepad on your computer.
  3. Copy the text below into the Notpad file. (I got this from some website as they were using it for smething else but it does work so thanks to them or thanks to you if this is yours)
   <?xml version="1.0"?>
  <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <title>Install root CA</title>
  </head>
  <body>
  <p>
  <a href="der1.cer">Download a CA Cert1</a>
  <a href="der2.cer">Download a CA Cert2</a>
  <a href="der3.cer">Download a CA Cert3</a>
  <a href="der4.cer">Download a CA Cert4</a>
  <a href="der5.cer">Download a CA Cert5</a>
  <a href="der6.cer">Download a CA Cert6</a>
  <a href="der7.cer">Download a CA Cert7</a>
  <a href="der8.cer">Download a CA Cert8</a>
  <a href="der9.cer">Download a CA Cert9</a>
  <a href="der10.cer">Download a CA Cert10</a>
  <a href="der11.cer">Download a CA Cert11</a>
  </p>
  </body>
  </html>
  4. Save the Notpad file as type ALL FILES but when naming it just call it cert.html and save it to the folder you created on your desktop earlier.
  5. Now downlaod the Root Certificates you need to the same folder on your Desktop.
  6. When saving the first Certificate to the folder call it der1 ((make sure not to take out the file extension eg .cer)) then the second der2, third der3 and so on and so on till you get to der11. (Dont worry this will not rename the certificate when it installs on your phone.)
   Example of what the files in your Desktop folder should be called der1.cer, der2.cer etc etc.
  7. Now transfer the whole folder from your Desktop to your Mobile phone. (I did this by using Nokia PC Suite.)
   8. When the folder with the certificates and hmtl we made have been transfered to you phone navigate using your phone to that folder.
  9. Go into the folder and open the cert.html file. (Your browser will now open a page with 11 download links available)10. Now all you have to do is click on each link and accept each certificate remembering to save and they will install on your phone. (On my 6500 Classic i can check this by Navigating through my phone to Menu>Settings>Security>Authority Certificates)
   Notes:- Some errors you may receive when trying to download the certificates through your phone browser may be Already Exists, Expired Certificate and the most annoying is Corrupted Certificate.
  Already Exists - Shouldt allow you to save (DO NOT SAVE IF IT ALLOWS YOU)
  Expired Certificate - (DO NOT SAVE)
  Corrupted Certificate - Install the certificate on your computer first, then go to Tools>Internet Options>Content>Certificates.
  (save the certificate to other people tab) Browse for the certificate you installed then export it in DER format to the Desktop Folder you created then start process over again to get it onto your phone.
  Remember to delete any certificates as you go that you have already installed so you dont get mixed up.
  Any issues reply and i will do what i can to help and if anyone has Hutchinson 3G Root Certificates please let me know.
  Thanks.
  Message Edited by andyhardie on 15-Jul-2009 04:05 PM

  I have nokia 6300 s40v3 and when I tried to open cert.html it showed format unknown.
  What should I do. Can you tell me the format of bookmark so that can rename it to cer.(format)
  sir please give some guidense its very urgent
  reply at *******
  MODERATOR'S NOTE:
  Personal details removed by a moderator. We kindly ask you not to share your personal e-mail address or any other personal information publicly on this forum. This is for your personal safety and privacy.
  Message edited by Aikin19

• Certificate for Portal and BackendSystems. What do I have to take careAbout

  Hello,
  I would like to buy a certificate for the secured HTTP but I don't know what I have to take care about?
  Where do you buy your certificates? Can I use "wildcards"-certificates for the portal and the backend-systems.
  Is there a good shop for buying a certificate in Germany?
  Thanks, Vanessa

  Vanessa,
  You can approach both Verisign and Thawte and collect information.
  In case of Thawte, you can just go their site and there is an option for an online free chat with a Thawte associate. He/she will then guide you further.
  They will also share the details required for the certificate to get authorized.
  Plus before ordering, you can also check the correctness of ur certificate for free on their site.
  Hope this helps.
  Regards,
  Ritu

• Self assigned or trusted certificate for no Gateway scenario

  hi,
  1.  RDS server 2012 R2 is deployed and I can access published app by
  https://servername/rdweb
  2.  RD Gateway will be never used (only LAN connections)
  3. Would self signed certificate prevent to achieve THE GOAL:
  need to publish an app by providing shortcut on user desktop in completely transparent for user manner.
  There is no problem with purchasing a Trusted certificate. I thought that trusted will be necessary (less hassle) if RD Gateway is in place. But still have a feeling that even for publishing a shortcut there will be some pop up after user click on an icon
  if Self Assigned will be present.
  Please clarify.
  Thanks.
  &quot;When you hit a wrong note it's the next note that makes it good or bad&quot;. Miles Davis

  Hi,
  Thank you for posting in Windows Server Forum.
  As per my research, I can say that to work with RemoteApp we must have trusted certificate. By default, the self-signed certificate is not a trusted certificate, and self-signed certificates are recommended only for testing and evaluation purposes. We must
  need to purchase trusted certificate from trusted root certification authority. After we have obtained a trusted certificate for the RD Web Access server, we must import the certificate onto the RD Web Access server, and then use the Internet Information Services
  (IIS) Manager tool to associate the certificate with the RD Web Access Web site.
  More information.
  About RemoteApp and Desktop Connection Security
  http://technet.microsoft.com/en-us/library/ee216760.aspx
  Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
  http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• ISE Certificate Authority Certificate

  I'm confussed about the certificates:
  Some weeks ago a certificate was installed in the ISE to avoid the browser certificate error when the customer access the sponsor portal ...
  Now, the customer is requesting to authenticate the sponsor users through LDAPS ... I understand Active Directory or LDAP as External Identity Sources are not secure. So, in order to enable LDAPS we must check the Secure Atuthentication box in the LDAP configuration, but a ROOT CA must be chooseen also.
  I understand the ISE should validate the customer PKI in order to validate the user certificate ... Am I right?
  Do I need request the customer to provide me the "Certificate Authority Certificate" from its PKI ??
  Is it a file completely different to the certificate already loaded in the ISE ??
  With this certificate, would the ISE validate the user's computer certificate additional to user and password ??
  Would the user must use a computer with certificate in order to access the sponsor portal ??
  Thanks in advance.
  Regards
  Daniel Escalante.

  Please follow the "secure authentication tab" in the below table( highlighted)
  go to >LDAP Connection Settings
  Table lists the fields in the LDAP connection tab and their descriptions.
  Table :     LDAP Connection Tab 
  Option Description
  Enable Secondary Server
  Check this option to enable the secondary LDAP server to be used as a  backup in the event that the primary LDAP server fails. If you check  this check box, you must enter configuration parameters for the  secondary LDAP server.
  Primary and Secondary Servers
  Hostname/IP
  (Required) Enter the IP address or DNS name of the machine that is  running the LDAP software. The hostname can contain from 1 to 256  characters or a valid IP address expressed as a string. The only valid  characters for hostnames are alphanumeric characters (a to z, A to Z, 0  to 9), the dot (.), and the hyphen (-).
  Port
  (Required) Enter the TCP/IP port number on which the LDAP server is  listening. Valid values are from 1 to 65,535. The default is 389, as  stated in the LDAP specification. If you do not know the port number,  you can find this information from the LDAP server administrator.
  Access
  (Required) Anonymous Access—Click to ensure that searches on the LDAP  directory occur anonymously. The server does not distinguish who the  client is and will allow the client read access to any data that is  configured as accessible to any unauthenticated client. In the absence  of a specific policy permitting authentication information to be sent to  a server, a client should use an anonymous connection.
  Authenticated Access—Click to ensure that searches on the LDAP directory  occur with administrative credentials. If so, enter information for the  Admin DN and Password fields.
  Admin DN
  Enter the DN of the administrator. The Admin DN is the LDAP account that  permits searching of all required users under the User Directory  Subtree and permits searching groups. If the administrator specified  does not have permission to see the group name attribute in searches,  group mapping fails for users who are authenticated by that LDAP.
  Password
  Enter the LDAP administrator account password.
  Secure Authentication
  Click to use SSL to encrypt communication between Cisco ISE and the  primary LDAP server. Verify that the Port field contains the port number  used for SSL on the LDAP server. If you enable this option, you must  choose a root CA.
  Root CA
  Choose a trusted root certificate authority from the drop-down list box  to enable secure authentication with a certificate.
  See the "Certificate Authority  Certificates" section on page 12-17 and "Adding a Certificate  Authority Certificate" section on page 12-19 for information  on CA certificates.
  Server Timeout
  Enter the number of seconds that Cisco ISE waits for a response from the  primary LDAP server before determining that the connection or  authentication with that server has failed. Valid values are 1 to 300.  The default is 10.
  Max. Admin Connections
  Enter the maximum number of concurrent connections (greater than 0) with  LDAP administrator account permissions that can run for a specific LDAP  configuration. These connections are used to search the directory for  users and groups under the User Directory Subtree and the Group  Directory Subtree. Valid values are 1 to 99. The default is 20.
  Test Bind to Server
  Click to test and ensure that the LDAP server details and credentials  can successfully bind. If the test fails, edit your LDAP server details  and retest.

• Authority certificate problem

  I am use nokia 2700 classic mobile. Oneday i give flash into my mobile for start my mobile. After switch on my mobile i can see that i have only 9 authority certificate instead of 29 certificate.how can i install this certificate. Please suggest of anybody. 
  Moderator's Note: Phone number was removed. It is unwise to publish personal contact information on a public forum.

  Sir the certificates are very small. You able to upload the ".cer"
  you are speechless person.....
  you no need to help your consumer.
  And frndz here some certificates I uploaded. but it does not solve your real problem..
  A big thanks to NOKIA DISCUSSIONS for the priceless discussion..........
  Attachments:
  Certificates - for Nokia phones.zip ‏21 KB

• X2-01 authority certificates delete

  my x2-01 mobile authority certificates is deleted..... i follow ur discussion... ie, i reinstall my software
  there is no changes... some problems like E-mail,social community,chat & some softwares not supports..
  plz help me..

  Hi Jeffrey6125,
  Welcome to the Nokia Support Discussions!
  Did something happen on the phone prior to that? Did you perform a reset or a software update? You may try these steps provided by ng85: http://discussions.nokia.com/t5/Pool-of-Knowledge/Certificate-not-on-phone-or-SIM-for-S40-phones/td-.... 
  Let us know if this resolves your issue. 

• How to filter list of digital certificates for signing PDF

  Is it possible to change the configuration of Reader installation to filter the list of installed certificates that can be used for digitally signing documents?
  The filtered list will appear when users attempt to select a certificate for digitally signing a document.
  Thanks.

  Hi Carla,
  Unfortunately, Extended Key Usage is not one of the properties you can enforce.
  The things you can set are:
  appearanceFilter (i.e. enforce the use of a custom signature appearance)
  certspec(i.e. the signing certificate must meet some specific criteria)  <<<----- This is what you are more interested in, more below
  digestMethod(i.e. enforce the use of a specific cryptographic hashing algorithm)
  filter (i.e. enforce the use of a specific security handler if you want to use something other than the one built into Acrobat)
  legalAttestations (i.e. enforce the reason or purpose of the certifying signature)
  lockDocument (i.e. enforce any further changes to the document after the signature is applied)
  mdp (i.e. the rules for changing the document applied as part of a certifying signature)
  reasons (i.e. a list of one or more reasons the signer can use, as opposed to them adding their own)
  shouldAddRevInfo (i.e. force the inclusion on the revocation information (CRL or OCSP response) in the PDF file)
  subFilter (i.e. require the use of a specific signature format. This is very arcane)
  timeStampspec (i.e. require the use of a specific time stamp server)
  version (i.e the minimum version of Acrobat that can decipher the signature. the only two options are versions 6 or 8)
  The second item is the certspec, and this is what I've been pointing you towards. For the sake of discussion, think of everything you can read in a certificate as an extension. The serial number is an extension, the subject is an extension, the valid from date is an extension, etc. When a certificate is created, some of these extensions are required, other optional, and you can even add in extension that are not publicly defined, and only you will know about.
  Acrobat has the ability to enforce the signer to use a certificate that contains some, but not all of the known extensions. The extensions it can enforce are:
  issuer (i.e. require the use of a certificate that is issued by a specific Certificate Authority)
  keyUsage (i.e. require the signers certificate contain one or more of the nine possible values that can be included)
  oid (i.e. require that the Certificate Policy extension contain a specific value)
  subject (i.e. require that the document is signed by one specific person using one specific digital ID)
  subjectDN (i.e. require that the document is signed by one specific person, but they get to choose which digital ID to use)
  url (i.e. if a required digital ID is not available, where the signer can procure an acceptable digital ID)
  urlType (i.e. if the user is directed to the URL, should it be a web server where they can download a digital ID or a remote signing server where the digital ID stays on the remote server)
  That's it. If it's not one of these items then Acrobat cannot enforce that the item is available. Extended Key Usage is not on the list.
  Steve

• No certificate for identifier "iPhone Developer"

  Hi,
  I have a problem, although I successfully registered as a iPhone Developer I cannot test my applications on my iPod Touch. I get the build error: +no certificate for identifier "iPhone Developer"+...
  When I first connected my iPod Touch to my Mac when I had opened Xcode, I got promted If I wanted to use it as a developing device. I clicked on "no", thinking I would be asked the next tme again but I was never again asked. How do I configure my iPod Touch so that I can develop on it?
  The only relating certificate in my tool chain is called:
  "+Apple Worldwide Developer Relations Certification Authority+"
  But putting this in the info.plist file as "Any iPhone OS Device" doesn't help either, nor does my name do.
  Thanx for any help!
  cheers Sebus

  Hi,
  now after installing the beta 7, I get this message when I try to build on the iPodTouch:
  "+No provisioned iPhone OS device is connected.+"
  My iPod Touch is connected...
  I know this is very basic but I want to start get going and not be held up at this stage...
  thank you very much!
  sebus

• How to create a SHA256 SAN Certificate for Exchange

  Dear.
  When using the command as described below to create a SAN Certificate for Exchange, only SHA1 certificate requests are created. How can I create the same request but for SHA256?
  It seems that it's not possible to do this through the New-exchangecertificate.
  Do you know the alternative command when using certreq for the following Exchange command:
  New-ExchangeCertificate -PrivateKeyExportable:$true -FriendlyName 'mail.domain.com' -SubjectName 'C=NL,S="aaaa",L="bbbb",O="cccc",OU="dddd",CN=mail.domain.com' -DomainName @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com','ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com','ps.wps.domain.com','autodiscover.domain.com')
  -RequestFile '\\10.0.6.151\c$\temp\certificate_Request.req' -GenerateRequest:$true -KeySize '2048' 
  Thanks for the feedback.
  Regards.
  Peter
  Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

  Hi Peter,
  There is no parameter in New-ExchangeCertificate to select the Algorithm type (Secure Hash Algorithm (SHA)) to generate request. Personal opinion, we can create the certificate signing request using the Certificates MMC and then creating a custom request
  as follows:
  1. Open MMC.exe. Click File >
  Add/Remove snap in…
  2. In the Available snap-ins tab, select Certificates >
  Add > Computer account > Local computer >
  Finish.
  3. Expand Certificates (Local Computer) > Personal > Certificates.
  4. In Action pane, click More Actions > All Tasks > Advanced operations > Create custom request.
  5. click Next > Proceed without enrollment policy > Next > Next.
  6. In Certificate Information page, click Details > Properties.
  7. Then you can fill in the needed information for your request.
  8. In Private Key tab, expand Select Hash Algorithm, set the Hash Algorithm to
  sha256.
  9. Click OK > Next. Fill in File Name and select the request location.
  10. Finish it and send this request to the certificate authority.
  Regards,
  Winnie Liang
  TechNet Community Support

• Can't get Mail to recognize Thawte certificate for signing and encrypting

  I got a certificate from Thawte and double clicked on the p12 file. This installed the certificate in the login section of the Keychain. I read in several places that it must be in the X509Anchors chain in order to work. However, whenever I try to import it or copy it there I can't get past the authentication screen. I give it the password to decrypt the p12 file and that works, but then it asks for a password for the X509Anchors keychain. I'm giving it my login password, but that doesn't work. What am I doing wrong?

  You shouldn't have to do anything with the X509Anchors keychain. The X509Anchors keychain contains certificate authority (CA) certificates, i.e., certificates associated with CA's that sign certificates. In it you'll find various CA certificates for thawte among others.
  After you've successfully imported your thawte cert into your login chain, restart mail (I don't think you need to restart keychain access, but it wouldn't hurt).
  Now when you compose a message, you should see encrypt and sign buttons to the right and below the subject line. This of course assumes the email address configured in mail is the same as the one in the thawte certificate.