Home  |  Miata  |  Stuff  |  Links

Thawte and Mutt - playing nicely?

A how-to for getting Thawte email certificates (S/MIME) to work in Mutt.

There are a few required programs before Mutt will work with s/mime attachments the way we want. You must have OpenSSL, a version of Mutt that supports smime, and the correct root certificates file. On FreeBSD, you'll need the mutt-devel and ca-roots ports in addition to the base system install. If your operating system doesn't appear to have a way to install mutt with the smime patches, try this site. I make no guarantee that these patches will work.

Once you have Mutt with smime, you'll need to get your Thawte certificate. This can be done in a number of ways, but the simplest is probably to have Netscape, Mozilla, or another Mozilla based browser fetch the certificate. You'll have to go to the Thawte site and use their process for registration and importing the certificate to your browser (if using Mozilla or similar, choose the "Netscape" option). Once you have the certificate in your browser, it must be exported to a regular file. The exact method varies slightly between the different browsers, but they're very similar. This is a Mozilla specific guide. Name the file something you can remember - let's say emailcert.p12 (it will be a .p12 file) and remember the password you place on the file.

From here, you have a version of your certificate you can move and import to whatever you want. Some software has simple "import" features. Mutt isn't so nice. Move the certificate (emailcert.p12) to the computer that runs mutt, if it's not already there. We'll have to run a few openssl commands and edit the .muttrc to get everything working.

If you have the right mutt and smime versions installed, you should have an example mutt smime.rc somewhere, on FreeBSD at /usr/local/share/examples/mutt/smime.rc. Edit your .muttrc to use this file (add the line source /usr/local/share/examples/mutt/smime.rc). Once you've added that line, there are a few overrides you'll want to set.

set smime_ca_location="/usr/local/share/certs/ca-root.crt" -- This line tells mutt where to find the root certificates. Without this, it won't know if smime attachments are valid signatures or not.

set crypt_autosign = no
set crypt_replyencrypt = no
set crypt_replysign = no
set crypt_replysignencrypted = no
-- Setting these lines to "no" will allow you to continue to use mutt to send unsigned emails until you're sure you have everything working.

There are a few directories that must be created before we can continue. In your smime.rc, there will be lines that will look something like this:
set smime_certificates="~/.smime/certificates"
set smime_keys="~/.smime/keys"

If these directories do not exist, create them. Also create the files ~/.smime/keys/.index and ~/.smime/certificates/.index if they do not exist. Touch is a great command to make these files. Next, build the certificate. This is done with the command:
smime_keys add_p12 emailcert.p12
You'll have to type the password on the .p12 file, and create a new one. This new password will be typed every time you want to sign or encrypt an email. You'll also be prompted for a label for the certificate being generated. Choose something that makes sense ("me" or "emailcert"). Among the outputs of the program is a line including added private key: followed by a path and a set of numbers ending in .0. You'll need to add those numbers to your .muttrc by adding set smime_sign_as = followed by this set of numbers, including the .0. Once this is done, mutt should be able to find everything it needs to sign emails. Set crypt_autosign back to yes, and run mutt. When you try to send an email, it will prompt you for a password (hit y, type password, email should be sent). If it errors, set crypt_autosign back to no (so you can email regularly again) and debug.


Send corrections and suggestions to equiraptor@equiraptor.com.