Can't install Thawte personal e-mail certificate on Windows Vista

RESOLVED INVALID

Tech Evangelism Graveyard
English US
10 years ago
3 years ago

(Reporter: Pepijn Schmitz, Unassigned)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7

When I use Firefox 2.0.0.7 running on Microsoft Windows Vista 32-bit Home Edition to request a personal e-mail / web of trust certificate from Thawte Firefox does not allow me to install it after it has been issued by Thawte.

When Thawte issues the certificate it provides a download link for it. Upon opening the link Firefox is supposed to download and install the certificate. Instead what happens (on Vista) is that Firefox wants to download a "mycert.spc" file, which I cannot do anything with. According to Thawte customer support, this is due to the security settings on Vista being "very strict and prohibitive".

Reproducible: Always

Steps to Reproduce:
1. If necessary, open a web of trust account with Thawte (https://www.thawte.com/wot/index.html)
2. Using Firefox 2.0.0.7 running on Microsoft Windows Vista 32-bit Home Edition, request a certificate
3. When it is issued try to install it by opening the link from the email, or by going to the status page of the requested certificate (from https://www.thawte.com/cgi/personal/cert/status.exe) and clicking on "fetch"
Actual Results:  
Firefox downloads a "mycert.spc" file to the harddisk. The certificate is not installed in Firefox' certificate store.

Expected Results:  
Nothing should be downloaded. The certificate should be installed in Firefox' certificate store.

Comment 1

10 years ago
I can confirm this, I have the same problem.

I tried to install the downloaded files from localhost, and I still got the download dialog.

Now the interesting part: I changed the extension to .xxx1 but still served it with the application/x-pkcs7-signeddata (just like Thawte does), and then the installation was successful!

So apparently Firefox for some reason looks at the file extension and ignores the MIME type. That can’t be good.


~Grauw

Comment 2

10 years ago
It is nice to know I am not alone in this vexing problem.  I have been investigating this issue sporadically for the past month.

1) -- The downloaded file was stuck with an SPC extension.  
2) -- Works like a charm if the download is expedited via Internet Explorer and attached to Outlook Express.
3) -- It is a failure with Firefox.  Any attempt to import the file results in a blank result.  No error messages.

Thawte provided this suggestion:
"To sign on other machines, request and install a certificate via Windows XP. The certificate can then be exported as a .pfx file and installed into Windows Vista."

I'm going to try this and let you know if it works.

Comment 3

10 years ago
Affirmed -- the problem is with Vista.  Conducted the certificate integration procedure with Thawte using my Windows XP station.  Went without a hitch.  I initialized Firefox, logged into my e-mail site and clicked the certificate link to Thawte.  Integration was automatic.

Next, I created a backup copy of the certificate and stored it on my thumb drive.  I went over to the Vista station, activated Thunderbird, and imported the certificate without any problems.

Comment 4

10 years ago
Also encountered this problem with Vista and Firefox 2.0.0.12. The suggested methods did not work for me, but had success with the following method:
1) Download the cert from Thawte and save as mycert.spc
2*) Create the following PHP script to change the MIME type (or rename the file and reconfigure your server, but PHP seemed quickest):
   <?php
       // Serve the saved certificate with the MIME type Firefox recognises
       // as an installable user certificate, regardless of the .spc extension.
       header("Content-type: application/x-x509-user-cert");
       readfile("mycert.spc"); // stream the raw bytes; include() would try to parse them as PHP
   ?>
3) Upload the PHP script and the file to your local/secure server.
4) Access the script; which installs the cert into Firefox.
5) Using the FF cert manager, export a backup copy.
6) Import the backup into Thunderbird or other client.

*Note, changing the MIME type to the x509 e-mail cert gave an error that the cert could not be verified and would not be imported. Spec'ing it as a user cert allowed the import!

Good luck.

Comment 5

10 years ago
can confirm I've got the same problem.

(Reporter)

Comment 6

10 years ago
*BUMP*

What's going on with this bug? It still doesn't work in 3.0 RC1, and yet the bug is still unconfirmed and unassigned?

Comment 7

10 years ago
Confirming in Firefox 3.0 RC2

Comment 8

10 years ago
Second confirmation in Firefox 3.0 RC2.

Comment 9

10 years ago
Nominating for fixing so the development team can decide if it may be interesting, since it affects general security practices and the most current Windows OS, and it's been a long time without confirmation.
Flags: blocking-firefox3?
--> Tech Evang

Based on comment 4 it looks like the servers haven't gotten their MIME type set correctly, and I don't think Firefox is registered to handle that sort of file. Dragging and dropping the certificate into a Firefox window might work?

Anyway, we should get in touch with Thawte.
Status: UNCONFIRMED → NEW
Component: Security → English US
Ever confirmed: true
Flags: blocking-firefox3?
Product: Firefox → Tech Evangelism
(Reporter)

Comment 11

10 years ago
That contradicts comment 1, which states that if the file is served with a MIME type of application/x-pkcs7-signeddata (which it says is what Thawte does), but a different extension than spc, Firefox does import the certificate, suggesting that Firefox is being confused by the extension.

Which MIME type *should* it be? Comment 1 mentions application/x-pkcs7-signeddata, comment 4 says application/x-x509-user-cert.
I'm not sure what happened with comment 1, but it's from long enough ago that I can believe some of our "respect mime-type" patches may have changed behaviour in the interim.  The x-x509-* group are certainly the mime types I would expect to see for delivery of x509 certs. x-pkcs7-signeddata is sort of a rarity, I think.
(Reporter)

Comment 13

10 years ago
Looks like you're right, I did a test with some different extensions and MIME types:

mycert.spc, application/x-pkcs7-signeddata: Firefox offers to download the file
mycert.xxx, application/x-pkcs7-signeddata: Firefox offers to download the file
mycert.spc, application/x-x509-user-cert: Firefox installs the certificate
mycert.xxx, application/x-x509-user-cert: Firefox installs the certificate

So it does look like Thawte are using the wrong MIME type, or at least a different one than Firefox expects.

Comment 14

10 years ago
I will see if I can reproduce my issue sometime later today, or tomorrow.

Comment 15

10 years ago
Before anyone gets in touch with Thawte, can someone confirm that there are specific standards for which MIME types are to be associated with which file types?

For example, would it be more correct to ask Thawte to change to application/x-x509-email-cert or ...-user-cert? If email-cert, then FF would need an update to handle this type correctly (assuming the ver 3 behavior is the same as ver 2, which did not work with email-cert).

Better to change it once and keep with a standard if such a standard exists. Who is responsible for MIME types?
(Reporter)

Comment 16

10 years ago
Well, I did find this while Googling this problem: http://wp.netscape.com/eng/security/comm4-cert-download.html. It only mentions the x-x509-* MIME types.

What's more, Googling for "x-pkcs7-signeddata" finds *ZERO* results, so it is apparently unknown throughout the entire Internets... :-)

I can't confirm that Thawte is using that MIME type though. Since it's a TLS connection I can't sniff it and the Firefox Web Developer extension only shows the request headers, not the response headers. Perhaps someone with the right setup can double-check which MIME type Thawte is using?

Comment 17

10 years ago
I have found an easy way around this problem.
Right click the Firefox shortcut and select properties.
Select the compatibility tab.
Select Run this program in compatibility mode for Windows XP (Service Pack 2)
The certificates will now install.
Reset Firefox compatibility mode.

Comment 18

10 years ago
Does Frank's comment mean, the thawte server changes the delivery mime type based on the operating system version in the user agent field?
The document at the URL cited in comment 16 no longer exists at that URL.
See an updated version of it at 
http://developer.mozilla.org/en/docs/NSS_Certificate_Download_Specification

Comment 20

10 years ago
I can confirm that importing a cert works on OSX using FF3.0.1.  I didn't go through the entire login process, but I did login to my account and download my cert to FF.

The answer to Kai's question in comment 18 seems to be clearly: yes. To prove it, one could use one of the browser extensions that allows one to completely replace his browser's user agent string, and try the operation several times, with the user agent string modified to pretend to be different OSes, and see what effect that has on the downloaded MIME content type.
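A diagnostic for the experiment proposed in comment 20 (and for the MIME-type matrix in comment 13), added here as an example; it is not code from this bug, from Mozilla or from Thawte. It fetches a certificate URL once per User-Agent and reports the normalised Content-Type, run here against a constructed local stand-in server that mimics the behaviour the thread describes (PKCS#7 type for Vista clients, x509 user-cert type otherwise). The User-Agent strings, the fetch path and the list of NSS certificate MIME types are assumptions of the example.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed User-Agent strings in the style quoted in this bug (NT 5.1 = XP, NT 6.0 = Vista).
USER_AGENTS = {
    "xp": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7",
    "vista": "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7",
}
# MIME types the NSS Certificate Download Specification defines for installable certificates.
NSS_CERT_TYPES = {"application/x-x509-user-cert", "application/x-x509-ca-cert",
                  "application/x-x509-email-cert", "application/x-x509-server-cert"}

def probe(url, user_agents=USER_AGENTS, timeout=5):
    """Fetch url once per User-Agent and return {label: normalised Content-Type}."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # go direct, ignore proxies
    results = {}
    for label, ua in user_agents.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with opener.open(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
        results[label] = ctype.split(";")[0].strip().lower()  # drop any charset parameter
    return results

def installable(content_type):
    """True if Firefox/NSS would offer to install the response rather than download it."""
    return content_type in NSS_CERT_TYPES

class _FakeCAHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the CA server, mimicking the behaviour reported in the bug:
    a PKCS#7 type for Vista (NT 6.0) clients, the x509 user-cert type for everyone else."""
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        ctype = "application/x-pkcs7-signeddata" if "Windows NT 6.0" in ua else "application/x-x509-user-cert"
        body = b"<constructed placeholder, not a real certificate>"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_fake_ca():
    """Start the constructed CA on an ephemeral loopback port and return its fetch URL."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeCAHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/cgi/personal/cert/fetch" % srv.server_address[1]

if __name__ == "__main__":
    for label, ctype in probe(start_fake_ca()).items():
        print("%-6s %-34s installable=%s" % (label, ctype, installable(ctype)))
```

Pointing probe() at a real certificate-fetch URL instead of start_fake_ca() answers the question without a TLS sniffer, since the Content-Type is read from the response headers the client already has.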

Comment 22

10 years ago
I can confirm that this is an error in the Thawte server software.

When fetching a certificate through regular means, I get the following error:

> System Error
> 
> An error occurred while we were processing your form. The system has already
> emailed our support, testing and development teams a report of the error, and
> they will try to resolve it as soon as possible!
> 
> The exact error message given was:
> 
> Unable to build chain for <some long number here>
> 
> Please accept our apologies for the inconvenience.
> 
> The thawte team
> thawte Digital Certificates

However, when I use User Agent Switcher to spoof Firefox 3.0 on a Windows XP system, the certificate installs without any issues.

So this is definitely a Tech Evangelism bug. I hope someone from the evangelism team can contact Thawte on this subject, it is rather embarrassing on their part that this issue (and such a strange, simple one) has been around for over a year now!

~Grauw

Comment 23

10 years ago
As the latest opinion is, this bug is an issue on the thawte server side, I'm adding the thawte contacts from bug 424152 to the cc list.

Jay, Rick, would you be able to escalate this issue to the thawte server operation team? Apparently on Windows Vista (only) their server sends out the user's certificate with an incorrect mime type, causing the installation in Firefox to fail.

Comment 24

9 years ago
The Thawte page lists an (ugly!) workaround now:

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=S:SO10195

> 1. Right click the Firefox shortcut and select properties.
> 2. Select the compatibility tab.
> 3. Select Run this program in compatibility mode for Windows XP (Service Pack 2)
> 4. To request a new Personal Email Certificate follow the instructions below:
> https://search.thawte.com/support/ssl-digital-certificates/(...)
> 5. Reset Firefox compatibility mode.

I guess it’s better than nothing.

By the way, I no longer get the error mentioned in comment 22 above when trying to download on Firefox 3/Vista. Instead it now offers for download a mycert.spc file which I don’t really know what to do with.

~Laurens

Comment 25

9 years ago
Ugly workaround that has my personal preference (without using User Agent Switcher):

1. Go to about:config
2. Right-click and select New / String
3. Enter name: general.useragent.override
4. Enter value: Mozilla/5.0 (Windows; U; Windows NT 5.0; nl; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
5. Install certificate
6. Reset configuration key through right-clicking on it and selecting reinit

Comment 26

8 years ago
Visiting Thawte's cert page shows that they are no longer issuing free certs.

https://www.thawte.com/resources/personal-email-certificates/index.html
"Thawte has discontinued Personal Email Certificates and the Web of Trust (WOT) certification system."

Marking INVALID.  :-(
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID

Comment 27

8 years ago
(In reply to comment #26)
> Visiting Thawte's cert page shows that they are no longer issuing free certs.
> 
> https://www.thawte.com/resources/personal-email-certificates/index.html
> "Thawte has discontinued Personal Email Certificates and the Web of Trust (WOT)
> certification system."
> 
> Marking INVALID.  :-(

But for a limited time, users of Thawte Personal Email and Web of Trust certs can get a free VeriSign Class 1 certificate. See
  https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO12704

-Rick
(Assignee)

Updated

3 years ago
Product: Tech Evangelism → Tech Evangelism Graveyard