Using a smart card reader to digitally sign emails
I use Thunderbird (68.8) on Windows 10, both brand new installs. I need to sign my emails with a "smart card" (not GPG as with Enigmail; that got rejected by the powers that be). I can't find a guide to connect Thunderbird to my smart card reader. Please don't make me use Outlook.
Modified
الحل المُختار
Thanks for all your help, but I think I'm putting the cart before the horse here. I was given a document that shows how to add a "persona" to the card, which I think may be the path to associate the card to my desired email address. But to do that, I need an ID certificate on the card, and that's missing. So unless you can tell me how to get an ID certificate onto the card, I'll let you all go back and (if you're in the U S of A) enjoy your Memorial Day weekend. Thanks for the tips; I may have to review them later.
Read this answer in context 👍 0All Replies (8)
From the Thunderbird Options Menu, navigate to the Advanced section, Certificates tab, click the Security Devices button, then the Load button.
Pick the device driver module for your smart card reader.
Modified
It wants a filename. I have a decision tree:
NSS Internal PKCS #11 Module Generic Crypto Servicesf Software Security Device Builtin Roots Module NSS Builtin Objects
Selecting each of those gives me at least a Load button, but past that I don't know where to go.
Modified
lets back up a little. what do you mean the smart card got rejected by the powers that be. If the provider lost their position as a provider of certificates, then it is highly likely that you don't get a choice.
Sorry. What got rejected was the use of GPG public/private key signing, the "old school" version that doesn't require a "smart card." At first I that would pass for "signing" an email, but no, a "smart card" signature is required. I have the card, I have the reader, I have an ActiveClient Agent, all of which appear to be operational. I have been sent a properly signed email and Thunderbird marks it with a little icon representing an envelope with sealing wax (cute), so I can receive signed email. I just can't coerce TB into letting me sign email with my smart card. I apologize for maybe not getting some of the acronyms involved, but I haven't figured them out yet.
Okay, thanks to https://support.mozilla.org/en-US/questions/752709, I found the ActiveClient DLL and TB agreed to load it as a module, and now TB seems to talk to the card reader. When I launch the email composition window, my card reader flashes. But when I choose Options --> Digitally Sign this message, I'm taken to a screen to set up signing and encryption certificates. I click Select... to set up the signing certificate first, and I get the rejection "Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages with an address of <x@y.z>", where x@y.z is my desired email address. I naively assumed that I should be able to associate the card's certificate with whatever email address I like.
A valid certificate to encrypt email using s/MIME uses a certificate that is issued on a per email address basis, or for a fee busness/Government can get certificates for all of their domain. This is how the us military ones work, they issue the certificates/card and it has the certification for your .mil email addresses. What I know about these same card tings is minuscule, but I do use s/mime certificates.
Who is the card issuer, and the reader manufacturer. Perhaps I can locate something relevant.
What got rejected was the use of GPG public/private key signing, the "old school" version that doesn't require a "smart card."
S/MIME does not require a smart card. And GPG does support smart cards as well.
But when I choose Options --> Digitally Sign this message, I'm taken to a screen to set up signing and encryption certificates.
At the top right of the Thunderbird window, click the menu button > Options > Account Settings - Security
Select the cert on the smart card to be used for signing, and encryption.
Note, the private key, to which the cert belongs to, also needs to be on the smart card. In fact, that's the whole point of using a smart card - to protect the private key.
Also, this assumes the Common Name of the cert matches your account email address.
الحل المُختار
Thanks for all your help, but I think I'm putting the cart before the horse here. I was given a document that shows how to add a "persona" to the card, which I think may be the path to associate the card to my desired email address. But to do that, I need an ID certificate on the card, and that's missing. So unless you can tell me how to get an ID certificate onto the card, I'll let you all go back and (if you're in the U S of A) enjoy your Memorial Day weekend. Thanks for the tips; I may have to review them later.