When you were asked to install a cert, I suppose we're talking about S/MIME (as opposed to PGP)? Please confirm. Did you receive any specific instructions? What exact steps did you try, and were did you get stuck? In order to be able to receive encrypted messages, you'd need to have a private key and a cert for yourself. Messages from the factory would then need to be encrypted to your public key (your cert).

Davey58 said

I am a HVAC distributor and our factory is setting up encrypted email for invoicing. I cannot get Thunderbird to use the certificate information they sent me. The certificates show up in the certificate file and I have them coded as trusted, but it doesn't seem to help. I have been working on this for 3 days now and hate to bother you guys but I am completely at a loss. The factory suggests that I switch to Outlook, but my skin crawls at the thought. Can I set this up on Thunderbird? Help ME! Thanks for any help.

Thanks for the reply. It is a s/mime certificate that I was sent in a zip file. three .cer files and a .p12 file. I imported them and they show up in the certs folder as trusted certificates. Thunderbird still will not recognize the test encrypted email the company sent to me. I have several computers that need different information from this same certificate source and I have Thunderbird on all of them. I was just wondering if there is a simple solution that will work for all of them.. Thanks again

Did you receive any instructions what the files are? Can you describe 'I imported them' in more detail? You'll also need to set up your account to use the cert. Tools (Alt-T) - Options - Account Settings - Security Also see http://kb.mozillazine.org/Installing_an_SMIME_certificate

Yes there were instructions. Once I unzipped the file there were 4 files. I opened them and followed the bouncing ball to install each. The .p12 file required a password which they provided and I successfully installed it. I then checked the certificate file and all of the files were listed and coded as trusted certificates. The problem is I do not have a personal certificate. We use several computers for the communications with the factory and I want to be able to use any of them. What I think I am hearing is that each individual computer will have to have a personal certification to do that. I installed the pgp4win file and generated a certificate and then added the enigmail add on. Still didn't work. I was hoping to find a solution so I could just receive the incoming encrypted messages without worrying about my outgoing emails, which will contain no vital information anyway. I probably will not even use it for outgoing email. I don't think it is possible at this point. I appreciate the help. I have read a lot about certificates now and understand a good bit more. Outlook does not require me to have an outgoing certificate, so I guess i will configure one of our work stations with Outlook. I hate it, but life has its challenges sometimes. Thanks again for your interest and support.

The problem is I do not have a personal certificate.

Well, this IS your personal certificate. Just don't use it for any sensitive communication other than with the factory.

What I think I am hearing is that each individual computer will have to have a personal certification

No, you can use the same cert on multiple computers. The cert is your public key. The factory encrypts messages to this cert (or public key). The (password protected) private key you installed on your computer when importing the cert is then used to decrypt the message.

I installed the pgp4win file and generated a certificate and then added the enigmail add on.

That is a completely different encryption system, and has got nothing to do with S/MIME. Thunderbird supports S/MIME out of the box. There is no need to install any additional software.

I was hoping to find a solution so I could just receive the incoming encrypted messages without worrying about my outgoing emails, which will contain no vital information anyway.

This is the way it works. You'd need the recipients cert (or public key) in order to be able to send encrypted messages to others.

Outlook does not require me to have an outgoing certificate

There is no such thing as an 'outgoing certificate'. Wrt S/MIME Outlook doesn't work any different than Thunderbird, even though the GUI is different.

I really appreciate your time and help. I guess I am just thoroughly confused. I just checked and I have the certs the factory sent in my certificate file. They are supposed to send me another test message and I will see if they work. I thought I was getting this a little, but I guess not. I sure hope that it decrypts the email this time. It would make life so much easier. If you don't mind I will let you know if it works this time. Thanks again...

You imported these into Thunderbird?

I've just gone round the loop of creating and downloading a free s/mime cert from Comodo, to remind myself how it works. It arrives in such a way that it installs into the browser, so to use it for signing email, I have to create a backup and then import that backup into Thunderbird.

I imagine that the process you need to follow picks up where I import into Thunderbird, since, I presume, the relevant certs have been provided to you.

One of the keys sent to you will be your private key, since messages sent to you would be encrypted using your public key. They have almost certainly included their own public key, which Thunderbird could use to encrypt your messages to them. Setting up Thunderbird to sign and/or encrypt really requires very little work on your part. All you'd have to do, I think, is enable s/mime support (in account settings) on the account you use to communicate with them. I think you need to do this to decrypt incoming messages too.

Zenos, I cannot find a way to enable s/mime support. I went into options, and looked at the email account that I will use and can not find anywhere in account settings that even addresses s/mime. Where would I find the support location??Thanks...

... can not find anywhere in account settings that even addresses s/mime.

I thought we covered that before.

https://support.mozilla.org/en-US/questions/1042650#answer-681044

Christ1, I did what you suggested, but I still could not read the encrypted message. I have requested that they send me another test Monday. I hope to try it again. But I also do not see where there is s/mime support on Thunderbird. I will be the first to admit that my learning curve on these issues is extraordinarily steep. But I keep trying. I appreciate any and all help and will gladly help where I can as payback. Sorry not trying to go over the same info twice.

Ok, I have just reinstalled my certificates... My start.com account lapsed because it was Christmas. The limits of free accounts... it lapses if I do not log in every year.

S/Mime does in fact require two certificates. The question is, was the .p12 file they sent you your personal certificate or theirs.

So I will backup just a little in the hope of making it clearer in the end.

Go to your certificate store in Thunderbird. Under the your certificates is there an entry?

Assuming there is, click view and in the details tab, is your email address shown in the Subject entry in the certificate fields? if not whose is?

Under the People tab in certificate manager, is the factory listed? Whatever that email address is!

Background info.

S/Mime is a public private key encryption. A certificate is issued on a per mail account basis. Once you have a certificate you set Thunderbird to digitally sign email using this certificate. If you use 10 computers in your office you need to either enable roaming profiles on your server. Or install the certificate on all of them. (One of the reasons businesses use servers and roaming profiles)

So if we say your bill@somewhere.net and the factory is factory@ somewhere.net. t6here will be two certificates, one for each email address.

When you send a mail to the factory with your digital signature, that certificate (your public one) is saved on the recipients certificate store (in the case of Thunderbird under the people tab)

When the factory goes to reply, they have a public certificate for you in their people tab. They are also digitally signing their mail, using the certificate that appears in their "Your certificates" . So they can encrypt the mail using your public key in their store and send it. When you get it, you can decrypt it. You have the relevant private key. You can also now encrypt mail to the factory because you got their certificate with the mail you received.

The critical part is to set the digital signatures first, exchange an email with a reply and then try encrypting. None of the documentation I see talks about the digital signing, almost as if they expect everyone to know.

I did what you suggested

Can you explain in more detail what you did?

I have requested that they send me another test Monday.

I don't think they need to send you new messages for testing. You should be able to decrypt every message sent to you which was encrypted with your public key.

But I also do not see where there is s/mime support on Thunderbird.

There's nothing special with it, it's built-in. But you do need to tell Thunderbird to use your cert (the one you received from the factory) for your account. Did you find the 'Security' setting underneath 'Account Settings'?

Did you read (and understand) the support article 'Installing an SMIME Certificate For Your Own Identity' linked above?

I went to Comodo and got my own cert and imported it. Works great. Since the Comodo certs are only good for a year, I guess in a year I need to do it again. Thanks for all the help guys. This is a great community. /david