Signed mail with S/MIME
Hello, I want to use S/MIME in Thunderbird 78.10.1 (64-bit). In my account settings I've imported a .pfx file. I created this certificate with openssl. I chose this personal certificate for digital signature and encryption (I want to use end-to-end encryption).
If I try to send a signed mail I get an error message: "Application could not find the signing certificate which I chose in my account settings [...]" (imprecise wording, as I am using Thunderbird in German).
But I only get this error message if I choose S/MIME as encryption technology. When I choose OpenPGP as encryption technology I get no error message and the e-mail is sent digitally signed.
Where is the problem?
Thanks for help.
Greetings
In my account settings I've imported a .pfx file. I created this certificate with openssl.
Not sure what exactly this means. In order to be able to digitally sign messages you'd also need to import the private key along with the cert.
By christ1
The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file.
When importing the certificate, I also had to enter the password (so that Thunderbird can access the private key).
Is there anything related in the Error Console (Ctrl+Shift+J) when you attempt to sign a message?
Good idea, I would try that, but unfortunately, I won't be back at my private PC for a week. I will write in a week.
Can an OpenPGP key be used to sign with S/MIME? I would have thought it would fail the OCSP test.
For the OpenPGP key I would have thought the OpenPGP manager and signing would be the way you had to go.
Hi Matt,
Matt wrote:
Can an OpenPGP key be used to sign with S/MIME? I would have thought it would fail the OCSP test.
No, as far as I know that is not possible. S/MIME and OpenPGP use the same cryptographic algorithms, but the internal structure is different.
Matt wrote:
For the OpenPGP key I would have thought the OpenPGP manager and signing would be the way you had to go.
Yeah, that's the way. I only tried a combination to find out how Thunderbird behaves.
Hi christ1,
christ1 wrote:
Is there anything related in the Error Console (Ctrl+Shift+J) when you attempt to sign a message?
When I choose OpenPGP as encryption technology for the signed e-mail (only signed, no encryption) I get no error message and the e-mail is sent digitally signed. For more details, see the appendix.
When I choose S/MIME as encryption technology for the signed e-mail (only signed, no encryption) I got no logs in the Error Console :/ I just get the message: "Failed to send the message. You chose to digitally sign this message, but the application could not find the signature certificate you specified in your account settings, or the certificate has expired."
"... You chose to digitally sign this message, but the application could not find the signature certificate you specified in your account settings, or the certificate has expired."
For signing a message you do need the private key. So either something is missing, or there's a problem with your cert. Without further details this is anyone's guess. I wouldn't be surprised if it's related to:
I created this certificate with openssl.
When importing the cert into the Thunderbird certificate store, did you import it as a personal cert underneath the 'Your Certificates' tab?
By christ1
Chosen solution
Now I got it :)
When importing the cert into the Thunderbird certificate store, did you import it as a personal cert underneath the 'Your Certificates' tab?
Nope, that was not the problem. My problem was this: I created a certificate and imported it. The problem was, nowhere was it written who issued me the certificate. I had to create a CA certificate first, and then use it to sign my own certificate. So that Thunderbird can handle it, I not only have to import my signed certificate, but also add my self-created CA certificate to the list of trusted CAs :)
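The fix described in the chosen solution, written out with the openssl CLI as an added example (not commands posted in this thread): create a private CA, have it sign the user certificate, and bundle key, certificate and CA into a .pfx. File names, subject names, the address and the certificate profile (key usage, emailProtection) are assumptions; user.pfx is what gets imported as the personal certificate and ca.crt is what gets added to the list of trusted CAs.

```shell
# Added example; all names, paths and the address are constructed placeholders.
set -eu

make_smime_chain() {  # $1 = output dir, $2 = e-mail address, $3 = .pfx password
  local d="$1" email="$2" pass="$3"
  mkdir -p "$d"
  # Own config, so the result does not depend on the system openssl.cnf.
  cat > "$d/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Mail CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Extensions for the user certificate (assumed profile: signing + encryption).
  cat > "$d/smime.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
EOF
  # 1. CA key and self-signed CA certificate: the issuer that was missing.
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # 2. User key and signing request (-subj overrides the CN from req.cnf).
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$email" -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  # 3. The CA signs the request, so the certificate names its issuer.
  openssl x509 -req -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -extfile "$d/smime.ext" \
    -out "$d/user.crt" 2>/dev/null
  # 4. Bundle private key, certificate and CA for import into the mail client.
  #    (pass: exposes the password in the process list; fine for a demo only.)
  openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
    -certfile "$d/ca.crt" -passout "pass:$pass" -out "$d/user.pfx"
}

# Exit 0 only if cert $2 chains to trusted CA file $1 for S/MIME signing.
chain_ok() {
  openssl verify -purpose smimesign -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: make_smime_chain ./smime alice@example.test 'constructed-password'
#        chain_ok ./smime/ca.crt ./smime/user.crt && echo "chain verifies"
```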