Installing certificates
Hello all, can I ask for some advice regarding digital certificate installation. I am running Win 10 (64) with Thunderbird 91.11.0. I have 3 distinct accounts in Thunderbird. On one account I have installed (some years back) my digital certificate which appears to be working eg. the s/mime certificate does get attached to my sent emails. The problem arises with one of my other accounts. I obtained a new certificate from the same authority and cannot seem to install it. When I go to e2ee in Thunderbird setup, I click on Manage S/MIME Certificates and the only one shown is the first account named cert. I try clicking Select instead and Thunderbird reports an error saying Cert Manager cannot find a valid cert with the correct email address. I have checked and the certificate is installed under mmc in Windows and also in Firefox. I’ve been trying to resolve this for days, even got a new cert from the authority (after revoking/deleting the old one). Any suggestions would be appreciated. Thanks
All Replies (19)
Thunderbird has its own certificate store. So you need to import a new cert first underneath 'Your Certificates'. Whether or not the new cert already exists in the Windows or Firefox certificate store, this is irrelevant to Thunderbird.
Hi Christ1 Thanks for the reply. Sorry I didn't explain better. I do go to Thunderbird setup > e2ee and try with the Thunderbird Cert Manager by both checking Manage S/MIME Certs which, as you have confirmed, will probably not show a Win/FF cert with the correct name. I then try Select in the Thunderbird Cert Manager by browsing to the relevant .p12 file that the authority issued, then enter the password (which I know is correct) and Thunderbird then reports an error... "The PKCS #12 operation failed for unknown reasons.". Sorry I didn't explain that last bit, but it is all in the Thunderbird Cert Manager and why I mentioned that the cert installed correctly in both Win & FF was to indicate that it is a valid cert with correct password. I've spent a good time googling the "The PKCS #12 operation failed for unknown reasons." error without finding an answer fitting this particular application.
Is the authority in the inbuilt chain of trust, or do you need intermediate or root certificates to make the authority "trusted"?
I have used a number of authorities over the years and found comodo the most difficult to import.
Hi Matt, thanks for the reply. Yes the authority certificates (ACCVCA-120) are installed in Win/FF at least... I don't see a way to install those in Thunderbird's Cert Manager options. It is a local authority (Spanish Government) issued certificate the same as the one that is working for my first email account in Thunderbird.
In the Certificate Manager window select the 'Authorities' tab, and press 'Import' at the bottom of the window.
Hi Christ1 Thanks again for replying. I checked the 'Authorities' tab and the 'Authority Certificates' (ACCA-###) are already installed. I checked the validation dates and all are valid. It takes me back to what is bugging me... a Cert from the same authority is already working with my other account in the same installation of Thunderbird. The only difference I can think of was that the 1st certificate was installed some time ago and perhaps it is a Thunderbird version thing that has changed.
When I go to e2ee in Thunderbird setup, I click on Manage S/MIME Certificates and the only one shown is the first account named cert.
Please post a screenshot. https://support.mozilla.org/kb/how-do-i-create-screenshot-my-problem
I then try Select in the Thunderbird Cert Manager by browsing to the relevant .p12 file that the authority issued
I don't follow what exactly you're doing. Please be more specific. Screenshots may help. As said before, you need to import the cert underneath the 'Your Certificates' tab. There is an 'Import' button for this.
Hi Christ1 Apologies if not clear. I am trying to import the certificate in Thunderbird's Certificate Manager (it is already installed in both Windows and Firefox).
In Thunderbird's e2ee (End-To-End-Encryption) setting under S/MIME -> "Personal certificate for digital signing" I choose "Select" and Thunderbird reports it cannot find a certificate with the email address.
OK, so now I go to the "Manage S/MIME certificates" option, still in Thunderbird's e2ee settings. Under "Your Certificates" I choose "Import" and browse to the .p12 certificate I downloaded from the authority. I enter the certificate password, click "Sign In" and I get an error message "The PKCS #12 operation failed for unknown reasons".
Still in Thunderbird's Certificate Manager -> "Manage S/MIME certificates" I click the "Authorities" tab and the relevant Authority Certificates are installed and date valid.
As I say, I have 3 mail accounts in this installation of Thunderbird. One account already has a certificate from the same authority installed and functioning. I am trying to install this certificate in one of the other accounts.
Is there anything related in the error Console (Ctrl-Shift-J) when you attempt to import the cert?
Christ1 You may have hit on something. I've never used the error console before and I am not sure which of the console tabs is most relevant, but I do see the logs in the image. I also saw once (I tried a second time and it didn't log it again!) something in the log like... 'block something - signature disabled', sorry can't reproduce that error message or recall it exactly.
Christ1 Tried a few more times with the error console and eventually got the extra message I was talking about... "thunderbird/hijack-blocklists has signature disabled". Another image attached.
got the extra message I was talking about... "thunderbird/hijack-blocklists has signature disabled".
I don't think that's related.
I'm running out of ideas. What happens when you try to import the cert into Firefox?
Scrap this, you already mentioned there's no problem with Firefox.
One more thing you could try. Create a new profile, and start Thunderbird with the new profile. No need to create any accounts, just try to import the cert. Is there any difference? https://support.mozilla.org/kb/using-multiple-profiles
Hi Christ1 Sorry it is an awkward one, but thank you for your patience and trying.
Yep, the certificate I am trying to install into Thunderbird successfully installed in both Windows and Firefox (shown in Cert Managers in Both).
I tried your suggestion by creating another profile and it is exactly the same problem.
I am still wondering about your previous suggestion with the error console and the fact that it reports... "thunderbird/hijack-blocklists has signature disabled", this I feel is where Thunderbird is blocking the certificate, why because... it is when I go to e2ee -> Manage S/MIME Certificates (Your certs) -> Import -> browse to .p12 -> Enter Password/Sign In is exactly where it fails with the error "The PKCS #12 operation failed for unknown reasons" (ie: accepting the password). HOWEVER, I know the password is correct because if I try entering a wrong password Thunderbird gives an additional error message saying password may be wrong.
I do think you hit on narrowing it down with the error console, but I don't know how to investigate that further. Is it possible (I'm not a programmer) for me to search the Thunderbird program code and see if there is a hijack-blocklists switch set... grasping at straws!
This is not a self signed cert?
Hello Wayne Thanks for your response. Am I correct that "self signed" is a kind of user created certificate? If so then it isn't self signed, it has been issued by a certification authority (ACCA) and the authority certificates have been installed under Thunderbird's Certificate Manager. It all appears to boil down to Thunderbird reporting "The PKCS #12 operation failed for unknown reasons" when trying to import the certificate, but I can't find any further information on how to diagnose this error in Thunderbird.
As a last resort you may try to post your problem to the Thunderbird e2ee mailing list. https://thunderbird.topicbox.com/groups/e2ee
Hi Christ1
Thank you for the suggestion. I have posted the topic on that forum.
In case you are interested in any outcome:- https://thunderbird.topicbox.com/groups/e2ee/T44b9cdef00d023f9/the-pkcs-12-operation-failed-for-unknown-reasons
Thank you also for the time and effort you took to try and resolve the problem, it was much appreciated.
Christ1 & Matt
Thank you for your responses to this problem, especially Christ1 where you tried all options to help.
For information and in case anyone else comes across this in the future... I appear to have resolved it :-)
I didn't get any response from the e2ee forum, so I began experimenting again. I mentioned that the certificate was issued in a .p12 format, which I believe should be importable into Thunderbird. Anyway, I also mentioned that it had imported successfully into Windows (10), so what I tried and found to work was...
... export/backup the certificate from Windows which created a .pfx format file. This file then imported first time into Thunderbird with no errors and it functions as it should. :-)
Perhaps this might help someone else some day, but much thanks again to Christ1 and Matt.
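The Windows export step described in the last post can also be done from PowerShell. This is an added example, not something posted in the thread; the e-mail address and output path are placeholder assumptions, and it assumes the certificate sits in the current user's Personal store with an exportable private key.

```powershell
# Assumed values (not from the thread): replace before running.
$Email   = 'user@example.org'    # address of the account the certificate was issued for
$OutFile = "$env:USERPROFILE\Documents\smime-export.pfx"

# Find certificates in the current user's Personal store whose e-mail name matches.
$emailName  = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.GetNameInfo($emailName, $false) -eq $Email
}

# Keep only certificates that are currently valid and have a private key;
# without the key the export is useless for signing or decryption.
$now    = Get-Date
$usable = @($candidates | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
})
if ($usable.Count -eq 0) {
    throw "No valid certificate with a private key found for $Email"
}

# If several match (for example after a re-issue), take the one that expires last.
$cert = $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
"Exporting {0} (thumbprint {1}, expires {2:u})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# Prompt for the password that will protect the .pfx; it is not stored in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the exported .pfx'

# Export the certificate, its private key and the issuing chain.
# This fails if the key was marked non-exportable when it was imported into Windows.
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Read the file back to confirm it opens with that password and holds the certificate.
$check = Get-PfxData -FilePath $OutFile -Password $pfxPassword
$check.EndEntityCertificates | Select-Object Subject, Thumbprint, NotAfter
```

The resulting .pfx is the file to pick under "Your Certificates" -> "Import" in Thunderbird's Certificate Manager. It contains the private key, so delete it or move it to protected storage once the import has succeeded.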