Cannot Send Signed Email via CAC Card
I think I’ve followed all the steps to get Thunderbird signing and encrypting emails using my CAC.
I set up my CAC card reader as a security device and was able to select one of my CAC certificates as the certificate used to sign emails and one to use for encrypting emails. I’m able to successfully read encrypted emails and I can send encrypted emails to folks, but I can’t send a signed email. When I try to do so, I first get prompted for my CAC PIN and then the following error is presented: “Sending of the message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.”
I have all the DOD Certificate Authorities installed and I can see them all in the certificate manager. I set all of the DOD Email CA-## certificate trust settings to have the “This certificate can identify mail users” option checked. I also did the same for the DOD Root Certs.
I’m using Thunderbird 52.6.0 (32-bit) on Windows 7.
Can anyone help me with what I’m doing wrong?
All Replies (8)
Are you certain the corresponding private key for the signing cert is on that card?
Yeah, I'm certain. I use the same card to sign emails with Outlook and it works.
Did this ever work with Thunderbird before?
Do you need to enable FIPS for your CAC card reader security device? Doesn't the DOD have any instructions or manuals on how to set this up properly in Thunderbird?
Since Thunderbird for Windows is 32-bit only, make sure there is no 32-bit / 64-bit mismatch. See https://support.mozilla.org/en-US/questions/752709
Thanks for working with me on this, christ1. I'm new to Thunderbird and haven't gotten this to work before. I tried going to my security devices and enabling FIPS mode, but I still get the same error: "Sending of the message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail."
Since I can send encrypted emails, it seems that certs can be pulled from my CAC OK, but I'm not sure why the cert it pulls off for signing is not recognized as trusted.
Please check the entire post above. https://support.mozilla.org/en-US/questions/1205284#answer-1080208
I am using the 32-bit version of the .dll. The module loads fine for me and I can use the certs on the CAC card to encrypt email, so I don't think that is the issue.
Since I can send encrypted emails, it seems that certs can be pulled from my CAC OK, but I'm not sure why the cert it pulls off for signing is not recognized as trusted.
Encrypting doesn't require access to the private key. Signing does. So I can only guess that there is still some sort of PIN or passphrase required to unlock the private key. Using different certs for encryption and signing sounds odd to me, but this may be intentional.
My CAC has 3 certs on it, and when I'm selecting the certificates in the Security settings I don't get to choose the cert. It only gives me one cert to choose from for Digital Signing and only one choice for Encryption, and the certs it chooses are different. I'm guessing it uses the 'Certificate Key Usage' certificate field to determine which one to use.
When I try to send a signed email I am getting prompted for the CAC's PIN, if that helps any.