How to exchange encryption key/certificate with other users
I have imported a certificate and setup my Thunderbird. When I try to send an email using encryption it won't send and Thunderbird displays the message ' End-to-end ecryption requires resolving certificate issues for XXXX@ddd.com'
How do I resolve this ?
All Replies (13)
I have imported a certificate and setup my Thunderbird.
What cert exactly? Please be specific.
When I try to send an email using encryption it won't send and Thunderbird displays the message ' End-to-end ecryption requires resolving certificate issues for XXXX@ddd.com'
Please post a screenshot of the error. https://support.mozilla.org/kb/how-do-i-create-screenshot-my-problem
In general, you'd have to obtain the cert of the intended recipient and import it into your Thunderbird to be able to send encrypted messages to that recipient.
Thank you for the reply. I have two Certificates one for email signatures and one for Encryption both are from a certified CA. They have functioned well with MS Outlook until Outlook 2016 stopped working for me and Microsoft could not solve the issue. I tried going to the new Outlook (their only possible solution) and the new Outlook does not support Certificates. So I am trying Thunderbird. I have gone trough the Import Certificate and create a backup process to obtain the .p12 format for Thunderbird. When I try to send an email with my signature to an associate I get the "Unable to sign screenshot1" attached here. (Then, as Mozilla tries to save the email as a "draft" I get the "Unable to save Draft Screenshot1" attached here.) My goal is to send signature and Encrypted emails to my customers and associates. When I get an encrypted email from an associate, Thunderbird posts this cannot decrypt message (screenshot attached) "Cannot Decrypt message screenshot1" in the text field of the email.
I have two Certificates one for email signatures and one for Encryption both are from a certified CA.
You may have two files, but there is only one cert. You need to use the file which also includes the private key and import it into Thunderbird.
Then open the Thunderbird Certificate Manager. At the top right of the Thunderbird window, click the menu button ≡ > Settings > Privacy & Security > Certificates > Manage Certificates
Select the "Your Certificates" tab. Do you see your cert? If yes, select it - View.
The Common Name field should be your email address. Does it match your account email address?
Is the cert (still) valid?
Take a screenshot of the "Public Key Info" and "Miscellaneous" sections, and post it here. https://support.mozilla.org/kb/how-do-i-create-screenshot-my-problem
I have gone trough the Import Certificate and create a backup process to obtain the .p12 format for Thunderbird.
Not sure what you're talking about. How can you backup the cert if you haven't imported it into Thunderbird in the first place? Please explain.
Okulungisiwe
In The Certificate Manager. In the Common Name Field I see "my name:certificate number". I do NOT see my email address, colon, followed by the cert number? The cert is still valid, yes. Public Key & Miscellaneous screenshot attached. We went through the "Import/Back-up certificate" process in Thunderbird when I first set it up. Sorry for the confusion. I believe I performed that step correctly as we did see the .p12 file format..
In The Certificate Manager.
Very funny. Once again: The Certificate Manager has multiple tabs. In which tab do you see your cert?
Do you see your email address anywhere in the cert? If so, which field?
We went through the "Import/Back-up certificate" process in Thunderbird when I first set it up.
Import and Backup are separate buttons in the Certificate Manager. So I still have no idea what you're talking about.
I believe I performed that step correctly as we did see the .p12 file format..
I don't understand what that means. You need to be more specific about what you did do when importing the cert.
The cert should also have a "Extended Key Usages" section. It should look like this: Purposes Client Authentication, E-mail Protection
Does your cert have an "E-mail Protection" purpose listed, or something in that sense?
Okulungisiwe
I see the certs in the "Your Certificates" Tab in the Cert Manager. This same tab is where we did the "Backup" to generate the .p12 file using the buttons at the bottom of that tab. The only place I see my email address is when I "view" the certificate (from the same "Your Certificates" tab, and I see my email under, "Subject Alt Names"..
The only place I see my email address is when I "view" the certificate (from the same "Your Certificates" tab, and I see my email under, "Subject Alt Names"..
Good. Does the email address in the cert match your account email?
Now, go to your account settings: At the top right of the Thunderbird window, click the menu button ≡ > Account Settings > End-To-End Encryption > S/MIME.
Did you select the correct cert for both, signing, and encryption?
Okulungisiwe
I believe I have. There are two certs with the same cert number, but they have two different "serial Numbers". Is it possible that I have the cert for encryption selected for signing and the signing selected for encryption?
There are two certs with the same cert number, but they have two different "serial Numbers".
So you do have two different certs.
Check the serial no. of the cert underneath the "Your Certificates" tab in the Certificate Manager.
Then use this cert for both, signing, and encryption in Account Settings.
Delete the other cert in Certificate Manager.
Get a message now cannot locate cert for encryption...(screenshot attached)..
I assume you are using s/mime encryption based on having certificates from a CA.
Encryption requires both you and the recipient to have encryption certificates. You have yours, but you can not send a message to someone encrypted that they will be able to decrypt until you first exchange a non encrypted email with a digital signature as that digital signature is the public key they will use to decrypt your mail. You probably have a long history of personal certificates for correspondents somewhere that is not going to be present in Thunderbird.
See this old discussion on the use of the windows store. https://support.mozilla.org/en-US/questions/1272378
Have you read the prerequisites support article https://support.mozilla.org/en-US/kb/thunderbird-help-cannot-encrypt
Yes, I am using the s/mime encryption. I will go back and read the information in the supplied links. Thank you to both of you for responding. I will check back in after I do some more homework. It is unclear to me if I have two certs one for Encryption and one for Signatures from the CA. I'm far fram being and expert on this stuff, just simply a user!
It is unclear to me if I have two certs one for Encryption and one for Signatures from the CA.
As stated before, there is only one cert for both. More precisely, the private key is for signing, the cert (which is essentially the public key) is for encryption when sending a message. The file you import into Thunderbird needs to have both, the cert, and the private key. Note, when sending messages to other recipients, you'll also need their cert.
It is not clear to me why you think you do need two certs, and what's in the two files you imported into Thunderbird.