We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

PKCS11 cert to digitally sign email

  • 9 replies
  • 1 has this problem
  • 2 views
  • Last reply by christ1

more options

Hello.

I'm trying to add a certificate through PKCS11 in order to digitally sign emails in Thunderbird. I get an error stating "Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages with an address of <email>".

I have added the Security Device (I used the same driver in Firefox and it works fine) and I can list the certificates without problems.

I have tried to create the certificate with my email in all those fields:

- Subject > E - Subject > CN - Issuer > E (it's self-signed) - Issuer > CN (it's self-signed) - Name of the certificate - Certificate Subject alt name

I keep receiving this error and I'd like to know which field is Thunderbird checking.

When I open the certificate view inside Thunderbird itself:

Key usage:

- Critical - Signing - Key Encipherment - Data Encipherment

Extended Key usage:

- Not critical - TLS Web Server Authentication - TLS Web Client Authentication


Thanks in advance.

Hello. I'm trying to add a certificate through PKCS11 in order to digitally sign emails in Thunderbird. I get an error stating "Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages with an address of <email>". I have added the Security Device (I used the same driver in Firefox and it works fine) and I can list the certificates without problems. I have tried to create the certificate with my email in all those fields: - Subject > E - Subject > CN - Issuer > E (it's self-signed) - Issuer > CN (it's self-signed) - Name of the certificate - Certificate Subject alt name I keep receiving this error and I'd like to know which field is Thunderbird checking. When I open the certificate view inside Thunderbird itself: Key usage: - Critical - Signing - Key Encipherment - Data Encipherment Extended Key usage: - Not critical - TLS Web Server Authentication - TLS Web Client Authentication Thanks in advance.

Chosen solution

I've already managed to get it working. I'm not sure if it's due to some changes on the PKCS11 provider or just restarting Thunderbird, but I can do what I expected now.

Thanks for your replies anyway.

Best regards.

Read this answer in context 👍 0

All Replies (9)

more options

Why are you trying to use a self signed certificate for you email? How is the receiving party to determine your certificate is anything but bad?

I think you probably need to install enigmail if you want to issue your own certificates.

more options

Matt said

Why are you trying to use a self signed certificate for you email? How is the receiving party to determine your certificate is anything but bad? I think you probably need to install enigmail if you want to issue your own certificates.

Sorry, the certificate is just a development test. I'm not actually concerned about trust in this certificate.

more options

I am no expert, but I do not think Thunderbird will accept a self signed certificate for the purpose of s/mime. You would need certifying authority and intermediate certificates for the email cert at the very least.

Just go to comodo and get a free personal use one for your development requirements.

Looking at my own signing certificates, they appear to be PKCS12.

more options

Matt said

I am no expert, but I do not think Thunderbird will accept a self signed certificate for the purpose of s/mime. You would need certifying authority and intermediate certificates for the email cert at the very least. Just go to comodo and get a free personal use one for your development requirements. Looking at my own signing certificates, they appear to be PKCS12.

Are you sure I can't use a self-signed certificate? Because that does not make sense at all for me. When you are browsing you have an icon which lets you know if the server's certificate is valid or not, but it won't prevent you from connecting right away. It should advice the recipient that the certificate is expired/invalid/self-signed/whatever but why shouldn't it be allowed? And more importantly, why wouldn't it throw a more descriptive error?

I appreciate your answer but I can't use PKCS12 certificate, I need to use PKCS11 provider.

Thanks.

more options
I'm trying to add a certificate through PKCS11 in order to digitally sign emails in Thunderbird.

What exactly are you trying to achieve? Accessing a cert (and private key) on a smartcard through a PKCS11 interface, or importing a cert and private key stored in a PKCS12 file into the Thunderbird certificate store? Also see https://kbdeveloper.qoppa.com/difference-between-pkcs11-and-pkcs12/

When you are browsing you have an icon which lets you know if the server's certificate is valid or not,

That alone would be pretty much useless. The whole point of using a cert is to assure that it has been issued by a CA you trust.

more options

christ1 said

I'm trying to add a certificate through PKCS11 in order to digitally sign emails in Thunderbird.

What exactly are you trying to achieve? Accessing a cert (and private key) on a smartcard through a PKCS11 interface, or importing a cert and private key stored in a PKCS12 file into the Thunderbird certificate store? Also see https://kbdeveloper.qoppa.com/difference-between-pkcs11-and-pkcs12/

Hello christ1.

What I'm trying to achieve is Thunderbird digitally signing an email with a cert stored in a device accessed through PKCS11. I know the difference between PKCS11 and PKCS12. I'm not trying to store the cert, I'm creating the cert inside the security device and trying to use it through PKCS11.

I can do this with Firefox, and I can successfully manage certificates inside Thunderbird after I added my security device, the point is that I can't just select it to digitally sign.

When you are browsing you have an icon which lets you know if the server's certificate is valid or not,

That alone would be pretty much useless. The whole point of using a cert is to assure that it has been issued by a CA you trust.

My point is that there's no need to directly block it. Why wouldn't you want to decide yourself whether you want to trust a certain certificate or not?

Regards.

more options

As a test, can you try to create a keypair outside of the security device. Then generate the cert as before, and import the cert and private key in PKCS12 format into the Thunderbird certificate store. Can you use the cert for signing?

If so, delete the cert from the Thunderbird certificate store. Import the cert and private key into your security device. Connect the security device, so that Thunderbird can access it. Can you use the cert for signing now?

Why wouldn't you want to decide yourself whether you want to trust a certain certificate or not?

Typically you can do that by creating a security exception. I don't think the problem here is your self-signed cert. I was simply responding to your statement about 'an icon which lets you know if the server's certificate is valid or not'. Even if a cert is valid, it isn't necessarily one you should trust.

Does this problem sound similar to yours? https://support.mozilla.org/en-US/questions/1205284

more options

Chosen Solution

I've already managed to get it working. I'm not sure if it's due to some changes on the PKCS11 provider or just restarting Thunderbird, but I can do what I expected now.

Thanks for your replies anyway.

Best regards.

more options

When your problem is fixed, can you mark the topic as 'Solved' please? Thank you.