Installing an SMIME certificate

From MozillaZine Knowledge Base

The title of this article omits the slash from S/MIME because a slash is a special character in URLs and file names.

This article describes how to import S/MIME certificates for use in Thunderbird and SeaMonkey. S/MIME certificates are used for digitally signed and encrypted e-mail messages. For information about getting or creating your own S/MIME certificates, see: Getting an S/MIME certificate

Installing an SMIME Certificate For Your Own Identity

Important: Before you can create or import your own certificate and private key, you must first set a master password if you have not already done so. The master password is needed so that imported certificates are stored securely. If you need instructions for setting a master password, look here.

You may have your own personal certificate and private key in a .p12 or .pfx file, and you may wish to import it into ThunderBird and/or SeaMonkey. Once you have set a Master Password, you can import/install your personal S/MIME certificate from a .p12 or .pfx file by doing the following steps.

  1. Open the Certificate Manager:
    In Thunderbird 1.5, go to "Tools -> Options... -> Privacy -> Security -> View Certificates".
    In Thunderbird 2, go to "Tools -> Options... -> Advanced -> Certificates -> Manage Certificates...".
    In Seamonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
  2. Go to the tab named "Your Certificates".
  3. Click on "Import".
  4. Select the PCKS12 certificate file (.pfx or .p12).
  5. It will ask you for the master password for the software security device. Enter your master password and click "OK".
  6. Next, it will ask you for the password protecting your personal certificate. If your .p12 or .pfx file has a password, enter it here, otherwise leave this field empty. Then click "OK".

You should have now imported your S/MIME certificate. If your certificate was not trusted, look here.

Once you have the certificate installed you will probably want to configure ThunderBird or SeaMonkey to use that certificate for signing and/or decrypting email. To do that, go to "Tools -> Account Settings..." in ThunderBird, or to "Edit -> Mail & Newsgroups Account Settings..." in SeaMonkey's Mail window. Then find the account with the email address that matches the email address in the certificate you just installed. Choose "Security" under that account and select the certificate you just installed. The rest of the options should be self explanatory.

Note for ThunderBird users:

  • When you select a certificate in Account Settings, your selection only applies to the account's default identity. There is no user interface for specifying certificates for the account's other identities. This UI limitation is the subject of bug 252250. You can work around it by editing the settings manually, copying the settings from an account's default identity to some other identity. The settings have names ending in: signing_cert_name, sign_mail, encryption_cert_name and encryptionpolicy.

Installing a Self-Signed SMIME Certificate for Your Own Identity

If the SMIME certificate in your .p12 or .pfx file is a self-signed certificate for your own identity, then before you can install that file into the tab named "Your Certificates", you must first install that certificate as a certificate authority in the "Authorities" tab. The PKCS12 certificate file will not install into the "Authorities" tab. You will need a copy of your self-signed certificate that does not contain your private key. This is usually in the form of a ".cer" file. One way to obtain the .cer form of your certificate from the .p12 file is to use the Firefox Add-on Key Manager to extract the .cer certificate from the .p12 file. With that Add-on installed in Thunderbird, go to Tools -> Key Manager Toolbox -> Key Manager -> Your Keys, select your key, select Export and choose X.509 as file format.

  1. In Thunderbird, go to "Tools -> Options... -> Advanced -> Certificates -> Manage Certificates...".
    In SeaMonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
  2. Go to the "Authorities" tab.
  3. Click on "Import".
  4. Select the ".cer" file.
  5. It will ask you for what purposes you want to trust the certificate. Select "Trust this CA to identify email users."
  6. Click "OK" to complete the import.

Other people's certificates

To send encrypted messages to other people, you must have their SMIME encryption certificate (.cer) in the "Other People's" tab of your Certificate Manager. Thunderbird automatically adds other people's SMIME certificates to that tab when you receive form them a digitally signed message with a valid signature and with an SMIME certificate issued by a recognized and trusted Certificate Authority (CA). CA certificates that appear in ThunderBird's "Authorities" tab are recognized, and may also be trusted. CA certificates that do not appear in that tab are considered "unrecognized".

An SMIME certificate that was issued by an unrecognized CA will not be automatically added to the "Other People's" tab of your Certificate Manager. If you attempt to manually import an SMIME certificate that was issued by an unrecognized CA, nothing will happen--literally. Thunderbird will not even display an error dialog. It will just not import the SMIME certificate. This is generally not a problem when receiving an SMIME certificate that was issued by a trusted Certificate Authority (CA) such as Thawte and Verisign, but could be a problem for a certificate that was issued by an unrecognized or untrusted CA, or for a certificate that is self-signed (i.e. it has no CA other than itself).

So, before you can import an SMIME certificate that is issued by an unrecognized CA or is self-signed, you must first acquire and import the certificate for the issuing CA. In the case of a self-signed certificate, you will need to acquire a ".cer" file from the individual whose certificate you wish to add.

Other people's self-signed certificates

Warning: Only install personally self-signed certificates from people you know and trust. Be sure that you verify the actual SMIME certificate contents with the person whose email address appears in the SMIME certificate before you import and trust that certificate. Otherwise, someone could possibly fool you into accepting and trusting an SMIME certificate that is NOT for the perty named in it.

If you wish to install an SMIME certificate for another person, and that certificate was self-signed, you will need a copy of their SMIME certificate as a ".cer" file. You can import it into your "Authorities" tab. Thunderbird will not import a self-signed certificate in the "Other People's" tab. A self-signed certificate will not appear in the "Other People's" tab; it will only appear in the "Authorities" tab. Once you have imported a self-signed SMIME certificate into the "Authorities" tab, and have marked it trusted for SMIME email, you will be able to send encrypted messages to the email address in that certificate.

See also

External links