Installing an SMIME certificate: Difference between revisions

From MozillaZine Knowledge Base
Jump to navigationJump to search
(Add intro and structure headings)
(Move info about getting certificates to the right article)
Line 1: Line 1:
:''The title of this article omits the slash from S/MIME because a slash is a special character in URLs and file names.''
:''The title of this article omits the slash from S/MIME because a slash is a special character in URLs and file names.''


This article describes how to import [[wikipedia:S/MIME|S/MIME]] certificates for use in Thunderbird and SeaMonkey.  S/MIME certificates are used for digitally signed and encrypted e-mail messages, and to verify web sites and extensions.
This article describes how to import [[wikipedia:S/MIME|S/MIME]] certificates for use in Thunderbird and SeaMonkey.  S/MIME certificates are used for digitally signed and encrypted e-mail messages, and to verify web sites and extensions. For information about getting or creating your own S/MIME certificates, see: [[Getting an SMIME certificate|Getting an S/MIME certificate]]


==Certificates for your own identities==
==Certificates for your own identities==
Line 17: Line 17:
Once you have the certificate installed you will need to go to "Tools -> Account Settings..." Then choose "Security" from under the account whose default identity's e-mail address matches that on the certificate and Select the certificate you just installed. The rest of the options should be self explanatory.  
Once you have the certificate installed you will need to go to "Tools -> Account Settings..." Then choose "Security" from under the account whose default identity's e-mail address matches that on the certificate and Select the certificate you just installed. The rest of the options should be self explanatory.  


'''Notes:'''<br>
'''Note:'''<br>
*As of May 23, 2005, the [http://www.thawte.com/email/index.html Thawte site] does not offer Thunderbird in its list of what software you might be using when you sign up for a personal certificate there.  It does offer Netscape/Messenger as possibilities.  If you use Firefox to get your certificate and take the Netscape/Messenger option, a certificate silently installs into Firefox.  There is no fanfare at all, but it works.  To find that certificate and get a file that you can import into Thunderbird using the directions above, go, in Firefox, into "Tools -> Options -> Advanced".  Scroll down and click "Manage Certificates".  Highlight the certificate and click "Backup." Follow the prompts to produce the necessary file.
*When you select a certificate in Account Settings, your selection only applies to the account's default identity.  There is no user interface for specifying certificates for the account's other identities.  This is [https://bugzilla.mozilla.org/show_bug.cgi?id=252250 bug&nbsp;252250]. You can work around it by editing the [[Editing configuration|settings]] manually, copying the settings from an account's default identity to some other identity.  The settings have names ending in: <tt>signing_cert_name</tt>, <tt>sign_mail</tt>, <tt>encryption_cert_name</tt> and <tt>encryptionpolicy</tt>
*When you select a certificate in Account Settings, your selection only applies to the account's default identity.  There is no user interface for specifying certificates for the account's other identities.  This is [https://bugzilla.mozilla.org/show_bug.cgi?id=252250 bug&nbsp;252250]. You can work around it by editing the [[Editing configuration|settings]] manually, copying the settings from an account's default identity to some other identity.  The settings have names ending in: <tt>signing_cert_name</tt>, <tt>sign_mail</tt>, <tt>encryption_cert_name</tt> and <tt>encryptionpolicy</tt>


Line 32: Line 31:
# It will ask you for what purposes you want to trust the certificate. Select "Trust this CA to identify email users."
# It will ask you for what purposes you want to trust the certificate. Select "Trust this CA to identify email users."
# Click "OK" to complete the import.
# Click "OK" to complete the import.
===Self-signed certificates in Mac OS X 10.4===
You can [http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2139.html create your own self-signed certificate] using the ''Keychain Access'' application's ''Certificate Assistant''. To export your certificate as a PCKS12 file for import into Thunderbird, click "My Certificates" in the ''Keychain Access'' window. Select your self-signed certificate. Then from the menu bar select "File -> Export". You will be asked for a password to protect this file. This is the password you will require when importing the certificate into the "Your Certificates" tab of Thunderbird after entering your master password.
To export your certificate as a ".cer" file for use as a certificate authority, select "Certificates" in the ''Keychain Access'' window. Select your self-signed certificate. Then from the menu bar select "File -> Export". Be sure ".cer" is selected as the appropriate file type in the save dialog.


==Other people's certificates==
==Other people's certificates==

Revision as of 12:39, 6 April 2007

The title of this article omits the slash from S/MIME because a slash is a special character in URLs and file names.

This article describes how to import S/MIME certificates for use in Thunderbird and SeaMonkey. S/MIME certificates are used for digitally signed and encrypted e-mail messages, and to verify web sites and extensions. For information about getting or creating your own S/MIME certificates, see: Getting an S/MIME certificate

Certificates for your own identities

You can import/install your personal S/MIME certificate by doing the following. Important: you must first set a master password if you have not already done so. The master password is needed so that imported certificates are stored securely. If you need instructions for setting a master password, look here.

  1. Open the Certificate Manager:
    In Thunderbird 1.5, go to "Tools -> Options... -> Privacy -> Security -> View Certificates".
    In Thunderbird 2, go to "Tools -> Options... -> Advanced -> Certificates -> Manage Certificates...".
    In Seamonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
  2. Make sure that you are on the "Your Certificates" tab.
  3. Click on "Import".
  4. Select the PCKS12 cert.
  5. It will ask you for the master password for the software security device. Enter your master password and click "OK".
  6. Next, it will ask you for the password protecting your personal certificate. Enter this password and click "OK".

You should have now imported your S/MIME certificate. If your certificate was not trusted, look here.

Once you have the certificate installed you will need to go to "Tools -> Account Settings..." Then choose "Security" from under the account whose default identity's e-mail address matches that on the certificate and Select the certificate you just installed. The rest of the options should be self explanatory.

Note:

  • When you select a certificate in Account Settings, your selection only applies to the account's default identity. There is no user interface for specifying certificates for the account's other identities. This is bug 252250. You can work around it by editing the settings manually, copying the settings from an account's default identity to some other identity. The settings have names ending in: signing_cert_name, sign_mail, encryption_cert_name and encryptionpolicy

Self-signed certificates

Warning: Only install personally self-signed certificates from people you know and trust.

The preceeding instructions apply to installing personally self-signed certificates with one exception--you must install a self-signed certificate as a certificate authority first. The PCKS12 cert will not install as a certificate authority. You will need a copy of your self-signed certificate that does not contain your private key information. This is usually in the form of a ".cer" file.

  1. In Thunderbird, go to "Tools -> Options... -> Advanced -> Certificates -> Manage Certificates...". (In Mozilla Suite, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".)
  2. Make sure that you are on the "Authorities" tab.
  3. Click on "Import".
  4. Select the ".cer" file.
  5. It will ask you for what purposes you want to trust the certificate. Select "Trust this CA to identify email users."
  6. Click "OK" to complete the import.

Other people's certificates

To send encrypted messages to other people, you must have their public key in the "Other People's" tab of your certificates. Thunderbird automatically adds other people's public keys when they send you a digitally signed, unencrypted message.

If the certificate authority that issued their certificate is not in Thunderbird's "Authorities" tab, their public key will not be added. If you attempt to manually import a public key that was issued by an unrecognized certificate authority, nothing will happen--literally. Thunderbird will not even display an error dialog. It will just not import the public key.

This is generally not a problem when receiving public keys issued by approved certificate authorities like Thawte and Verisign but could be a problem if a certificate was issued by an obscure or unrecognized certificate authority. This can also occur if the certificate was personally self-signed (i.e. it has no certificate authority other than itself).

You will need to acquire and import a certificate from the issuing certificate authority if it is not already present in Thunderbird's "Authorities" tab. In the case of a personally self-signed certificate, you will need to acquire a ".cer" file from the individual whose certificate you wish to add.

Other people's self-signed certificates

Warning: Only install personally self-signed certificates from people you know and trust.

If you wish to install a public key for someone's personally self-signed certificate, they will need to send you their public key as a ".cer" file you can import into your "Authorities" tab. Thunderbird will not import a self-signed certificate in the "Other People's" tab. Once you have imported the self-signed certificate in the "Authorities" tab you will be able to send them encrypted messages using their public key. A self-signed certificate will not appear in the "Other People's" tab; it will only appear in the "Authorities" tab.

See also

External links