Installing an SMIME certificate: Difference between revisions

From MozillaZine Knowledge Base
 
(11 intermediate revisions by 6 users not shown)
Line 1: Line 1:
=Installing SMIME certificates=
__NOTOC__
You can import/install your personal [http://en.wikipedia.org/wiki/S/MIME S/MIME] certificate by doing the following. '''Important''': you must first set a [[master password]] if you have not already done so. The master password is needed so that imported certificates are stored securely. If you need instructions for setting a master password, look [[Master password | here]].


# In Thunderbird, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Advanced -> Certificates -> Manage Certificates...". (In Mozilla Suite, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".)
:''The title of this article omits the slash from S/MIME because a slash is a special character in URLs and file names.''
# Make sure that you are on the "Your Certificates" tab.
 
This article describes how to import [[wikipedia:S/MIME|S/MIME]] certificates for use in Thunderbird and SeaMonkey.  S/MIME certificates are used for digitally signed and encrypted e-mail messages.  For information about getting or creating your own S/MIME certificates, see: [[Getting an SMIME certificate|Getting an S/MIME certificate]]
 
==Installing an SMIME Certificate For Your Own Identity==
'''Important''': Before you can create or import your own certificate and private key, you must first set a [[master password]] if you have not already done so. The master password is needed so that imported certificates are stored securely. If you need instructions for setting a master password, look [[Master password | here]].
 
You may have your own personal certificate and private key in a .p12 or .pfx file, and you may wish to import it into ThunderBird and/or SeaMonkey. Once you have set a Master Password, you can import/install your personal [http://en.wikipedia.org/wiki/S/MIME S/MIME] certificate from a .p12 or .pfx file by doing the following steps.
# Open the Certificate Manager:<br> In Thunderbird 1.5, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Privacy -> Security -> View Certificates".<br> In Thunderbird 2, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Advanced -> Certificates -> Manage Certificates...".<br> In Seamonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
# Go to the tab named "Your Certificates".
# Click on "Import".
# Click on "Import".
#Select the PCKS12 cert.
# Select the PCKS12 certificate file (.pfx or .p12).
# It will ask you for the master password for the software security device. Enter your master password and click "OK".
# It will ask you for the master password for the software security device. Enter your master password and click "OK".
# Next, it will ask you for the password protecting your personal certificate. Enter this password and click "OK".
# Next, it will ask you for the password protecting your personal certificate. If your .p12 or .pfx file has a password, enter it here, otherwise leave this field empty. Then  click "OK".


You should have now imported your S/MIME certificate. If your certificate was not trusted, look [[Thunderbird : FAQs : Import CA Certificate | here]].
You should have now imported your S/MIME certificate. If your certificate was not trusted, look [[Thunderbird : FAQs : Import CA Certificate | here]].


Once you have the certificate installed you will need to go to "Tools -> Account Settings..." Then choose "Security" from under the account whose e-mail matches that on the certificate and Select the certificate you just installed. The rest of the options should be self explainatory.  
Once you have the certificate installed you will probably want to configure ThunderBird or SeaMonkey to use that certificate for signing and/or decrypting email.  To do that, go to "Tools -> Account Settings..." in ThunderBird, or to "Edit -> Mail & Newsgroups Account Settings..." in SeaMonkey's Mail window. Then find the account with the email address that matches the email address in the certificate you just installed.  Choose "Security" under that account and select the certificate you just installed. The rest of the options should be self explanatory.  


Note: As of May 23, 2005, the [http://www.thawte.com/email/index.html Thawte site] does not offer Thunderbird in its list of what software you might be using when you sign up for a personal certificate there. It does offer Netscape/Messenger as possibilities.  If you use Firefox to get your certificate and take the Netscape/Messenger option, a certificate silently installs into FirefoxThere is no fanfare at all, but it works.  To find that certificate and get a file that you can import into Thunderbird using the directions above, go, in Firefox, into "Tools -> Options -> Advanced".  Scroll down and click "Manage Certificates".  Highlight the certificate and click "Backup." Follow the prompts to produce the necessary file.
'''Note for ThunderBird users:'''<br>
*When you select a certificate in Account Settings, your selection only applies to the account's default identity.  There is no user interface for specifying certificates for the account's other identities.  This UI limitation is the subject of [https://bugzilla.mozilla.org/show_bug.cgi?id=252250 bug&nbsp;252250]. You can work around it by editing the [[Editing configuration|settings]] manually, copying the settings from an account's default identity to some other identityThe settings have names ending in: <tt>signing_cert_name</tt>, <tt>sign_mail</tt>, <tt>encryption_cert_name</tt> and <tt>encryptionpolicy</tt>.


=Installing self-signed certificates=
===Installing a Self-Signed SMIME Certificate for Your Own Identity===
'''Warning''': Only install personally self-signed certificates from people you know and trust.
If the SMIME certificate in your .p12 or .pfx file is a self-signed certificate for your own identity, then before you can install that file into the tab named "Your Certificates", you must first install that certificate as a certificate authority in the "Authorities" tab. The PKCS12 certificate file will not install into the "Authorities" tab. You will need a copy of your self-signed certificate that does not contain your private key. This is usually in the form of a ".cer" file. One way to obtain the .cer form of your certificate from the .p12 file is to use the Firefox Add-on [https://addons.mozilla.org/en-US/firefox/addon/4471 Key Manager] to extract the .cer certificate from the .p12 file. With that Add-on installed in Thunderbird, go to Tools -> Key Manager Toolbox -> Key Manager -> Your Keys, select your key, select Export and choose X.509 as file format.  


The preceeding instructions apply to installing personally self-signed certificates with one exception--you must install a self-signed certificate as a certificate authority ''first''. The PCKS12 cert will not install as a certificate authority. You will need a copy of your self-signed certificate that does not contain your private key information. This is usually in the form of a ".cer" file.
# In Thunderbird, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Advanced -> Certificates -> Manage Certificates...". <br>In SeaMonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
 
# Go to the "Authorities" tab.
# In Thunderbird, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Advanced -> Certificates -> Manage Certificates...". (In Mozilla Suite, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".)
# Make sure that you are on the "Authorities" tab.
# Click on "Import".
# Click on "Import".
#Select the ".cer" file.
# Select the ".cer" file.
# It will ask you for what purposes you want to trust the certificate. Select "Trust this CA to identify email users."
# It will ask you for what purposes you want to trust the certificate. Select "Trust this CA to identify email users."
# Click "OK" to complete the import.
# Click "OK" to complete the import.


==Self-signed certificates in Mac OS X 10.4==
==Other people's certificates==
You can [http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2139.html create your own self-signed certificate] using the ''Keychain Access'' application's ''Certificate Assistant''. To export your certificate as a PCKS12 file for import into Thunderbird, click "My Certificates" in the ''Keychain Access'' window. Select your self-signed certificate. Then from the menu bar select "File -> Export". You will be asked for a password to protect this file. This is the password you will require when importing the certificate into the "Your Certificates" tab of Thunderbird after entering your master password.
To send encrypted messages to other people, you must have their SMIME encryption certificate (.cer) in the "Other People's" tab of your Certificate Manager. Thunderbird automatically adds other people's SMIME certificates to that tab when you receive form them a digitally signed message with a valid signature and with an SMIME certificate issued by a recognized and trusted Certificate Authority (CA). CA certificates that appear in ThunderBird's "Authorities" tab are recognized, and may also be trusted. CA certificates that do not appear in that tab are considered "unrecognized".
 
To export your certificate as a ".cer" file for use as a certificate authority, select "Certificates" in the ''Keychain Access'' window. Select your self-signed certificate. Then from the menu bar select "File -> Export". Be sure ".cer" is selected as the appropriate file type in the save dialog.
 
=Installing other people's certificates=
To send encrypted messages to other people, you must have their public key in the "Other People's" tab of your certificates. Thunderbird automatically adds other people's public keys when they send you a digitally signed, unencrypted message.
 
If the certificate authority that issued their certificate is not in Thunderbird's "Authorities" tab, their public key will not be added. If you attempt to manually import a public key that was issued by an unrecognized certificate authority, nothing will happen--literally. Thunderbird will not even display an error dialog. It will just not import the public key.


This is generally not a problem when receiving public keys issued by approved certificate authorities like Thawte and Verisign but could be a problem if a certificate was issued by an obscure or unrecognized certificate authority. This can also occur if the certificate was personally self-signed (i.e. it has no certificate authority other than itself).
An SMIME certificate that was issued by an unrecognized CA will not be automatically added to the "Other People's" tab of your Certificate Manager. If you attempt to manually import an SMIME certificate that was issued by an unrecognized CA, nothing will happen--literally. Thunderbird will not even display an error dialog. It will just not import the SMIME certificate. This is generally not a problem when receiving an SMIME certificate that was issued by a trusted Certificate Authority (CA) such as Thawte and Verisign, but could be a problem for a certificate that was issued by an unrecognized or untrusted CA, or for a certificate that is self-signed (i.e. it has no CA other than itself).


You will need to acquire and import a certificate from the issuing certificate authority if it is not already present in Thunderbird's "Authorities" tab. In the case of a personally self-signed certificate, you will need to acquire a ".cer" file from the individual whose certificate you wish to add.
So, before you can import an SMIME certificate that is issued by an unrecognized CA or is self-signed, you must first acquire and import the certificate for the issuing CA. In the case of a self-signed certificate, you will need to acquire a ".cer" file from the individual whose certificate you wish to add.  


==Installing other people's self-signed certificates==  
===Other people's self-signed certificates===
'''Warning''': Only install personally self-signed certificates from people you know and trust.
'''Warning''': Only install personally self-signed certificates from people you know and trust.  Be sure that you verify the actual SMIME certificate contents with the person whose email address appears in the SMIME certificate before you import and trust that certificate.  Otherwise, someone could possibly fool you into accepting and trusting an SMIME certificate that is NOT for the perty named in it.


If you wish to install a public key for someone's personally self-signed certificate, they will need to send you their public key as a ".cer" file you can import into your "Authorities" tab. Thunderbird will not import a self-signed certificate in the "Other People's" tab. Once you have imported the self-signed certificate in the "Authorities" tab you will be able to send them encrypted messages using their public key. A self-signed certificate will not appear in the "Other People's" tab; it will only appear in the "Authorities" tab.
If you wish to install an SMIME certificate for another person, and that certificate was self-signed, you will need a copy of their SMIME certificate as a ".cer" file. You can import it into your "Authorities" tab. Thunderbird will not import a self-signed certificate in the "Other People's" tab. A self-signed certificate will not appear in the "Other People's" tab; it will only appear in the "Authorities" tab. Once you have imported a self-signed SMIME certificate into the "Authorities" tab, and have marked it trusted for SMIME email, you will be able to send encrypted messages to the email address in that certificate.


=See also=
==See also==
* [[Getting an SMIME certificate | Getting an S/MIME certificate]]
* [[Getting an SMIME certificate | Getting an S/MIME certificate]]
==External links==
* [http://www.mozilla.org/projects/security/pki/psm/help_21/using_certs_help.html#using_certs_devices Using certificates with Mozilla]
* [http://forums.mozillazine.org/viewtopic.php?f=39&t=2946149 Issues using pk12util to install a certificate]


[[Category:Privacy and security]]
[[Category:Privacy and security]]
[[Category:Privacy and security (Thunderbird)]]
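
Review bot: the rewritten warning under "Other people's self-signed certificates" asks the reader to verify the certificate contents with its owner but never says what to compare; naming the certificate fingerprint shown in the Certificate Manager's viewer would make the step actionable. The same sentence has "perty" for "party", the new "Other people's certificates" paragraph has "receive form them", and step 4 still reads "PCKS12" although the new self-signed paragraph spells it "PKCS12".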

Latest revision as of 17:00, 20 July 2015


The title of this article omits the slash from S/MIME because a slash is a special character in URLs and file names.

This article describes how to import S/MIME certificates for use in Thunderbird and SeaMonkey. S/MIME certificates are used for digitally signed and encrypted e-mail messages. For information about getting or creating your own S/MIME certificates, see: Getting an S/MIME certificate

Installing an SMIME Certificate For Your Own Identity

Important: Before you can create or import your own certificate and private key, you must first set a master password if you have not already done so. The master password is needed so that imported certificates are stored securely. If you need instructions for setting a master password, look here.

You may have your own personal certificate and private key in a .p12 or .pfx file, and you may wish to import it into Thunderbird and/or SeaMonkey. Once you have set a Master Password, you can import/install your personal S/MIME certificate from a .p12 or .pfx file by doing the following steps.

  1. Open the Certificate Manager:
    In Thunderbird 1.5, go to "Tools -> Options... -> Privacy -> Security -> View Certificates".
    In Thunderbird 2, go to "Tools -> Options... -> Advanced -> Certificates -> Manage Certificates...".
    In SeaMonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
  2. Go to the tab named "Your Certificates".
  3. Click on "Import".
  4. Select the PKCS12 certificate file (.pfx or .p12).
  5. It will ask you for the master password for the software security device. Enter your master password and click "OK".
  6. Next, it will ask you for the password protecting your personal certificate. If your .p12 or .pfx file has a password, enter it here, otherwise leave this field empty. Then click "OK".

You should have now imported your S/MIME certificate. If your certificate was not trusted, look here.

Once you have the certificate installed you will probably want to configure Thunderbird or SeaMonkey to use that certificate for signing and/or decrypting email. To do that, go to "Tools -> Account Settings..." in Thunderbird, or to "Edit -> Mail & Newsgroups Account Settings..." in SeaMonkey's Mail window. Then find the account with the email address that matches the email address in the certificate you just installed. Choose "Security" under that account and select the certificate you just installed. The rest of the options should be self-explanatory.

Note for Thunderbird users:

  • When you select a certificate in Account Settings, your selection only applies to the account's default identity. There is no user interface for specifying certificates for the account's other identities. This UI limitation is the subject of bug 252250. You can work around it by editing the settings manually, copying the settings from an account's default identity to some other identity. The settings have names ending in: signing_cert_name, sign_mail, encryption_cert_name and encryptionpolicy.

Installing a Self-Signed SMIME Certificate for Your Own Identity

If the SMIME certificate in your .p12 or .pfx file is a self-signed certificate for your own identity, then before you can install that file into the tab named "Your Certificates", you must first install that certificate as a certificate authority in the "Authorities" tab. The PKCS12 certificate file will not install into the "Authorities" tab. You will need a copy of your self-signed certificate that does not contain your private key. This is usually in the form of a ".cer" file. One way to obtain the .cer form of your certificate from the .p12 file is to use the Firefox Add-on Key Manager to extract the .cer certificate from the .p12 file. With that Add-on installed in Thunderbird, go to Tools -> Key Manager Toolbox -> Key Manager -> Your Keys, select your key, select Export and choose X.509 as file format.

  1. In Thunderbird, go to "Tools -> Options... -> Advanced -> Certificates -> Manage Certificates...".
    In SeaMonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
  2. Go to the "Authorities" tab.
  3. Click on "Import".
  4. Select the ".cer" file.
  5. It will ask you for what purposes you want to trust the certificate. Select "Trust this CA to identify email users."
  6. Click "OK" to complete the import.

Other people's certificates

To send encrypted messages to other people, you must have their SMIME encryption certificate (.cer) in the "Other People's" tab of your Certificate Manager. Thunderbird automatically adds other people's SMIME certificates to that tab when you receive from them a digitally signed message with a valid signature and with an SMIME certificate issued by a recognized and trusted Certificate Authority (CA). CA certificates that appear in Thunderbird's "Authorities" tab are recognized, and may also be trusted. CA certificates that do not appear in that tab are considered "unrecognized".

An SMIME certificate that was issued by an unrecognized CA will not be automatically added to the "Other People's" tab of your Certificate Manager. If you attempt to manually import an SMIME certificate that was issued by an unrecognized CA, nothing will happen--literally. Thunderbird will not even display an error dialog. It will just not import the SMIME certificate. This is generally not a problem when receiving an SMIME certificate that was issued by a trusted Certificate Authority (CA) such as Thawte and Verisign, but could be a problem for a certificate that was issued by an unrecognized or untrusted CA, or for a certificate that is self-signed (i.e. it has no CA other than itself).

So, before you can import an SMIME certificate that is issued by an unrecognized CA or is self-signed, you must first acquire and import the certificate for the issuing CA. In the case of a self-signed certificate, you will need to acquire a ".cer" file from the individual whose certificate you wish to add.

Other people's self-signed certificates

Warning: Only install personally self-signed certificates from people you know and trust. Be sure that you verify the actual SMIME certificate contents with the person whose email address appears in the SMIME certificate before you import and trust that certificate. Otherwise, someone could possibly fool you into accepting and trusting an SMIME certificate that is NOT for the party named in it.

If you wish to install an SMIME certificate for another person, and that certificate was self-signed, you will need a copy of their SMIME certificate as a ".cer" file. You can import it into your "Authorities" tab. Thunderbird will not import a self-signed certificate in the "Other People's" tab. A self-signed certificate will not appear in the "Other People's" tab; it will only appear in the "Authorities" tab. Once you have imported a self-signed SMIME certificate into the "Authorities" tab, and have marked it trusted for SMIME email, you will be able to send encrypted messages to the email address in that certificate.
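
The two checks this page relies on, as an added example that is not part of the original article or of Mozilla's tooling: extracting a key-free ".cer" from a ".p12" with the OpenSSL command line (an alternative to the Key Manager add-on mentioned above), and printing the fields to confirm with a self-signed certificate's owner before importing it under "Authorities". The identity alice@example.test, the password and all file names are constructed for the demonstration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Identity, password and file names are constructed test data.
set -eu

# Create a throwaway self-signed identity as a .p12 (stand-in for your own file).
make_sample_p12() {  # $1 = output .p12; export password is read from $P12_PASS
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
    -name alice -passout env:P12_PASS -out "$1"
  rm -rf "$d"
}

# Write only the certificate from a .p12 to a DER .cer; -nokeys leaves the key behind.
p12_to_cer() {  # $1 = input .p12, $2 = output .cer; password is read from $P12_PASS
  pem=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null) || return 1
  printf '%s\n' "$pem" | openssl x509 -outform DER -out "$2"
}

# True only if the file is exactly one DER X.509 certificate: re-encoding it must
# give back the same bytes. The empty -passin keeps openssl from prompting when
# it is handed a .p12 by mistake.
is_bare_cert() {  # $1 = file
  openssl x509 -in "$1" -inform DER -outform DER -passin pass: 2>/dev/null </dev/null |
    cmp -s - "$1"
}

# Self-signed (and currently valid): verifies with itself as the only trust anchor.
is_self_signed() {  # $1 = DER .cer
  p=$(mktemp); rc=0
  openssl x509 -in "$1" -inform DER -out "$p" &&
    openssl verify -no-CAfile -no-CApath -CAfile "$p" "$p" >/dev/null 2>&1 || rc=$?
  rm -f "$p"; return "$rc"
}

cer_email()       { openssl x509 -in "$1" -inform DER -noout -email; }
cer_fingerprint() { openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 | cut -d= -f2; }

# Everything worth confirming with the owner over a separate channel.
cer_summary() {  # $1 = DER .cer
  openssl x509 -in "$1" -inform DER -noout -subject -issuer -dates -email
  echo "SHA-256 fingerprint: $(cer_fingerprint "$1")"
}

work=$(mktemp -d)
export P12_PASS='constructed-demo-password'   # env: keeps it off the command line
make_sample_p12 "$work/alice.p12"
p12_to_cer "$work/alice.p12" "$work/alice.cer"
is_bare_cert "$work/alice.cer" && echo "alice.cer holds the certificate only"
is_self_signed "$work/alice.cer" && echo "self-signed: goes under Authorities once confirmed"
cer_summary "$work/alice.cer"
rm -rf "$work"
```

Read the fingerprint back with the certificate's owner by phone or in person; a match on name and email address alone proves nothing, since anyone can put those into a self-signed certificate.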

See also

External links