Installing an SMIME certificate: Difference between revisions

From MozillaZine Knowledge Base
(Move info about getting certificates to the right article)
No edit summary
Line 4: Line 4:


==Certificates for your own identities==
==Certificates for your own identities==
You can import/install your personal [http://en.wikipedia.org/wiki/S/MIME S/MIME] certificate by doing the following. '''Important''': you must first set a [[master password]] if you have not already done so. The master password is needed so that imported certificates are stored securely. If you need instructions for setting a master password, look [[Master password | here]].
You can import/install your personal [http://en.wikipedia.org/wiki/S/MIME S/MIME] certificate (.p12 contains public and private key) by doing the following. '''Important''': you must first set a [[master password]] if you have not already done so. The master password is needed so that imported certificates are stored securely. If you need instructions for setting a master password, look [[Master password | here]].


# Open the Certificate Manager:<br> In Thunderbird 1.5, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Privacy -> Security -> View Certificates".<br> In Thunderbird 2, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Advanced -> Certificates -> Manage Certificates...".<br> In Seamonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
# Open the Certificate Manager:<br> In Thunderbird 1.5, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Privacy -> Security -> View Certificates".<br> In Thunderbird 2, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Advanced -> Certificates -> Manage Certificates...".<br> In Seamonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
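Review bot: The parenthetical added to the intro sentence, "(.p12 contains public and private key)", reads as a fragment and is missing its articles. Suggest "(a .p12 file, which contains both your public and private key)" so it attaches cleanly to "S/MIME certificate".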
Line 23: Line 23:
'''Warning''': Only install personally self-signed certificates from people you know and trust.
'''Warning''': Only install personally self-signed certificates from people you know and trust.


The preceeding instructions apply to installing personally self-signed certificates with one exception--you must install a self-signed certificate as a certificate authority ''first''. The PCKS12 cert will not install as a certificate authority. You will need a copy of your self-signed certificate that does not contain your private key information. This is usually in the form of a ".cer" file.
The preceeding instructions apply to installing personally self-signed certificates with one exception--you must install a self-signed certificate as a certificate authority ''first''. The PCKS12 cert will not install as a certificate authority. You will need a copy of your self-signed certificate that does not contain your private key information. This is usually in the form of a ".cer" file. Using the Firefox Add-on [https://addons.mozilla.org/en-US/firefox/addon/4471 Key Manager] is possible to extract the .cer certificate (public) from the .p12 certificate (public + private): Tools - Key Manager Toolbox - Key Manager - Your Keys, select your key, Export and choose X.509 as file format.  


# In Thunderbird, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Advanced -> Certificates -> Manage Certificates...". (In Mozilla Suite, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".)
# In Thunderbird, go to "[[Menu differences in Windows, Linux, and Mac |Tools -> Options...]] -> Advanced -> Certificates -> Manage Certificates...". (In Mozilla Suite, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".)
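Review bot: The sentence added at the end of the paragraph, "Using the Firefox Add-on Key Manager is possible to extract ...", has no subject. Suggest "Using the Firefox add-on Key Manager, it is possible to extract ...". The menu path in the same sentence uses " - " as a separator, while the numbered steps use "->". In the unchanged text of this paragraph, "preceeding" and "PCKS12" are misspellings of "preceding" and "PKCS12" and could be fixed in the same edit.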
Line 33: Line 33:


==Other people's certificates==
==Other people's certificates==
To send encrypted messages to other people, you must have their public key in the "Other People's" tab of your certificates. Thunderbird automatically adds other people's public keys when they send you a digitally signed, unencrypted message.
To send encrypted messages to other people, you must have their public key (.cer) in the "Other People's" tab of your certificates. Thunderbird automatically adds other people's public keys when they send you a digitally signed, unencrypted message.


If the certificate authority that issued their certificate is not in Thunderbird's "Authorities" tab, their public key will not be added. If you attempt to manually import a public key that was issued by an unrecognized certificate authority, nothing will happen--literally. Thunderbird will not even display an error dialog. It will just not import the public key.
If the certificate authority that issued their certificate is not in Thunderbird's "Authorities" tab, their public key will not be added. If you attempt to manually import a public key that was issued by an unrecognized certificate authority, nothing will happen--literally. Thunderbird will not even display an error dialog. It will just not import the public key.
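Review bot: The "(.cer)" added after "public key" in the first sentence equates a key with a file extension. The ".cer" file is the certificate that carries the public key, and the next sentence describes keys that arrive in signed mail with no ".cer" file involved. Suggest "their public key (for example, from a ".cer" certificate file)".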
Line 39: Line 39:
This is generally not a problem when receiving public keys issued by approved certificate authorities like Thawte and Verisign but could be a problem if a certificate was issued by an obscure or unrecognized certificate authority. This can also occur if the certificate was personally self-signed (i.e. it has no certificate authority other than itself).
This is generally not a problem when receiving public keys issued by approved certificate authorities like Thawte and Verisign but could be a problem if a certificate was issued by an obscure or unrecognized certificate authority. This can also occur if the certificate was personally self-signed (i.e. it has no certificate authority other than itself).


You will need to acquire and import a certificate from the issuing certificate authority if it is not already present in Thunderbird's "Authorities" tab. In the case of a personally self-signed certificate, you will need to acquire a ".cer" file from the individual whose certificate you wish to add.
You will need to acquire and import a certificate from the issuing certificate authority if it is not already present in Thunderbird's "Authorities" tab. In the case of a personally self-signed certificate, you will need to acquire a ".cer" file from the individual whose certificate you wish to add.  


===Other people's self-signed certificates===
===Other people's self-signed certificates===

Revision as of 19:28, 6 July 2007

The title of this article omits the slash from S/MIME because a slash is a special character in URLs and file names.

This article describes how to import S/MIME certificates for use in Thunderbird and SeaMonkey. S/MIME certificates are used for digitally signed and encrypted e-mail messages, and to verify web sites and extensions. For information about getting or creating your own S/MIME certificates, see: Getting an S/MIME certificate

Certificates for your own identities

You can import/install your personal S/MIME certificate (.p12 contains public and private key) by doing the following. Important: you must first set a master password if you have not already done so. The master password is needed so that imported certificates are stored securely. If you need instructions for setting a master password, look here.

  1. Open the Certificate Manager:
    In Thunderbird 1.5, go to "Tools -> Options... -> Privacy -> Security -> View Certificates".
    In Thunderbird 2, go to "Tools -> Options... -> Advanced -> Certificates -> Manage Certificates...".
    In Seamonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
  2. Make sure that you are on the "Your Certificates" tab.
  3. Click on "Import".
  4. Select the PKCS12 cert.
  5. It will ask you for the master password for the software security device. Enter your master password and click "OK".
  6. Next, it will ask you for the password protecting your personal certificate. Enter this password and click "OK".

You should now have imported your S/MIME certificate. If your certificate was not trusted, look here.

Once you have the certificate installed, go to "Tools -> Account Settings...", choose "Security" under the account whose default identity's e-mail address matches the one on the certificate, and select the certificate you just installed. The rest of the options should be self-explanatory.

Note:

  • When you select a certificate in Account Settings, your selection only applies to the account's default identity. There is no user interface for specifying certificates for the account's other identities. This is bug 252250. You can work around it by editing the settings manually, copying the settings from an account's default identity to some other identity. The settings have names ending in: signing_cert_name, sign_mail, encryption_cert_name and encryptionpolicy

Self-signed certificates

Warning: Only install personally self-signed certificates from people you know and trust.

The preceding instructions apply to installing personally self-signed certificates with one exception: you must install a self-signed certificate as a certificate authority first. The PKCS12 cert will not install as a certificate authority. You will need a copy of your self-signed certificate that does not contain your private key information. This is usually in the form of a ".cer" file. Using the Firefox add-on Key Manager, it is possible to extract the .cer certificate (public) from the .p12 certificate (public + private): go to Tools -> Key Manager Toolbox -> Key Manager -> Your Keys, select your key, click Export and choose X.509 as the file format.

  1. In Thunderbird, go to "Tools -> Options... -> Advanced -> Certificates -> Manage Certificates...". (In Mozilla Suite, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".)
  2. Make sure that you are on the "Authorities" tab.
  3. Click on "Import".
  4. Select the ".cer" file.
  5. It will ask you for what purposes you want to trust the certificate. Select "Trust this CA to identify email users."
  6. Click "OK" to complete the import.
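
The same extraction can be done from a command line. The following is an added example, not part of the original article: it uses the OpenSSL command-line tool instead of the Key Manager add-on to write a ".cer" file that contains no private key, checks whether the certificate names itself as issuer (the case that must go under "Authorities"), and prints a fingerprint that sender and recipient can compare over a separate channel. The file names and the P12_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example: file names are placeholders. The PKCS12 password is read from
# the P12_PASS environment variable so it does not appear on the command line.

# Write only the user's certificate from a .p12 file to a DER-encoded .cer file.
# -nokeys leaves the private key out; -clcerts skips any bundled CA certificates.
export_public_cer() {
    p12=$1
    cer=$2
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys |
        openssl x509 -outform DER -out "$cer"
}

# Succeed when subject and issuer names are identical. This is a name
# comparison only; it does not verify the signature.
is_self_signed() {
    subj=$(openssl x509 -inform DER -in "$1" -noout -subject_hash) || return 1
    iss=$(openssl x509 -inform DER -in "$1" -noout -issuer_hash) || return 1
    [ "$subj" = "$iss" ]
}

# Print the SHA-256 fingerprint of a DER-encoded certificate.
cer_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256
}

# Usage (hypothetical file names):
#   P12_PASS='...'; export P12_PASS
#   export_public_cer my-identity.p12 my-identity.cer
#   is_self_signed my-identity.cer && echo "import under Authorities first"
#   cer_fingerprint my-identity.cer
```
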

Other people's certificates

To send encrypted messages to other people, you must have their public key (.cer) in the "Other People's" tab of your certificates. Thunderbird automatically adds other people's public keys when they send you a digitally signed, unencrypted message.

If the certificate authority that issued their certificate is not in Thunderbird's "Authorities" tab, their public key will not be added. If you attempt to manually import a public key that was issued by an unrecognized certificate authority, nothing will happen--literally. Thunderbird will not even display an error dialog. It will just not import the public key.

This is generally not a problem when receiving public keys issued by approved certificate authorities like Thawte and Verisign but could be a problem if a certificate was issued by an obscure or unrecognized certificate authority. This can also occur if the certificate was personally self-signed (i.e. it has no certificate authority other than itself).

You will need to acquire and import a certificate from the issuing certificate authority if it is not already present in Thunderbird's "Authorities" tab. In the case of a personally self-signed certificate, you will need to acquire a ".cer" file from the individual whose certificate you wish to add.

Other people's self-signed certificates

Warning: Only install personally self-signed certificates from people you know and trust.

If you wish to install a public key for someone's personally self-signed certificate, they will need to send you their public key as a ".cer" file you can import into your "Authorities" tab. Thunderbird will not import a self-signed certificate in the "Other People's" tab. Once you have imported the self-signed certificate in the "Authorities" tab you will be able to send them encrypted messages using their public key. A self-signed certificate will not appear in the "Other People's" tab; it will only appear in the "Authorities" tab.
