Installing an SMIME certificate

From MozillaZine Knowledge Base
Revision as of 12:39, 6 April 2007 by Rod Whiteley (talk | contribs) (Move info about getting certificates to the right article)
Jump to navigationJump to search
The title of this article omits the slash from S/MIME because a slash is a special character in URLs and file names.

This article describes how to import S/MIME certificates for use in Thunderbird and SeaMonkey. S/MIME certificates are used for digitally signed and encrypted e-mail messages, and to verify web sites and extensions. For information about getting or creating your own S/MIME certificates, see: Getting an S/MIME certificate

Certificates for your own identities

You can import/install your personal S/MIME certificate by doing the following. Important: you must first set a master password if you have not already done so. The master password is needed so that imported certificates are stored securely. If you need instructions for setting a master password, look here.

  1. Open the Certificate Manager:
    In Thunderbird 1.5, go to "Tools -> Options... -> Privacy -> Security -> View Certificates".
    In Thunderbird 2, go to "Tools -> Options... -> Advanced -> Certificates -> Manage Certificates...".
    In Seamonkey, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".
  2. Make sure that you are on the "Your Certificates" tab.
  3. Click on "Import".
  4. Select the PCKS12 cert.
  5. It will ask you for the master password for the software security device. Enter your master password and click "OK".
  6. Next, it will ask you for the password protecting your personal certificate. Enter this password and click "OK".

You should have now imported your S/MIME certificate. If your certificate was not trusted, look here.

Once you have the certificate installed you will need to go to "Tools -> Account Settings..." Then choose "Security" from under the account whose default identity's e-mail address matches that on the certificate and Select the certificate you just installed. The rest of the options should be self explanatory.

Note:

  • When you select a certificate in Account Settings, your selection only applies to the account's default identity. There is no user interface for specifying certificates for the account's other identities. This is bug 252250. You can work around it by editing the settings manually, copying the settings from an account's default identity to some other identity. The settings have names ending in: signing_cert_name, sign_mail, encryption_cert_name and encryptionpolicy

Self-signed certificates

Warning: Only install personally self-signed certificates from people you know and trust.

The preceeding instructions apply to installing personally self-signed certificates with one exception--you must install a self-signed certificate as a certificate authority first. The PCKS12 cert will not install as a certificate authority. You will need a copy of your self-signed certificate that does not contain your private key information. This is usually in the form of a ".cer" file.

  1. In Thunderbird, go to "Tools -> Options... -> Advanced -> Certificates -> Manage Certificates...". (In Mozilla Suite, go to "Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates...".)
  2. Make sure that you are on the "Authorities" tab.
  3. Click on "Import".
  4. Select the ".cer" file.
  5. It will ask you for what purposes you want to trust the certificate. Select "Trust this CA to identify email users."
  6. Click "OK" to complete the import.

Other people's certificates

To send encrypted messages to other people, you must have their public key in the "Other People's" tab of your certificates. Thunderbird automatically adds other people's public keys when they send you a digitally signed, unencrypted message.

If the certificate authority that issued their certificate is not in Thunderbird's "Authorities" tab, their public key will not be added. If you attempt to manually import a public key that was issued by an unrecognized certificate authority, nothing will happen--literally. Thunderbird will not even display an error dialog. It will just not import the public key.

This is generally not a problem when receiving public keys issued by approved certificate authorities like Thawte and Verisign but could be a problem if a certificate was issued by an obscure or unrecognized certificate authority. This can also occur if the certificate was personally self-signed (i.e. it has no certificate authority other than itself).

You will need to acquire and import a certificate from the issuing certificate authority if it is not already present in Thunderbird's "Authorities" tab. In the case of a personally self-signed certificate, you will need to acquire a ".cer" file from the individual whose certificate you wish to add.

Other people's self-signed certificates

Warning: Only install personally self-signed certificates from people you know and trust.

If you wish to install a public key for someone's personally self-signed certificate, they will need to send you their public key as a ".cer" file you can import into your "Authorities" tab. Thunderbird will not import a self-signed certificate in the "Other People's" tab. Once you have imported the self-signed certificate in the "Authorities" tab you will be able to send them encrypted messages using their public key. A self-signed certificate will not appear in the "Other People's" tab; it will only appear in the "Authorities" tab.

See also

External links