Creating SMIME certificates

From MozillaZine Knowledge Base
Jump to: navigation, search
The title of this article omits the slash from S/MIME because a slash is a special character in file names and URLs.

Note: The information in this article dates from 2007.

This article and the related articles describe how to use some freely-available programs to create your own S/MIME certificates that you can use in Mozilla applications. This article provides general information, and each related article provides step-by-step instructions for using a particlar program.

Creating your own certificates is not necessary if you sign up for certificates from one of the many certificate authority organizations. For more information, see: Getting an SMIME certificate

Software choices

Choose a program to create your own certificates. The following programs are available in various free software packages. Each package is is available for many operating system platforms:

  • certutil a command-line tool in Mozilla's own NSS package
  • openssl a command-line tool in OpenSSL, an open source security package
  • KeyMan, a colorful Java program from IBM

In addition, Mac OS X provides a program that can create S/MIME certificates, but there is no related article here:

  • Keychain Access for Mac OS X

Details of how to install and use each program are in related articles, but read the rest of this this article first, because it contains general information common to all the programs:

If you have to download one of the packages using a slow connection, and if you already have Java installed, then IBM KeyMan is the smallest download. Mozilla NSS is the smallest stand-alone download, but Mozilla only supplies binaries for Linux, some HP-UX platforms and Windows.

The following sections explain some other considerations that might affect your choice.

About certificates

If you use Mozilla NSS, then you can store certificates directly in a Mozilla application's profile (for example, a Thunderbird profile) without creating certificate files and importing them. If you use any other software to create the certificates, then you create them first as files and import the files into your Mozilla application. However, you always need separate certificate files to transfer between profiles, to send to other people, or to publish on your web site.

To use your own S/MIME certificate from imported files, you need to generate two files—a certificate authority file, and a password-protected file containing information that identifies you (including your private key).

You can generate both files from the same information. In this case your certificate is self-signed. You might prefer to do this if you only want to create one certificate for one identity.

If you want to create more than one certificate for any reason, then you might prefer to create a certificate authority (CA) and use it to sign all your certificates. By doing this you end up with fewer files. For example, you might choose to do this if you prefer separate certificates for signing and encryption, or if you want to create certificates for many identities.

Naming conventions

These articles suggest the following file name extensions:

.cert   A self-signed certificate or CA certificate (but you can use .cer or .crt if you prefer)
.key A password-protected file that identifies you or your CA
.p12 A password-protected PKCS#12 file that identifies you or your CA
.txt A human-readable file for any purpose

In addition, these articles suggest some other extensions for temporary files. All the file types except .p12 contain plain text, but only .txt files are intended to be human-readable.

Mozilla applications can import .cert and .p12 files, and they can export .p12 files as backups. Mozilla NSS can export both .cert and .key files from a Mozilla application's profile—for example, to import into another profile. Mozilla NSS and OpenSSL can extract .cert and .key files from .p12 files.

The examples in these articles suggest file names, such as myname as the file name for your own certificates, and caname as the file name for your certificate authority (CA). Change any of the file names if you wish.

Information in a certificate

The certificates that you create will contain information about you. You must supply this information when you create certificates. So before you create any certificates, think about what information you want them to contain:

  • Your name (or the name of your CA)
  • Your e-mail address
  • Your password (to protect your private key)
  • The file name to use for certificate files
  • A nickname or alias that identifies the certificate

When you import your certificate into a Mozilla mail application, and associate it with one of your identities there, your name and e-mail address in the certificate should normally match your name and e-mail address in the identity.

Certificates can also contain other information about you, but it is optional.

Some programs use standard codes for the pieces of information:

CN Your name (or the name of your CA)
E e-mail address
O Organization
OU Organizational unit
L Locality or city
ST State or province
C Country code (2 characters)

Unicode support

All the programs support Unicode characters. IBM KeyMan has a user interface where you type information directly. The other programs support Unicode in the form of UTF-8 files.

If your text editor supports UTF-8, and you are using Mozilla NSS or OpenSSL, then you can store information in files that use UTF-8.

If your text editor does not support UTF-8, then you can use Thunderbird or SeaMonkey to create UTF-8 text. Write a plain text e-mail message and type the information that you need for your certificate. Choose Options – Character Encoding – Unicode (UTF-8). Save the message as a draft. Now find the the message in your Drafts folder and view it. Choose View – Character Encoding – Western (ISO-8859-1). You see the message's UTF-8 encoding. Copy and paste the encoded text into your text editor.

For example, if your name is Zoë then it is encoded in UTF-8 as: Zoë


Files that identity you or your CA are usually password-protected.

If you are certain that your system is secure, then you can use some programs without passwords. For example, you might choose to do this if you already have hard disk and system passwords to protect your data.


The examples in these articles specify options that you might want to change:

  • The key strength is 1024 bits.
  • Certificates are valid for 1 year.
  • The use of the certificate is unrestricted.

See also

The related articles:

External links

  • bug 202329 Ability to create self-signed user certificates
  • [2] Mac OS X Keychain Access