Instructions for obtaining a personal S/MIME certificate by creating a CSR
Revision Information
- Revision id: 279307
- Creator: Kai Engert
- Comment: initial version
- Reviewed: No
- Ready for localization: No
Obtaining a personal S/MIME certificate is a multi-step process, which is documented on this page.
A personal certificate is required for using end-to-end encryption and digital signatures with the S/MIME technology.
A certificate is tied to a key pair: a secret (private) key and a public key. Thunderbird will randomly generate this pair on your computer. The private key is stored by Thunderbird, optionally protected by your Primary Password. The public key is included in the certificate. Before the certificate can be issued, the public key must be submitted to a Certificate Authority (CA) as part of a Certificate Signing Request (CSR), which Thunderbird will create for you.
In Thunderbird's Account Settings, navigate to the email account (or identity) for which you wish to obtain a personal certificate, and select the End-To-End Encryption section.
In the S/MIME section, click the button that offers to generate a CSR.
As a first step, you will be asked to select a directory and a filename in which the CSR text will be saved. Remember what you enter here: later, you will have to use your computer's file explorer to locate and open this file, because you will need to submit its contents to a CA.
In a second step, you will be asked several questions about the cryptographic type and strength of the S/MIME certificate that you wish to obtain. Unless you have a detailed understanding of your requirements, keep the default choices that are offered in the prompts.
After you have answered all questions, Thunderbird will start an intensive calculation during which your new key pair is randomly created. Please be patient while this operation runs: Thunderbird may appear to be stuck for a few seconds, but it should finish within a minute on modern computers.
Thunderbird will show a confirmation after the operation has completed.
The next step is to get in contact with a Certificate Authority (CA) of your choice. If you are associated with a company or an organization, you may wish to ask your organization which CA you should use. If you are acting as an individual, you may wish to search the web for CAs that issue S/MIME certificates and that accept a CSR. (At this time, Thunderbird doesn't recommend any specific CA.)
The process to obtain a certificate may require you to set up a user account with the CA, register your personal details, and set up a payment method, and it typically involves verification of your email address.
Eventually the CA should ask you to submit your CSR. At this point, use your computer's file management tool and open the file that Thunderbird saved earlier, in the directory and under the filename that you chose. Your computer should show you the contents of the file. The first line of the file will contain the text "-----BEGIN CERTIFICATE REQUEST-----". Select the full contents of the file and use the copy command to copy all of the text. Then navigate back to your interaction with the CA (for example the web form in your browser, on the CA's web page, which asks you to submit the CSR), paste the text into that location, and continue.
After your interaction with the CA is complete, it should notify you that the certificate has been issued. It may offer you the certificate for download, or send it to you by email.
Save the file you have received to your local computer and remember where you have saved it. If you're using Firefox, it might save it in your Downloads folder.
If you're downloading from a web page using your browser, check whether that page lists additional intermediate certificates, which you also might have to download.
(Note: If the CA delivers the certificate to you in a file with the filename extension .p12 or .pfx, this may indicate that the CA didn't use the key that you submitted, but instead generated a secret key on its own systems; files of this type bundle a private key together with the certificate. This may not be what you want.)
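Two checks a practitioner would want before and after the CA interaction described above: that the saved file really is a well-formed CSR with the expected subject, and that the certificate the CA returns carries the public key from that CSR rather than a key the CA generated itself (the .p12/.pfx situation in the note). The following script is an added example and is not part of this article or of Thunderbird; it assumes the openssl command-line tool is installed, and it constructs its own key pair, CSR, throwaway CA and sample files so it runs offline. On your own files, call the functions with the CSR path you chose in Thunderbird and the certificate file you received.

```shell
#!/bin/sh
# Added example, not part of the Thunderbird article. Uses the openssl CLI to
# inspect a CSR file and to check a certificate a CA delivered for it.
# Assumption: "openssl" is on PATH. All file names, the demo CA and the sample
# .p12 bundle are constructed here so the script runs offline.
set -eu

WORK="${TMPDIR:-/tmp}/smime-csr-demo"

# Stand-ins for the real-world files: a key pair plus CSR (what Thunderbird
# writes), a throwaway CA that issues a certificate for that CSR, a certificate
# for a *different* key (a CA that ignored the CSR), and a .p12 bundle that
# contains a private key (the case the article's note warns about).
setup_demo_files() {
  [ -f "$WORK/bundle.p12" ] && return 0
  mkdir -p "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -out "$WORK/request.csr" \
    -subj "/CN=alice@example.invalid/emailAddress=alice@example.invalid" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/cakey.pem" \
    -out "$WORK/ca.pem" -subj "/CN=Demo S-MIME CA (constructed)" -days 30 >/dev/null 2>&1
  openssl x509 -req -in "$WORK/request.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -out "$WORK/cert.pem" -days 30 -sha256 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/otherkey.pem" \
    -out "$WORK/other.pem" -subj "/CN=alice@example.invalid" -days 30 >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/otherkey.pem" -in "$WORK/other.pem" \
    -out "$WORK/bundle.p12" -passout pass:demo >/dev/null 2>&1
}

# A CSR file is usable only if it starts with the expected PEM header and its
# self-signature verifies (proof it was produced with the matching private key).
csr_is_valid() {
  head -n 1 "$1" | grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' || return 1
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# The subject the CA will see; confirm the email address is the one you expect.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# SHA-256 fingerprint of the public key inside a CSR (*.csr) or a PEM certificate.
pubkey_fingerprint() {
  case "$1" in
    *.csr) openssl req  -in "$1" -noout -pubkey ;;
    *)     openssl x509 -in "$1" -noout -pubkey ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# True when the issued certificate carries the public key you submitted in the CSR.
# An empty fingerprint (unparseable file) never counts as a match.
cert_matches_csr() {
  a=$(pubkey_fingerprint "$1")
  b=$(pubkey_fingerprint "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when a delivered file is a PKCS#12 bundle that contains a private key,
# i.e. the CA generated the key itself instead of signing your CSR's public key.
delivered_file_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

run_demo() {
  setup_demo_files
  printf 'CSR valid: %s\n' "$(csr_is_valid "$WORK/request.csr" && echo yes || echo no)"
  printf 'CSR %s\n' "$(csr_subject "$WORK/request.csr")"
  printf 'cert.pem uses the CSR key: %s\n' \
    "$(cert_matches_csr "$WORK/request.csr" "$WORK/cert.pem" && echo yes || echo no)"
  printf 'other.pem uses the CSR key: %s\n' \
    "$(cert_matches_csr "$WORK/request.csr" "$WORK/other.pem" && echo yes || echo no)"
  printf 'bundle.p12 contains a private key: %s\n' \
    "$(delivered_file_has_private_key "$WORK/bundle.p12" demo && echo yes || echo no)"
}

run_demo
```

The public-key comparison is the decisive check: if `cert_matches_csr` reports no match, the certificate cannot be combined with the private key Thunderbird kept, and the import described later will not produce an entry under "Your Certificates". A PKCS#12 file that yields a private key is the article's .p12/.pfx case, where the CA generated the key on its own systems.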
Now it is time to import the certificate back into Thunderbird.
Open Thunderbird's Account Settings and navigate to the same section that you used earlier. Click the button labeled "Manage S/MIME Certificates".
(If the certificate manager window is shown in a small size, you may wish to drag its lower right corner to increase the window size.)
The top of the certificate manager has 5 sections. Select the "People" section. Click the "Import" button at the bottom of the section. Select the file that you have obtained from the CA, and confirm. (If the import was successful, no further information will be shown; you'll simply return to the certificate manager window.)
(Because Thunderbird still remembers the corresponding secret key, which was created during the initial steps of this process, it should have been able to combine that key with the certificate you just imported.)
Still in certificate manager, click the tab "Your Certificates". You should see your new personal certificate in the list.
Now that you have the full personal certificate inside Thunderbird (both secret key and public certificate combined), you should create a backup. Select the entry that shows your new personal certificate, and click the "Backup" button. First, you will be asked to select the directory and the filename in which the backup will be stored. Then follow the steps shown on screen, which include defining a password of your choice to protect the backup file, to complete the backup procedure. Make sure to save the backup file to an appropriate location, such as a flash drive on which you keep important backups.
Now it is time to tell Thunderbird that you wish to use S/MIME security with your email account. In Account Settings, End-To-End Encryption, in the section below the S/MIME heading, you will find two selection boxes labeled "personal certificate for digital signing" and "personal certificate for encryption". Click the "Select" button that is shown to the right. A list will be shown with your personal certificates for this email address. The certificate that you have just obtained should be offered in that list. Select it and confirm it. Thunderbird may ask you to use the same certificate for both encryption and signing, which usually you should confirm.
From this point on, you should be able to use your personal certificate for sending digitally signed email, and for receiving encrypted email using the S/MIME technology, as long as the certificate has not expired. Once the certificate expires, you will have to repeat the procedure to obtain a new personal certificate.
(If your CA offered you additional intermediate (or subordinate) certificates to download, click the "Authorities" tab, click the Import button, and import them one after the other. Note that when importing a CA here, Thunderbird will offer to mark the CA as trusted, and will also warn you about the associated risks. Leave the checkboxes unchecked; do NOT check them. Confirm with OK, which will import the intermediate without explicitly assigning trust.)