
Using a smart card reader to digitally sign emails

  • 8 replies
  • 1 has this problem
  • 36 views
  • Last reply by daryl2


I use Thunderbird (68.8) on Windows 10, both brand new installs. I need to sign my emails with a "smart card" (not GPG as with Enigmail; that got rejected by the powers that be). I can't find a guide to connect Thunderbird to my smart card reader. Please don't make me use Outlook.

Modified by daryl2

Chosen solution

Thanks for all your help, but I think I'm putting the cart before the horse here. I was given a document that shows how to add a "persona" to the card, which I think may be the path to associate the card to my desired email address. But to do that, I need an ID certificate on the card, and that's missing. So unless you can tell me how to get an ID certificate onto the card, I'll let you all go back and (if you're in the U S of A) enjoy your Memorial Day weekend. Thanks for the tips; I may have to review them later.


All Replies (8)


From the Thunderbird Options Menu, navigate to the Advanced section, Certificates tab, click the Security Devices button, then the Load button.
Pick the device driver module for your smart card reader.

Modified by christ1



It wants a filename. I have a decision tree:

 NSS Internal PKCS #11 Module
     Generic Crypto Services
     Software Security Device
 Builtin Roots Module
     NSS Builtin Objects

Selecting each of those gives me at least a Load button, but past that I don't know where to go.

Modified by daryl2



Let's back up a little. What do you mean the smart card got rejected by the powers that be? If the provider lost their position as a provider of certificates, then it is highly likely that you don't get a choice.



Sorry. What got rejected was the use of GPG public/private key signing, the "old school" version that doesn't require a "smart card." At first I thought that would pass for "signing" an email, but no, a "smart card" signature is required. I have the card, I have the reader, I have an ActiveClient Agent, all of which appear to be operational. I have been sent a properly signed email and Thunderbird marks it with a little icon representing an envelope with sealing wax (cute), so I can receive signed email. I just can't coerce TB into letting me sign email with my smart card. I apologize for maybe not getting some of the acronyms involved, but I haven't figured them out yet.



Okay, thanks to https://support.mozilla.org/en-US/questions/752709, I found the ActiveClient DLL and TB agreed to load it as a module, and now TB seems to talk to the card reader. When I launch the email composition window, my card reader flashes. But when I choose Options --> Digitally Sign this message, I'm taken to a screen to set up signing and encryption certificates. I click Select... to set up the signing certificate first, and I get the rejection "Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages with an address of <x@y.z>", where x@y.z is my desired email address. I naively assumed that I should be able to associate the card's certificate with whatever email address I like.



A valid certificate to encrypt email using S/MIME uses a certificate that is issued on a per email address basis, or for a fee a business/government can get certificates for all of their domain. This is how the US military ones work: they issue the certificates/card and it has the certification for your .mil email addresses. What I know about these smart card things is minuscule, but I do use S/MIME certificates.

Who is the card issuer, and the reader manufacturer? Perhaps I can locate something relevant.


What got rejected was the use of GPG public/private key signing, the "old school" version that doesn't require a "smart card."

S/MIME does not require a smart card. And GPG does support smart cards as well.

But when I choose Options --> Digitally Sign this message, I'm taken to a screen to set up signing and encryption certificates.

At the top right of the Thunderbird window, click the menu button > Options > Account Settings - Security
Select the cert on the smart card to be used for signing, and encryption.
Note, the private key to which the cert belongs also needs to be on the smart card. In fact, that's the whole point of using a smart card - to protect the private key.
Also, this assumes the Common Name of the cert matches your account email address.

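The rule in the reply above, that the certificate you pick must carry the account's email address and be usable for signing email, as an added shell example that is not from this thread or from Thunderbird itself. It builds a constructed self-signed certificate for the assumed address alice@example.test with openssl and then applies the same kind of test Thunderbird's Certificate Manager does when it reports that it "can't locate a valid certificate" for an address; `openssl x509 -email` returns addresses from both the subject emailAddress field and the subjectAltName extension, which are the places an S/MIME certificate carries them.

```shell
#!/bin/sh
# Added example (not from the thread): approximate the "valid certificate for
# address <x@y.z>" check Thunderbird applies when a signing cert is selected.
# A cert is usable for an account only if it names that account's address and
# is marked for email signing. The certificate here is constructed on the fly;
# on a real smart card the private key stays on the token and never leaves it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed cert for alice@example.test (assumed address).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Alice Example" \
    -addext "subjectAltName=email:alice@example.test" \
    -addext "keyUsage=digitalSignature" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  printf '%s\n' "$WORK/cert.pem"
}

# Every email address the certificate claims (subject field and SAN), one per line.
cert_emails() {
  openssl x509 -in "$1" -noout -email
}

# Does the named extension ($2) contain the text $3? openssl prints the
# extension in text form, e.g. "X509v3 Key Usage: Digital Signature".
cert_has_ext() {
  openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null | grep -qi "$3"
}

# The check itself: address present on the cert (case-insensitive, whole line),
# key usage allows signing, and the cert is intended for email protection.
# Prints "yes" or "no" so it can be used from scripts and tests.
cert_can_sign_for() {
  if cert_emails "$1" | grep -qix "$2" \
     && cert_has_ext "$1" keyUsage "Digital Signature" \
     && cert_has_ext "$1" extendedKeyUsage "E-mail Protection"; then
    echo yes
  else
    echo no
  fi
}

main() {
  CERT=$(make_demo_cert)
  echo "addresses on cert: $(cert_emails "$CERT" | tr '\n' ' ')"
  echo "alice@example.test -> $(cert_can_sign_for "$CERT" alice@example.test)"
  echo "bob@example.test   -> $(cert_can_sign_for "$CERT" bob@example.test)"
}
main
```

The script is stricter than NSS in one respect: NSS treats a certificate with no keyUsage extension as unrestricted, whereas this check insists the extension be present. To run the same kind of inspection against the card once Thunderbird has the PKCS#11 module loaded, the NSS command-line tools can read the profile database: `modutil -dbdir <profile dir> -list` shows the loaded modules and their tokens, and `certutil -d <profile dir> -L -h <token name>` lists the certificates on a token so you can compare their addresses with the account's before blaming the account settings.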

