How to use my certificate to sign digitally

Hi, I've been looking for a way to digitally sign my emails using my personal certificate (given to me by the government), but unfortunately I haven't found it. Several tutorials indicate that the way to do this is to configure the certificate in Account settings -> Security, but for me there is no such option. The last group of settings for each account I have in my Thunderbird is "Return Receipts". Maybe I'm missing something?

Thank you for your help and time :)



All Replies (12)

Before anything else you'll have to import the cert along with the private key into Thunderbird. After that you can link the cert to an account. In your screenshot that's underneath 'End-to-End Encryption'.

christ1 said

Before anything else you'll have to import the cert along with the private key into Thunderbird. After that you can link the cert to an account. In your screenshot that's underneath 'End-to-End Encryption'.

Thank you for your fast and helpful response, christ1! I have successfully imported my certificate in Account settings -> <my email account> -> End-To-End Encryption -> S/MIME. Now I have the option to digitally sign my mails when I start composing one, but unfortunately an error pops up the moment I try to send it. The error says:

"Sending of the message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail."

I have checked my CA Trust settings and this error still appears even with "This certificate can identify mail users" checked.

I have successfully imported my certificate

Did this include the private key?

christ1 said

I have successfully imported my certificate

Did this include the private key?

How can I do that with a .p12 certificate? I don't know where the button to import the private key is in the Thunderbird config.

Thanks for the help!

The Thunderbird Certificate Manager has multiple tabs: Your Certificates, Authentication Decisions, People, Servers, Authorities

Which tab did you use when importing your cert into Thunderbird?

christ1 said

The Thunderbird Certificate Manager has multiple tabs: Your Certificates, Authentication Decisions, People, Servers, Authorities Which tab did you use when importing your cert into Thunderbird?

I did it in "Your Certificates". Afterwards I went to my CA in "Authorities" and checked "This certificate can identify mail users".

Good. Have you been prompted for a passphrase when importing the cert into Thunderbird?

christ1 said

Good. Have you been prompted for a passphrase when importing the cert into Thunderbird?

Yes, and I successfully entered the passphrase.

So you do have the private key.

Please open your personal cert in the Thunderbird Certificate Manager. Create a screenshot with the Issuer and Validity fields visible and post that in your reply.

christ1 said

So you do have the private key. Please open your personal cert in the Thunderbird Certificate Manager. Create a screenshot with the Issuer and Validity fields visible and post that in your reply.

Here's the screenshot (the first one).

I've noticed something suspicious: when I go to the "Authorities" tab, select my certificate issuer, and click "Edit Trust...", the text that displays the CA certificate is empty (second screenshot). When I do the same thing with another CA certificate, its name displays correctly (third screenshot).

Once again, thanks for your help :)

Chosen Solution

I've noticed something suspicious: when I go to the "Authorities" tab, select my certificate issuer, and click "Edit Trust...", the text that displays the CA certificate is empty (second screenshot).

I was going to ask about this next. Thunderbird attempts to verify the entire certificate chain, up to the root CA. In other words, you need to have all CA certs of the certificate chain for your personal cert present in the Thunderbird 'Authorities' tab.

If the 'AC FNMT Usuarios' cert is the root CA, then it's just that. I'd guess that cert does not ship by default with Thunderbird, so you'd need to import it. Maybe it's not there at all, or you imported the wrong one. Certs can be identified using the fingerprint information.

The fact that the text that displays the CA certificate is empty isn't normal.
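
The chain check described in the answer above, as an added example that is not part of the original thread: it generates two constructed CAs that share one subject name, issues a test certificate from one of them, and verifies it for S/MIME signing against each. Thunderbird uses its own certificate store, so OpenSSL stands in for it here; the names `issuer`, `lookalike`, `Example User CA` and all file names are assumptions.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, name and certificate below is generated locally.
WORK=$(mktemp -d)

cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example User CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf '%s\n' 'keyUsage = digitalSignature' \
  'extendedKeyUsage = emailProtection' > "$WORK/user.ext"

make_ca() {  # $1 = file prefix; both CAs deliberately share one subject name
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_user() {  # personal cert issued by the "issuer" CA
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example User" -keyout "$WORK/user.key" \
    -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/issuer.pem" \
    -CAkey "$WORK/issuer.key" -CAcreateserial -days 30 \
    -extfile "$WORK/user.ext" -out "$WORK/user.pem" 2>/dev/null
}

chain_ok() {  # $1 = CA file prefix; 0 only if user.pem chains to that CA
  openssl verify -purpose smimesign -CAfile "$WORK/$1.pem" \
    "$WORK/user.pem" >/dev/null 2>&1
}

fingerprint() {  # SHA-256 fingerprint, the value to compare with the CA's site
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

make_ca issuer && make_ca lookalike && make_user
chain_ok issuer    && echo "issuer CA present: chain verifies"
chain_ok lookalike || echo "wrong CA with same name: chain fails"
echo "issuer:    $(fingerprint issuer)"
echo "lookalike: $(fingerprint lookalike)"
```

The two CA certificates display the same name, so only the fingerprint shows which one actually issued the personal certificate.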

christ1 said

I've noticed something suspicious: when I go to the "Authorities" tab, select my certificate issuer, and click "Edit Trust...", the text that displays the CA certificate is empty (second screenshot).

I was going to ask about this next. Thunderbird attempts to verify the entire certificate chain, up to the root CA. In other words, you need to have all CA certs of the certificate chain for your personal cert present in the Thunderbird 'Authorities' tab.

If the 'AC FNMT Usuarios' cert is the root CA, then it's just that. I'd guess that cert does not ship by default with Thunderbird, so you'd need to import it. Maybe it's not there at all, or you imported the wrong one. Certs can be identified using the fingerprint information.

The fact that the text that displays the CA certificate is empty isn't normal.

Yep! It was that :) The CA certificate was not imported at all. I've just downloaded it from their website, imported it, and now everything works fine. I can send digitally signed mails!

Thank you for your help, I hope this thread is helpful for other people with the same issue.