PKCS #11 eIDAS compatible Qualified Electronic Signature cannot be used to sign e-mail because Personal certificate for encryption cannot be selected
I have an eIDAS compliant certificate with a Qualified Electronic Signature on a Gemalto PKCS #11 compatible device which is issued by Microsec Ltd. (it is among the accepted CAs of Thunderbird). There are 2 other certs next to this one on the device which are issued by the same CA and can be seen by Thunderbird.
I can select (after unlocking the device, of course) the signing certificate, but it says: "Certificate Manager can't locate a valid certificate that other people can use to send you encrypted email messages to the address: <MY@EMAIL.ADDRESS>"
I thought it should be OK because I would like to sign the e-mails but would not necessarily like an encrypted response (it is a nice-to-have for me, as I would like to sign e-mails because of the legally binding nature of eIDAS QES signatures).
These types of devices do not support exporting the private key as a PKCS #12 file (at least not for consumers - maybe the CA could export it as they probably know the password necessary to do that).
When I try to send an e-mail with an S/MIME signature, an error appears and the e-mail cannot be sent.