PKCS #11 eIDAS compatible Qualified Electronic Signature cannot be used to sign e-mail because Personal certificate for encryption cannot be selected


I have an eIDAS-compliant certificate with a Qualified Electronic Signature on a Gemalto PKCS #11 compatible device, which is issued by Microsec Ltd. (it is among the accepted CAs of Thunderbird). There are 2 other certs next to this one on the device which are issued by the same CA and can be seen by Thunderbird.

I can select (after unlocking the device, of course) the signing certificate, but it says: "Certificate Manager can't locate a valid certificate that other people can use to send you encrypted email messages to the address: <MY@EMAIL.ADDRESS>"

I thought it should be OK because I would like to sign the e-mails but would not necessarily like an encrypted response (it is a nice-to-have for me, as I would like to sign e-mails because of the legally binding nature of eIDAS QES signatures).

These types of devices do not support exporting the private key as a PKCS #12 file (at least not for consumers - maybe the CA could export it, as they probably know the password necessary to do that).

When I try to send an e-mail with an S/MIME signature, an error appears and the e-mail cannot be sent.
