Which advanced tab should I import the cert to in TB? IE: My certs, websites, authorities ?

Underneath 'Your certificates'.

You'll also need to link the cert to your account. Account Settings - Security

And you'll need to import the server certificate as well.

When I try to import dovecot-TB-cert.pem to "Your certificates" I get this error.

Is there an example of openssl command needed to create the TB client cert? Any how-to explaining the procedure to do this?

You need to import the cert along with the private key, typically in PKCS#12 format. To achieve this, convert the certificate and private key file into a p12 bundle.

$> openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert.p12 -name "name for certificate"

Note, the private key should always be protected with a passphrase.

Ok got a little further this time. I think I need to provide more details.

I have 2 different certs. One is used for TB TLS "not shown here" that works ok. The second cert is for TB client usage. Meaning TB is suppose to present a cert to Dovecot after TLS handshake completes and before login process starts.

The following is the script I run on my host to create the TB dovecot-TB-cert.p12 client cert.

cd /usr/local/etc/dovecot/cert-key

echo " " echo " " echo "Creating Key & Cert signing request at same time for TB-client."

openssl req -new -nodes -days 3650 -extensions v3_ca \

  -out dovecot-TB-cert.csr \
  -keyout dovecot-TB-key.pem \
  -subj '/C=US/ST=Ohio/L=Cleveland/O=powerman/CN=bob'

echo " " echo " " echo "Signing the TB-client cert signing request"

openssl ca -extensions v3_ca \

  -config /root/bin/dovecot.openssl.cnf \
  -in  dovecot-TB-cert.csr \
  -out dovecot-TB-cert.pem \
  -cert dovecot-cacert.pem \
  -keyfile dovecot-cakey.pem

echo " " echo " " echo "Creating empty certificate revoke list [ CRL ]"

openssl ca -gencrl -crldays 3650 \

   -config /root/bin/dovecot.openssl.cnf \
   -out dovecot-TB-crl.pem

echo " " echo " " echo "Convert CRL pem formate to der format required by TB."

openssl crl -outform der \

   -in dovecot-TB-crl.pem \
   -out dovecot-TB-crl.der

echo " " echo " " echo "Append the empty CRL to TB-cert.pem"

cat dovecot-TB-crl.der >> dovecot-TB-cert.pem

echo " " echo " " echo "Convert TB-cert.pem to pkcs12 for Thunderbird"

openssl pkcs12 -export -chain \

  -CAfile dovecot-cacert.pem \
  -in  dovecot-TB-cert.pem \
  -inkey dovecot-TB-key.pem \
  -name "TB-client-cert" \
  -out dovecot-TB-cert.p12

cp -vp dovecot-TB-cert.p12 /usr/local/etc/dovecot

Then in TB I import dovecot-TB-cert.p12 into 'My Certification" and this works. Then from TB accounts/security I select that same cert. I also import dovecot-cacert.pem to Authorities.

When I click on get mail button I get window saying "This site has requested that you identify your self with a certificate". The info shown is the cert I imported to "Your certs" so I click OK. Then it asks for a password. After entering it I get this TB error. "Sending of user name did not succeed. Mail server xxx responded: Client didn't present valid ssl certificate."

The host dovecot log shows this. Jun 21 10:44:00 dovecot: pop3-login: Invalid certificate: unable to get local issuer certificate: /C=US/ST=Ohio/O=powerman/CN=bob

Jun 21 10:44:00 dovecot: pop3-login: Invalid certificate: certificate not trusted: /C=US/ST=Ohio/O=powerman/CN=bob

Jun 21 10:44:00 dovecot: pop3-login: Invalid certificate: unable to get certificate CRL: /C=US/ST=Ohio/O=powerman/CN=bob

Jun 21 10:44:00 dovecot: pop3-login: Invalid certificate: unable to verify the first certificate: /C=US/ST=Ohio/O=powerman/CN=bob

Jun 21 10:44:17 dovecot: pop3-login: Disconnected (client sent an invalid cert): user=<>, method=PLAIN, TLS, session=<JFGXMAgZ+QAKAAoF>

The last host dovecot log msg has user<> which may mean TB did not take the CN value of bob and send it. Or TB don't like the way the CRL is appended to the imported dovecot-TB-cert.p12.

What do you suggest I do?

I don't think Thunderbird has a problem here. The problem is on the server, and it appears to be related to the CRL check. I suppose you'd need to supply the CRL to the server as well. On the other hand, you don't need a CRL unless you do have any revoked certificates.

So this has turned into finger pointing. I point to TB and you point to cert problem. I needed some way to test the certs to verify they are correct and that my host dovecot pop3 server is configured correctly to require the client to present a client cert. My solution is to use s_client to test this out.

openssl s_client -connect host-ip-address:995 -state -debug -cert TB-cert.pem -key TB-key.pem

In the output I see the server request a client cert which is supplied by the -cert content / -key content followed by TLS handshake resulting in the "+OK Dovecot ready." prompt. The TB-cert.pem has a crl appended to it.

To me this is hard proof that dovecot config and the client cert is correct and working correctly.

So that leaves the conversion of the client cert to pkcs12 format which is required by the windows version of TB. I used this

openssl pkcs12 -export -chain \

 -CAfile cacert.pem \
 -in  TB-cert.pem \
 -inkey TB-key.pem \
 -name "TB-client-cert" \
 -out TB-cert.p12

I have imported the TB-cert.p12 file into 2 different xp laptops. One is running TB version 24.6 and the other is running TB version 38.0.1 which should be the most current version available to date. The cert import works and is loaded into the "Your Certificates" tab. When I click on get mail button I get msg ""Sending of user name did not succeed. Mail server xxx responded: Client didn't present valid ssl certificate.". This happens on both versions of TB. Dovecot is not requesting a user name, just a cert to match to the one on file with the host dovecot server,

SO once again I am pointing the finger at TB. TB is not correctly determining that the pop3 server is requesting a client cert to be sent, TB fails to send the client cert it has stored in "Your Certificates". BY any definition this is a BUG.

On the other hand TLS does work in TB and by changing the TLS port number that dovecot listens on from 995 to say 99995 camouflages the open port from the script kiddies and port scanners providing some additional security in light of TB client cert not working.

If some TB developer wants to work on the code to fix this problem I am willing to be the tester providing feedback.

If someone knows of a howto showing the openssl commands to create the pkcs12 file needed by TB to get client certs to work I am willing to give it a try. Other than that I am pretty much at wits end and can not bet this dead horse any longer.

To other reader who are reading this because you have the same problem. Take note: TB client cert function is broken. Don't waste your time fooling around trying trial and error method to get it working. Forget it and move on, I am sure you have other things that need your attention. Good luck.

You can raise a bug. https://bugzilla.mozilla.org/