How to use a PKCS#12/PFX Bundle to encrypt and sign emails, both CA Signed and Self-Signed.

I am on an OSX Machine, and I believe this will probably go for my Ubuntu setup as well where they already have GnuPG installed. Is there any way to get those GPG Keys and Certificates presented to Thunderbird without having to use extra software?

When I was looking at importing a new Certificate bundle for signing, I saw that it was asking for a PKCS#12 or PFX bundle. I made a Self-Signed Certificate Bundle. Then I imported it into Thunderbird and it took. However, when I use that Certificate Bundle to sign my emails, I get the following error:

Sending of the message failed. Unable to sign message. Please check that the certificate specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.

So on OSX I went into Thunderbird -> Preferences -> Advanced -> Certificates -> Manage Certificates. Then I tried to add my Self-Signed Certificate to the Authorities list, but it says that it already exists, but as I went through all the Authorities listed my certificate was not present. Where should I look, or do I have to use the GPG Tools detailed in this Support Page: https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages#thunderbird:mac:tb52 ?

All Replies (2)

I made a Self-Signed Certificate Bundle.

What exactly does this mean, and what's inside that bundle?

... they already have GnuPG installed.

If you want to use a S/MIME certificate, you don't need GnuPG. If you want to use GnuPG with OpenPGP keys, you'd need to install the Enigmail add-on for Thunderbird.

Then I imported it into Thunderbird and it took.

Imported to which tab in the Certificate Manager? You'll need to import your cert and private key underneath the 'Personal' tab.

Sending of the message failed. Unable to sign message.

In order to be able to sign messages, you'll also need to import the private key. Typically cert and private key are bundled. You may be missing the private key though.

do I have to use the GPG Tools

No, not for S/MIME certs.

christ1 said

...

For the Self-Signed Certificate Bundle I did the following

openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365 -nodes
openssl pkcs12 -export -out keyStore.pfx -inkey myKey.pem -in cert.pem
After seeing you say something about S/MIME Certificates, I probably don't have the correct certificate then in my PFX bundle.
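
Added example, not written by either participant in this thread: one way to answer the question "what's inside that bundle?" with openssl. It reports whether a PFX holds a private key and whether its certificate carries an e-mail address and the emailProtection extended key usage, the fields an S/MIME certificate normally has. It assumes OpenSSL 1.1.1 or later; the function names, subject, address and password are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report what a PKCS#12/PFX bundle holds.
# Assumes OpenSSL 1.1.1 or later; file names, subject, address and password
# below are constructed sample values.

# inspect_pfx <bundle> <password>: print key presence, e-mail names, EKU.
inspect_pfx() {
    pfx=$1; pw=$2
    # Signing needs the private key inside the bundle.
    if openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'; then echo "private_key=yes"
    else echo "private_key=no"; fi
    # Certificates in the bundle as PEM; openssl x509 reads the first one.
    cert=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys 2>/dev/null)
    # E-mail addresses in the subject or subjectAltName.
    mail=$(printf '%s\n' "$cert" | openssl x509 -noout -email 2>/dev/null | paste -sd, -)
    echo "emails=${mail:-none}"
    # extendedKeyUsage emailProtection, shown by openssl as "E-mail Protection".
    if printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null |
        grep -q 'E-mail Protection'; then echo "eku_email=yes"
    else echo "eku_email=no"; fi
}

# make_samples <dir>: build two constructed bundles to compare.
make_samples() {
    d=$1
    # The thread's commands (2048-bit for speed, -subj to skip the prompts).
    openssl req -x509 -newkey rsa:2048 -keyout "$d/myKey.pem" -out "$d/cert.pem" \
        -days 365 -nodes -subj "/CN=Example User" 2>/dev/null
    openssl pkcs12 -export -out "$d/keyStore.pfx" -inkey "$d/myKey.pem" \
        -in "$d/cert.pem" -passout pass:example
    # Same again, with the extensions an S/MIME certificate normally has.
    openssl req -x509 -newkey rsa:2048 -keyout "$d/smimeKey.pem" -out "$d/smime.pem" \
        -days 365 -nodes -subj "/CN=Example User" \
        -addext "subjectAltName=email:user@example.org" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null
    openssl pkcs12 -export -out "$d/smime.pfx" -inkey "$d/smimeKey.pem" \
        -in "$d/smime.pem" -passout pass:example
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "== keyStore.pfx"; inspect_pfx "$tmp/keyStore.pfx" example
echo "== smime.pfx";    inspect_pfx "$tmp/smime.pfx" example
```

A self-signed certificate that passes these checks still has to be trusted in Thunderbird's Certificate Manager before it can be used.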