Does not use macos certificate store for recipient public cert
I have imported a vCard with a public certificate attaced. The person is now in the macos address book, and has a checkmark to the left of the email. This is clickable and shows a valid certificate.
Thunderbird however does not see this certificate, and I am therefore unable to send an signed and encrypted email to this recipient.
If I try to import the certificate into Thunderbirds certificate store through preferences / advanced / certificates / manage certificates / people / import
Modified
Chosen solution
Hi Chris,
I found a solution.
After adding both my certificate and the recipient to the Firefox cert store, I was able to add them to Thunderbird. Don't understand why this was necessary at all.
Happy Easter.
Read this answer in context 👍 0All Replies (8)
There's not much to tell without any more details about the cert.
I am therefore unable to send an signed and encrypted email to this recipient.
You don't need the recipients cert in order to send signed messages.
Hi Chris,
Thanks for trying.
What would you like to know about the cert?
You are right that the recipients public cert is not necessary, but that is not what I am asking for. I need the ability to send it both signed and encrypted.
I can provide the following information if that will help. In Denmark we have a government controlled certificate authority, which can supply any citizen and company entity with a digital certificate to identify them. If one has the need, you can also add an email to the cert, so that encryption is possible as well.
I acces the cert store on the following page, where I search by recipient email:
https://service.nemid.nu/dk-da/support/soeg_certifikat/
In the field "E-mail-adresse" I enter: JJM@JJM-ADV.DK This yields two results. The one I need to send to is the second one:
Jacqueline Mwenesani JJM@JJM-ADV.DK JJM Advokatfirma // CVR:37170747
The vCard download will add their public cert along with contact details into the Contacts app. Thunderbird does see the contact detail, but does not appear to access the cert. I then tried to download the cert using "Hent certifikat" and import it straight into Thunderbird. This fails.
This is where I am stuck. I don't what to try next.
Assuming you do have the cert in .pem format. You could put that into an online certificate decoder, and see whether it's readable there. https://www.sslchecker.com/certdecoder
What would you like to know about the cert?
Basically all the cert details, ideally the cert itself.
I gave you the instruction on how to fetch the cert. Let me know if there's another way of getting it to you.
I don't have the cert i pem format.
The cert only has a MD5 and SHA-1 hash. Both hash types are outdated, and are not supported anymore, neither by Firefox nor Thunderbird. https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ As the cert has only been issued in Feb 2018, this whole government controlled certificate authority looks ridiculous to me.
Modified
I find your statement odd. Why would the cert state that the signature algorithm is: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 ) on my mac's keychain?
I was using the certificate decoder linked above. It did show a SHA-1 and MD5 hash. Using the openssl command it did show 'sha256WithRSAEncryption'.
> openssl x509 -in JacquelineMwenesani.cer -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 1467516816 (0x57788790) Signature Algorithm: sha256WithRSAEncryption
So the hash thing was a false alarm.
Can you check the error console after trying to import the cert? Press Ctrl-Shift-J
You may still need to import the CA cert first and any intermediate certs in case they exist.
Chosen Solution
Hi Chris,
I found a solution.
After adding both my certificate and the recipient to the Firefox cert store, I was able to add them to Thunderbird. Don't understand why this was necessary at all.
Happy Easter.