Set Up Digital Certificates with the
Mozilla Thunderbird E-Mail Client

I wanted to get a digital certificate so I could digitally sign my e-mails and possibly encrypt them if necessary. I decided on a GeoTrust My Credential certificate. Yes, it does cost $20 while you can get one from Thawte for free, but if you read carefully you'll see that Thawte's free certificates are based on a WOT (Web of Trust) model which is more a peer trust model than the more secure hierarchical CA model.

Encryption keys are used to encrypt (hide by scrambling) and/or digitally sign (electronic signature) e-mail messages. A certificate is basically an encryption key along with some reassurance that the person using the key is who they claim to be. The reassurance is accomplished when the Certificate Authority (GeoTrust) asks you to verify, using the phone, that you are who you say you are when you apply for the certificate. The reassurance that a certificate provides is especially important for digital signatures which provide proof of who sent the e-mail.

These types of certificates used for e-mail and digital signatures use "asymmetric" encryption which means there are two different keys. When one of the keys is used for encryption, only the other one can be used for decryption. One is called a public key, because anyone can have a copy of it, while the other is called the private key, because only the certificate holder should have it. The certificate holder encrypts an e-mail message using their private key. If you can successfully decrypt the e-mail message using their public key then you know the message must have come from them.

The first problem you may run into is if you use Internet Explorer to order the certificate. The certificate installation is browser-based and you have to use the same browser to install the certificate that you used to order the certificate. If that's IE then Thunderbird knows nothing about your certificate. You have to use IE to export your certificate to a file and then use Thunderbird to import it.

You use your browser to go to www.geotrust.com/signing-products/secure-email/ to order a signing certificate. During this process you go through a telephone verification step where you enter a code shown in your browser. After that you are forwarded to a Web page with an "Install Certificate" button.

If you used Internet Explorer for this you export the certificate by clicking on Tools / Internet Options / Content / Certificates / Personal. Click on your new certificate shown in the list, click on the Export button, and export the certificate with the private key to a file.

Personal Certificate Export

Then go into Thunderbird and click on Tools / Options / Advanced / Certificates / View Certificates / Your Certificates. Click on the Import button and import the file you just exported. Once imported, your certificate should show up in the list of personal certificates. You can now close the Options window.

Personal Certificate Import

Now in Thunderbird click on Tools / Account Settings and click on Security on the left side. On the right side click on the Select button in both the Digital Signing and Encryption areas and select your new certificate. You can now close the Settings window.

Personal Certificate Selection

Now compose a new e-mail to someone and before sending click on the down arrow to the right of the S/MIME button (not the button itself) and select Digitally Sign This Message and then click on the Send button.

If, when you try to send the e-mail, you get the error:

Unable to sign message. Please check that the certificates specified in Mail & Newsgroup Account Setting for this mail account are valid and trusted.

it simply means that the "GeoTrust True Credentials CA 2" Certificate Authority (which is the CA that issues the MyCredential digital certificates) is not listed as a trusted authority in Thunderbird.

To fix this you have to save the CA's root certificate to a file and import it into Thunderbird. The following is their public certificate. (It is also available at www.geotrust.com/resources/root-certificates/ under "Root 13".) Highlight this text, including the BEGIN and END lines, and copy/paste it into Notepad.

When saving this file you don't want the usual .txt extension that Notepad adds, so you have to enclose the file name in quotes. When you click on File / Save, enter the following into the File Name field exactly as shown, including the quotes and the .cer extension:

"True-Credential-CA-Cert.cer"

Now you need to import it into your Thunderbird trusted authorities. Click on Tools / Options / Advanced / Certificates / View Certificates / Authorities. Click on the Import button and select the file you just saved above.

Certificate Authority Import

The CA will show up in the list. However, it will not show up under GeoTrust. It will show up under "Equifax Secure Inc." as "GeoTrust True Credentials CA 2". Now you should be able to send your digitally-signed e-mail.
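The trust chain behind the error above, and the private-key/public-key signing described earlier, as an added example that is not from the original page: openssl stands in for IE and Thunderbird, a throwaway CA (all names, the address alice@example.test and the password "demo" are constructed) stands in for GeoTrust's CA, and the script shows that a signed message verifies only once the verifier trusts the issuing CA. It assumes a stock openssl (1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example, not part of the original page. Everything below is built from
# scratch in a temporary directory; no real CA or account is involved.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The issuing CA (self-signed) and an e-mail signing certificate it issues.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout ca.key -out ca.cer \
    -subj "/O=Example Inc/CN=Example Demo CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
    -subj "/CN=Alice/emailAddress=alice@example.test" 2>/dev/null
openssl x509 -req -days 1 -in alice.csr -CA ca.cer -CAkey ca.key \
    -CAcreateserial -out alice.cer 2>/dev/null

# 2. The IE "export with private key" step produces a PKCS#12 bundle.
#    The password "demo" is a constructed value.
openssl pkcs12 -export -in alice.cer -inkey alice.key -out alice.p12 -passout pass:demo

# Which CA must Thunderbird trust? Read the issuer off the exported bundle.
issuer_of_p12() {
    openssl pkcs12 -in alice.p12 -passin pass:demo -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -issuer
}

# 3. Signing uses the private key; the public key in the certificate verifies it.
printf 'Hello, this is a signed message.\n' > msg.txt
openssl smime -sign -in msg.txt -signer alice.cer -inkey alice.key -out msg.p7m

# Verification succeeds only when the verifier trusts the issuing CA ...
verify_with_ca() {
    openssl smime -verify -in msg.p7m -CAfile ca.cer -out /dev/null 2>/dev/null
}
# ... and fails against the default trust store, which is Thunderbird's
# situation before the root certificate is imported under Authorities.
verify_without_ca() {
    openssl smime -verify -in msg.p7m -out /dev/null 2>/dev/null
}

echo "issuer: $(issuer_of_p12)"
verify_with_ca && echo "verified with issuing CA trusted"
verify_without_ca || echo "verification failed without the CA (expected)"
```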

If, when you try to import your personal certificate you get prompted for:

Master password for security device

and no matter what you enter it won't take it, you'll have to go for the last resort and rename the file that holds it. The bad news is that this same file also holds the password for your POP account, so you'll be prompted to re-enter that the next time you check your mail. Make sure you know what that password is before proceeding or you won't be able to get your mail.

The file that holds the password is stored in the user profile. To get rid of the "master password for security device" prompt do the following:

Contents, diagrams, and images    Copyright © 2004-2009    Keith Parkansky    All rights reserved.