Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Does not use macos certificate store for recipient public cert

  • 8 replies
  • 2 have this problem
  • 3 views
  • Last reply by kramaric

more options

I have imported a vCard with a public certificate attaced. The person is now in the macos address book, and has a checkmark to the left of the email. This is clickable and shows a valid certificate.

Thunderbird however does not see this certificate, and I am therefore unable to send an signed and encrypted email to this recipient.

If I try to import the certificate into Thunderbirds certificate store through preferences / advanced / certificates / manage certificates / people / import

I have imported a vCard with a public certificate attaced. The person is now in the macos address book, and has a checkmark to the left of the email. This is clickable and shows a valid certificate. Thunderbird however does not see this certificate, and I am therefore unable to send an signed and encrypted email to this recipient. If I try to import the certificate into Thunderbirds certificate store through preferences / advanced / certificates / manage certificates / people / import
Attached screenshots

Modified by kramaric

Chosen solution

Hi Chris,

I found a solution.

After adding both my certificate and the recipient to the Firefox cert store, I was able to add them to Thunderbird. Don't understand why this was necessary at all.

Happy Easter.

Read this answer in context 👍 0

All Replies (8)

more options

There's not much to tell without any more details about the cert.

I am therefore unable to send an signed and encrypted email to this recipient.

You don't need the recipients cert in order to send signed messages.

more options

Hi Chris,

Thanks for trying.

What would you like to know about the cert?

You are right that the recipients public cert is not necessary, but that is not what I am asking for. I need the ability to send it both signed and encrypted.

I can provide the following information if that will help. In Denmark we have a government controlled certificate authority, which can supply any citizen and company entity with a digital certificate to identify them. If one has the need, you can also add an email to the cert, so that encryption is possible as well.

I acces the cert store on the following page, where I search by recipient email:

https://service.nemid.nu/dk-da/support/soeg_certifikat/

In the field "E-mail-adresse" I enter: JJM@JJM-ADV.DK This yields two results. The one I need to send to is the second one:

  Jacqueline Mwenesani
  JJM@JJM-ADV.DK
  JJM Advokatfirma // CVR:37170747

The vCard download will add their public cert along with contact details into the Contacts app. Thunderbird does see the contact detail, but does not appear to access the cert. I then tried to download the cert using "Hent certifikat" and import it straight into Thunderbird. This fails.

This is where I am stuck. I don't what to try next.

more options

Assuming you do have the cert in .pem format. You could put that into an online certificate decoder, and see whether it's readable there. https://www.sslchecker.com/certdecoder

What would you like to know about the cert?

Basically all the cert details, ideally the cert itself.

more options

I gave you the instruction on how to fetch the cert. Let me know if there's another way of getting it to you.

I don't have the cert i pem format.

more options

The cert only has a MD5 and SHA-1 hash. Both hash types are outdated, and are not supported anymore, neither by Firefox nor Thunderbird. https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ As the cert has only been issued in Feb 2018, this whole government controlled certificate authority looks ridiculous to me.

Modified by christ1

more options

I find your statement odd. Why would the cert state that the signature algorithm is: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 ) on my mac's keychain?

more options

I was using the certificate decoder linked above. It did show a SHA-1 and MD5 hash. Using the openssl command it did show 'sha256WithRSAEncryption'.

> openssl x509 -in JacquelineMwenesani.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1467516816 (0x57788790)
    Signature Algorithm: sha256WithRSAEncryption

So the hash thing was a false alarm.

Can you check the error console after trying to import the cert? Press Ctrl-Shift-J

You may still need to import the CA cert first and any intermediate certs in case they exist.

more options

Chosen Solution

Hi Chris,

I found a solution.

After adding both my certificate and the recipient to the Firefox cert store, I was able to add them to Thunderbird. Don't understand why this was necessary at all.

Happy Easter.