This guide describes the process for using self-signed S/MIME certificates with Mozilla Thunderbird on Windows 10. If you need an S/MIME certificate, please follow the guide to Create Self-Signed S/MIME Certificates. Certificates allow you to both send digitally signed messages and receive encrypted messages as part of public-key cryptography (also known as asymmetric cryptography). By creating and self-signing your own certificates, you avoid paying recurring fees, but you lose the inherent trust that comes with a certificate issued by a well-known certificate authority. After having written similar guides for iOS / iPadOS and Outlook, in my opinion Thunderbird is probably the easiest client in which to establish trust and set up your own certificates.
Part 1 – Trusting Self-Signed S/MIME Personal Certificates
Step 1 – Account Settings
From the Thunderbird menu (the hamburger icon button or collapsed menu icon button), select Account Settings.
Step 2 – End-To-End Encryption
The Account Settings screen is displayed. Select End-To-End Encryption from the account settings menu. Click the Manage S/MIME Certificates button.
Step 3 – Establish Personal Certificate Trust
The Certificate Manager window is displayed. From the available tabs, select Your Certificates followed by the Import… button. The Certificate File to Import window is displayed. Find the .p12 file containing the appropriate self-signed certificate for this e-mail account and click the Open button.
The Password Required prompt is displayed. Enter the password set when the .p12 package was created and then click the Sign in button.
The personal certificate is now displayed in the Your Certificates tab of the Certificate Manager.
Step 4 – Establish Certificate Authority Trust
Now the certificate authority certificate needs to be added to the Certificate Manager so that the personal certificate can be trusted. Select the Authorities tab and click the Import… button.
The Select File containing CA certificate(s) to import window is displayed. Find the .crt file containing the appropriate certificate authority certificate used to create the personal certificate and click the Open button. If the guide Create Self-Signed S/MIME Certificates was followed, then the file is named ca.crt.
The Downloading Certificate prompt is displayed. Confirm that the displayed information matches the CA certificate you created. The Trust this CA to identify email users checkbox should be checked. Click the OK button when complete.
The certificate authority certificate is now displayed in the Certificate Manager window on the Authorities tab. In this example, the certificate authority certificate was established using the Organization Name as TEST COMPANY and the Common Name as TEST COMPANY CERTIFICATE AUTHORITY. Click the OK button to close the Certificate Manager window.
Step 5 – S/MIME Settings for Digital Signing and Encryption
Now that trust has been established for the certificate authority certificate as well as the personal certificate, the S/MIME section of the End-To-End Encryption settings screen can be completed.
Click the Select… button next to the Personal certificate for digital signing field. The Select Certificate prompt is displayed. Select the appropriate certificate from the drop-down list and confirm the displayed details. Click the OK button.
A prompt may be displayed asking “You should also specify a certificate for other people to use when they send you encrypted messages. Do you want to configure an encryption certificate now?” Click the Yes button. The Personal certificate for encryption field is populated with the same certificate specified for the digital signature.
If the question prompt was not displayed, Thunderbird returns to the End-To-End Encryption settings screen. If the Personal certificate for encryption field in the S/MIME section is empty, click the Select… button next to that field. The Select Certificate prompt is displayed. Select the appropriate certificate from the drop-down list and confirm the displayed details. Click the OK button. I can’t think of a reason why the digital signature and encryption fields would use different certificates, but I’m sure someone has an edge case where the distinction is needed. Generally, I would expect both fields to reference the same personal certificate.
Close the Account Settings screen.
Part 2 – Sending a Digitally Signed and Encrypted Message
At this point, trust has been established for both the certificate authority certificate and the personal certificate. The personal certificate has been selected for use in digital signatures as well as encryption, and Thunderbird is ready to send a digitally signed message.
Step 1 – Draft New Message
Click the Write button to draft a new message. A new message window opens.
Step 2 – Set Security Options
In the Options menu for the message, select Digitally Sign This Message.
I was also able to select Require Encryption because the sender and recipient are the same e-mail address in this example (I sent an e-mail to myself). Since the sender and recipient are the same, Thunderbird already has a trusted recipient certificate. If Require Encryption is selected and a recipient certificate isn’t available, then Thunderbird displays the error “Sending of the message failed. You specified encryption for this message, but the application failed to find an encryption certificate for <e-mail address>.”
The Digitally Sign This Message and Require Encryption options may also be set by clicking the Security button. View Security Info will display the recipient certificate, if available.
Step 3 – Send Message
Complete drafting the message and click the Send button. A Message Security prompt is displayed. Confirm the displayed information is correct and click the OK button to send the message.
The recipient receives a message digitally signed with the sender’s self-signed certificate. In this example, since the sender and recipient are the same, the recipient also receives an encrypted message.
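As an added example (not part of this guide and not Thunderbird's own code), the POSIX shell script below does two things with nothing but the openssl command-line tool (on Windows, for instance the openssl.exe that ships with Git for Windows). First, it checks a .p12 and a ca.crt the way Steps 3 and 4 of Part 1 rely on them: the .p12 opens with the password, the personal certificate chains to the CA for both S/MIME purposes, and the certificate carries the account's e-mail address; it then prints the CA subject and SHA-256 fingerprint to compare against the Downloading Certificate prompt. Second, it reproduces the Part 2 round trip for the sender-equals-recipient case: sign with the personal key, encrypt to the personal certificate, decrypt, and verify the signature against the trusted CA. The make_fixture function builds a throwaway CA and personal certificate so the script runs offline; every name, address and the password changeit are constructed for the demo (the CA subject mirrors the guide's TEST COMPANY example), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): pre-import checks for the .p12 and ca.crt of
# Steps 3-4, and the sign/encrypt/decrypt/verify round trip behind Part 2.
# Assumes only `openssl` on PATH. Names, addresses and the password "changeit"
# are constructed for the demo; the CA subject mirrors the guide's TEST COMPANY example.

# make_fixture DIR CA_CN EMAIL: throwaway CA (ca.crt/ca.key) plus a personal
# certificate and key packaged as user.p12, the same file shapes the guide imports.
make_fixture() {
  dir=$1; cn=$2; email=$3
  mkdir -p "$dir"
  cat > "$dir/demo.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
O = TEST COMPANY
CN = $cn
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_user]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl req -x509 -config "$dir/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 365 -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -keyout "$dir/user.key" \
    -subj "/O=TEST COMPANY/CN=Test User/emailAddress=$email" -out "$dir/user.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -extfile "$dir/demo.cnf" -extensions v3_user -out "$dir/user.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$dir/user.crt" -inkey "$dir/user.key" -certfile "$dir/ca.crt" \
    -passout pass:changeit -out "$dir/user.p12" >/dev/null 2>&1
}

# check_p12 P12 CA PASSWORD EMAIL: 0 when the .p12 opens, chains to CA for both S/MIME
# purposes, and is issued for EMAIL; returns 1/2/3 for the respective failure.
check_p12() {
  p12=$1; ca=$2; pass=$3; email=$4
  tmp=$(mktemp -d)
  # Extract only the end-entity certificate (clean PEM); the private key stays in the .p12.
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
       | openssl x509 -out "$tmp/user.crt" 2>/dev/null; then
    rm -rf "$tmp"; echo "FAIL: cannot open $p12 (wrong password or damaged file)"; return 1
  fi
  # Chain check against the CA you are about to trust in the Authorities tab (Step 4).
  for purpose in smimesign smimeencrypt; do
    if ! openssl verify -CAfile "$ca" -purpose "$purpose" "$tmp/user.crt" >/dev/null 2>&1; then
      rm -rf "$tmp"; echo "FAIL: $p12 does not verify against $ca for $purpose"; return 2
    fi
  done
  # Identity check: the address in the certificate should match the account it is imported for.
  if ! openssl x509 -in "$tmp/user.crt" -noout -text | grep -qF "email:$email"; then
    rm -rf "$tmp"; echo "FAIL: $p12 is not issued for $email"; return 3
  fi
  rm -rf "$tmp"
  echo "OK: $p12 chains to $ca and is issued for $email"
  # Compare this subject and fingerprint with the Downloading Certificate prompt (Step 4).
  openssl x509 -in "$ca" -noout -subject -fingerprint -sha256
}

# smime_roundtrip DIR CA: what Part 2 does when sender and recipient are the same
# account: sign with the personal key, encrypt to the personal certificate, then
# decrypt and verify the signature against CA. 0 on success, 1-4 for the failing step.
smime_roundtrip() {
  dir=$1; ca=$2
  printf 'hello from the guide\n' > "$dir/msg.txt"
  openssl cms -sign -in "$dir/msg.txt" -signer "$dir/user.crt" -inkey "$dir/user.key" \
    -out "$dir/signed.eml" 2>/dev/null || return 1
  # Recipient certificates are positional arguments to -encrypt; here it is our own.
  openssl cms -encrypt -aes256 -in "$dir/signed.eml" -out "$dir/encrypted.eml" \
    "$dir/user.crt" 2>/dev/null || return 2
  openssl cms -decrypt -in "$dir/encrypted.eml" -recip "$dir/user.crt" -inkey "$dir/user.key" \
    -out "$dir/decrypted.eml" 2>/dev/null || return 3
  openssl cms -verify -in "$dir/decrypted.eml" -CAfile "$ca" -out "$dir/verified.txt" \
    2>/dev/null || return 4
  grep -qF 'hello from the guide' "$dir/verified.txt"
}

# Stand-alone use: `sh smime_check.sh demo` builds a fixture and runs both checks;
# `sh smime_check.sh user.p12 ca.crt 'p12 password' you@example.com` checks real files.
case "${1:-}" in
  demo) d=$(mktemp -d); make_fixture "$d" "TEST COMPANY CERTIFICATE AUTHORITY" alice@example.com
        check_p12 "$d/user.p12" "$d/ca.crt" changeit alice@example.com
        smime_roundtrip "$d" "$d/ca.crt" && echo "OK: signed+encrypted message round trip" ;;
  "") ;;
  *) check_p12 "$1" "$2" "$3" "$4" ;;
esac
```

The three failure codes of check_p12 line up with what you would otherwise only discover inside Thunderbird: a wrong password fails at the Password Required prompt of Step 3, a certificate that does not chain to the imported CA is shown but not trusted after Step 4, and an address mismatch means the certificate is not the one you want in the Select Certificate drop-down of Step 5. The verify step of smime_roundtrip is the same trust decision the recipient's client makes: with a different CA file it fails with code 4, which is the "no inherent trust" caveat of the introduction made concrete.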