Using Self-Signed S/MIME Certificates in Thunderbird

This guide describes the process for using self-signed S/MIME certificates with Mozilla Thunderbird on Windows 10. If you need an S/MIME certificate, first follow the guide Create Self-Signed S/MIME Certificates. Certificates allow you both to send digitally signed messages and to receive encrypted messages as part of public-key cryptography (also known as asymmetric cryptography). By creating and self-signing your own certificates, you avoid paying recurring fees, but you lose the inherent trust that comes with a certificate issued by a well-known certificate authority. After having written similar guides for iOS / iPadOS and Outlook, in my opinion Thunderbird is probably the easiest client in which to establish trust and set up your own certificates.

Part 1 – Trusting Self-Signed S/MIME Personal Certificates

Step 1 – Account Settings

From the Thunderbird menu (the hamburger icon button or collapsed menu icon button), select Account Settings.

Thunderbird – Account Settings Menu

Step 2 – End-To-End Encryption

The Account Settings screen is displayed. Select End-To-End Encryption from the account settings menu. Click the Manage S/MIME Certificates button.

Account Settings – End-To-End Encryption

Step 3 – Establish Personal Certificate Trust

The Certificate Manager window is displayed. From the available tabs, select Your Certificates followed by the Import… button. The Certificate File to Import window is displayed. Find the .p12 file containing the appropriate self-signed certificate for this e-mail account and click the Open button.

Certificate Manager

The Password Required prompt is displayed. Enter the password set when the .p12 package was created and then click the Sign in button.

PKCS12 Package Password

The personal certificate is now displayed in the Your Certificates tab of the Certificate Manager.

Certificate Manager – Personal Certificates

Step 4 – Establish Certificate Authority Trust

Now the certificate authority certificate needs to be added to the Certificate Manager so that the personal certificate can be trusted. Select the Authorities tab and click the Import… button.

Certificate Authorities – Authorities

The Select File containing CA certificate(s) to import window is displayed. Find the .crt file containing the appropriate certificate authority certificate used to create the personal certificate and click the Open button. If the guide Create Self-Signed S/MIME Certificates was followed, then the file is named ca.crt.

Added Certificate Authority Certificate

The Downloading Certificate prompt is displayed. Confirm the displayed information and CA certificate are correct. The Trust this CA to identify email users checkbox should be checked. Click the OK button when complete.

Downloading Certificate – Authority Certificate

The certificate authority certificate is now displayed in the Certificate Manager window on the Authorities tab. In this example, the certificate authority certificate was established using the Organization Name as TEST COMPANY and the Common Name as TEST COMPANY CERTIFICATE AUTHORITY. Click the OK button to close the Certificate Manager window.

Added Certificate Authority Certificate

Step 5 – S/MIME Settings for Digital Signing and Encryption

Now that trust has been established for the certificate authority certificate as well as the personal certificate, the S/MIME section of the End-To-End Encryption settings screen can be completed.

Account Settings – End-To-End Encryption (Completed)

In the Personal certificate for digital signing field, click the Select… button next to the field. The Select Certificate prompt is displayed. Select the appropriate certificate from the drop-down list and confirm the displayed details. Click the OK button.

Digital Signature Certificate

A prompt may be displayed asking “You should also specify a certificate for other people to use when they send you encrypted messages. Do you want to configure an encryption certificate now?” Click the Yes button. The Personal certificate for encryption field is populated with the same certificate specified for the digital signature.

Configure Encryption Certificate

If the question prompt was not displayed, Thunderbird returns to the End-To-End Encryption settings screen. If the Personal certificate for encryption is not populated in the S/MIME section, then click the Select… button next to the Personal certificate for encryption field. The Select Certificate prompt is displayed. Select the appropriate certificate from the drop-down list and confirm the displayed details. Click the OK button. I can’t think of a reason why the digital signature and encryption fields would use different certificates, but I’m sure someone has an edge case where the distinction is needed. Generally, I would expect both fields to reference the same personal certificate.

Encryption Certificate

Close the Account Settings screen.
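As an added check before the imports in Steps 3 and 4 (not part of the original guide), the following POSIX shell script uses OpenSSL to confirm that the certificate inside a .p12 chains to the ca.crt you are about to trust, is usable for both the signing and encryption roles Step 5 assigns to it, and carries the account's e-mail address. It builds its own throwaway CA and personal certificate as constructed sample input; the file names, e-mail address and password are placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): pre-import checks for the ca.crt / .p12 pair
# that Thunderbird imports in Steps 3 and 4. The sample CA, personal certificate,
# e-mail address and password below are constructed throwaway values.
set -e
WORK=$(mktemp -d)
EMAIL="user@example.com"   # placeholder address the .p12 should be issued for
PASS="changeit"            # placeholder .p12 password (the "Password Required" prompt)

make_sample() {            # build a self-signed CA and a CA-issued personal certificate
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 30 -sha256 -subj "/O=TEST COMPANY/CN=TEST COMPANY CERTIFICATE AUTHORITY" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=TEST COMPANY/CN=Test User" -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  # S/MIME-specific extensions: the address goes in the SAN, the EKU must allow e-mail
  # protection, and the key must be usable for signing and encryption (Step 5 uses one cert for both)
  printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$EMAIL" > "$WORK/user.ext"
  openssl x509 -req -days 30 -sha256 -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/user.ext" -out "$WORK/user.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/user.crt" -inkey "$WORK/user.key" -certfile "$WORK/ca.crt" \
    -passout "pass:$PASS" -out "$WORK/user.p12"
}

# check_p12 P12 CA EMAIL: returns 0 only if the certificate inside the .p12 chains to CA,
# passes OpenSSL's S/MIME signing and S/MIME encryption purpose checks, and carries EMAIL.
check_p12() {
  p12=$1; ca=$2; email=$3; leaf="$WORK/extracted.crt"
  openssl pkcs12 -in "$p12" -passin "pass:$PASS" -clcerts -nokeys -out "$leaf" 2>/dev/null || return 1
  for purpose in smimesign smimeencrypt; do     # mirrors the two Step 5 fields
    openssl verify -CAfile "$ca" -purpose "$purpose" "$leaf" >/dev/null 2>&1 || return 1
  done
  openssl x509 -in "$leaf" -noout -email | grep -qxF "$email" || return 1
  return 0
}

make_sample
check_p12 "$WORK/user.p12" "$WORK/ca.crt" "$EMAIL" && echo "OK: $WORK/user.p12 chains to $WORK/ca.crt for $EMAIL"
```

Replace the constructed sample with your own .p12, ca.crt and address (and set PASS) to run the same checks on real files.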

Part 2 – Sending a Digitally Signed and Encrypted Message

At this point, trust has been established for both the certificate authority certificate and the personal certificate. The personal certificate has been configured for use in digital signatures as well as encryption, and Thunderbird is ready to send a digitally signed message.

Step 1 – Draft New Message

Click the Write button to draft a new message. A new message window opens.

Step 2 – Set Security Options

In the Options menu for the message, select Digitally Sign This Message.

Message Options

I was also able to select Require Encryption because the sender and recipient are the same e-mail address in this example (I sent an e-mail to myself). Since the sender and recipient are the same, Thunderbird already has a trusted recipient certificate. If Require Encryption is selected and a recipient certificate isn’t available, then Thunderbird displays the error “Sending of the message failed. You specified encryption for this message, but the application failed to find an encryption certificate for <e-mail address>.”

Encryption Error

The Digitally Sign This Message and Require Encryption options may also be set by clicking the Security button. View Security Info will display the recipient certificate, if available.

Message Security Options

Step 3 – Send Message

Complete drafting the message and click the Send button. A Message Security prompt is displayed. Confirm the displayed information is correct and click the OK button to send the message.

Send Message – Security Warning

Result

The recipient receives a message digitally signed with the sender's self-signed certificate. In this example, since the sender and recipient are the same, the recipient also receives an encrypted message.

Digitally Signed and Encrypted Message

Further Reading