I had to generate some SSL certificates and use them to sign emails for a class recently. After creating the PKCS#12 file and importing it into Thunderbird I tried sending an email, which resulted in an error message:
> Sending of message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted.
First I tried adding the Certificate Authority that had signed my SSL certificate into Thunderbird's Certificate Manager, under the Authorities tab. Thunderbird complained about it already being in the list, though. So I searched the list for it (why the hell isn't it filterable? There's tonnes of Authorities, ugh) and after quite a while — I wasn't sure whether it was going to be listed under the SSL cert's OU, the CA's OU or the root CA's OU — I finally found the cursed CA under the root CA's OU. Along with the root CA.
Upon clicking "Edit" on both CAs I got a lovely window with three unchecked options:
- This certificate can identify web sites.
- This certificate can identify mail users.
- This certificate can identify software makers.
I guess that's why Thunderbird wasn't able to sign my test email. Checking the second one fixed my problems.
Just as well Thunderbird didn't ask me whether I trust the CA (and its parent CA) that issued my SSL cert when I added it. It might have been a painless experience.
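The situation above, a CA that is present in the store but not trusted for the e-mail purpose, can be reproduced outside Thunderbird. This is an added example, not part of the original post: it uses OpenSSL's trusted-certificate format as a stand-in for Thunderbird's three checkboxes, and every name, key and file in it is constructed test data.

```bash
#!/usr/bin/env bash
# Added illustration (not from the original post): per-purpose CA trust with OpenSSL.
# Every name, key and certificate here is constructed test data.
set -eu
WORK=$(mktemp -d)

cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Class CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'keyUsage=digitalSignature\nextendedKeyUsage=emailProtection\n' > "$WORK/leaf.ext"

(
  cd "$WORK"
  # Self-signed CA plus one e-mail signing certificate issued by it.
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
    -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=student@example.test" -keyout user.key -out user.csr 2>/dev/null
  openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out user.pem 2>/dev/null
  # Two copies of the same CA, differing only in the trust settings attached.
  openssl x509 -in ca.pem -addtrust serverAuth      -out ca_web_only.pem
  openssl x509 -in ca.pem -addtrust emailProtection -out ca_mail.pem
)

# Succeeds only if the CA file in $1 is trusted to vouch for S/MIME signers.
trusted_for_mail() {
  openssl verify -purpose smimesign -CAfile "$1" "$WORK/user.pem" >/dev/null 2>&1
}

for ca in ca_web_only.pem ca_mail.pem; do
  if trusted_for_mail "$WORK/$ca"; then
    echo "$ca: chain accepted for e-mail signing"
  else
    echo "$ca: chain rejected for e-mail signing"
  fi
done
```

The certificate, key and chain are identical in both runs; only the purpose the CA is trusted for changes, which is the same distinction the "can identify mail users" checkbox controls.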
This post brought to you by