Bug 1321977 (closed): opened 8 years ago, closed 8 years ago

Self-signed certificate for email encryption "not found"

Product/Component: Thunderbird :: Untriaged
Type: defect
Version: 45 Branch
Priority: Not set
Severity: normal
Tracking: (Not tracked)
Status: RESOLVED INVALID
Reporter: g8796365
Assignee: Unassigned

User Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:43.0) Gecko/20100101 Firefox/43.0 SeaMonkey/2.40

Steps to reproduce:

1. Created a self-signed certificate with OpenSSL using the settings:
  [ usr_cert ]
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  subjectAltName=email:copy
  extendedKeyUsage = emailProtection
  basicConstraints = CA:true
2. Imported pub key under "Authorities" and selected "Trust this certificate can identify email users"
3. Imported priv key under "Your certificates"
4. Selected keys for email account
5. Create new Email to myself, select: Security->Sign, Security->Encrypt
6. Select in compose window: Security->View Security Info


Actual results:

Under Security->View Security Info my key is listed as recipient key but status is "Not Found".
Email encryption fails.


Expected results:

Key should be shown as valid and email encryption should be possible.

TB version 45.5.1
The same key works with an older version of TB (38) and also works with Evolution 3.12.9 on Linux.
Corrections and additions: the last TB version where S/MIME worked for me was 31.8.0.
The problem occurs not only with self-signed certs but also with Comodo instant certs.
The problem is different from https://bugzilla.mozilla.org/show_bug.cgi?id=531073,
where the user had two certs with the same email and the problem could be solved by creating a new profile. I tried that and it does not solve the problem here.

What's a "Comodo instant cert"? I have a free Comodo certificate and that's working.

Also note that all the security components come from Mozilla core software and they are very strict about security. So if a certificate is not working it possibly doesn't fulfil the stringent security requirements.

It's called "Comodo Instant SSL Free Secure Email Certificate" to be precise. Never mind, I created it only for test purposes to be sure the problem is not caused by self-signing. If Mozilla has strict requirements, where are they documented, so that I can generate certs accordingly?

Here are some details of my certificate and it works. I think I got it here:
https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate
My certificate says:
Issued by: COMODO SHA-256 Client Authentication and Secure Email CA

Sadly we don't have security experts on the Thunderbird team, so it's hard for us to work out why some certificates don't work. Some further reading is here: Bug 1312762.

I think I found the solution: the behavior of TB has silently changed such that your self-signed certificate and the self-made CA certificate have to be different!

Before, you could have one single certificate (with CA:true set), import that under Authorities first, and then import the very same certificate under Own Certificates. This is described in several places.

That's it. 

Trying to close the bug.
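The layout the reporter arrived at, a personal CA certificate and a separate end-entity certificate that carries the extensions from the [ usr_cert ] section in the steps to reproduce (emailProtection, the email SAN, keyEncipherment) but with CA:FALSE, worked through with OpenSSL as an added example. It is not code from the bug report, from the reporter or from Thunderbird; the directory, the subject names, the address alice@example.invalid and the PKCS#12 password are assumptions, and the SAN is pinned to the address explicitly rather than with email:copy.

```shell
#!/bin/sh
# Added example (not from bug 1321977 or Thunderbird): build a personal CA and
# a separate S/MIME end-entity certificate, the layout the reporter found that
# Thunderbird 45 needs. Names, paths, address and password are assumptions.
set -eu

# Minimal req config (so the script does not depend on a system openssl.cnf)
# plus the two extension files. The CA gets CA:TRUE and keyCertSign only; the
# user cert gets the extensions from the bug's [ usr_cert ] section, CA:FALSE.
write_config_files() {
    dir=$1; email=$2
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$dir/req.cnf"
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/user.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Produce ca.key/ca.crt (import under "Authorities", trust for email users),
# user.key/user.crt and user.p12 (import under "Your Certificates").
make_smime_certs() {
    dir=$1; email=$2
    mkdir -p "$dir"
    write_config_files "$dir" "$email"

    # 1. Personal CA: its own key and a self-signed CA certificate.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" -subj "/CN=Example Personal CA"
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt"

    # 2. End entity: a different key, a CSR carrying the address, signed by the CA.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/user.key" -out "$dir/user.csr" \
        -subj "/CN=Alice Example/emailAddress=$email"
    openssl x509 -req -sha256 -days 730 -in "$dir/user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/user.ext" -out "$dir/user.crt"

    # 3. PKCS#12 bundle with the chain; SHA1-3DES PBE is accepted by old and
    #    new NSS alike, which the OpenSSL 3 default PBE is not guaranteed to be.
    openssl pkcs12 -export -in "$dir/user.crt" -inkey "$dir/user.key" \
        -certfile "$dir/ca.crt" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -passout pass:changeit -out "$dir/user.p12"
}

# Ask OpenSSL the question the "Not Found" status hides: does this certificate
# chain to the CA and is it acceptable as an S/MIME encryption recipient
# (not a CA, keyEncipherment present, emailProtection if an EKU is present)?
check_recipient_cert() {
    cafile=$1; cert=$2
    if openssl verify -CAfile "$cafile" -purpose smimeencrypt "$cert" >/dev/null 2>&1; then
        echo "OK: $cert is usable for S/MIME encryption under $cafile"
    else
        echo "FAIL: $cert is not usable for S/MIME encryption under $cafile"
        return 1
    fi
}

# SHA-256 fingerprint, used to show the CA and user certificates really differ.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Stand-alone run: SMIME_DEMO_DIR=./smime-demo sh make_smime_certs.sh
if [ -n "${SMIME_DEMO_DIR:-}" ]; then
    make_smime_certs "$SMIME_DEMO_DIR" "${SMIME_DEMO_EMAIL:-alice@example.invalid}"
    check_recipient_cert "$SMIME_DEMO_DIR/ca.crt" "$SMIME_DEMO_DIR/user.crt"
    echo "CA:   $(cert_fingerprint "$SMIME_DEMO_DIR/ca.crt")"
    echo "User: $(cert_fingerprint "$SMIME_DEMO_DIR/user.crt")"
fi
```

Import ca.crt under Authorities with "Trust this certificate to identify email users" and user.p12 under Your Certificates, then select user.crt for the account. The `openssl verify -purpose smimeencrypt` check is a useful first stop when a recipient certificate shows as "Not Found": a certificate that fails it (for example the old single-certificate layout, where the CA:true certificate doubles as the user certificate) is at least suspect, while one that passes narrows the problem to the profile or the identity it was installed for, as the reporter later found with the Comodo certificate.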
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Thanks for letting us know, we're slowly learning ;-)
Wow that was a quick response. BTW the problem with the Comodo cert was because I installed it for an alternate identity. There are probably some bugs in that area.

see also Bug 1623568
