Using S/MIME encryption LDAP does not fetch X.509 certificates of intermediate CAs.



11 years ago
10 years ago


(Reporter: gellert, Unassigned)


1.8 Branch





11 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20071015 SUSE/ Firefox/
Build Identifier: version (20070801)

I imported the root certificate of some CA. When I try to send an email to someone with a certificate from this certificate hierarchy, Thunderbird fetches the correct certificate from the configured LDAP server. But it cannot verify it because it simply does not try to fetch certificates of intermediate CAs.

When opening the "S/MIME -> Security Information" window, Thunderbird tries to validate the certificate and displays the error message:

"This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved."

It should be easy to implement a recursive LDAP search that searches for missing issuer certificates up to the (already imported and trusted) root certificate.

Reproducible: Always

Steps to Reproduce:
1. Save the root certificate ("Wurzelzertifikat") from this page and import it
   into Thunderbird:
2. Import the first intermediate CA certificate (DFN-PCA Zertifikat) from the
   same page.
3. Use the following LDAP server configuration:
   Name: DFN-PKI
   BaseDN: o=DFN-Verein,c=DE
   Port Number: 389
   Bind DN: <empty>

   and make this an active LDAP server.

4. Try to send an email to "olaf.gellert" (the rest of the email
   will be substituted after a first LDAP search).

Actual Results:  
The correct certificate will be fetched but not imported (with the error message
from above).

Expected Results:  
After fetching the email recipient's certificate Thunderbird should try to fetch
the issuer certificate from the same LDAP server. Then it would work. To test this manually, you can import the missing intermediate CA's certificate (named
"CA-Zertifikat") from

Fetching and importing the certificate will be successful.
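
The recursive issuer lookup requested in the report above, sketched as an added example; it is not part of the original report and is not Thunderbird's code. The directory is simulated with a dict, and every DN, the `Cert` type and the `directory_lookup` helper are hypothetical; it performs path discovery only, so signature and validity checks on the returned path are still required.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # subject DN
    issuer: str    # issuer DN

class ChainError(Exception):
    pass

# Constructed sample data; all names are hypothetical.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
TRUSTED_ROOTS = {ROOT.subject: ROOT}   # locally imported trust anchors
DIRECTORY = {                          # stand-in for the LDAP server
    "CN=Example Policy CA": Cert("CN=Example Policy CA", "CN=Example Root CA"),
    "CN=Example Issuing CA": Cert("CN=Example Issuing CA", "CN=Example Policy CA"),
    "CN=Loop A": Cert("CN=Loop A", "CN=Loop B"),
    "CN=Loop B": Cert("CN=Loop B", "CN=Loop A"),
}

def directory_lookup(dn):
    """Hypothetical helper: a real client would run an LDAP search for the
    CA entry's cACertificate;binary attribute (RFC 4523) instead."""
    return DIRECTORY.get(dn)

def build_chain(leaf, trusted_roots, lookup=directory_lookup, max_depth=8):
    """Return [leaf, intermediates..., root], fetching missing issuers.

    Fetched certificates are untrusted input: signatures, validity periods
    and CA constraints must still be verified along the returned path.
    """
    chain, seen, current = [leaf], {leaf.subject}, leaf
    while current.issuer not in trusted_roots:
        if len(chain) > max_depth:
            raise ChainError("chain too long")
        parent = lookup(current.issuer)
        if parent is None:
            raise ChainError("issuer not found: " + current.issuer)
        if parent.subject != current.issuer:
            raise ChainError("directory returned wrong certificate")
        if parent.subject in seen:
            raise ChainError("issuer loop at " + parent.subject)
        seen.add(parent.subject)
        chain.append(parent)
        current = parent
    # Anchor on the local copy of the root, never one supplied by the directory.
    chain.append(trusted_roots[current.issuer])
    return chain
```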

Comment 1

10 years ago
More like enhancement request, can you give a try using TB3 beta 2?
Component: Address Book → LDAP Integration
Product: Thunderbird → MailNews Core
QA Contact: address-book → ldap-integration
Version: unspecified → 1.8 Branch