I've picked certificates from my cert card which Thunderbird can see but it can't actually decrypt or sign with them. (Encrypt works)

  • 2 replies
  • 1 has this problem
  • 2 views
  • Last reply by Matt

Thunderbird 31.3.0
Win7 Enterprise, SP1 (all patches, corporate maintained)
ActivClient x64 - 7.0.2.403

I just got a new machine from corporate. The old one had ActivClient 6.2.0.133 and I had it working there. With my cert card inserted, TB can see the certs on the card. It lists them in the "Your Certificates" tab in the cert manager. And in the account settings, security section it lets me pick certs for digital signing and encryption. But when I try to use them to sign or decrypt an email it doesn't work. It does let me encrypt an email which others can read. I've checked about:config and it matches what I picked in account settings.

When I try to decrypt it gives me the boilerplate: "Thunderbird cannot decrypt this message

The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key. Possible solutions:

   If you have a smartcard, please insert it now.
   If you are using a new machine, or if you are using a new Thunderbird profile, you will need to restore your certificate and private key from a backup. Certificate backups usually end in ".p12"."

If I try to sign it says "Sending of message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail." TB only lets me pick the cert named "Digital Signature" for use in the first place! And the cert's properties according to TB are "This certificate has been verified for the following uses: SSL Client Certificate, Email Signer Certificate". So TB knows it is good for signing. I'm out of things to try at this point.

Thanks for the help.

All Replies (2)

I've found a bit more information. When I'm trying to sign an email and check the cert info from the compose message window->security->view the cert that TB is trying to use, it is using the wrong cert and not the one I selected! No wonder it doesn't work! It is using a cert only specified for "Email Recipient Certificate" instead of the one I selected in account settings that is for "Signing, Non-repudiation" according to account settings and "SSL Client Certificate" + "Email Signer Certificate" according to the certificate manager.

This pretty clearly seems like a bug. I've never submitted a bug to TB before. Can I get some help doing that? I'm not a SW developer of any kind. This is completely breaking my ability to use TB. Half of my email traffic is encrypted.

Never mind on the last part. TB is telling me what certificate of the recipient it is using, not the certificate of mine it is using to encrypt or sign. I confused the issue because I was trying to send test messages to myself.