Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How to exchange encryption key/certificate with other users

  • 13 odgovori
  • 0 ima ovaj problem
  • Posljednji odgovor poslao christ1

more options

I have imported a certificate and setup my Thunderbird. When I try to send an email using encryption it won't send and Thunderbird displays the message ' End-to-end ecryption requires resolving certificate issues for XXXX@ddd.com'

How do I resolve this ?

I have imported a certificate and setup my Thunderbird. When I try to send an email using encryption it won't send and Thunderbird displays the message ' End-to-end ecryption requires resolving certificate issues for XXXX@ddd.com' How do I resolve this ?

All Replies (13)

more options
I have imported a certificate and setup my Thunderbird.

What cert exactly? Please be specific.

When I try to send an email using encryption it won't send and Thunderbird displays the message ' End-to-end ecryption requires resolving certificate issues for XXXX@ddd.com'

Please post a screenshot of the error. https://support.mozilla.org/kb/how-do-i-create-screenshot-my-problem

In general, you'd have to obtain the cert of the intended recipient and import it into your Thunderbird to be able to send encrypted messages to that recipient.

Helpful?

more options

Thank you for the reply. I have two Certificates one for email signatures and one for Encryption both are from a certified CA. They have functioned well with MS Outlook until Outlook 2016 stopped working for me and Microsoft could not solve the issue. I tried going to the new Outlook (their only possible solution) and the new Outlook does not support Certificates. So I am trying Thunderbird. I have gone trough the Import Certificate and create a backup process to obtain the .p12 format for Thunderbird. When I try to send an email with my signature to an associate I get the "Unable to sign screenshot1" attached here. (Then, as Mozilla tries to save the email as a "draft" I get the "Unable to save Draft Screenshot1" attached here.) My goal is to send signature and Encrypted emails to my customers and associates. When I get an encrypted email from an associate, Thunderbird posts this cannot decrypt message (screenshot attached) "Cannot Decrypt message screenshot1" in the text field of the email.

Helpful?

more options
I have two Certificates one for email signatures and one for Encryption both are from a certified CA.

You may have two files, but there is only one cert. You need to use the file which also includes the private key and import it into Thunderbird.

Then open the Thunderbird Certificate Manager. At the top right of the Thunderbird window, click the menu button ≡ > Settings > Privacy & Security > Certificates > Manage Certificates

Select the "Your Certificates" tab. Do you see your cert? If yes, select it - View.

The Common Name field should be your email address. Does it match your account email address?

Is the cert (still) valid?

Take a screenshot of the "Public Key Info" and "Miscellaneous" sections, and post it here. https://support.mozilla.org/kb/how-do-i-create-screenshot-my-problem

I have gone trough the Import Certificate and create a backup process to obtain the .p12 format for Thunderbird.

Not sure what you're talking about. How can you backup the cert if you haven't imported it into Thunderbird in the first place? Please explain.

Izmjenjeno od strane christ1

Helpful?

more options

In The Certificate Manager. In the Common Name Field I see "my name:certificate number". I do NOT see my email address, colon, followed by the cert number? The cert is still valid, yes. Public Key & Miscellaneous screenshot attached. We went through the "Import/Back-up certificate" process in Thunderbird when I first set it up. Sorry for the confusion. I believe I performed that step correctly as we did see the .p12 file format..

Helpful?

more options
In The Certificate Manager.

Very funny. Once again: The Certificate Manager has multiple tabs. In which tab do you see your cert?

Do you see your email address anywhere in the cert? If so, which field?

We went through the "Import/Back-up certificate" process in Thunderbird when I first set it up.

Import and Backup are separate buttons in the Certificate Manager. So I still have no idea what you're talking about.

I believe I performed that step correctly as we did see the .p12 file format..

I don't understand what that means. You need to be more specific about what you did do when importing the cert.

The cert should also have a "Extended Key Usages" section. It should look like this: Purposes Client Authentication, E-mail Protection

Does your cert have an "E-mail Protection" purpose listed, or something in that sense?

Izmjenjeno od strane christ1

Helpful?

more options

I see the certs in the "Your Certificates" Tab in the Cert Manager. This same tab is where we did the "Backup" to generate the .p12 file using the buttons at the bottom of that tab. The only place I see my email address is when I "view" the certificate (from the same "Your Certificates" tab, and I see my email under, "Subject Alt Names"..

Helpful?

more options
The only place I see my email address is when I "view" the certificate (from the same "Your Certificates" tab, and I see my email under, "Subject Alt Names"..

Good. Does the email address in the cert match your account email?

Now, go to your account settings: At the top right of the Thunderbird window, click the menu button ≡ > Account Settings > End-To-End Encryption > S/MIME.

Did you select the correct cert for both, signing, and encryption?

Izmjenjeno od strane christ1

Helpful?

more options

I believe I have. There are two certs with the same cert number, but they have two different "serial Numbers". Is it possible that I have the cert for encryption selected for signing and the signing selected for encryption?

Helpful?

more options
There are two certs with the same cert number, but they have two different "serial Numbers".

So you do have two different certs.

Check the serial no. of the cert underneath the "Your Certificates" tab in the Certificate Manager.

Then use this cert for both, signing, and encryption in Account Settings.

Delete the other cert in Certificate Manager.

Helpful?

more options

Get a message now cannot locate cert for encryption...(screenshot attached)..

Helpful?

more options

I assume you are using s/mime encryption based on having certificates from a CA.

Encryption requires both you and the recipient to have encryption certificates. You have yours, but you can not send a message to someone encrypted that they will be able to decrypt until you first exchange a non encrypted email with a digital signature as that digital signature is the public key they will use to decrypt your mail. You probably have a long history of personal certificates for correspondents somewhere that is not going to be present in Thunderbird.

See this old discussion on the use of the windows store. https://support.mozilla.org/en-US/questions/1272378

Have you read the prerequisites support article https://support.mozilla.org/en-US/kb/thunderbird-help-cannot-encrypt

Helpful?

more options

Yes, I am using the s/mime encryption. I will go back and read the information in the supplied links. Thank you to both of you for responding. I will check back in after I do some more homework. It is unclear to me if I have two certs one for Encryption and one for Signatures from the CA. I'm far fram being and expert on this stuff, just simply a user!

Helpful?

more options
It is unclear to me if I have two certs one for Encryption and one for Signatures from the CA.

As stated before, there is only one cert for both. More precisely, the private key is for signing, the cert (which is essentially the public key) is for encryption when sending a message. The file you import into Thunderbird needs to have both, the cert, and the private key. Note, when sending messages to other recipients, you'll also need their cert.

It is not clear to me why you think you do need two certs, and what's in the two files you imported into Thunderbird.

Helpful?

Postavite pitanje

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.