This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Cannot Send Signed Email via CAC Card

  • 8 replies
  • 1 has this problem
  • 1 view
  • Last reply by cpdjh02

more options

I think I’ve followed all the steps to get Thunderbird signing and encrypting emails using my CAC.

I set up my CAC card reader as a security devise and was able to select one of my CAC certificate as the certificate used to sign emails and one to use for encrypting emails. I’m able to successfully read encrypted emails and I can send encrypted emails to folks but I can’t send a signed email. When I try to do so I first get prompted for my CAC pin and then the following error is presented: “Sending of the message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.”

I have all the DOD Certificate Authorities installed and I can see them all in the certificate manager. I set all of the DOD Email CA-## certificate trust settings to have the “This certificate can identify mail users” option checked. I also did the same for the DOD Root Certs.

I’m using Thunderbird 52.6.0 (32-bit) on Windows 7.

Can anyone help me with what I’m doing wrong?

I think I’ve followed all the steps to get Thunderbird signing and encrypting emails using my CAC. I set up my CAC card reader as a security devise and was able to select one of my CAC certificate as the certificate used to sign emails and one to use for encrypting emails. I’m able to successfully read encrypted emails and I can send encrypted emails to folks but I can’t send a signed email. When I try to do so I first get prompted for my CAC pin and then the following error is presented: “Sending of the message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.” I have all the DOD Certificate Authorities installed and I can see them all in the certificate manager. I set all of the DOD Email CA-## certificate trust settings to have the “This certificate can identify mail users” option checked. I also did the same for the DOD Root Certs. I’m using Thunderbird 52.6.0 (32-bit) on Windows 7. Can anyone help me with what I’m doing wrong?
Attached screenshots

All Replies (8)

more options

Are you certain the corresponding private key for the signing cert is on that card?

more options

Yeah, I'm certain. I use the same card to sign emails with outlook and it works.

more options

Did this ever work with Thunderbird before?

Do you need to enable FIPS for your CAC card reader security device? Doesn't have the DOD any instructions or manuals how to set this up properly in Thunderbird?

Since Thunderbird for Windows is 32-bit only, make sure there is no 32-bit / 64-bit mismatch. See https://support.mozilla.org/en-US/questions/752709

Modified by christ1

more options

Thanks for working with me on this christ1. I'm new to Thunderbird and haven't gotten this to work before. I tried going to my security devices and enabling FIPS mode but I still get the same error. "Sending of the message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail"

Since I can send encrypted emails it seems that certs can be pulled from my CAC ok but I'm not sure why the cert it pulls off for signing is not recognized as trusted

more options
more options

I am using the 32 bit version of the .dll. The module loads fine for me and I can use the certs on the CAC card to encrypt email so I don't think that is the issue.

more options
Since I can send encrypted emails it seems that certs can be pulled from my CAC ok but I'm not sure why the cert it pulls off for signing is not recognized as trusted

Encrypting doesn't require access to the private key. Signing does. So I can only guess that there is still some sort of pin or passphrase required to unlock the private key. Using different certs for encryption and signing sounds odd to me, but this may be intentionally.

more options

My CAC has 3 certs on it and when I'm selecting the certificates in the Security settings I'm not getting to choose the cert it only gives me one cert to choose from for the Digital Signing and it only gives me one choice for Encryption, and the certs it choose are different. I'm guessing it uses the 'Certificate Key Usage' certificate field to determine which one to use.

When I try to send a signed email I am getting prompted for the CACs pin, if that helps any.