
How to force Thunderbird to accept a certificate, or admit a new certificate authority when it doesn't accept the authority as valid?

  • 9 replies
  • 3 have this problem
  • 1 view
  • Last reply by redhead3638

I get the following message when I check the sender's signature:

"This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved."

So, after converting the .crt to a .cer file, and trying to import it into the Authorities list - I get the following message: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." I converted it by saving it in the alternative formats but it won't accept the certificate authority. I don't understand why Thunderbird won't let me accept the risk. Can I do this without getting the sender's server address and port? Thanks!

Modified by redhead3638

All Replies (9)

I can't get Thunderbird to accept your certificate

What certificate exactly are you talking about?

or accept APL as a valid certificate authority.

I have no idea what 'APL' stands for. In any case, you can import CA certificates into the Thunderbird certificate store.

it won't even let me try to send encrypted to you

Who is 'you'? What are you trying to achieve in the first place?

more options

I copied too much of a conversation into the question. Sorry I can't edit the question.

Please start reading the question at "I get the following message when I check the senders signature:"

more options

You'll need to import the cert of the CA which issued the cert you want to verify into the Thunderbird certificate store. Thunderbird needs to verify the entire certificate chain up to the root CA. So you may even need to import other certs from intermediate CAs in case these do not yet exist in the Thunderbird certificate store. You can determine the entire certificate chain by inspecting the cert you received from the sender of the message.

more options

Thanks - that explains a lot. When I look at the hierarchy of the certificate, there is only one name on it, that of my sender. I tried it as a self-signed certificate too, that is also a no-go. What I get from what you are saying is that unless I can get a certificate from that client that is recognized as valid, or from a valid CA, then it won't work. Should I even bother with trying to get the server id?

more options

I'm not sure what you mean with 'server id'. As said before, you'd need to import the cert of the CA which issued the cert you received from the sender who signed the message.

more options

I meant that there's an option to add an exception to the server list so it would allow encryption to/from that server. Would that work? Thanks again!

more options

That's an entirely different story and has got nothing to do with a signed message you received.

Wrt creating an exception, there shouldn't be a need to create an exception in the first place. If you're prompted to create an exception, ultimately something went wrong. In that case you should investigate what the problem is, and not just foolishly create an exception. In the worst case you may be connected to a malicious server and putting yourself at risk.

more options

Chosen Solution

OK. Roger all. Will try to get a different certificate from the sender. Thanks very much!

Modified by redhead3638

more options

Problem was fixed when the sender's IT dept sent me the root certificate & I imported it into authorities. Thanks for your help in isolating the problem.
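
The chain check that resolved this thread, reproduced with the `openssl` command line as an added example (not code from the thread or from Thunderbird). A constructed root CA and sender certificate show why an end-entity certificate is refused as an authority (its basicConstraints is CA:FALSE) and why the sender's certificate only verifies once the issuing root is a trust anchor. All names, subjects and files are constructed, and OpenSSL's verifier stands in for the mail client's.

```shell
#!/bin/sh
# Added example: every name, subject and file here is constructed for the demo.
set -u
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# Throwaway root CA plus a sender (end-entity) S/MIME certificate issued by it.
make_sample_pki() {
  cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=emailProtection\n' \
    > "$work/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$work/ca.cnf" \
    -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
    -subj "/CN=sender@example.org" -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
    -CAcreateserial -days 2 -extfile "$work/leaf.ext" -out "$work/leaf.pem" 2>/dev/null
}

# basicConstraints CA:TRUE is what marks a certificate as a CA certificate.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# subject == issuer: self-issued, so there is no separate CA cert behind it.
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" ]
}

# chain_ok TRUST_ANCHORS CERT: does CERT chain to an anchor for S/MIME signing?
chain_ok() { openssl verify -purpose smimesign -CAfile "$1" "$2" >/dev/null 2>&1; }

make_sample_pki
for c in root leaf; do
  if is_ca "$work/$c.pem"; then echo "$c.pem: CA certificate"
  else echo "$c.pem: end-entity certificate, not a CA"; fi
done
chain_ok "$work/leaf.pem" "$work/leaf.pem" || echo "leaf as its own anchor: not verified"
chain_ok "$work/root.pem" "$work/leaf.pem" && echo "issuing root as anchor: verified"
```

On a real message, run the same three checks against the certificate exported from the signature; if `is_self_issued` fails and `is_ca` fails, the issuer's certificate is the one to request from the sender.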