How to force Thunderbird to accept a certificate, or admit a new certificate authority when it doesn't accept the authority as valid?
I get the following message when I check the sender's signature:
"This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved."
So, after converting the .crt to a .cer file, and trying to import it into the Authorities list - I get the following message: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." I converted it by saving it in the alternative formats but it won't accept the certificate authority. I don't understand why Thunderbird won't let me accept the risk. Can I do this without getting the sender's server address and port? Thanks!
All Replies (9)
I can't get Thunderbird to accept your certificate
What certificate exactly are you talking about?
or accept APL as a valid certificate authority.
I have no idea what 'APL' stands for. In any case, you can import CA certificates into the Thunderbird certificate store.
it won't even let me try to send encrypted to you
Who is 'you'? What are you trying to achieve in the first place?
I copied too much of a conversation into the question. Sorry I can't edit the question.
Please start reading the question at "I get the following message when I check the senders signature:"
You'll need to import the cert of the CA which issued the cert you want to verify into the Thunderbird certificate store. Thunderbird needs to verify the entire certificate chain up to the root CA. So you may even need to import other certs from intermediate CAs in case these do not yet exist in the Thunderbird certificate store. You can determine the entire certificate chain by inspecting the cert you received from the sender of the message.
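An added example (not part of the thread and not Thunderbird's own code) that uses the openssl CLI to show the two checks the reply above turns on: whether a certificate carries the basicConstraints CA flag that makes it a CA certificate, and whether a signer's certificate verifies only once its issuer is trusted. Every certificate, name and path in it is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: all certificates below are throw-away, constructed test certs.
work=$(mktemp -d)
cat > "$work/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
EOF
# Constructed root CA, standing in for the issuer certificate you must obtain.
openssl req -x509 -config "$work/cfg" -extensions ca_ext -newkey rsa:2048 -nodes \
  -days 2 -subj "/CN=Constructed Root CA" \
  -keyout "$work/root.key" -out "$work/root.crt" 2>/dev/null
# Constructed sender (end-entity) certificate issued by that root.
openssl req -new -config "$work/cfg" -newkey rsa:2048 -nodes \
  -subj "/CN=Constructed Sender" -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -CA "$work/root.crt" -CAkey "$work/root.key" \
  -CAcreateserial -days 2 -extfile "$work/cfg" -extensions leaf_ext \
  -out "$work/leaf.crt" 2>/dev/null

# True when basicConstraints marks the certificate as a CA.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# True when subject and issuer names match, i.e. no separate issuer exists.
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}
# Verify cert $1 against only the trust anchors in file $2 (none if $2 is empty).
chain_ok() {
  if [ -n "$2" ]; then
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CApath -no-CAfile "$1" >/dev/null 2>&1
  fi
}

for c in leaf root; do
  is_ca "$work/$c.crt" && echo "$c: CA certificate" || echo "$c: not a CA certificate"
done
chain_ok "$work/leaf.crt" "" && echo "leaf verifies without root" || echo "leaf fails without root"
chain_ok "$work/leaf.crt" "$work/root.crt" && echo "leaf verifies with root" || echo "leaf fails with root"
```

To inspect a real certificate the same way, save it in PEM form and pass its path to `is_ca` and `is_self_issued`; the issuer name is printed by `openssl x509 -in FILE -noout -issuer`.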
Thanks - that explains a lot. When I look at the hierarchy of the certificate, there is only one name on it, that of my sender. I tried it as a self-signed certificate too, that is also a no-go. What I get from what you are saying is that unless I can get a certificate from that client that is recognized as valid, or from a valid CA, then it won't work. Should I even bother with trying to get the server id?
I'm not sure what you mean with 'server id'. As said before, you'd need to import the cert of the CA which issued the cert you received from the sender who signed the message.
I meant that there's an option to add an exception to the server list so it would allow encryption to/from that server. Would that work? Thanks again!
That's an entirely different story and has got nothing to do with a signed message you received.
With regard to creating an exception, there shouldn't be a need to create an exception in the first place. If you're prompted to create an exception, ultimately something went wrong. In that case you should investigate what the problem is, and not just foolishly create an exception. In the worst case you may be connected to a malicious server and putting yourself at risk.
Chosen Solution
Ok. Roger all. Will try to get a different certificate from the sender. Thanks very much!
Problem was fixed when sender's IT dept sent me the root certificate & I imported it into Authorities. Thanks for your help in isolating the problem.