How do I download and accept an email's untrusted digital signature and certificate?
I have a digitally signed email from the FDA. I need to accept/trust the certificate/digital signature to set up secure communications.
However, I cannot get Thunderbird to show me the digital signature so I can tell it to trust the certificate authority.
Basically, the Thunderbird equivalent of these instructions for Outlook:
Windows 10 + Outlook 2016 client
If you see a yellow triangle with an exclamation mark on the right side:
a. Click on the yellow triangle; a Digital Signature Invalid dialog box will open.
b. Under Trusting the Certificate Authority, click Trust.
c. In the Security Warning dialog box, read the warning and, if you agree, click Yes.
d. Restart Outlook.
Things I have tried (and that do not work):
1) Manage Certificates -> Servers tab -> Add Exception... Because the From address is from the domain fda.hhs.gov, which isn't a thing... Looking at the raw text of the email, nothing jumps out as a domain to add... but I could just be missing it.
2) No separate attachment file found, even though the raw text of the email says there is one...
"Content-Type: application/pkcs7-signature;
name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=smime.p7s"
(this is followed by one of those giant PGP-looking blocks)
Additional information:
The FDA email says, "The certificate for [iRemovedThis]@fda.hhs.gov was used to sign this message.
This certificate can be imported into your email client and used for encrypting messages to [iRemovedThis]@fda.hhs.gov.
Note: The certificate provided is a server S/MIME "Proxy" certificate and does not have direct relationship with the user's personal data."
Thank you in advance!
Exactly what error are you seeing? Who is the certifying authority?
Note that self-signed certificates are not acceptable for S/MIME. That the FDA appears to think they are acceptable really leaves a question as to the competence of their systems people.
They do not use self signed certificates for their web site. But email... any old garbage is good enough apparently.
Thanks for the help!
Regardless of how garbage this self-signed setup is, at the end of the day, I need to use this to encrypt messages I send to the reviewer at the FDA...
The cert's issuer is "secure-server@fda.hhs.gov"... additional information attached as pics.
Part 1 of the problem (I have figured out a work-around, but I still want to know how I should have done it in Thunderbird): How do you pull the .pem certificate from the email in order to import it into the certificate manager?
I finally did it by opening it up through the Gmail client, but how am I supposed to do this with Thunderbird?
Part 2 of the problem: I think now that I've imported the self-signed certificate, I can use it to encrypt emails sent to this person... However, Thunderbird throws an error: "Sending of the message failed. You specified encryption for this message, but the application failed to find an encryption certificate for [email-removed]@fda.hhs.gov."
The certificate is properly showing up for the recipient's email address... Am I missing something? Is there a separate encryption certificate? Or is Thunderbird rejecting it because it is invalid?
If Thunderbird is rejecting it because it is invalid, how do I get it to manually trust/accept this certificate/authority?
Thank you again for your time and help! -Chris
p.s. not sure what 'needs more information' checkbox is for
ckc19 said
p.s. not sure what 'needs more information' checkbox is for
Neither am I.
As far as I know, S/MIME certificates have to be issued by a trusted authority. That is, the root certifying authority has to have its own certificate in the Authorities tab, and from usage there appear to be intermediate certificates issued that "staple" the root and the actual certificate together.
That is why we all just use valid CAs that have been through the audit process and can be trusted (as far as anyone can be trusted).
How you go about getting a CA certificate to the proxy I have no idea. Perhaps ask those that are offering the invalid certificate.
Thanks. Makes sense. FDA says that the certificate can be used to encrypt emails.
As the functional questions posed above remain unanswered, I am moving forwards assuming the following:
(1) Thunderbird does not have functionality to manually accept untrusted certificates.
(2) Untrusted certificates cannot be used to encrypt emails in Thunderbird.
Please correct me if I am wrong.
(Unfortunately, now I have to go install Outlook... *sigh*)
Thanks for your time!
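The two open questions in this thread (pulling the signer certificate out of the smime.p7s part so it can be imported, and getting a self-signed end-entity certificate trusted for encryption) can both be done outside the Thunderbird UI. The script below is an added example, not code from the thread, from Mozilla or from the FDA: it assumes the openssl CLI (1.1.1 or newer, for `req -addext`), and, for the last function only, the NSS `certutil` tool plus the path to a Thunderbird profile directory that you supply. The address proxy@example.invalid, the self-signed "proxy" certificate and the signed message are constructed inside the script as a stand-in for the FDA mail.

```shell
#!/bin/sh
# Added example (not from the thread): extract the signer certificate from an
# S/MIME-signed .eml with openssl, check whether it can be used for encryption,
# and mark it trusted for e-mail in a Thunderbird NSS database with certutil.
set -u

# Extract every certificate carried in the message's smime.p7s part as PEM.
# $1 = signed message (.eml), $2 = output PEM path. Returns 1 if none found.
extract_smime_cert() {
    eml=$1; out=$2
    # -pk7out writes the PKCS#7 SignedData (the smime.p7s attachment) as PEM;
    # pkcs7 -print_certs unpacks the certificates embedded in it.
    openssl smime -pk7out -in "$eml" \
      | openssl pkcs7 -print_certs \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
    [ -s "$out" ]
}

# SHA-256 fingerprint of a PEM certificate. Compare it with a value obtained
# out of band (phone, the sender's web page) before trusting a self-signed cert;
# nothing inside the mail itself proves who made the certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if the certificate is usable to encrypt mail to $2: it must name that
# address in subjectAltName and permit keyEncipherment (RSA key transport), the
# two things an S/MIME client checks before it accepts an encryption cert.
can_encrypt_to() {
    pem=$1; addr=$2
    txt=$(openssl x509 -in "$pem" -noout -text)
    printf '%s\n' "$txt" | grep -q "email:$addr" || return 1
    printf '%s\n' "$txt" | grep -q 'Key Encipherment' || return 1
    return 0
}

# Verify the message signature against an anchor you have decided to trust
# (for a self-signed signer, the extracted certificate itself).
verify_with_anchor() {
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1
}

# Mark a certificate as a trusted peer for e-mail in a Thunderbird profile's
# NSS database (Thunderbird must be closed). $1 = profile directory holding
# cert9.db, $2 = PEM file, $3 = nickname. certutil trust flags are
# "ssl,email,objsign"; ",P," = trusted peer for S/MIME only, nothing else.
trust_in_thunderbird() {
    certutil -d "sql:$1" -A -t ",P," -n "$3" -i "$2"
}

# Constructed sample data: a self-signed "proxy" cert for proxy@example.invalid
# (signing + key encipherment, emailProtection) and a message signed with it.
make_sample() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example SMIME Proxy" \
      -addext "subjectAltName=email:proxy@example.invalid" \
      -addext "keyUsage=digitalSignature,keyEncipherment" \
      -addext "extendedKeyUsage=emailProtection" \
      -keyout "$dir/key.pem" -out "$dir/signer.pem" >/dev/null 2>&1
    printf 'Hello, this body is signed.\n' > "$dir/body.txt"
    # Produces multipart/signed with a base64 smime.p7s part, like the FDA mail.
    openssl smime -sign -in "$dir/body.txt" -signer "$dir/signer.pem" -inkey "$dir/key.pem" \
      -from proxy@example.invalid -to you@example.invalid -subject "signed test" \
      -out "$dir/signed.eml"
}

run_demo() {
    dir=$(mktemp -d)
    make_sample "$dir"
    extract_smime_cert "$dir/signed.eml" "$dir/extracted.pem"
    echo "fingerprint: $(cert_fingerprint "$dir/extracted.pem")"
    if can_encrypt_to "$dir/extracted.pem" proxy@example.invalid; then
        echo "usable as an encryption cert for proxy@example.invalid"
    fi
    verify_with_anchor "$dir/signed.eml" "$dir/extracted.pem" \
      && echo "signature verifies with the extracted cert as anchor"
    rm -rf "$dir"
}

if [ "${SMIME_DEMO:-0}" = 1 ]; then run_demo; fi
```

Run it as `SMIME_DEMO=1 sh smime_extract.sh` to see the demo; for a real message, save it from Thunderbird (File > Save As > File gives the raw .eml) and call `extract_smime_cert real.eml fda.pem`. The resulting PEM is what Certificate Manager > People > Import expects. If `can_encrypt_to` fails on a certificate, no amount of trust will make Thunderbird encrypt with it, which is one way to explain the "failed to find an encryption certificate" error above. The certutil step sets the same e-mail trust bit that the UI only exposes for Authorities; check the fingerprint against something you received out of band first, because a self-signed certificate in a mail is exactly what a spoofed message would contain.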
Following up. Please hold regarding aforementioned discussion.
Outlook is unable to send encrypted emails, even working with the directions in the FDA's guidance documents...
Following up with them further to say, "wtf".
Will update in 24hr