This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Smart card certificate for S/MIME signatures

  • 4 tontu
  • 1 am na jafe-jafe bii
  • 13 views
  • i mujjee tontu mooy Ale

more options

European governments issue eID cards which can be used for authentication and signing. I have a PKCS#11 shared object which works as middleware under Firefox to authenticate to some web sites. Thunderbird supports a similar interface to load a shared object (a.k.a. dll). After loading it, I can log in.

When I go to Manage S/MIME Certificate"" I see the corresponding certificate. I can view it. If I try to backup it I get Failed to create the PKCS #12 backup file for unknown reasons. TB asks for a new password. The s.o. logs something about unsupported function C_UnwrapKey(). I can investigate further, but this is not important.

The important thing is when I hit Select... for Personal certificate for digital signing. I immediately get Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages with an address of <MY@ADDR.ESS>. In this case, the s.o. log shows no error.

My address is not written in the certificate, which probably means I cannot use it to get encrypted messages. Indeed, the certificate says:

   Key Usage: Digital Signature.
   Extended Key Usage: Client Authentication.

Encryption is not mentioned. And the gov. application allows to sign or verify pdf and other files, not to encrypt or decrypt them.

I think signing the message body with S/MIME should be possible. Is it? If not, how can I determine whether the bug is in Thunderbird or in the shared object?

European governments issue eID cards which can be used for authentication and signing. I have a PKCS#11 shared object which works as middleware under Firefox to authenticate to some web sites. Thunderbird supports a similar interface to load a shared object (a.k.a. dll). After loading it, I can log in. When I go to ''Manage S/MIME Certificate"" I see the corresponding certificate. I can view it. If I try to backup it I get ''Failed to create the PKCS #12 backup file for unknown reasons.'' TB asks for a new password. The s.o. logs something about unsupported function C_UnwrapKey(). I can investigate further, but this is not important. The important thing is when I hit ''Select...'' for Personal certificate for digital signing. I immediately get ''Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages with an address of <MY@ADDR.ESS>.'' In this case, the s.o. log shows no error. My address is not written in the certificate, which probably means I cannot use it to get encrypted messages. Indeed, the certificate says: Key Usage: Digital Signature. Extended Key Usage: Client Authentication. Encryption is not mentioned. And the gov. application allows to sign or verify pdf and other files, not to encrypt or decrypt them. I think signing the message body with S/MIME should be possible. Is it? If not, how can I determine whether the bug is in Thunderbird or in the shared object?

All Replies (4)

more options

Did you set up the cert for signing in your Account Settings - End-To-End Encryption for the desired account?

more options

No. As I said, when I hit Select... for Personal certificate for digital signing. I immediately get Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages with an address of <MY@ADDR.ESS>.

more options

I am no expert, but I do use free Actalis certificates and observe the following when looking at mine for examples.

Your key usage would need to explicitly state it is for Digital Signatures if it was to sign emails. As well as have extended key usages of Client Authentication, E-mail Protection. As s/mime uses the same digital certificate to encrypt as it does to sign, I can not see it working as a signature if it is not valid for e-mail protection. The certificate is also issued for a specific email address. The Common name is the email address. You say yours does not have that.

more options

The certificate is issued by the Italian Ministry of Interior. The email address is not part of the basic personal data. Although data group 22 of the card spec (BSI TR-03110) provides for a probably empty email address field, the certificate does not mention it. Is it needed?

I never used S/MIME, but AFAIK, unlike GPG, it is keyed on CAs rather than email addresses. In this respect, I didn't find the Italian Country Signing Certification Authority (CSCA) among the Authorities that TB's Certificate Manager lists. However, that should prevent verifying, not signing.