为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

How do I download and accept an email's untrusted digital signature and certificate?

  • 5 个回答
  • 1 人有此问题
  • 16 次查看
  • 最后回复者为 ckc19

more options

I have an digitally signed email from the FDA. I need to accept/trust the certificate/digital signature to set up secure communications.

However, I cannot get thunderbird to show me the digital signature so I can tell it to trust the certificate authority.

Basically, the thunderbird equivalent of these instructions for outlook:


Windows 10 + Outlook 2016 client If you see a yellow triangle with an exclamation mark on the right side: a. Click on the yellow triangle, a Digital Signature Invalid dialog box will open. b. In the Trusting the Certificate Authority, click Trust c. In the Security Warning dialog box, read the warning and if you agree, click Yes d. Restart Outlook.



Things I have tried (and do not work) 1) Manage Certificates -> Servers tab -> add exception.... Because the email address from is from the domain fda.hhs.gov, which isn't a thing.... looking at the raw text of email, nothing jumps out as a domain to add... but I could just be missing it. 2) no separate attachment file found, even though email raw text says there is ... "Content-Type: application/pkcs7-signature;

name=smime.p7s

Content-Transfer-Encoding: base64 Content-Disposition: attachment;

filename=smime.p7s"

(this is followed with one of those giant pgp-looking blocks)


Additional information: FDA email says, "The certificate for [iRemovedThis]@fda.hhs.gov was used to sign this message. This certificate can be imported into your email client and used for encrypting messages to [iRemovedThis]@fda.hhs.gov. Note: The certificate provided is a server S/MIME "Proxy" certificate and does not have direct relationship with the user's personal data."

Thank you in advance!

I have an digitally signed email from the FDA. I need to accept/trust the certificate/digital signature to set up secure communications. However, I cannot get thunderbird to show me the digital signature so I can tell it to trust the certificate authority. Basically, the thunderbird equivalent of these instructions for outlook: ------------------------------------ Windows 10 + Outlook 2016 client If you see a yellow triangle with an exclamation mark on the right side: a. Click on the yellow triangle, a Digital Signature Invalid dialog box will open. b. In the Trusting the Certificate Authority, click Trust c. In the Security Warning dialog box, read the warning and if you agree, click Yes d. Restart Outlook. --------------------------------------------------------------------------- Things I have tried (and do not work) 1) Manage Certificates -> Servers tab -> add exception.... Because the email address from is from the domain fda.hhs.gov, which isn't a thing.... looking at the raw text of email, nothing jumps out as a domain to add... but I could just be missing it. 2) no separate attachment file found, even though email raw text says there is ... "Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7s" (this is followed with one of those giant pgp-looking blocks) Additional information: FDA email says, "The certificate for [iRemovedThis]@fda.hhs.gov was used to sign this message. This certificate can be imported into your email client and used for encrypting messages to [iRemovedThis]@fda.hhs.gov. Note: The certificate provided is a server S/MIME "Proxy" certificate and does not have direct relationship with the user's personal data." Thank you in advance!

所有回复 (5)

more options

Exactly what error are you seeing? Who is the certifying authority.

Note that self signed certificates are not acceptable for S/Mime. That the FDA appears to think they are acceptable really leaves a question as to the competence of their systems people.

They do not use self signed certificates for their web site. But email... any old garbage is good enough apparently.

more options

Thanks for the help!

Regardless of how garbage this self-signed setup is, at the end of the day, I need to use this to encrypt message I send to the reviewer at the FDA...

cert's issuer is "secure-server@fda.hhs.gov"... additional information attached as pics.

Part 1 of the problem (i have figured out a work-around, but I still want to know how I should have done it in thunderbird): How do you pull the .pem certificate from the email in order to import it into the certificate manager?

I finally did it by opening it up through the gmail client, but how am I supposed to do this with thunderbird?

Part 2 of the problem: I think now that I've imported the self-signed certificate, and think I can use it to encrypt emails sent to this person now... However, thunderbird throws an error: "Sending of the message failed. You specified encryption for this message, but the application failed to find an encryption certificate for [email-removed]@fda.hhs.gov."

The certificate is properly showing up for the recipient's email address... Am I missing something? is there a separate encryption certificate? Or is thunderbird rejecting it because it is invalid?

If thunderbird is rejecting it because it is invalid, how do I get it to manually trust/accept this certificate/authority?

Thank you again for your time and help! -Chris

p.s. not sure what 'needs more information' checkbox is for

more options

ckc19 said

p.s. not sure what 'needs more information' checkbox is for

Neither am I.

As far as I know, smime certificates have to be issued by a trusted authority. That is the root certifying authority have to have their own certificate in the Authority tab and from usage there appears to be intermediate certificates issues that "staple the root and the actual certificate together.

That is why we all just use valid CA's that have been through the audit process and can be trusted. (as far as anyone can be trusted)

How you go about getting a CA certificate to the proxy I have no idea. Perhaps ask those that are offering the invalid certificate.

more options

Thanks. Makes sense. FDA says that the certificate can be used to encrypt emails.

As the functional questions posed above remain unanswered, I am moving forwards assuming the following:

(1)Thunderbird does not have functionality to manually accept untrusted certificates. (2) Untrusted certificates cannot be used to encrypt emails in Thunderbird.

Please correct if I am wrong.

(Unfortunately, Now I have to go install outlook... *sigh*)

Thanks for your time!

more options

Following up. Please hold regarding aforementioned discussion.

Outlook is unable to send encrypted emails, even working with directions in FDA's guidance documents...

Following up with them further to say, "wtf"

Will update in 24hr