How do I use Thunderbird's inbuilt encryption?
May 1, 2005 7:45 AM   Subscribe

So I've gone to and got myself a Freemail certificate and imported it into Thunderbird, and my friend is about to do the same thing, and we want to exchange encrypted mails. What do we actually DO with our shiny new certificates?

When I ask our Google overlords about Thunderbird and mail encryption, everybody wants to tell me about installing WinPT and using Enigmail and GPG. But Thunderbird apparently has native encryption based on certificates, and having gone to the trouble of spending half an hour extracting one from Thawte I'd kind of like to use it.

When I try to encrypt a mail to my friend, Thunderbird apparently wants HIS certificate. Which is fair enough, I guess, if certificates contain public keys.

So: where are the private keys kept? Can I freely hand my new certificate around to all my friends and have them install it in their Thunderbirds? If not, how do I actually go about giving out my public key? Where IS the M I'm supposed to be RTFing?
posted by flabdablet to Computers & Internet (11 answers total) 2 users marked this as a favorite
The Thawte certificate, IIRC, is an S/MIME cert. From the Thunderbird FAQ:

To use S/MIME, open Mail/News and go to Edit | Mail & Newsgroup Account Settings | account name | Security. You can set which certificates to use with each account for digital signing and/or encryption.

I don't believe you need to send an S/MIME certificate to others as a public key as long as the others' mail program trusts the authority of the certificate vendor; once yours is in your store, I'd imagine that it's all you'd need.
posted by eschatfische at 10:39 AM on May 1, 2005

Oops, that's for signing, not encryption -- you do need the recipient's public key for encryption. If you have the other person set up signing (as above), then send you an unencrypted signed message, the signature in the message should contain the needed public portion of the cert. I'll download Thunderbird and take a look at the specifics.
posted by eschatfische at 10:52 AM on May 1, 2005

OK, downloaded Thunderbird. My original message, about installing in the Account Settings, is still valid, but there's more to do, here. The "missing" step is to export a public version of your certificate for your friend to install (and for your friend to do the same for you.)

Strangely, it doesn't look like this type of export is possible in Firefox or Thunderbird themselves -- it looks like the current versions will just export the entire certificate as a .p12 file, which isn't what you want.

In Windows XP, go into IE, select Tools -> Options -> Content -> Certificates, select the cert with the correct E-mail address, click on Export, select "do not export the private key," select a DER-encoded binary X.509 (.cer) or the .p7b and then select a filename. (As above, .cer worked fine for me with Thunderbird.) If the certificate isn't in IE, go into Firefox, click on Tools -> Options -> Advanced -> Security -> Manage Certificates, click on the name of your certificate, back it up as a .p12 file to your desktop, then double-click on that .p12 file to import it into the Windows store (select the defaults).

On the Mac, if you have a .p12 certificate on your desktop, double-click on it, go to Certificates, select your E-mail address, and then click on File -> Export. You can export a public key as a .p7b or .cer here; .cer worked for me just fine importing into Thunderbird. If you don't have a .p12 file on your Mac, in Firefox, go into Preferences -> Advanced -> Security -> Certificates -> Manage Certificates, click on your certificate, select backup, and choose a location to save the .p12 file.

On Linux, you'll need to use command-line based tools like openssl; I've manipulated certs in openssl before, but it was a while back. Let me know if this is the case and I'll dig for info on the specifics.

Finally, send the .cer or .p7b file off to the person you want to share encrypted E-mail with, and have them do the same.

You can import someone else's .p7b or .cer in Thunderbird fairly easily; go into Edit -> Mail & Newsgroup Account Settings -> account name -> Security. Click on Manage Certificates, click on Other People's, click on Import, and then select the public cert you made in the last paragraph. You should then be ready to go using T-Bird's built in encryption options.

Hope this helps! I know I've just learned something! ;)
posted by eschatfische at 11:53 AM on May 1, 2005

and then select the public cert you made in the last paragraph

Er, that should be "select the public cert they made."
posted by eschatfische at 12:25 PM on May 1, 2005

In my opinion, you would be better off with GPG—more people use it, and the web of trust is more useful to me than a Freemail cert. I know that doesn't answer your question, but it's already been answered.
posted by grouse at 2:15 PM on May 1, 2005

Response by poster: eschatfische: I'd got as far as exporting and importing the .p12 - that's how I got the damn thing from Firefox into Thunderbird in the first place - but had no clue where to find the Windows cert store and public-key-only export. Thanks!

By the way, in what semi-obvious place is this stuff all documented?

grouse: I fully intend to investigate the whole Enigmail/GPG thing at some point, but given that Thunderbird has all this certificate-based stuff built in I wanted to try it first - mainly in the naive belief that it would end up being easier for Aunt Tillie to cope with. But it's starting to look as if that's not actually the case.

I am truly amazed it's still this hard.
posted by flabdablet at 8:31 PM on May 1, 2005

By the way, in what semi-obvious place is this stuff all documented?

I honestly don't think it is, at least not in regards to specifically Thunderbird and the Thawte certs. I'm kind of amazed by the lack of procedural instructions as well.
posted by eschatfische at 9:29 PM on May 1, 2005

Response by poster: I just got another certificate for my other mail account and sent a signed message to myself with Thunderbird. When I click the little scribbly-pen thing that TB uses to mark the incoming message as signed, I get the opportunity to view the certificate included in the signature, and one of its fields is clearly the sender's public key.

Surely there must be some easy way I can import a certificate embodied in the signature on an incoming mail to let me do an encrypted reply without needing to jump through all those Tillie-proof .p12-to-.cer hoops.

Surely there must exist, somewhere, a clear Howto that takes me step-by-step through the simplest processes necessary to exchange encrypted mails with another Thunderbird user.
posted by flabdablet at 9:29 PM on May 1, 2005

Best answer: Ok - just to add a final last drop to the answers!
(I work for a big commercial CA)

Once you have a signature, the most you can do is sign messages. This means the message is plaintext, but it can be guaranteed to be from where it claims to be.

Now, in order to send encrypted emails, you both need a certificate. You have to have exchanged at least ONE signed message each, so that you have the intended recipients public key.
You can use this to send encrypted mails to that person.

NOTE: You must have a cert yourself to send encrypted emails, as the message is encrypted with your key too, so you can see it in the 'Sent' folder ;)

Oh, and I'll try to do a guide sometime.....
posted by nafrance at 3:27 PM on May 2, 2005

Response by poster: OK, I've sorted this out now. The procedure (assuming Alice and Bob both have Thunderbird) is:

1. Alice and Bob each pay a visit to, get themselves a certificate and install it into Thunderbird.

2. Alice sends Bob a signed, but not encrypted, email. On receipt, Bob's Thunderbird automatically installs Alice's public key under "Other people's" in the Certificate manager; Bob doesn't have to do anything to make this happen.

3. Bob can now send encrypted emails to Alice.

This is really easy, and really should be documented somewhere obvious.
posted by flabdablet at 2:54 PM on May 3, 2005

« Older What is the minimum number of states in a...   |   Where do you get your stats from on the web? Newer »
This thread is closed to new comments.