polhenarejos / acme_email

ACME Email Client for EmailReply-00 Challenge
https://acme.castle.cloud
GNU General Public License v3.0

Thunderbird does not recognize the certificate #10

Closed LecrisUT closed 2 years ago

LecrisUT commented 2 years ago

Using Thunderbird, I get errors that the certificate could not be found or is expired when it is being used to send an email. The import is not affected. Adding the root and/or intermediate certificates has no effect, and reading the signed mail sent from another client works just fine.

The error message: [screenshot: Screen Shot 2021-10-29 at 14 12 10]

Maybe this is due to a difference in the certificate format and populated terms.

Update: After looking into the p12, I saw that it does not include the chain of trust, and after adding in the intermediate, Thunderbird was able to correctly use the certificate. Is there any reason for not including the chain in the p12 file?

polhenarejos commented 2 years ago

Usually the CA root is added to the keychain beforehand. Currently, chain certificates are already added to the PKCS12 file. However, most keychains take only the certificate and private key parts. Adding a certificate as a root requires several user confirmations, since it is a security-critical aspect.

LecrisUT commented 2 years ago

Sorry, but I don't quite follow.

> Usually the CA root is added to the keychain beforehand

Indeed, that would be for trusting the certificates signed from the CA Root, but it seems Thunderbird does not look into this when the error occurs.

> Currently, chain certificates are already added to the PKCS12 file

But when I investigate the p12 file, it does not have the proper certificate chain, only the leaf one (appearing twice for some reason).

For example:

```
$ openssl pkcs12 -info -in 0001_cert-certbot.pfx
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 20000
Certificate bag
Bag Attributes
    localKeyID: 82 20 38 68 75 83 2C 97 4E CB ED 26 A1 4B 84 68 19 E4 5A 37
    friendlyName: lecris.phy@gmail.com
subject=CN = lecris.phy@gmail.com
issuer=C = ES, O = CASTLE Platform, CN = IRE1
-----BEGIN CERTIFICATE-----
MIIEjTCCA3WgAwIBAgIQXNhb8iA/gPeKWnMZV3bOljANBgkqhkiG9w0BAQsFADA2
MQswCQYDVQQGEwJFUzEYMBYGA1UECgwPQ0FTVExFIFBsYXRmb3JtMQ0wCwYDVQQD
DARJUkUxMB4XDTIxMTAyOTAzNDUxNFoXDTIyMDQyNzAzNDUxNFowHzEdMBsGA1UE
AwwUbGVjcmlzLnBoeUBnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDCWxfZBJNtUTR39Gd+PyFeoiVKOncl9m+r6k5ZPiuSXQsMx24XnW7j
pKbWYwnWOlSBQqAjf8iwNPd/0d2UmDMf/AHV6NH2FnLVD5rimTlCBpIxsvqS0A4t
gfp2IkTvVn9S6rVV61vtXfx4YRcrLgysjUWp3JN13LXP6iosotkAJpH1w95oxMtj
TbOiw7DlTfC7QOivLRnxS+JFL6PHeeSa7LRMwAUK8krS4zNbbAk/isIClM1G68w4
5xk0vkjY61CmWACq7M/5kxBfRUAuPi8ZNQw0EfoLaQu6hWIoZXoTrsFl9nQb4o+H
qBqbx+7sDaj4yOiF6Zdo6ry3dOsLhryDAgMBAAGjggGsMIIBqDAMBgNVHRMBAf8E
AjAAMA4GA1UdDwEB/wQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDBDAdBgNVHQ4E
FgQUW+JrjkHNHPC5xoF2vQVaEZXGfqYwHwYDVR0jBBgwFoAUu+sWlFoHPOKbeY0S
/VE2oZpsBUAwOwYDVR0SBDQwMoYXaHR0cDovL2NhLmNhc3RsZS5jbG91ZC+BF2Nl
cnRtYXN0ZXJAY2FzdGxlLmNsb3VkMEgGCCsGAQUFBwEBBDwwOjA4BggrBgEFBQcw
AoYsaHR0cDovL2NhLmNhc3RsZS5jbG91ZC9jZXJ0cy9DQVNUTEVfSVJFMS5jcnQw
OwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NhLmNhc3RsZS5jbG91ZC9jcmwvQ0FT
VExFX0lSRTEuY3JsMBEGCWCGSAGG+EIBAQQEAwIFIDA7BglghkgBhvhCAQ0ELhYs
Q0FTVExFIElSRTEgUlIxIEdlbmVyYXRlZCBTL01JTUUgQ2VydGlmaWNhdGUwHwYD
VR0RBBgwFoEUbGVjcmlzLnBoeUBnbWFpbC5jb20wDQYJKoZIhvcNAQELBQADggEB
AI0BTGh76m/DVMlQwGJACbAtmpiuft+2MZ976irsRM7C41tUypc5i1IEEMAGU1js
yxqP6T6WL2wuo7GKe9lJZMLZr2dDCKrjVslPoBHn6miP+tAS+ktlMXgxMVZkwxfa
Wvx0NZ+JiOi3QW0jtLSpuiCPf1kkMh1R/4or0Bhx85c57XAVERDhvBcJXKjV7NKh
D8O1MEdnzmCv3AVZTg5ja/RLya73/oPTfELF8J4Up2YediJj5WKldHbUsbH+O4LO
tRdYxZpTqyC69DWdWVJJu2lCqmmPZMOskpQosD4a6OQswD7I48cvTGzOZGt+Z4G2
JDscfOt6z8g+crVALZEkEbI=
-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
subject=CN = lecris.phy@gmail.com
issuer=C = ES, O = CASTLE Platform, CN = IRE1
-----BEGIN CERTIFICATE-----
MIIEjTCCA3WgAwIBAgIQXNhb8iA/gPeKWnMZV3bOljANBgkqhkiG9w0BAQsFADA2
MQswCQYDVQQGEwJFUzEYMBYGA1UECgwPQ0FTVExFIFBsYXRmb3JtMQ0wCwYDVQQD
DARJUkUxMB4XDTIxMTAyOTAzNDUxNFoXDTIyMDQyNzAzNDUxNFowHzEdMBsGA1UE
AwwUbGVjcmlzLnBoeUBnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDCWxfZBJNtUTR39Gd+PyFeoiVKOncl9m+r6k5ZPiuSXQsMx24XnW7j
pKbWYwnWOlSBQqAjf8iwNPd/0d2UmDMf/AHV6NH2FnLVD5rimTlCBpIxsvqS0A4t
gfp2IkTvVn9S6rVV61vtXfx4YRcrLgysjUWp3JN13LXP6iosotkAJpH1w95oxMtj
TbOiw7DlTfC7QOivLRnxS+JFL6PHeeSa7LRMwAUK8krS4zNbbAk/isIClM1G68w4
5xk0vkjY61CmWACq7M/5kxBfRUAuPi8ZNQw0EfoLaQu6hWIoZXoTrsFl9nQb4o+H
qBqbx+7sDaj4yOiF6Zdo6ry3dOsLhryDAgMBAAGjggGsMIIBqDAMBgNVHRMBAf8E
AjAAMA4GA1UdDwEB/wQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDBDAdBgNVHQ4E
FgQUW+JrjkHNHPC5xoF2vQVaEZXGfqYwHwYDVR0jBBgwFoAUu+sWlFoHPOKbeY0S
/VE2oZpsBUAwOwYDVR0SBDQwMoYXaHR0cDovL2NhLmNhc3RsZS5jbG91ZC+BF2Nl
cnRtYXN0ZXJAY2FzdGxlLmNsb3VkMEgGCCsGAQUFBwEBBDwwOjA4BggrBgEFBQcw
AoYsaHR0cDovL2NhLmNhc3RsZS5jbG91ZC9jZXJ0cy9DQVNUTEVfSVJFMS5jcnQw
OwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NhLmNhc3RsZS5jbG91ZC9jcmwvQ0FT
VExFX0lSRTEuY3JsMBEGCWCGSAGG+EIBAQQEAwIFIDA7BglghkgBhvhCAQ0ELhYs
Q0FTVExFIElSRTEgUlIxIEdlbmVyYXRlZCBTL01JTUUgQ2VydGlmaWNhdGUwHwYD
VR0RBBgwFoEUbGVjcmlzLnBoeUBnbWFpbC5jb20wDQYJKoZIhvcNAQELBQADggEB
AI0BTGh76m/DVMlQwGJACbAtmpiuft+2MZ976irsRM7C41tUypc5i1IEEMAGU1js
yxqP6T6WL2wuo7GKe9lJZMLZr2dDCKrjVslPoBHn6miP+tAS+ktlMXgxMVZkwxfa
Wvx0NZ+JiOi3QW0jtLSpuiCPf1kkMh1R/4or0Bhx85c57XAVERDhvBcJXKjV7NKh
D8O1MEdnzmCv3AVZTg5ja/RLya73/oPTfELF8J4Up2YediJj5WKldHbUsbH+O4LO
tRdYxZpTqyC69DWdWVJJu2lCqmmPZMOskpQosD4a6OQswD7I48cvTGzOZGt+Z4G2
JDscfOt6z8g+crVALZEkEbI=
-----END CERTIFICATE-----
```

> However, most keychains take only the certificate and private key parts

It seems that Thunderbird imports the full chain, and it expects that chain to be present when the certificate is used. Indeed, when I check other imported S/MIME certificates, they have the full chain.

> Adding a certificate as a root

This is not related. After adding the chain to the p12 file, everything worked even without adding the root to the trust chain.

I think the main problem is this:

polhenarejos commented 2 years ago

I made some changes in the client and in the server. It should now include the intermediate chain in the P12. I tried with Thunderbird and the intermediate is imported into Trusted Entities.
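To confirm that a generated .p12 now carries the intermediate (and to spot the leaf-only file from the dump above), here is an added POSIX shell check built on the openssl CLI; it is example code for this thread, not code from acme_email or either commenter. The Root -> IRE1 -> user@example.com hierarchy it builds for the demo is constructed, and the test is name-based (is the leaf's issuer bundled?), not a signature verification.

```sh
#!/bin/sh
# Added example, not acme_email code: does a PKCS#12 bundle the issuer of its
# own leaf certificate? Needs only the openssl CLI (1.1.1 or 3.x).
set -eu

# Split a PEM bundle on stdin into $1-1.pem, $1-2.pem, ... (POSIX awk).
split_pem() {
  awk -v p="$1" '/-----BEGIN CERT/ { n++; f = p "-" n ".pem" }
                 f { print > f }  /-----END CERT/ { close(f); f = "" }'
}

# name FILE subject|issuer -> RFC 2253 distinguished name without the prefix.
name() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"; }

# p12_chain_complete FILE PASSWORD: prints the leaf's subject and issuer; returns
# 0 if the issuer is bundled, 1 if only the leaf is present (the defect reported
# above), 2 if no certificate matches the private key.
p12_chain_complete() {
  d=$(mktemp -d); : > "$d/subjects"; leaf=""
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | split_pem "$d/c"
  # The leaf is the cert whose public key matches the bundled private key, so a
  # duplicate copy of the leaf (as in the dump above) is never counted as issuer.
  keypub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
           openssl pkey -pubout 2>/dev/null)
  for c in "$d"/c-*.pem; do
    if [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$keypub" ]; then leaf=$c
    else name "$c" subject >> "$d/subjects"; fi
  done
  [ -n "$leaf" ] || { rm -rf "$d"; return 2; }
  issuer=$(name "$leaf" issuer)
  echo "leaf: $(name "$leaf" subject) issuer: $issuer"
  rc=1; grep -qFx -- "$issuer" "$d/subjects" && rc=0
  rm -rf "$d"; return $rc
}

# make_demo_p12s DIR: constructed Root -> IRE1 -> user hierarchy (names invented
# for this example) and two P12 files, one without and one with the intermediate.
make_demo_p12s() (
  cd "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Root -days 30 -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=IRE1 -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 1 -days 30 -out int.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=user@example.com -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 2 -days 30 -out leaf.pem 2>/dev/null
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -passout pass:secret -out leaf_only.p12
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile int.pem -passout pass:secret -out with_chain.p12
)

D=$(mktemp -d); make_demo_p12s "$D"
for f in leaf_only with_chain; do
  p12_chain_complete "$D/$f.p12" secret && echo "$f.p12: chain complete" || echo "$f.p12: chain incomplete"
done
```

Run against a real export with `p12_chain_complete 0001_cert-certbot.pfx "$PASSWORD"`; a return code of 1 is the leaf-only condition that Thunderbird rejects at signing time.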

LecrisUT commented 2 years ago

After several tests, everything seems to be working.

If people are finding issues here, note that: