Closed LecrisUT closed 2 years ago
Usually CA Roots are added to the keychain previously. Currently, chain certificates are already added to the PKCS12 file. However, most of the keychains take only the certificate and private key parts. Adding a certificate as a root requires several user confirmations, since it is a security-critical aspect.
Sorry, but I don't quite follow.

> Usually CA Roots are added to the keychain previously

Indeed, that would be for trusting the certificates signed by the CA Root, but it seems Thunderbird does not look into this when the error occurs.

> Currently, chain certificates are already added to the PKCS12 file

But when I investigate the p12 file, it does not have the proper certificate chain, only the leaf one (appearing twice for some reason).

> However, most of the keychains take only the certificate and private key parts

It seems that Thunderbird imports the full chain, and it is expecting that when it is being used. Indeed, when I check other imported S/MIME certificates, they have the full chain.

> Adding a certificate as a root

This is not related. After adding the chain to the p12 file, everything worked even without adding the root to the trust chain.
I think the main problem is this:
I made some changes in the client and in the server. It should now include the intermediate chain in the P12. I tried with Thunderbird and the intermediate is imported into Trusted Entities.
After several tests, everything seems to be working.
If people are finding issues here, note that:
Using Thunderbird, I get errors that the certificate could not be found or is expired when it is being used to send an email. The import is not affected. Adding the root and/or intermediate certificates has no effect, and reading the signed mail sent from another client works just fine.
The error message:
Maybe this is due to a difference in the certificate format and populated terms.
Update: After looking into the p12, I saw that it does not include the chain of trust, and after adding in the intermediate, Thunderbird was able to correctly use the certificate. Is there any reason for not including the chain in the p12 file?