OpenSSL self-signed certificates & Thunderbird again

David von Oheimb informed me that my instructions OpenSSL self-signed certificates & Thunderbird from 2014 don’t work anymore. The main cause seems to be that Thunderbird now requires that the personal certificate (e.g. for the email address) and the issuer’s certificate (e.g. the CA’s certificate) are different.¹ ² ³ So, we need at least 2 certificates whereas in my old instructions we generated only 1 which was used for both purposes.

Unfortunately, this requirement complicates things quite a bit (see below). If possible, please review and support the respective bug reports:

202329 - Ability to create self-signed user certificates reported 2003!
1523130 - (Re-)enable support for self-signed X.509 S/MIME end entity certificates reported 2019-01-26 by David

Instructions

Here’s a rough sketch of instructions for generating a CA & a personal certificate by means of OpenSSL command line tools (tested on Debian 9 + Ubuntu 18.04). These instructions assume that there is a reasonable default config file available (used here mainly for the CA parts). In case of Debian + Ubuntu this file is /usr/lib/ssl/openssl.cnf.

# basic example data for our certificates (including the CA cert)
name="Some One"
email="someone@example.net"
days=1827 # validity of the certs, 5 years = 1827 days (roughly;)
cc="AT"
state="Vienna"
city="Vienna"
organization="example.net"
org_unit=""

# build string for openssl `-subj` parameter
subj="/C=$cc/ST=$state/L=$city/O=$organization"
test -n "$org_unit" && subj="$subj/OU=$org_unit"
subj="$subj/CN=$name/emailAddress=$email"

# a directory to work in
mkdir selfsigned-certs
cd selfsigned-certs

# a privacy minimum
umask 0077

# set up directories as specified in /usr/lib/ssl/openssl.cnf which is
# the sample/default config file that we are going to use
cadir="demoCA"
mkdir -p "$cadir"/private "$cadir"/newcerts
echo "1337" >"$cadir"/serial
touch "$cadir"/index.txt
echo "unique_subject = no" >"$cadir"/index.txt.attr
cakey="$cadir/private/cakey.pem"
cacrt="$cadir/cacert.pem"

# generate key + certificate for the CA
openssl genrsa -aes128 -out "$cakey" 4096
# about -aes128 cf. https://security.stackexchange.com/q/14068
openssl req -new -key "$cakey" -x509 -out "$cacrt" -days $days -subj "$subj"

# x509v3 certificate extensions as common these days
exts="basicConstraints = CA:false"
exts="$exts \n extendedKeyUsage = emailProtection"
exts="$exts \n subjectKeyIdentifier = hash"
exts="$exts \n authorityKeyIdentifier = keyid,issuer"

# generate key, certificate + PKCS#12 export for the email address
openssl req -new -newkey rsa:2048 -keyout $email.key \
  -out $email.req -subj "$subj"
openssl ca -out $email.crt -days $days -in $email.req -extfile <(printf "$exts")
openssl pkcs12 -export -in $email.crt -inkey $email.key -out $email.p12
rm $email.req

At this point we have a CA certificate in $cacrt (i.e. cacert.pem) and a personal certificate for Thunderbird in $email.p12 (which includes the key, BTW). Hence, we can essentially proceed as outlined in my old posting:

First, import cacert.pem as “Certificate Authority” and set “Trust this CA to identify email users.” This certificate should show up under the name provided above as $organization.

Then, import $email.p12 on the “Your Certificates” tab, and enable it in account settings.

To allow other people to trust your certificate send them a message with a copy of cacert.pem attached. In Thunderbird, clicking on the attachment will add it as “Certificate Authority”. Remind your correspondents to set “Trust this CA to identify email users.”

For precautions see my my old posting.

Comments

Ron Summers 2019-02-27 22:14

I found your blog posting very helpful. A minor correction: The line

echo "668" >"$cadir"/serial

should be

echo "0668">"$cadir"/serial

Otherwise, openssl throws an error:

openssl ca -out $email.crt -days $days -in $email.req -extfile <(printf "$exts")
Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
unable to load number from ./demoCA/serial
error while loading serial number
4294956672:error:0D066091:asn1 encoding routines:a2i_ASN1_INTEGER:odd number of chars:f_int.c:163:

For the reason why, please see the bottom of A legal [serial] number must always have an even number of characters

Also, the certificates produced using your method do not enable one to encrypt an email on iOS. I’m working on debugging this but I think a minor fix is needed according to iPhone 5c S/MIME and openssl.

Andreas Schamanek 2019-02-28 14:40

Sigh, never ever make untested last minute changes. I should know better. Anyway, I’ve changed it to “1337”. BTW, “668” was just meant as a reference to my posting 668.5.

I wondered whether my instructions should include a random serial number but figured that’s beyond the scope of the posting, and the implied security requirements of my potential readers. So, I hope “1337” is enough of a hint ;-)

Andreas Schamanek 2019-04-02 01:47

A reader asked me how to create certificates for more than 1 email address but sign them with the same CA. To do this set the variables name, email etc., then build the string for the openssl -subj parameter again and rerun the last 4 commands from above, i.e. generate key, certificate + PKCS#12 export for the new email address.

Andreas Schamanek 2019-06-16 17:18

In the meantime I came up with an approach that does not depend on a system-wide pre-supplied OpenSSL cnf file, and an approach that allows to include additional email addresses in the certificates. If anyone’s interested I’ll publish it.

Andreas Schamanek 2019-07-18 21:26: It’s been published, now: Self-signed certificates with subjectAltName

+thunderbird +certificates +encryption +security +smime

Comments welcome.

SysAdmin'ish Blog 2019-02-13
URL: https://fam.tuwien.ac.at/~schamane/_/blog/2019-02-13_thunderbird_selfsigned.htm
Last modification: 2019-07-18 21:29
Copyright 2018 by Andreas Schamanek
Home page: https://fam.tuwien.ac.at/~schamane/
Letters to author: andreas.schamanek@tuwien.ac.at
Imprint (Impressum)