SysAdmin'ish Blog | 2019-07-18

OpenSSL self-signed certificates with subjectAltName for Thunderbird

In Self-signed certificates & Thunderbird I presented instructions using OpenSSL that try to be short yet comprehensible. However, there are 2 issues:

  1. My instructions rely on a pre-installed, reasonable sample config for OpenSSL. If that config changes or is not available my instructions will fail.
  2. My instructions allow to create certs only for 1 email address per certificate, i.e. no subjectAltName.


So, here’s another rough sketch of instructions for generating a CA & a personal certificate including subjectAltName, all by means of OpenSSL command line tools (tested on Debian 9 + Ubuntu 18.04) and a minimal configuration file for the OpenSSL CA.

Basic example data for our certificates (including the CA cert)

name="Some One"
days=1827 # validity of the certs, 5 years = 1827 days (roughly;)

# email addresses that should be included in the certificate

# 2 more variables (subj + exts) just to shorten some of the other commands

## build string for openssl `-subj` parameter
test -n "$org_unit" && subj="$subj/OU=$org_unit"

## x509v3 certificate extensions as common these days
exts="basicConstraints = CA:false"
exts="$exts \n extendedKeyUsage = emailProtection"
exts="$exts \n subjectKeyIdentifier = hash"
exts="$exts \n authorityKeyIdentifier = keyid,issuer"

Setting up an “environment” for the CA

# a directory to work in
mkdir selfsigned-certs
cd selfsigned-certs

# a privacy minimum
umask 0077

# set up a directory, database + filenames for the CA
mkdir -p "$cadir"/newcerts
echo "1337" >"$cadir"/serial
touch "$cadir"/index.txt "$cadir"/index.txt.attr

Minimal config file for OpenSSL ca + req

cat >minimal.cnf <<'EOF'
default_ca = ca
dir = ./CA
private_key = $dir/CA.key
certificate = $dir/CA.crt
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = default

unique_subject = no
copy_extensions = copyall
policy = policy_empty


distinguished_name = req

Generate key + certificate for the CA

openssl genrsa -aes128 -out "$cakey" 4096
# about -aes128 cf.
openssl req -new -key "$cakey" -x509 -out "$cacrt" -config minimal.cnf \
  -days $days -subj "$subj"
# optionally check contents of CA certificate
openssl x509 -text -in "$cacrt" | less

Generate key + certificate for the user

If you did not set variable $san above, i.e. you did not specify additional e-mail addresses to include in the certificate, create a key without ,${ENV::san}. The following command should handle both cases automagically by means of ${san:+,\${ENV::san\}}:

openssl req -new -newkey rsa:2048 -keyout $email.key \
  -out $email.req -subj "$subj" ${san:+-reqexts san} \
  -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[san]';
  echo "subjectAltName=email:copy${san:+,\${ENV::san\}}")
openssl ca -out $email.crt -days $days -in $email.req \
  -extfile <(printf "$exts") -config minimal.cnf -preserveDN
# optionally check contents of the certificate
openssl x509 -text -in $email.crt | less
# generate a PKCS#12 export for the email address
openssl pkcs12 -export -in $email.crt -inkey $email.key -out $email.p12
# clean up
rm $email.req

Please note that compared to my previous instructions file names have changed. The CA’s certificate is now in $cacrt (CA/CA.crt). Also:



Andreas Schamanek 2020-12-16 20:09

Only now I realized I had forgotten to mention the version of Thunderbird I used to test my instructions. Deric Sullivan wrote in saying that it worked well with Thunderbird 78.6.0 (64 bit) on Ubuntu 20.04. Thanks a lot, Deric, for testing it and letting me know!

+thunderbird +certificates +encryption +security +smime

Comments welcome.

SysAdmin'ish Blog 2019-07-18
Last modification: 2020-12-16 20:13
Copyright 2018 by Andreas Schamanek
Home page:
Letters to author:
Imprint (Impressum)