Web page archived as of 2018-05-22. Some links & features might not work. For an update of this particular post see Self-signed certificates & Thunderbird again.

OpenSSL self-signed certificates & Thunderbird

Researching how to use OpenSSL can be quite a PITA. Thus, I am especially delighted when I find instructions that are easier and shorter than what I had previously known. One such delight was provided by diegows accompanied by the wonderful remark "you can do this in one command". So, here are the shortest instructions I could come up with to create and install self-signed certificates in Thunderbird to be used for S/MIME:

Say, we want a certificate for our address someone@example.net:

EMAIL=someone@example.net

Generate the self-signed certificate and the encrypted key file, valid for 3 years (1095 days):

openssl req -x509 -newkey rsa:2048 -keyout $EMAIL.key -out $EMAIL.crt -days 1095

You get 2 files: your secret private key in $EMAIL.key and your public certificate in $EMAIL.crt. For most applications that's it; however, Thunderbird requires the key to be in PKCS #12 format:

openssl pkcs12 -export -in $EMAIL.crt -inkey $EMAIL.key -out $EMAIL.p12
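The two commands above, as an added non-interactive example (not from the original post): a shell function that writes a minimal OpenSSL config so the address lands in both the subject and the subjectAltName (where mail clients look for it), generates the key and certificate, exports the PKCS #12 bundle, and prints the fingerprint you can read out to people who import your .crt. The function names, the config file name and the demo passphrase are my own; it assumes openssl is on the PATH.

```shell
#!/bin/sh
set -eu

# make_smime_cert EMAIL [DAYS] [PASSPHRASE]  (names are this example's, not the post's)
make_smime_cert() {
    email="$1"              # e.g. someone@example.net
    days="${2:-1095}"       # 3 years, as in the post
    pass="${3:-changeit}"   # constructed demo passphrase; choose your own

    # Minimal config: no interactive prompts, address in CN and in subjectAltName,
    # extendedKeyUsage marks the certificate as intended for S/MIME.
    cat > "$email.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = smime
prompt = no
[ dn ]
CN = $email
emailAddress = $email
[ smime ]
subjectAltName = email:$email
extendedKeyUsage = emailProtection
EOF

    # Self-signed certificate plus encrypted private key (same as the first command)
    openssl req -x509 -newkey rsa:2048 -sha256 -days "$days" \
        -config "$email.cnf" \
        -keyout "$email.key" -passout "pass:$pass" \
        -out "$email.crt"

    # PKCS #12 bundle for Thunderbird's "Your Certificates" tab (same as the second command)
    openssl pkcs12 -export -in "$email.crt" -inkey "$email.key" \
        -passin "pass:$pass" -passout "pass:$pass" -out "$email.p12"

    # Fingerprint to compare out of band (e.g. by phone) before anyone trusts the .crt
    openssl x509 -in "$email.crt" -noout -fingerprint -sha256
}

# cert_email CRT: the address embedded in a certificate (CN / subjectAltName)
cert_email() {
    openssl x509 -in "$1" -noout -email
}
```

Run `make_smime_cert someone@example.net` in an empty directory; it leaves someone@example.net.key, .crt, .p12 and .cnf behind.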

To be able to import the $EMAIL.p12 in Thunderbird, we first need to import the $EMAIL.crt file as a "Certificate Authority". Doing so we declare that we trust our self-signed certificate.

In order to do so, open the Thunderbird settings/preferences menu and navigate to Advanced → Certificates → [View Certificates]. Then change to the "Authorities" tab, click [Import] and import $EMAIL.crt. Thunderbird will ask you to specify the intended purpose. Select "Trust this CA to identify email users."

Then change to the "Your Certificates" tab and import $EMAIL.p12. In case you ever feel like double-checking whether your entry is still listed among the "Authorities" … it isn't! ;-) Once your certificate is installed and fully trusted, Thunderbird removes the entry.

When you start writing the first signed message, Thunderbird will prompt you to finish the setup. I.e., it will open the account settings where you can associate your accounts with your certificates (in the "Security" menu).

Use a master password

On the mozillaZine page Installing an SMIME certificate it says "you must first set a master password". "Must" here means "if you don't do it chances are you are making a big mistake". All your passwords and certificates are utterly unprotected if you do not set a master password. So, while encryption does work without a master password, please make sure your Thunderbird is safe.

Trusting other people's self-signed certificate

While we are at it, here is how to import and trust other people's self-signed certificates:

  • Have them send you a signed message.
  • Click the security envelope or go to View → View Security Info.
  • Click [View Signature Certificate].
  • Ideally, double-check the "SHA1 Fingerprint", e.g. via phone.
  • Change to the [Details] tab, click [Export…], and save the certificate as e.g. friend.pem.
  • Import the friend.pem file as a "Certificate Authority" in settings/preferences → Advanced → Certificates → [View Certificates] (see above).


Andreas Schamanek 2019-02-13 14:47

Unfortunately, the instructions presented here silently fail in Thunderbird. See my post Self-signed certificates & Thunderbird again for updated instructions.
blog/140216_openssl_self-signed_certificates_thunderbird.txt · Last modified: 2014-06-04 13:23 by andreas