How To Encrypt Mails With SSL Certificates (S/MIME) - Page 2

3 Get Your Certificate From a Trusted Certificate Authority

Apart from creating SSL certificates the above way, either signing it yourself or with a self created certificate authority, you can also get yourself a free SSL certificate from a trusted certificate authority on the net - the good thing about it is that it's valid and trusted from the beginning, without any security exceptions and manual configuration. The bad thing for some people however might be that you need to verify your identity to those businesses offering trusted certificates - this is necessary to validate a trusted certificate. If you choose this option however, there are providers that offer free SSL certificates on their homepages, e.g.


4 Importing Certificates Into a Mail Client

4.1 Thunderbird

To import a certificate in Mozilla Thunderbird open the Preferences (I'm using Thunderbird 3 here):

Go to Advanced and open the Certificates tab. Click on View Certificates:


4.1.1 Import a Self Signed Certificate

Select the Your Certificates tab and click on Import:

Browse the .p12 file you created and hit Open:

Every time you import a certificate, you will need to give the export passphrase you specified when you created the .p12 document:

Next, go to the Servers tab and click Import again:

Here, browse the .crt file belonging to your certificate (there are two if you created a certificate authority).

Still on the same tab, select the newly imported entry and click Edit:

Select Trust the authenticity of this certificate and click Edit CA Trust:

Since we are using the certificate in a mail client, select This certificate can identify mail users. and hit OK. The signer of the certificate (which is you) will then be listed on the certificate authorities list on the Authorities tab.

You only need to do the next step if you created a CA.


4.1.2 Import a CA Signed Certificate

Go to the Authorities tab and hit Import:

Now select the .crt file belonging to your certificate authority and hit Open:

You will then be asked how far you want to trust the certificate authority:

After pressing OK the created CA will be listed on the tab.


4.1.3 Assign the Certificate to an Account and Encrypt a Mail

Now you need to configure which certificate you want to use for which account. To assign a certificate to an account, go to the Account Settings:

On the account you want to configure, select Security out of the left panel. Use the Select... button to search for the certificate you want:

After you have found the certificate, which preferably looks different from mine, hit OK...

You will be asked if you want to use the same certificate you just selected for signing for decryption of encrypted mails sent to you - select Yes here if you want to have an encrypted mail exchange both ways:

You can select the menu items Encrypt This Message and Digitally Sign This Message:

The indicator symbols for a signed and encrypted mail look as follows. The sealed letter shows that the mail is signed whereas the lock shows that it's encrypted:

Share this page:

4 Comment(s)

Add comment


From: Anonymous at: 2011-12-16 20:42:01

Many, many thanks. This article help me too much.

From: Anonymous at: 2011-12-16 20:48:45

Hi there,

Here are a couple notes regarding my experience with self-created Class1 certs for e-mail.

 1:  When you go to create the client cert, it is good practice to add the correct x509 extensions.  Create a file called client.conf and add the following:

[user@host]$ cat client.cnf 
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

Now we can sign the certificate:

openssl x509 -req -days 36500 -in your_client_cert.csr -signkey your_CA_private.key -out your_client.crt -extfile client.cnf -extensions ssl_client

 Now that you have a client cert and key pair, you want to import it into a P12.  It may be necessary to include the CA into the P12 so that recipients can add it to their CA truststore:

openssl pkcs12 -export -in your_client.crt -inkey your_client_private.key -out your_client.pfx -name "Your Name" -CAfile your_ca.crt -caname "Your CA Name" -chain

 One very important note:  "Your Name" and "Your CA Name" are the aliases used in the PKCS12 store.  These aliases MUST be greater than one character long, else Sun/Oracle will fail to find the certificates in the store (refer to the code for  Using aliases/names like "1" or "2"  will cause you random and insanely hard to resolve issues down the line.

From: Martin at: 2013-07-13 23:21:52

Thanks a lot for that article! I tried to give smime a try but I was not successful so far.
Your article saved me a lot of time and worked perfectly on my first try!

From: Anonymous at: 2013-10-15 20:43:39



Second method generates p12  keys that has "00" as serial. I think that this is a problem