Secure emails with Thunderbird

Step 1: Start Thunderbird

Start the Thunderbird email program. The Macintosh version of Thunderbird 3.0 is being used here, but the steps should be the same for Thunderbird 3.0 on other platforms.

Step 2: Open the Thunderbird certificates manager

Select the Thunderbird > Preferences menu item.

Select the Advanced tab.

Select the Certificates tab.

Click on the View Certificates button.

Step 3: Import your private key and certificates

Select the Your Certificates tab.

Click on the Import button.

Open the PKCS#12 file in which your private key and certificates were saved.

Enter the password for the PKCS#12 file. This is the password you used to create the PKCS#12 file.

Your certificate now appears under the list of Your Certificates. The private key is also stored in the certificate manager along with your certificate.

Select the OK button to close the Certificate Manager and the Preferences windows.

Step 4: Send secured emails

Compose a new email by using the Write icon in the toolbar, or use the File > New > Message menu item.

Enable digital signing using the Digitally Sign This Message menu item, found under the Options menu or under the Security item in the toolbar of the write message window. Enable encryption using the Encrypt This Message menu item.

When signing, encryption or both are enabled, a small icon appears at the bottom right of the write message window. This icon looks like an envelope with a red wax seal.

If you click on the Security icon in the toolbar, or select View > Message Security Info, a dialog shows you details about the security that will be applied and the certificates of the recipients.

Although the user interface allows you to select any combination of signing and encrypting, when you actually send the email Thunderbird checks whether that combination can be performed. You cannot send an encrypted email unless the certificates of all the recipients are known to Thunderbird. So your first outgoing email messages will have to be signed only, because you do not yet have any certificates for your recipients.

Step 5: Receiving secured emails

Ask someone to send you a secure email that is signed and encrypted. You will probably first have to send them a signed email, so that they will have your certificate and can use it to encrypt a message to you.

When a secured email is received, it is shown with an envelope icon. The red seal indicates that the signature is valid and the certificate of the signer is trusted by the email program.

Click on the sealed envelope icon to show details from the signer's certificate.

Step 6: Managing certificates from other people

After receiving a signed email (or a signed and encrypted email), Thunderbird automatically saves a copy of the other person's certificate. This allows you to send encrypted emails to them.

The other people's certificates are listed under the People tab of Thunderbird's Certificate Manager.

If you have received someone's certificate as a file, it can be imported into the Certificate Manager using the Import button.

If you have problems with Thunderbird using the correct certificate, go through the list and delete any certificates that are no longer needed. Problems can occur when the other person's certificate expires or they start using a different certificate, and Thunderbird is still using the old one.

Step 7: Increasing security with mandatory OCSP checking (optional)

Thunderbird validates the signing certificate when it checks a signature. It does this by consulting Certificate Revocation Lists or by querying the certificate authority using OCSP. The certificate indicates which of these mechanisms (if any) are supported by the certificate authority. By default, if an OCSP service is referenced in the certificate but Thunderbird cannot contact it, Thunderbird will assume the certificate is OK.

If you do not want to trust certificates when the OCSP server cannot be contacted, this can be set up by clicking on the Validation button in the certificates preferences.

Turn on "When an OCSP server connection fails, treat the certificate as invalid."

Now the signature will not be trusted when the OCSP server cannot be contacted.

For example, when there is no Internet connection the security icon shows a red cross over the sealed envelope.

And the details dialog says that the signature is not trusted. Technically the signature is valid, but the certificate itself is not trusted.
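The checks below are an added example, not part of this tutorial or of Thunderbird itself. They use OpenSSL to build a throw-away S/MIME identity, bundle it as the PKCS#12 file that Step 3 imports, and then confirm the things that most often go wrong at import time: the bundle password, the e-mail address bound to the certificate, and its validity period. The last function reads the OCSP responder URL from the certificate's Authority Information Access extension, which is the "indicates which of these mechanisms are supported" part of Step 7: a certificate that names a responder is the one that will show as untrusted when the responder is unreachable and mandatory OCSP checking is on. The identity, password and OCSP URL are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the tutorial): construct an S/MIME identity,
# package it as PKCS#12, and run pre-import checks. The name, address,
# password and OCSP URL below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='constructed-p12-password'
P12="$WORK/alice.p12"

# 1. Self-signed certificate for the constructed identity. A real S/MIME
#    certificate comes from a CA, but carries the same extensions that matter
#    to Thunderbird: an e-mail SAN matching the account, the emailProtection
#    EKU, and an AIA entry naming the CA's OCSP responder (placeholder here).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/alice.key" -out "$WORK/alice.crt" \
  -subj "/CN=Alice Example/emailAddress=alice@example.com" \
  -addext "subjectAltName=email:alice@example.com" \
  -addext "extendedKeyUsage=emailProtection" \
  -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid/" \
  >/dev/null 2>&1

# 2. Bundle private key and certificate into the PKCS#12 file Step 3 imports.
openssl pkcs12 -export -inkey "$WORK/alice.key" -in "$WORK/alice.crt" \
  -name "Alice S/MIME (constructed)" -out "$P12" -passout "pass:$PASS"

# Returns 0 when the password unlocks the bundle, non-zero otherwise
# (Thunderbird refuses the import on a wrong password).
p12_password_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Prints the user certificate (not any CA chain) from the bundle as PEM.
p12_user_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# Prints the e-mail addresses bound to the certificate (subject and SAN,
# de-duplicated). These must match the Thunderbird account that will use it.
p12_email() {
  p12_user_cert "$1" "$2" | openssl x509 -noout -email | sort -u
}

# Returns 0 when the certificate is inside its validity period right now;
# an expired certificate is the usual cause of the Step 6 "wrong certificate"
# problem on the recipient side.
p12_cert_valid_now() {
  p12_user_cert "$1" "$2" | openssl x509 -noout -checkend 0 >/dev/null
}

# Prints the OCSP responder URL from the AIA extension, or nothing when the
# CA offers no OCSP service. Only certificates that print a URL here are
# affected by the Step 7 "treat the certificate as invalid" setting.
p12_ocsp_uri() {
  p12_user_cert "$1" "$2" | openssl x509 -noout -ocsp_uri
}

# Pre-import report.
if p12_password_ok "$P12" "$PASS"; then
  echo "password: ok"
  echo "email:    $(p12_email "$P12" "$PASS")"
  if p12_cert_valid_now "$P12" "$PASS"; then
    echo "validity: current"
  else
    echo "validity: EXPIRED"
  fi
  echo "ocsp:     $(p12_ocsp_uri "$P12" "$PASS")"
else
  echo "password: WRONG (Thunderbird will refuse the import)"
fi
```

Run the script as-is to see the report for the constructed identity, or point the functions at your own bundle and password. Note that OpenSSL 3 encrypts PKCS#12 bundles with AES by default; very old Thunderbird builds such as the 3.0 release shown in this tutorial expect the older PBE algorithms, which OpenSSL 3 produces with the `-legacy` option on the export command.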
