Setting email encryption and signing in Thunderbird for Windows / Mac OS X / Linux
Setting email encryption and signing in Thunderbird
- PKCS#11 module for identity card reading
- Public certificates of addressees for encryption
- While configuring, make sure that your reader is connected to your computer and that your identity card is in the reader.
Windows: Everything necessary to set up encryption can be found under "Tools -> Account Settings -> Security".
Linux: Everything necessary to set up encryption can be found under "Edit -> Preferences -> Advanced -> Certificates".
Mac OS X: Everything necessary to set up encryption can be found under "Tools -> Account Settings -> Security".
- Open Security Devices
- Select Load from the right-hand column
- Select Browse from the dialog box displayed
- Click on File System in the dialog box displayed
- Windows: Select path /Windows/system32/onepin-opensc-pkcs11.dll
- Mac OS X: Select path /Library/OpenSC/lib/onepin-opensc-pkcs11.so
- Linux: Select path /usr/lib/onepin-opensc-pkcs11.so
- If everything is correct and your card is in your reader, a number of new rows are displayed under Security Modules and Devices in addition to a row with the card holder’s name.
- Close this dialog box by clicking OK.
Make sure you install the certificates ESTEID-SK 2007 and ESTEID-SK 2011, because without them neither encryption nor signing works: the certificates of the sender and the addressee are verified using these certificates.
- First download the required certificates (ESTEID-SK 2007 PEM, ESTEID-SK 2011 PEM) from the website www.sk.ee/certs and save them on your hard drive in a place where you can find them again.
- Select View Certificates in your Thunderbird.
- Thunderbird now asks for the PIN1 code of your identity card – enter it.
- A window titled Certificate Manager is displayed.
- Select Authorities from the upper menu and then click Import at the bottom.
- Browse in the File dialog box and find the downloaded PEM file (e.g. from Downloads folder) and click Open.
- In the window displayed, tick the “Trust this CA to identify ...” boxes according to your wishes/needs (at least “... identify mail users”).
- Close the Certificate Manager by clicking OK.
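Every later signature and encryption check is verified against these two CA certificates, so it is worth confirming that a downloaded PEM file is the certificate you expect before importing it. The following is an added example, not part of the original guide: it computes the SHA-256 fingerprint of each certificate in a PEM file and compares it with a fingerprint obtained from SK over a separate channel. The function names, the sample bytes and EXPECTED_FP are constructed placeholders.

```python
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def normalize(fp):
    """Reduce 'AB:CD:ef' style fingerprints to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def pem_fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate block in the file."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        # Typical when an HTML error page was saved instead of the PEM file.
        raise ValueError("no CERTIFICATE block found")
    prints = []
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("corrupt base64 in certificate block") from exc
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def safe_to_import(pem_text, expected_fp):
    """True only if the file holds exactly one certificate and it matches."""
    found = pem_fingerprints(pem_text)
    return len(found) == 1 and found[0] == normalize(expected_fp)

def make_sample_pem(der):
    """Wrap constructed bytes as PEM so the example runs offline."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-in bytes, not a real ESTEID-SK certificate.
SAMPLE_DER = b"constructed sample, not a real CA certificate " * 3
SAMPLE_PEM = make_sample_pem(SAMPLE_DER)
# Placeholder: replace with the fingerprint SK gives you over a separate channel.
EXPECTED_FP = hashlib.sha256(SAMPLE_DER).hexdigest().upper()

if __name__ == "__main__":
    ok = safe_to_import(SAMPLE_PEM, EXPECTED_FP)
    print("fingerprint matches" if ok else "DO NOT IMPORT")
```

To check a real download, pass the contents of the saved PEM file as pem_text and the out-of-band fingerprint as expected_fp.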
If you have managed to get so far without any problems, the next step is to go to the Account Settings window in the Security panel and select Digital signing:
- Click Select...
- Make sure that you have selected the identification certificate, and confirm the operation by clicking OK.
Now, according to your preferences, you can select the same certificate also for encryption (button Yes) or decline this option (No). It makes sense to select Yes.
Encryption requires the addressees’ certificates. These can either be forwarded to you, or, if you know the addressee’s personal identification code, you can look the person up using the DigiDoc encryption utility and save their certificates (using LDAP address search).
To download the addressee’s certificate:
- Select View Certificates -> People -> Import
- Find the addressee’s certificate file and select Open
- If the addressee’s certificate could be found through SK certificates, it will be added to the list.
Make sure you have the addressee’s email address. Encryption will be performed only if the email addresses of all addressees can be found in the People list!
These steps should lead to the utilisation of signing and encryption options.
Some comments about using Thunderbird:
- When composing an email, select encryption or signing after you have written the letter; otherwise Thunderbird may start to display frequent notices complaining that the mail could not be saved (due to default settings).
- In the event of anomalies (e.g. signing could not be performed; PIN code is being asked repeatedly even though it was entered correctly, etc.) you should save the unfinished mail immediately and:
Windows: close the mail client and restart the mail client/computer. Then try again.
Mac OS X: close the mail client and restart the mail client/computer. Then try again.
Linux: close the mail client and restart the pcscd service with the command sudo /etc/init.d/pcscd restart and then try again.