MozillaZine

Import Cert into Thunderbrid + configure account! [SOLVED]

User Help for Mozilla Thunderbird
dtr84

User avatar
 
Posts: 8
Joined: July 9th, 2015, 7:54 am

Post Posted July 9th, 2015, 8:07 am

Hi!

I need to develop a tool that will automatically (i.e. without the need for the user to do things manually) install a Certificate into Thunderbrid and configure the user's existing Mail account to make use of the new Cert. We need this in the company, to deploy certificates on many machines, so that our customers can sign their e-mail, even if they don't understand how to configure Thunderbrid for X.509 cert usage by hand (yes, for most users it's still way to complex to install and setup a certificate by hand).

Now the easy part is to import the certificate into Thunderbird's certificate store, because pk12util does this nicely:
pk12util.exe -i temp.p12 -d C:\Users\john\AppData\Roaming\Thunderbird\Profiles\1278dm3u.default -W rvfsfDAMdMyD71Z


But the difficult part is to actually configure the Mail account to actually use the certificate!

In perfs.js there is a property "mail.identity.idX.encryption_cert_name" which I need to set. Okay, but the value, on my system is "das Software-Sicherheitsmodul:ERIKA MUSTERMANN", after I setup the certificate manually.

Where does the prefix string "das Software-Sicherheitsmodul:" come from? And how I can my program get it? I clearly can not hardcode the String, as it appears to be Locale-specific :?

Also, if I use "certutil.exe -L" to list the installed certificates, then the output is very different!
...
NSS Certificate DB:ERIKA MUSTERMANN u,u,u
...


I tried using the name that certutil shows, i.e. "NSS Certificate DB:Something" instead of "das Software-Sicherheitsmodul::Something". But it does not work :(

Any suggestions?

Thanks in advance!
Last edited by dtr84 on July 20th, 2015, 9:44 am, edited 1 time in total.

DanRaisch
Moderator

User avatar
 
Posts: 117985
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Post Posted July 9th, 2015, 8:28 am

Moving to Thunderbird Support.

dtr84

User avatar
 
Posts: 8
Joined: July 9th, 2015, 7:54 am

Post Posted July 13th, 2015, 1:07 am

Nobody? :?

In the meantime, I have tried with English version of Thunderbird. And there the prefix is "Software Security Device".

So, we have the following required Certificate name prefixes:
  • CertUtil: "NSS Certificate DB"
  • Thunderbrid EN: "Software Security Device"
  • Thunderbrid DE: "das Software-Sicherheitsmodul"
  • Probably a lot more (different for each locale)

Is there really no way to figure out the proper prefix in a programmatical way? Do I need to maintain a Lookup Table, containing the required prefix for each locale of Thunderbird? :-k

Also: I downloaded the sources of Thunderbird and made a full text search for "das Software-Sicherheitsmodul". Not found! Where does this string come from, when it's not inside the Thunderbird source codes? :?:

Thank you!


BTW: I noticed this thread was moved from "development" section to "support" section. Still I think this question is more for the developers, not so much for the customer support.

How can I get in contact with the Thunderbird developers?

tanstaafl
Moderator

User avatar
 
Posts: 43357
Joined: July 30th, 2003, 5:06 pm

Post Posted July 13th, 2015, 4:50 am

http://kb.mozillazine.org/Message_security mentions:

Thunderbird has no user interface for choosing a certificate for other identities (this is bug 252250). To work around it, choose the certificate for an account's default identity. Close Thunderbird and go to your profile. Back up and edit the file prefs.js there, and search in the file for the four certificate settings:

mail.identity.idnn.signing_cert_name
mail.identity.idnn.sign_mail
mail.identity.idnn.encryption_cert_name
mail.identity.idnn.encryptionpolicy

Change the identity number in these settings from the account's default identity number to the identity number you want. You will have to look around the file to discover which number it is. The order of settings within the file is not important, so there is no need to move them.

You can associate certificates with other identities by copying these four settings and changing the identity numbers and values.


https://developer.mozilla.org/en-US/doc ... y_Services

tanstaafl
Moderator

User avatar
 
Posts: 43357
Joined: July 30th, 2003, 5:06 pm

Post Posted July 13th, 2015, 5:02 am

"How can I get in contact with the Thunderbird developers?"

They don't normally provide support. That's provided by the user community. You might try asking in the mozilla.dev.tech.crypto google group.

http://kb.mozillazine.org/Configuration ... nistrators has links to a lot of configuration tools for admins. It also has a link to a mailing list to discuss deploying and configuring Thunderbird in enterprise environments. I suggest you browse its archives (http://groups.google.com/group/tb-enterprise) and if it doesn't have the information you want, ask your question on that mailing list. If you get an answer please post a link to it (in this thread).

dtr84

User avatar
 
Posts: 8
Joined: July 9th, 2015, 7:54 am

Post Posted July 14th, 2015, 6:54 am

tanstaafl wrote:http://kb.mozillazine.org/Message_security mentions:

Thunderbird has no user interface for choosing a certificate for other identities (this is bug 252250). To work around it, choose the certificate for an account's default identity. Close Thunderbird and go to your profile. Back up and edit the file prefs.js there, and search in the file for the four certificate settings:

mail.identity.idnn.signing_cert_name
mail.identity.idnn.sign_mail
mail.identity.idnn.encryption_cert_name
mail.identity.idnn.encryptionpolicy

Change the identity number in these settings from the account's default identity number to the identity number you want. You will have to look around the file to discover which number it is. The order of settings within the file is not important, so there is no need to move them.

You can associate certificates with other identities by copying these four settings and changing the identity numbers and values.


https://developer.mozilla.org/en-US/doc ... y_Services

Thanks for reply, tanstaafl.

I understand that I can write the certificate options into the "prefs.js". I also know which entries I need to write. The problem is the value that I need to write :?

The "signing_cert_name" and "encryption_cert_name" entries contain the friendly name of the certificate, but with some locale-specific prefix!

For example, a German Thunderbrid version prepends "das Software Sicherheitsmodul:" to the certificate name. An English one prepends "Software Security Module". And so on.

To generate this entry in "prefs.js" file, I need to know which exact prefix I have to add. Omitting the prefix or adding a wrong mans that things won't work....

So, the big question remains: How can I figure out the required prefix? In a programmatical way, I mean.

Thank you!

dtr84

User avatar
 
Posts: 8
Joined: July 9th, 2015, 7:54 am

Post Posted July 20th, 2015, 9:25 am

Just for the notes: After digging through the codes of NSS for hours, I found the solution! :shock:

It appears that pk12util is going to add the "NSS Certificate DB:" prefix only if there happens to be a ':' (colon) character in the certificate's friendly name - which was the case with my certificates for a certain reason.
If I make sure that there's no ':' in the certificate's friendly name, then the prefix is gone. Also the locale-specific one in the "prefs.js" file !!!

](*,)

Return to Thunderbird Support


Who is online

Users browsing this forum: No registered users and 4 guests