
I have generated a self-signed certificate authority using mydomain.org as the common name. I imported the public certificate using Thunderbird's certificate manager under the "Authorities" tab. So far so good.

Next, using this CA, I have generated (and signed) a certificate for mail.mydomain.org, but even though I imported the CA, I keep getting the "Add Security Exception" popup with the message "Unknown Identity" when I'm trying to connect for the first time. Here's a screenshot that illustrates the situation:

[Screenshot: the Thunderbird "Add Security Exception" popup, the mail certificate, and the CA as listed under Authorities]

Note: Both the CA and the mail certificate are signed using "SHA-1 With RSA Encryption".
Note 2: I understand that I should get a certificate from a trusted authority; this is a temporary solution.

So my questions are:

1) Is this behavior normal?
2) How do I "convince" Thunderbird that all certificates signed by my CA are trusted?

UPDATE

% openssl s_client -connect mail.mydomain.org:993
CONNECTED(00000003)
depth=1 <snip> CN = mydomain.org, <snip>
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/<snip>/CN=mail.mydomain.org/<snip>
   i:/<snip>/CN=mydomain.org/<snip>
 1 s:/<snip>/CN=mydomain.org/<snip>
   i:/<snip>/CN=mydomain.org/<snip>
---
Server certificate
-----BEGIN CERTIFICATE-----
<BASE64>
-----END CERTIFICATE-----
subject=/<snip>/CN=mail.mydomain.org/<snip>
issuer=/<snip>/CN=mydomain.org/<snip>
---
No client certificate CA names sent
---
SSL handshake has read 2807 bytes and written 567 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
<long apparently irrelevant output snipped>
    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.
s3v3n
  • You need to show us the host certificate as well. – MikeyB Aug 20 '13 at 01:16
  • Have you put your CA certificate in your server? If it is Dovecot, you should add the CA cert to your server cert file to provide it to the client. – Dom Aug 20 '13 at 06:47
  • @MikeyB, the 3 rightmost windows are describing the CA. – s3v3n Aug 20 '13 at 08:12
  • @Dom, of course I did. It's Courier, the 2 leftmost windows are describing the certificate received via imap-ssl. – s3v3n Aug 20 '13 at 08:21
  • @Dom, it was not there, but I added it now. Now the certificate that I pass to Courier contains (in this order): 1. The private key for the mail.mydomain.org certificate 2. The certificate for mail.mydomain.org 3. The CA. Still getting the same error. – s3v3n Aug 20 '13 at 09:32
  • The private key shouldn't be in the cert: it is private. But maybe it is the solution for Courier, I don't know it. – Dom Aug 20 '13 at 12:24
  • Run `openssl s_client -connect server:port` and see if there is an error like "unable to get local issuer certificate". – Dom Aug 20 '13 at 12:31
  • @Dom, see the update. – s3v3n Aug 20 '13 at 14:23
  • It would help to see all details for both certificates: `openssl x509 -noout -text -in CERT_FILE.PEM` (without moduli and signature). E.g. does the CA file have the constraint "CA:TRUE" set? – Nils Toedtmann Sep 08 '14 at 20:05
  • Apart from the mail server certificate, I'm having the same issue with a transparent proxy I have upstream. It uses its own certificates that I created, but Thunderbird will not let me, say, add new dictionaries. It prompts to "add an exception", but when that's clicked, nothing happens. Seems like a bug. – Turgut Kalfaoglu Jun 06 '15 at 09:24

2 Answers

  1. In Mozilla Thunderbird, go to Tools → Options → Advanced → tab Certificates.
  2. Click on View Certificates and go to tab Servers.
  3. Click on Add Exception.
  4. Enter the name of your mail server and click on Get Certificate.
    Do not forget to use the port number of the mail server.
    Example: mail.provider.com:993
  5. Save the exception.

Source: http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/self-signed-certificates-in-mozilla-thunderbird-950.html

  • Get Certificate does not work for port 143. If I type the full URL, like https://mail.server.com, it works, but that's the web certificate. For port 143 it says "No Information Available". – NickSoft Mar 29 '21 at 16:20

I had the same problem. The source in my case was that the CA was not created with -extensions v3_ca, which Firefox does not care about but Thunderbird seems to require for a "valid" signature.

user254581
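As an added example (not code from the question or either answer), the shell session below builds a CA that does carry the v3_ca extensions the second answer refers to, signs a certificate for mail.mydomain.org with it, and runs the CA:TRUE and chain checks suggested in the comments; the working directory and file names are placeholders, and it uses SHA-256 rather than the SHA-1 mentioned in the question.

```shell
#!/bin/sh
# Added example (not from the question or answers): build a throwaway CA that
# carries the v3_ca extensions (basicConstraints CA:TRUE, keyCertSign), sign a
# server certificate for mail.mydomain.org with it, and check the result the way
# a strict client such as Thunderbird (NSS) does. Names/paths are placeholders.
set -eu
WORK=$(mktemp -d)

# Self-contained OpenSSL config, so nothing depends on the distribution's
# openssl.cnf (the usual way the v3_ca section silently goes missing).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = mydomain.org
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.mydomain.org
EOF

# 1. CA key and self-signed CA certificate; CA:TRUE is what -extensions v3_ca supplies.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Server key and CSR, then sign the CSR with the CA, attaching the server extensions.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=mail.mydomain.org" \
  -config "$WORK/ca.cnf" -keyout "$WORK/mail.key" -out "$WORK/mail.csr" 2>/dev/null
openssl x509 -req -in "$WORK/mail.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/ca.cnf" -extensions v3_server \
  -out "$WORK/mail.crt" 2>/dev/null

# Diagnostics to run against an existing CA (the question raised in the comments):
# does the certificate actually assert CA:TRUE?
ca_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# Does the server certificate chain to the CA and match the name the client dials?
chain_ok() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }

ca_is_ca "$WORK/ca.crt" && chain_ok "$WORK/ca.crt" "$WORK/mail.crt" mail.mydomain.org \
  && echo "ca.crt asserts CA:TRUE and mail.crt verifies for mail.mydomain.org"
# Bundle in the order the asker used for Courier: key, server cert, then the CA.
cat "$WORK/mail.key" "$WORK/mail.crt" "$WORK/ca.crt" > "$WORK/courier.pem"
```

Running `ca_is_ca` against the CA file from the question would show immediately whether the v3_ca extensions are missing.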