Importing S/MIME Certificate in Thunderbird on Fedora

Dear all,
I obtained a S/MIME certificate. From the files app I can open the certificate with password that was provided with the key. However, when I want to import the certificate in Thunderbird (Fedora 39), it gives me a ‘wrong password’ message and does not import it.
Is anyone experienced with this issue?
Best regards,
Sebastian

Maybe it’s a prompt for NSS db and not for a certificate itself?

Update: I tried to import the S/MIME certificate with thunderbird on qbes/debian12 and it works. So, the problems seems to be linked to Fedora. Where could I issue a bug report?

1 Like

From experience, most Fedora problems are related to SELinux. If you could try to disable it to see if it works better, or check the security logs for a selinux related problem.

Hi, I’m having the same problem on Fedora 40, did you manage to solve it? If yes, then can you please tell me how you solved it?

Hi, not really. I helped myself by running thunderbird in a debian VM. In this case, it perfectly works. I wanted to report a bug on the fedora page, but didn’t know how to do it.

did you try disabling selinux on Fedora?

hi solene, I am not very experienced and not able to do that. By the way, I did not know that the linux kernel contains modules (originally) written by the NSA…

sudo setenforce 0 to disable selinux, from within a qube and just for that qube

disabling selinux did nothing :confused:

Hey everyone,

I wanted to share a solution I found for handling S/MIME certificates obtained from Actalis, especially for those who may be struggling to get them properly imported into Thunderbird.

Problem

I had a .p12 certificate from Actalis that I needed to convert into a .pem file and then back into a .p12 format before importing it into Thunderbird. Thunderbird was not accepting the original .p12 file, and I kept running into issues.

Solution

Here’s the step-by-step guide that worked for me:
Note: Maybe you have to run the following comands with leading ‘sudo’

  1. Convert .p12 to .pem Using OpenSSL
  • Open a terminal (Linux, macOS, or Windows with OpenSSL installed) and run:
openssl pkcs12 -in certificate_input_file_name.p12 -out certificate_output_file_name.pem -nodes
  • When prompted, enter the password you received from Actalis for the .p12 file.
  • Note: The -nodes option exports the private key unencrypted, so make sure to handle the .pem file securely.
  1. Convert .pem back to .p12
  • Run the following command:
openssl pkcs12 -export -in certificate_output_file_name.pem -out newfile_name.p12
  • You’ll need to create a new, secure password for the .p12 file.
  • This will generate a new .p12 file with the desired format.
  1. copy “new_filename.p12” to target qube.

  2. Import the .p12 into Thunderbird

    • Open Thunderbird and go to Settings > Privacy & Security > Certificates > Manage Certificates.
  • Click Import and select the new .p12 file.
  • Enter the password you set during the export process.
  • Finally, configure your email account to use the certificate for signing and encryption.
  1. Save your keys and certificate-files in vault qube´s password Manager and remove all related files from /home/user directories.

Notes

  • Make sure to secure your private key and any exported files to prevent unauthorized access.
  • Tested on Fedora, but it should work similarly on other systems with OpenSSL installed.

I hope this helps anyone facing similar issues! Feel free to ask questions or share your own experiences.

Cheers!