Let's do it step by step:
Last updated for Thunderbird version 2.0.0.6. Instructions for Thunderbird v2.0.0.14 have now been added.
First: go to the Root Certificates Page
http://www.cacert.org/index.php?id=3
Right-click on "Root Certificate (PEM Format)", and "Save as" to a local file. (Do this for both the class1 and class3 root certificates)
Second: Open Thunderbird
Then go to Thunderbird and select Edit, Account Settings, Security, Manage Certificates, Authorities. Then select "Import", and select the previously saved files of the root certificates.
If you use Thunderbird version 2.0.0.6, follow these instructions. Select Tools > Account Settings. Then click 'security' in the menu on the left of the Account Settings window. Next, click the 'Authorities' tab in the Certificate Manager window. Next, click import. Check the boxes for the documents you would like to certify.
If you use Thunderbird version 2.0.0.14, follow these instructions. Go to Tools > Options > Advanced > Certificates > View Certificates > Certificate Manager > Authorities > Import. Browse to the previously saved CAcert root certificate file (root.crt). In the "Downloading Certificate" dialog, click View; in the Certificate Viewer's General tab, make sure the certificate is from "CAcert" and that the fingerprint matches, then close the Certificate Viewer. Tick "Trust this CA to identify email users" and also "Trust this CA to identify web sites", then click OK. Under Authorities it should appear as "Root CA".
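The fingerprint check in the step above can also be done on the saved PEM file before importing it. This is an added example, not part of the original instructions: the function names are hypothetical, the sample "certificate" is constructed placeholder bytes, and the expected fingerprint is assumed to come from a source you trust independently of the download.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text, algo="sha256"):
    """Return one colon-separated fingerprint per certificate in pem_text."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        # The fingerprint is the hash of the DER bytes, not of the PEM text.
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.new(algo, der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    if not prints:
        raise ValueError("no PEM certificate block found")
    return prints

def normalize(fp):
    """Drop colons, spaces and case so copied fingerprints compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def fingerprint_matches(pem_text, expected, algo="sha256"):
    """True only if the file holds exactly one certificate and it matches."""
    prints = pem_fingerprints(pem_text, algo)
    if len(prints) != 1:
        return False  # a saved root certificate file should hold one certificate
    want = normalize(expected)
    if len(want) != hashlib.new(algo).digest_size * 2:
        return False  # wrong length: truncated value or a different hash
    return hmac.compare_digest(normalize(prints[0]), want)

# Constructed sample: placeholder bytes wrapped as PEM, NOT a real certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = pem_fingerprints(SAMPLE_PEM)[0]
    print("computed:", fp)
    print("match:", fingerprint_matches(SAMPLE_PEM, fp.lower().replace(":", " ")))
```

For a real file, read its contents and pass them as `pem_text`; use `algo="sha1"` if the fingerprint you are comparing against is a SHA-1 value.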
Third: go back to www.cacert.org and log in:
Next, if you have not already done so, you will have to add an email account at www.cacert.org. Log on by clicking 'password logon'. Then select 'email accounts' > 'add'. Follow the instructions given there. Then add a new client certificate for that new email. If you're using Firefox to follow the instructions, your certificate should be imported into Firefox automatically (if not, see below).
Then, with Firefox go to https://www.cacert.org/account.php?id=6&cert=XYXYX (use the link you received when you issued the client certificate) and click on the certificate to import it.
Fourth: Save a Backup of Your Certificate
In Firefox choose Tools > Options > Advanced > View Certificates. You should see your own certificate there. Select "Backup", choose a good password to encrypt the backup, and save it to a local file, which has a ".p12" ending (e.g. Backup.p12).
If you're using Firefox v2.0.0.14, go to Tools > Options > Advanced > Encryption > View Certificates > Your Certificates. Under "Root CA" (CAcert), carefully select the client certificate associated with the email address you want to use (if you click "View", the "Details" tab shows, under "Certificate" and then "Subject", the email address the certificate was created for). Click the "Backup" button to create a PKCS12 backup file of that client certificate (for example, email_x1_domain_com.p12). Firefox will ask you to create a backup password; keep that password in a safe place as well.
Fifth: Import Your Certificate to Thunderbird
Then go to Thunderbird and select Tools > Account Settings > Security > View Certificates. Click the 'Your Certificates' tab, then choose 'Import'. Open the backup file you saved in Firefox, and enter the password you secured it with. You may have to enter two sets of passwords here.
If you're using Thunderbird v2.0.0.14, first create the email account for the address you obtained the client certificate for, if you haven't already done so. Then go to Tools > Options > Advanced > Certificates > View Certificates > Certificate Manager > Your Certificates > Import. Browse to the location where you previously saved the PKCS12 (.p12) backup file and select the backup file for that email (for example, email_x1_domain_com.p12). Enter or create a new password (for Thunderbird's certificate/password storage), then enter the password you used to encrypt the certificate when creating the backup file. You should then see "...successfully ...recorded ...cert ...key..."; click OK.
Sixth: Link the Certificate to your Identity
You should now see the certificate in the certificate management window of Thunderbird. It is necessary to link the certificate to your identity, so that Thunderbird knows which key it should use to sign the emails you send. In Tools > Account Settings, select the email account you want to apply the certificate to, go to the "Security" option window, and select the certificate you would like to use for digital signing and encryption.
Seventh and Last: Send secure signed encrypted emails
When you write an email, check the 'digitally sign this message' and/or 'encrypt this message' items shown under the lock symbol. If you enable the "Headers" area (View > Headers > All), you will see an envelope with a red seal or dot, which indicates that the email was digitally signed. If you see a picture of a lock next to the picture of the envelope, the email was also encrypted.
Related Information
Email Certificates ../EmailCertificates
Thunderbird Advanced Configuration ../ThunderBirdAdvancedConfig