I wanted to switch to having separate signing and encryption certificates. I followed the outline at Stefan Holek's excellent
http://pki-tutorial.readthedocs.org/en/latest/expert/index.html
That is, the signing cert request used

   keyUsage                = critical,digitalSignature
   extendedKeyUsage        = emailProtection,clientAuth
   subjectKeyIdentifier    = hash
   subjectAltName          = email:move

And the encryption cert request used

   keyUsage                = critical,keyEncipherment
   extendedKeyUsage        = emailProtection
   subjectKeyIdentifier    = hash
   subjectAltName          = email:move

The generated CSRs were signed by my own CA using the following -extensions

   keyUsage                = critical,digitalSignature
   basicConstraints        = CA:false
   extendedKeyUsage        = emailProtection,clientAuth,msSmartcardLogin
   subjectKeyIdentifier    = hash
   authorityKeyIdentifier  = keyid:always
   authorityInfoAccess     = @issuer_info
   crlDistributionPoints   = @crl_info

and

   keyUsage                = critical,keyEncipherment
   basicConstraints        = CA:false
   extendedKeyUsage        = emailProtection,msEFS
   subjectKeyIdentifier    = hash
   authorityKeyIdentifier  = keyid:always
   authorityInfoAccess     = @issuer_info
   crlDistributionPoints   = @crl_info

respectively, resulting in certificate serials 0x19 and 0x0D. This was done with openssl-1.0.1k on openSUSE 13.2.

I imported the CA cert into Thunderbird under "Authorities" and set it to be trusted, and imported 0x19 and 0x0D into Thunderbird under "Your Certificates". I then went to Account Settings > Security, and clicked on "Select" button for the Digital Signing box. It offers me a choice of 0x19 or my old combined sign/encrypt cert. I pick 0x19. It asks me whether I want to use it for encryption too, and I said no. I then clicked on the "Select" for the Encryption box. It offered me the same two certs as choices: 0x19 or my old combined cert. It did not offer 0x0D.

So the question is what does the above recipe fail to do to make an encryption cert that Thunderbird would recognize and offer as a choice?

The CN and SAN of the two certs are identical (my name and my email address respectively). Is that a problem? How do others create separate signing and encryption certs?

I don't want to delete my old combined cert, since then I would not be able to read old S/MIME messages to me.

Suggestions and comments welcome.

-Earl

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
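The following script is an added example, not Earl's files and not part of the PKI tutorial he links. It reproduces the same keyUsage / extendedKeyUsage split (signing-only and encryption-only S/MIME certificates with identical subject and email SAN) against a throwaway CA, using `openssl x509 -req` instead of `openssl ca` so it needs no CA database, and then adds the checks a practitioner would run on each certificate before importing it into a mail client: that each cert carries only its intended keyUsage, that both carry the e-mail address in subjectAltName, that their subjects are identical and their serials differ. The e-mail address, subject names and AIA/CRL URLs are constructed placeholders. One point the script makes explicit: `openssl x509 -req` does not copy extensions out of the CSR, so the SAN is repeated in the issuing extension sections.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
# Every name, path and URL below is a constructed placeholder.
EMAIL="earl@example.org"
SUBJ="/CN=Earl Example/emailAddress=$EMAIL"

# Build a throwaway CA and issue a signing-only and an encryption-only cert into $1.
issue_certs() {
    dir="$1"
    # 'openssl req' insists on a distinguished_name section even when -subj is given.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ sign_req ]
keyUsage               = critical,digitalSignature
extendedKeyUsage       = emailProtection,clientAuth
subjectKeyIdentifier   = hash
subjectAltName         = email:$EMAIL
[ enc_req ]
keyUsage               = critical,keyEncipherment
extendedKeyUsage       = emailProtection
subjectKeyIdentifier   = hash
subjectAltName         = email:$EMAIL
EOF
    # Issuing extensions. The SAN is repeated here because 'openssl x509 -req'
    # ignores CSR extensions; only the sections named with -extensions are applied.
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints       = critical,CA:true
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ issuer_info ]
caIssuers;URI.0        = http://pki.example.org/ca.crt
[ crl_info ]
URI.0                  = http://pki.example.org/ca.crl
[ sign_ext ]
keyUsage               = critical,digitalSignature
basicConstraints       = CA:false
extendedKeyUsage       = emailProtection,clientAuth,msSmartcardLogin
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = @issuer_info
crlDistributionPoints  = @crl_info
subjectAltName         = email:$EMAIL
[ enc_ext ]
keyUsage               = critical,keyEncipherment
basicConstraints       = CA:false
extendedKeyUsage       = emailProtection,msEFS
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = @issuer_info
crlDistributionPoints  = @crl_info
subjectAltName         = email:$EMAIL
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -days 30 -subj "/CN=Example Test CA" \
        -config "$dir/ca.cnf" -extensions ca_ext -out "$dir/ca.crt" 2>/dev/null
    for kind in sign enc; do
        openssl genrsa -out "$dir/$kind.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$kind.key" -subj "$SUBJ" -config "$dir/req.cnf" \
            -reqexts "${kind}_req" -out "$dir/$kind.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$kind.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 30 -extfile "$dir/ca.cnf" -extensions "${kind}_ext" \
            -out "$dir/$kind.crt" 2>/dev/null
    done
}

# Print the usage names that follow the "X509v3 Key Usage" line of the text dump.
key_usage() { openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}'; }
# Succeed if cert $1 has key usage $2 (e.g. "Key Encipherment").
has_key_usage() { key_usage "$1" | grep -q "$2"; }
# Succeed if cert $1 carries email:$2 in subjectAltName.
san_has_email() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | grep -q "email:$2"
}
# Succeed if certs $1 and $2 have byte-identical subject DNs.
same_subject() { [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ]; }
serial() { openssl x509 -in "$1" -noout -serial; }

main() {
    dir=$(mktemp -d)
    issue_certs "$dir"
    for kind in sign enc; do
        printf '%s: %s keyUsage=%s\n' "$kind" "$(serial "$dir/$kind.crt")" "$(key_usage "$dir/$kind.crt")"
    done
    rm -rf "$dir"
}
main
```

Run it as `sh smime-split.sh`; it prints one line per certificate with its serial and decoded keyUsage. The same `key_usage` and `san_has_email` helpers can be pointed at any PEM certificate already issued by a real CA, which is the quickest way to confirm that an encryption cert actually carries keyEncipherment and the expected e-mail SAN before looking elsewhere for why a client will not offer it.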