[openssl-users] Separate signing and encryption certificates for Thunderbird
Earl Killian
openssl at lists.killian.com
Thu Feb 19 15:56:54 UTC 2015
I wanted to switch to having separate signing and encryption
certificates. I followed the outline at Stefan Holek's excellent
http://pki-tutorial.readthedocs.org/en/latest/expert/index.html

That is, the signing cert request used:

    keyUsage = critical,digitalSignature
    extendedKeyUsage = emailProtection,clientAuth
    subjectKeyIdentifier = hash
    subjectAltName = email:move

And the encryption cert request used:

    keyUsage = critical,keyEncipherment
    extendedKeyUsage = emailProtection
    subjectKeyIdentifier = hash
    subjectAltName = email:move

The generated CSRs were signed by my own CA using the following -extensions:

    keyUsage = critical,digitalSignature
    basicConstraints = CA:false
    extendedKeyUsage = emailProtection,clientAuth,msSmartcardLogin
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always
    authorityInfoAccess = @issuer_info
    crlDistributionPoints = @crl_info

and

    keyUsage = critical,keyEncipherment
    basicConstraints = CA:false
    extendedKeyUsage = emailProtection,msEFS
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always
    authorityInfoAccess = @issuer_info
    crlDistributionPoints = @crl_info

respectively, resulting in certificate serials 0x19 and 0x0D. This was
done with openssl-1.0.1k on openSUSE 13.2.
I imported the CA cert into Thunderbird under "Authorities" and set it
to be trusted, and imported 0x19 and 0x0D into Thunderbird under "Your
Certificates". I then went to Account Settings > Security, and clicked
on the "Select" button for the Digital Signing box. It offers me a choice of
0x19 or my old combined sign/encrypt cert. I pick 0x19. It asks me
whether I want to use it for encryption too, and I said no. I then
clicked on the "Select" for the Encryption box. It offered me the same
two certs as choices: 0x19 or my old combined cert. It did not offer 0x0D.

So the question is, what does the above recipe fail to do to make an
encryption cert that Thunderbird would recognize and offer as a choice?
The CN and SAN of the two certs are identical (my name and my email
address respectively). Is that a problem? How do others create separate
signing and encryption certs?

I don't want to delete my old combined cert, since then I would not be
able to read old S/MIME messages to me.

Suggestions and comments welcome.
-Earl
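As an added example (not part of Earl's post), the script below rebuilds the two-certificate setup described above with openssl and then reads back the keyUsage and extendedKeyUsage each certificate actually carries, which is the first thing to check when a mail client declines to offer a cert for a role. The CA, the subject DN, the file names and the temporary directory are constructed for the example; the authorityInfoAccess and crlDistributionPoints sections from the post are left out because their URLs are not given, and subjectAltName is repeated in the signing sections because "openssl x509 -req" does not copy extensions from the CSR.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the signing/encryption
# certificate pair with openssl and inspect the key usage each one carries.
# All names, paths and the CA are constructed for this example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension sections taken from the post; the AIA/CRL sections are omitted
# because their URLs are not given. subjectAltName is included in the
# signing sections because "openssl x509 -req" does not copy CSR extensions.
cat > "$WORK/smime.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Example User
emailAddress = user@example.com

[ ca_ext ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ sign_req ]
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection,clientAuth
subjectKeyIdentifier = hash
subjectAltName = email:move

[ enc_req ]
keyUsage = critical,keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
subjectAltName = email:move

[ sign_cert ]
keyUsage = critical,digitalSignature
basicConstraints = CA:false
extendedKeyUsage = emailProtection,clientAuth,msSmartcardLogin
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = email:move

[ enc_cert ]
keyUsage = critical,keyEncipherment
basicConstraints = CA:false
extendedKeyUsage = emailProtection,msEFS
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = email:move
EOF

# Throwaway CA (constructed for the example).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example CA" -config "$WORK/smime.cnf" -extensions ca_ext \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# make_cert NAME REQ_SECTION CERT_SECTION: key + CSR, then sign with the CA.
make_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/smime.cnf" \
    -reqexts "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/smime.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

make_cert sign sign_req sign_cert   # the signing cert (0x19 in the post)
make_cert enc  enc_req  enc_cert    # the encryption cert (0x0D in the post)

# cert_ext_value CERT "X509v3 Key Usage": the value line of that extension
# as printed by "openssl x509 -text", with leading whitespace removed.
cert_ext_value() {
  openssl x509 -in "$1" -noout -text |
    awk -v name="$2" 'index($0, name ":") { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# cert_subject CERT: the subject DN, to see whether emailAddress moved to the SAN.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

for c in sign enc; do
  echo "$c: KU  = $(cert_ext_value "$WORK/$c.crt" "X509v3 Key Usage")"
  echo "$c: EKU = $(cert_ext_value "$WORK/$c.crt" "X509v3 Extended Key Usage")"
  echo "$c: SAN = $(cert_ext_value "$WORK/$c.crt" "X509v3 Subject Alternative Name")"
  echo "$c: $(cert_subject "$WORK/$c.crt")"
done
```

Run it as-is; the signing cert should report only "Digital Signature" and the encryption cert only "Key Encipherment", which is the split a client needs to see before it can treat the two as separate roles. Comparing this output against the same two lines from the certificates imported into the mail client is the quickest way to confirm that the extensions in the -extensions section, not the ones in the CSR, are what ended up in the issued certificate.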