<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I wanted to switch to having separate signing and encryption
certificates. I followed the outline at Stefan Holek's excellent<br>
<a class="moz-txt-link-freetext" href="http://pki-tutorial.readthedocs.org/en/latest/expert/index.html">http://pki-tutorial.readthedocs.org/en/latest/expert/index.html</a><br>
That is, the signing cert request used<br>
<blockquote><tt>keyUsage = critical,digitalSignature</tt><br>
<tt>extendedKeyUsage = emailProtection,clientAuth</tt><br>
<tt>subjectKeyIdentifier = hash</tt><br>
<tt>subjectAltName = email:move</tt><br>
</blockquote>
And the encryption cert request used<br>
<blockquote><tt>keyUsage = critical,keyEncipherment</tt><br>
<tt>extendedKeyUsage = emailProtection</tt><br>
<tt>subjectKeyIdentifier = hash</tt><br>
<tt>subjectAltName = email:move</tt><br>
</blockquote>
The generated CSRs were signed by my own CA using the following
-extensions<br>
<blockquote><tt>keyUsage = critical,digitalSignature</tt><br>
<tt>basicConstraints = CA:false</tt><br>
<tt>extendedKeyUsage = emailProtection,clientAuth,msSmartcardLogin</tt><br>
<tt>subjectKeyIdentifier = hash</tt><br>
<tt>authorityKeyIdentifier = keyid:always</tt><br>
<tt>authorityInfoAccess = @issuer_info</tt><br>
<tt>crlDistributionPoints = @crl_info</tt><br>
</blockquote>
and<br>
<blockquote><tt>keyUsage = critical,keyEncipherment</tt><br>
<tt>basicConstraints = CA:false</tt><br>
<tt>extendedKeyUsage = emailProtection,msEFS</tt><br>
<tt>subjectKeyIdentifier = hash</tt><br>
<tt>authorityKeyIdentifier = keyid:always</tt><br>
<tt>authorityInfoAccess = @issuer_info</tt><br>
<tt>crlDistributionPoints = @crl_info</tt><br>
</blockquote>
respectively, resulting in certificate serials 0x19 and 0x0D. This
was done with openssl-1.0.1k on openSUSE 13.2.<br>
<br>
I imported the CA cert into Thunderbird under "Authorities" and set
it to be trusted, and imported 0x19 and 0x0D into Thunderbird under
"Your Certificates". I then went to Account Settings > Security,
and clicked on "Select" button for the Digital Signing box. It
offers me a choice of 0x19 or my old combined sign/encrypt cert. I
pick 0x19. It asks me whether I want to use it for encryption too,
and I said no. I then clicked on the "Select" for the Encryption
box. It offered me the same two certs as choices: 0x19 or my old
combined cert. It did not offer 0x0D.<br>
<br>
So the question is what does the above recipe fail to do to make an
encryption cert that Thunderbird would recognize and offer as a
choice?<br>
<br>
The CN and SAN of the two certs are identical (my name and my email
address respectively). Is that a problem? How do others create
separate signing and encryption certs?<br>
<br>
I don't want to delete my old combined cert, since then I would not
be able to read old S/MIME messages to me.<br>
<br>
Suggestions and comments welcome.<br>
<br>
-Earl<br>
<br>
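Added example, not part of Earl's post: a POSIX shell script that uses openssl(1) to build three throwaway self-signed certificates with the keyUsage/extendedKeyUsage combinations discussed above, then reads each one back and reports whether its extensions permit S/MIME signing, encryption, or both. The function names make_cert and smime_role, the "Test User" identity and user@example.com are constructed; the script does not reproduce the CA, authorityInfoAccess or crlDistributionPoints settings from the post.<br>

```shell
#!/bin/sh
# Added example (not from the original post): build test S/MIME certificates
# with different keyUsage/extendedKeyUsage values and report which S/MIME
# role each one qualifies for, using only openssl(1).
# make_cert, smime_role, "Test User" and user@example.com are constructed names.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE EKU
# Writes $WORK/NAME.pem: a throwaway self-signed cert carrying the given
# keyUsage (marked critical, as in the post) and extendedKeyUsage.
make_cert() {
    name=$1; ku=$2; eku=$3
    cat > "$WORK/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = exts
[ dn ]
CN = Test User
[ exts ]
keyUsage = critical,$ku
extendedKeyUsage = $eku
subjectKeyIdentifier = hash
subjectAltName = email:user@example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
}

# smime_role CERT.pem
# Prints one of: sign, encrypt, sign+encrypt, none.
# Rules (RFC 5280 / RFC 5750): signing needs digitalSignature (or
# nonRepudiation); RSA key-transport encryption needs keyEncipherment; a
# cert with no keyUsage extension is unrestricted; if an extendedKeyUsage
# extension is present it must include emailProtection for either role.
smime_role() {
    text=$(openssl x509 -in "$1" -noout -text)
    # The value of each extension is printed on the line after its name.
    ku=$(printf '%s\n' "$text"  | awk '/X509v3 Key Usage/ {getline; print; exit}')
    eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ {getline; print; exit}')

    can_sign=0; can_enc=0
    if [ -z "$ku" ]; then
        can_sign=1; can_enc=1          # no keyUsage extension: no restriction
    else
        case "$ku" in *"Digital Signature"*|*"Non Repudiation"*) can_sign=1 ;; esac
        case "$ku" in *"Key Encipherment"*) can_enc=1 ;; esac
    fi
    if [ -n "$eku" ]; then
        case "$eku" in *"E-mail Protection"*) ;; *) can_sign=0; can_enc=0 ;; esac
    fi

    if   [ "$can_sign" = 1 ] && [ "$can_enc" = 1 ]; then echo sign+encrypt
    elif [ "$can_sign" = 1 ]; then echo sign
    elif [ "$can_enc" = 1 ]; then echo encrypt
    else echo none
    fi
}

# Demo: the three shapes discussed in the post (signing-only, encryption-only,
# and the old combined certificate).
make_cert sign digitalSignature                 emailProtection,clientAuth
make_cert enc  keyEncipherment                  emailProtection
make_cert both digitalSignature,keyEncipherment emailProtection
for n in sign enc both; do
    printf '%-5s -> %s\n' "$n" "$(smime_role "$WORK/$n.pem")"
done
```

Running smime_role against an exported copy of the real 0x0D certificate shows what its extensions actually say; if it reports encrypt, the keyUsage and extendedKeyUsage values are not what is stopping the mail client from offering it, and the search moves to the client side.<br>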
</body>
</html>