How to sign a certificate for s/mime and generate pkcs12 store with existing CA?

cn flag

I want to create a certificate store file in pkcs12 format to use in thunderbird for s/mime signing and encrypting. I already run a mail and web server that use certificates signed by a CA certificate that I have created. I want to sign the mail user's cert with that same CA.

I loosely followed this guide but adjusted my steps to fit my setup.

The CA cert is in PEM format.

I create the p12 certificate store like so

touch ./tmp.pwd && chmod 600 ./tmp.pwd
vim ./tmp.pwd # enter password

mkdir reqs && mkdir certs && mkdir Pkeys

CLIENT_MAIL="[email protected]"
CN="My Name"

# generate request and private key
# NOTE 1*
openssl req -new -passout: file:./tmp.pwd -keyout "Pkeys/${BASE_FILE_NAME}-key.pem" -out "reqs/${BASE_FILE_NAME}.pem" -subj "/O=${O}/CN=${CN}/emailAddress=${CLIENT_MAIL}" -extensions smime -config ./openssl.cnf

# check request
openssl req -noout -text -in "reqs/${BASE_FILE_NAME}.pem"

# issue the certificate
openssl ca -in "reqs/${BASE_FILE_NAME}.pem" -days 3650 -batch -out "certs/${BASE_FILE_NAME}-cert.pem" -extensions smime -config ./openssl.cnf

# verify
openssl verify -CAfile "CA.pem" "certs/${BASE_FILE_NAME}-cert.pem"
# NOTE 2*
openssl x509 -noout -text -in "certs/${BASE_FILE_NAME}-cert.pem"

# build certificate chain
openssl x509 -in CA.pem -inform PEM -out tmp-root.x509
openssl x509 -in "certs/${BASE_FILE_NAME}-cert.pem" -inform PEM -out tmp-cert.x509

cat "tmp-cert.x509" "tmp-root.x509" > "certs/${BASE_FILE_NAME}-cert-chain.pem"
rm tmp-cert.x509 tmp-root.x509

# make pkcs12 container
# openssl can't open the same file twice for password
cp tmp.pwd tmp2.pwd
openssl pkcs12 -passin file:./tmp.pwd -passout file:tmp2.pwd -export -in "certs/${BASE_FILE_NAME}-cert-chain.pem" -inkey "Pkeys/${BASE_FILE_NAME}-key.pem" -CAfile CA.pem -out "certs/${BASE_FILE_NAME}-cert.p12"

rm ./tmp2.pwd
# check
# NOTE 3*
openssl pkcs12 -passin file:.tmp.pwd -info -in "certs/${BASE_FILE_NAME}-cert.p12" -noout

rm ./tmp.pwd ./tmp2.pwd

The problem is that I can import the certificate in thunderbird just fine, and even select it for signing and encryption. But when I actually try to send a signed mail I get this error:

Sending of the message failed.
You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired.

I have noticed that when I look at the certificate in thunderbird that it only shows the certificate itself, while I believe it should show the CA certificate in a separate tab at the top, as firefox does with the web certificates.

Note 1

The openssl.cnf file looks like this

[ ca ]
default_ca                              = CA_redacted

[ none ]
# Empty section

[ CA_redacted ]
dir                                     = .
certs                                   = $dir/certs
crl_dir                                 = $dir/crls
database                                = $dir/db/index.txt
new_certs_dir                           = $certs
certificate                             = $dir/CA.pem
serial                                  = $dir/db/serial
crl                                     = $dir/crls/crl.pem
private_key                             = $dir/CAkey/CA_key.pem
RANDFILE                                = $dir/CAkey/.rand
copy_extensions                         = copy
x509_extensions                         = cert_ext
default_days                            = 3650
default_crl_days                        = 365
default_md                              = sha512
policy                                  = policy

# policy for requests to be valid
[ policy ]
organizationName                        = match
organizationalUnitName                  = optional
commonName                              = supplied
emailAddress                            = optional

# These extensions are copied to the issued certs when signing it.
[ cert_ext ]
basicConstraints                        = critical,CA:FALSE
authorityKeyIdentifier                  = keyid,issuer:always
subjectKeyIdentifier                    = hash
issuerAltName                           = issuer:copy
authorityInfoAccess                     = caIssuers;URI:http://redacted/CA.der
crlDistributionPoints                   = URI:http://redacted/crl.pem

# Extensions for the CA itself.
[ CA_cert_ext ]
basicConstraints                        = critical, CA:TRUE
keyUsage                                = critical, keyCertSign, cRLSign, digitalSignature, dataEncipherment, keyEncipherment, digitalSignature
extendedKeyUsage                        = serverAuth,clientAuth
subjectKeyIdentifier                    = hash
authorityKeyIdentifier                  = none

[ req ]
default_bits                            = 8192
distinguished_name                      = req_dn
x509_extensions                         = CA_cert_ext
req_extensions                          = v3_req

# this section is not used for mail.
[ v3_req ]
# [.. snip]

[ req_dn ]
0.organizationName                      = Organization Name (eg. company)
0.organizationName_default              = redacted
organizationalUnitName                  = Organization Unit Name
commonName                              = Common Name
commonName_default                      = CHANGEME
commonName_max                          = 64
emailAddress                            = Email Address
emailAddress_max                        = 64

# This section is used to add extensions when signing certificates used for email protection
[ smime ]
basicConstraints                        = critical, CA:FALSE
keyUsage                                = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage                        = emailProtection
subjectKeyIdentifier                    = hash
authorityKeyIdentifier                  = keyid:always, issuer
subjectAltName                          = email:copy

Note 2

The created mail certificate looks like this

        Version: 3 (0x2)
        Serial Number: 37 (0x25)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O = [redacted], CN = CA Server
            Not Before: May 13 00:14:38 2023 GMT
            Not After : May 10 00:14:38 2033 GMT
        Subject: O = [redacted], CN = My Name, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (8192 bit)
                    [... snip]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                E-mail Protection
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
            X509v3 Subject Alternative Name:
                email:[email protected]
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        [... snip]

Note 3

the output of the pcks12 info looks like this

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
I sit in a Tesla and translated this thread with Ai:


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.