Thunderbird and system-wide certificate authorities

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I need to install a CA for a mail server that works for Thunderbird (technically icedove) and other mail clients.



Other mail clients are easy, I just take the following step:



cp ca.crt /usr/share/ca-certificates/trust-source/anchors
sudo update-ca-trust extract


And anything that uses my system CA will trust the server.



But Thunderbird only works if the following two conditions are met:




  • The cert is installed in my Thunderbird profile with the following command



    certutil -A -n my-ca-nickname -t "C,," -i ca.crt -d ~/.thunderbird/*.profile


  • The cert has not been installed system-wide using the update-ca-trust method


Why won't Thunderbird play nice? Why doesn't a system-wide CA install work with Thunderbird? And why does a system-wide CA actually block the profile-specific CA installation from working?



(Note: when I do a profile-specific installation, the CA shows up in the "manage certificates" window as a "Software Security Device", but when I do a system-wide installation the CA shows up as a "Builtin Object Token" and I don't understand the difference)



I am using Parabola Linux (derived from Archlinux) and Icedove version 52.5.0







share|improve this question
























    up vote
    0
    down vote

    favorite












    I need to install a CA for a mail server that works for Thunderbird (technically icedove) and other mail clients.



    Other mail clients are easy, I just take the following step:



    cp ca.crt /usr/share/ca-certificates/trust-source/anchors
    sudo update-ca-trust extract


    And anything that uses my system CA will trust the server.



    But Thunderbird only works if the following two conditions are met:




    • The cert is installed in my Thunderbird profile with the following command



      certutil -A -n my-ca-nickname -t "C,," -i ca.crt -d ~/.thunderbird/*.profile


    • The cert has not been installed system-wide using the update-ca-trust method


    Why won't Thunderbird play nice? Why doesn't a system-wide CA install work with Thunderbird? And why does a system-wide CA actually block the profile-specific CA installation from working?



    (Note: when I do a profile-specific installation, the CA shows up in the "manage certificates" window as a "Software Security Device", but when I do a system-wide installation the CA shows up as a "Builtin Object Token" and I don't understand the difference)



    I am using Parabola Linux (derived from Archlinux) and Icedove version 52.5.0







    share|improve this question






















      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I need to install a CA for a mail server that works for Thunderbird (technically icedove) and other mail clients.



      Other mail clients are easy, I just take the following step:



      cp ca.crt /usr/share/ca-certificates/trust-source/anchors
      sudo update-ca-trust extract


      And anything that uses my system CA will trust the server.



      But Thunderbird only works if the following two conditions are met:




      • The cert is installed in my Thunderbird profile with the following command



        certutil -A -n my-ca-nickname -t "C,," -i ca.crt -d ~/.thunderbird/*.profile


      • The cert has not been installed system-wide using the update-ca-trust method


      Why won't Thunderbird play nice? Why doesn't a system-wide CA install work with Thunderbird? And why does a system-wide CA actually block the profile-specific CA installation from working?



      (Note: when I do a profile-specific installation, the CA shows up in the "manage certificates" window as a "Software Security Device", but when I do a system-wide installation the CA shows up as a "Builtin Object Token" and I don't understand the difference)



      I am using Parabola Linux (derived from Archlinux) and Icedove version 52.5.0







      share|improve this question












      I need to install a CA for a mail server that works for Thunderbird (technically icedove) and other mail clients.



      Other mail clients are easy, I just take the following step:



      cp ca.crt /usr/share/ca-certificates/trust-source/anchors
      sudo update-ca-trust extract


      And anything that uses my system CA will trust the server.



      But Thunderbird only works if the following two conditions are met:




      • The cert is installed in my Thunderbird profile with the following command



        certutil -A -n my-ca-nickname -t "C,," -i ca.crt -d ~/.thunderbird/*.profile


      • The cert has not been installed system-wide using the update-ca-trust method


      Why won't Thunderbird play nice? Why doesn't a system-wide CA install work with Thunderbird? And why does a system-wide CA actually block the profile-specific CA installation from working?



      (Note: when I do a profile-specific installation, the CA shows up in the "manage certificates" window as a "Software Security Device", but when I do a system-wide installation the CA shows up as a "Builtin Object Token" and I don't understand the difference)



      I am using Parabola Linux (derived from Archlinux) and Icedove version 52.5.0









      share|improve this question











      share|improve this question




      share|improve this question










      asked Dec 22 '17 at 15:48









      rexroni

      618415




      618415

























          active

          oldest

          votes











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f412538%2fthunderbird-and-system-wide-certificate-authorities%23new-answer', 'question_page');

          );

          Post as a guest



































          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes










           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f412538%2fthunderbird-and-system-wide-certificate-authorities%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?