Thunderbird and system-wide certificate authorities













I need to install a CA for a mail server that works for Thunderbird (technically icedove) and other mail clients.



Other mail clients are easy, I just take the following step:



cp ca.crt /usr/share/ca-certificates/trust-source/anchors
sudo update-ca-trust extract


And anything that uses my system CA will trust the server.



But Thunderbird only works if the following two conditions are met:




  • The cert is installed in my Thunderbird profile with the following command



    certutil -A -n my-ca-nickname -t "C,," -i ca.crt -d ~/.thunderbird/*.profile


  • The cert has not been installed system-wide using the update-ca-trust method


Why won't Thunderbird play nice? Why doesn't a system-wide CA install work with Thunderbird? And why does a system-wide CA actually block the profile-specific CA installation from working?



(Note: when I do a profile-specific installation, the CA shows up in the "manage certificates" window as a "Software Security Device", but when I do a system-wide installation the CA shows up as a "Builtin Object Token" and I don't understand the difference)



I am using Parabola Linux (derived from Archlinux) and Icedove version 52.5.0

















      asked Dec 22 '17 at 15:48









      rexroni
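To see which trust a profile's NSS database actually records for the CA, the `certutil -L` listing can be parsed and its trust triple decoded. This is an added example, not part of the original question; the listing in SAMPLE_LISTING is constructed and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example. SAMPLE_LISTING is constructed to mimic `certutil -L -d <profile>`
# output; only the nickname "my-ca-nickname" and the flags "C,," come from the post.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

my-ca-nickname                                               C,,
Some Intermediate CA                                         ,,
'

# Print the trust triple for a nickname from a listing on stdin.
# Nicknames may contain spaces, so the triple is taken as the last field.
trust_of() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust column
            if (name == nick) { print flags; found = 1; exit }
        }
        END { exit !found }'
}

# Succeed if field N (1=SSL, 2=S/MIME, 3=code signing) of a triple contains FLAG.
has_flag() {
    local field
    field=$(printf '%s' "$1" | cut -d, -f"$2")
    case "$field" in *"$3"*) return 0 ;; *) return 1 ;; esac
}

# Classify a nickname: "tls-anchor" means a trusted CA for TLS server
# certificates (flag C in the SSL field), as the -t "C,," option sets.
check_ca() {
    local triple
    triple=$(trust_of "$1") || { echo "missing"; return 1; }
    if has_flag "$triple" 1 C; then
        echo "tls-anchor"
    else
        echo "present-untrusted"; return 1
    fi
}

# Against a real profile: certutil -L -d <profile-dir> | check_ca my-ca-nickname
printf '%s' "$SAMPLE_LISTING" | check_ca my-ca-nickname
```

A result of `present-untrusted` means the certificate is stored in the profile but carries no CA trust for TLS, so server certificates it issued will still be rejected.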

























