
Generating SMIME certificate with several identities

PostPosted: Dec 13th, '15, 11:06
by mackowiakp
I created, for the company I am working for, our own CA for several purposes (based on an M5 server). One of them is generating SMIME certificates for email signing/encryption. I use such certificates on different platforms like Linux M5 (most common), Apple Mail, WIN, Android etc.
Practically all people in the company have several email accounts. Most people use Thunderbird as their email client. Because of a bug (since TB ver 3 !!!) https://bugzilla.mozilla.org/show_bug.cgi?id=252250 it is not possible to import more than one individual certificate. So it is possible to install an individual certificate for only one identity, that is one email address. Googled workarounds, including TB add-ons, do not work.
Using OpenPGP it is possible to assign one certificate to several identities/email addresses. As far as I know, some paid SMIME certificate providers offer SMIME certs with several identities.

So, how can I generate one SMIME certificate with several identities/email addresses?

Below is the script I use to generate individual SMIME certs, signed by our own CA.

#!/bin/bash
# Working directory holding ca.crt and ca.key
dir="/home/maciek/Dokumenty/SMIME"
cd "$dir" || exit 1
# Generate the personal key (passphrase-protected) and a CSR
echo "Generowanie certyfikatu osobistego"
echo
openssl genrsa -des3 -out humble_coder.key 4096
openssl req -new -key humble_coder.key -out humble_coder.csr
# Sign the CSR with the company CA. -CAcreateserial keeps a ca.srl counter next to
# ca.crt so every issued certificate gets a unique serial number (the original
# -set_serial 1 gave every certificate the same serial, which clients reject).
echo "Podpisanie certyfikatu osobistego przez CA"
echo
openssl x509 -req -days 3650 -in humble_coder.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out humble_coder.crt -setalias "Certyfikat wydany przez EPI" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout
# Bundle certificate and key into a PKCS#12 file for import into mail clients
echo "Konwersja certyfikatu na p12"
echo
openssl pkcs12 -export -in humble_coder.crt -inkey humble_coder.key -out humble_coder.p12
echo
# Ask for the output file name, rename the bundle and remove the intermediate files
echo "Jak ma się nazywać certyfikat?"
read -r name
mv -f ./humble_coder.p12 "$name.p12"
rm -f ./humble_coder*


Any idea?

Re: Generating SMIME certificate with several identities

PostPosted: Dec 13th, '15, 12:22
by doktor5000
For the bug you mentioned, check e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=252250#c20 which explains how to import/configure multiple certificates for older TB versions.
And as mentioned there, you could also use this addon: https://addons.mozilla.org/en-US/thunde ... ltiple-id/ as a workaround.
Apart from that, the bug has been fixed for a long time, as the GUI dialog for S/MIME settings was introduced via https://bugzilla.mozilla.org/show_bug.cgi?id=455310

In theory, it should be possible, by providing multiple values for the "SubjectAltName" certificate extension (which should also be used for the main identity, as use of SubjectName is deprecated for that)
Extensions are documented here: https://www.openssl.org/docs/manmaster/ ... onfig.html

The question is, do all the used mail clients actually support this?

See also
https://groups.google.com/forum/#!topic ... YFSuILYjqc
http://security.stackexchange.com/a/11547/55107
https://tools.ietf.org/html/rfc5752
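The SubjectAltName approach described in the reply above, written out as an added example that is not part of this thread and not the original poster's script. It issues one S/MIME certificate whose subjectAltName carries several email: entries, signed by a throwaway CA it creates itself (a real deployment would reuse the existing ca.crt/ca.key instead). All names, paths and addresses are constructed for the demonstration; only a working openssl binary is assumed.

```shell
#!/bin/sh
# Added example (not the poster's script): one S/MIME end-entity certificate
# with several rfc822Name (email:) entries in subjectAltName, signed by a CA.
set -eu

# gen_smime_cert WORKDIR ADDR1 [ADDR2 ...]
# Builds a demo CA in WORKDIR (constructed), then a user key, CSR and a
# CA-signed certificate listing every ADDR in subjectAltName. Prints the
# certificate path. The first address also goes into the subject DN for
# clients that still look there.
gen_smime_cert() {
  workdir=$1; shift
  [ "$#" -ge 1 ] || { echo "need at least one e-mail address" >&2; return 1; }
  primary=$1

  # Build the comma-separated SAN list: email:a@x,email:b@y,...
  san=""
  for addr in "$@"; do
    san="${san:+$san,}email:$addr"
  done

  # Extension profile for an S/MIME end-entity certificate
  cat > "$workdir/smime.cnf" <<EOF
[ v3_smime ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = $san
EOF

  # Demo CA (constructed); in production reuse the existing ca.key/ca.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$workdir/ca.key" -out "$workdir/ca.crt" \
    -subj "/CN=Demo S-MIME CA" 2>/dev/null

  # User key and CSR; the key is unencrypted here only to keep the demo
  # non-interactive
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$workdir/user.key" -out "$workdir/user.csr" \
    -subj "/CN=Demo User/emailAddress=$primary" 2>/dev/null

  # Sign the CSR, attaching the extension profile. -CAcreateserial keeps a
  # ca.srl counter so serial numbers stay unique across everything the CA issues.
  openssl x509 -req -days 365 -in "$workdir/user.csr" \
    -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
    -extfile "$workdir/smime.cnf" -extensions v3_smime \
    -out "$workdir/user.crt" 2>/dev/null

  printf '%s\n' "$workdir/user.crt"
}

# cert_emails CERT: print the e-mail addresses in the certificate's
# subjectAltName, one per line, the way a mail client will see them
cert_emails() {
  openssl x509 -in "$1" -noout -text \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*email:\([^[:space:]]*\).*/\1/p'
}

# Usage: one certificate covering two addresses
demo_dir=$(mktemp -d)
demo_crt=$(gen_smime_cert "$demo_dir" alice@example.com alice@example.org)
echo "SAN e-mail entries in $demo_crt:"
cert_emails "$demo_crt"
```

To feed this into the original workflow, export user.crt plus user.key with openssl pkcs12 -export as the poster's script already does; whether a given client honours the second and later email: entries is exactly the open question raised above, so check each client against a certificate built this way before rolling it out.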

Re: Generating SMIME certificate with several identities

PostPosted: Dec 14th, '15, 08:28
by mackowiakp
I tried to use https://addons.mozilla.org/en-US/thunde ... ltiple-id/ but it is not compatible with the current version of Thunderbird distributed by Mageia 5 (current version 38.4.0).
https://bugzilla.mozilla.org/show_bug.cgi?id=455310 states that the problem is fixed. It is not true in ver 38.4.0 of TB. Simply, it is not possible to import more than one individual SMIME cert; only one identity works. TB reports something like "Unknown problem occurs during certificate import".
I will try to play with "SubjectAltName". The question is how to generate and sign such a certificate using openssl.

Re: Generating SMIME certificate with several identities

PostPosted: Dec 14th, '15, 14:43
by doktor5000
You could also ask on the thunderbird-enterprise mailing list how others handle this and whether it is possible the way you intend to do it.
https://wiki.mozilla.org/Thunderbird/tb-enterprise