Importing a pfx or p12 file into Thunderbird

A Thunderbird recipient receives the following message1 containing the attached password encrypted pfx:

Thunderbird email with pfx attachment

1. Save the pfx attachment onto your system

2. Open the certificates options page

Open tools menu Tools → options, select the Advanced settings and open the Certificates tab
Thunderbird certificates options

3. Click "View Certificates"

This opens the "Certificate Manager" dialog

Thunderbird certificate manager

4. Click "Import" and select the pfx from step 1.

The first time you add a certificate, you are asked to set a "Master Password". All the private keys stored in Thunderbird will be protected with the master password to ensure that only you can access the private keys. You only have to set the master password once.

Note: this is NOT the password for the pfx file that has been handed out to you! The master password should be chosen by you.

5. Set the master password and click "OK"

Thunderbird set master password

6. Enter the pfx password and click "OK"

you are now asked for the password of the password protected pfx file. This is the password that was given to you via an SMS Text message or in some other way.
Thunderbird password entry dialog

7. Finished.

Now that you have installed a certificate and private key, you are able to receive encrypted email.

[The following steps are only required if you want to send encrypted email]

Trust the imported certificate

The certificate with the private key and the root and intermediate certificates have now been installed. You should now manually trust the root certificate because it is not automatically trusted. You first need to find out which root you need to trust.

1. Open "Your Certificates" tab on the "Certificate Manager"

Open tools menu Tools → options, select the Advanced settings and open the Certificates tab, Click "View Certificates" and select the "Your Certificates" tab.
Thunderbird your certificates

2. View certificate properties and get the name of the root

Double-click the certificate you just installed. The certificate details should now be shown. The first entry in the "Certificate Hierarchy" is the root certificate. Write down the name of the root certificate. It is needed in the following steps.
Thunderbird root details

3. Select the root certificate

Open the "Certificate Manager" (see step 1) and select the "Authorities" tab. In the certificate list select the root certificate from step 2.
Thunderbird authorities

4. Trust the root certificate

Click the "Edit" button and select "This certificate can identify mail users.".
Thunderbird edit ca certificate trust settings

Associate the certificate with your account

The imported certificate must be associated with your email account.

1. Open the security settings for your Tunderbird account

Open Tools → Account settings... and select the "Security" options for your account.
Thunderbird account settings

2. Select the signing certificate

Click "Select..." for the "Digital Signing" certificate and select the certificate you just imported.

3. Select the encryption certificate

Click "Select..." for the "Encryption" certificate and select the certificate you just imported.

4. Finish.

We will now explain how to receive and send encrypted email.

Receiving signed and encrypted email

A signed and encrypted message looks as follows:

Thunderbird signed and encrypted

The 'lock' Lock shows that the message was encrypted and the 'envelope' Signed shows that the message was signed.

Sending signed and encrypted email

1. Enable encryption and signing

Enable "Encrypt This Message" and "Digitally Sign This Message" from the security menu.
Thunderbird sign and encrypt

2. Send mail

3. Finished.

  1. In this example the password was sent via an SMS Text message. The message is slightly different when the password was not sent via SMS.