We are in the process of setting up a self-hosted mail solution in our lab and we're required to be our own CA. The problem we're having is that Thunderbird is complaining that our root certificate is untrusted, even though we know it's valid.
The problem is that Thunderbird comes with its own certificates that it trusts, and it does not look at the computer's trusted certificates, so just pushing a GPO to all clients with the root certificate does not work.
We need to automate the deployment of importing the root certificate into Thunderbird and are having severe problems figuring out how.
Autoconfig is working and Thunderbird is getting the right server configuration, but the certificate error is still persistent. The only known way is to manually import the certificate into Thunderbird's trusted certificates.
Does anyone here have a suggestion on how to proceed?
Best Answer
Because Thunderbird is based on the same platform as Firefox, you should be able to use the same tools as Firefox would use.
There are several options of tools you can use, in order of simplest to most complex:
1. It may be built-in!
Thunderbird has experimental support for auto-importing certificates from the OS Certificate store.
Here's how to enable it manually: find the preference security.enterprise_roots.enabled and set it to true. You can automate this by deploying a config file to the computers.
2. Deploy a default profile
You can add the certificate to your own profile, then copy your profile's cert8.db file to the main program folder. Any new profile that is created on the computer will then use that version of cert8.db. Unfortunately, this will not help for any user who has already opened Thunderbird because their profiles have already been created.
See https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Thunderbird_Enterprise_Tips#Using_a_private_CA_certificate for more info.
3. Deploy a config file
As mentioned and linked above in option #1, Mozilla products support deploying a configuration file in C:\Program Files (possibly x86)\Mozilla Thunderbird\defaults\pref\autoconfig.js. You can put a script in that file which adds your certificate to the certificate store. Here's an example:
4. Mozilla's certutil executable
You can create a login script that runs certutil to add the certificate to the user's profile. This forum post has an example script (for Firefox), of which the important part is copied below (with modifications for Thunderbird). (Note: do not confuse this with Microsoft's program of the same name.)
5. You can use a management tool
CCK2 is a third-party management tool for Mozilla products. See its documentation for more details.
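The following is an added example, not code from the question, the answer, or Mozilla: a PowerShell deployment script that combines options #1/#3 and #4 above. It writes the AutoConfig pair (defaults\pref\autoconfig.js plus a cfg file in the install root) that turns on security.enterprise_roots.enabled, so Thunderbird also honours the root pushed to the Windows store by GPO, and it imports the CA into every existing profile's NSS database with Mozilla's certutil, verifying the import afterwards. Everything not on the page is an assumption: the install directory, the location of certutil.exe (it is not shipped with Thunderbird, so NSS tools have to be deployed separately), the UNC path of the CA file, the nickname, and the pinned thumbprint. It assumes a current Thunderbird, whose profiles store certificates in cert9.db (certutil's sql: prefix); older profiles that still use cert8.db would need the dbm: prefix instead.

```powershell
# Added example: deploy a private root CA to Thunderbird on Windows.
# All paths, the nickname and the thumbprint below are placeholders (assumptions).
param(
    [string]$InstallDir = 'C:\Program Files\Mozilla Thunderbird',
    [string]$CertUtil   = 'C:\Program Files\NSS\certutil.exe',   # assumed; NSS tools deployed separately
    [string]$CaPem      = '\\fileserver\pki\lab-root-ca.pem',     # assumed share
    [string]$Nickname   = 'Lab Root CA',
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'  # assumed SHA-1 pin
)

function Write-ThunderbirdAutoconfig {
    # Option #1/#3: AutoConfig file that enables trust of the Windows certificate store.
    # Needs write access to the install dir, so run it from a computer startup script.
    param([string]$Dir)
    $prefDir = Join-Path $Dir 'defaults\pref'
    New-Item -ItemType Directory -Path $prefDir -Force | Out-Null

    # autoconfig.js names the cfg file; obscure_value 0 means it is plain text, not byte-shifted.
    @'
pref("general.config.filename", "thunderbird.cfg");
pref("general.config.obscure_value", 0);
'@ | Set-Content -Path (Join-Path $prefDir 'autoconfig.js') -Encoding ASCII

    # Thunderbird skips the first line of the cfg file, so it must be a comment.
    @'
// Lab AutoConfig: also trust CA certificates found in the Windows certificate store
lockPref("security.enterprise_roots.enabled", true);
'@ | Set-Content -Path (Join-Path $Dir 'thunderbird.cfg') -Encoding ASCII
}

function Import-LabRootCa {
    # Option #4: import the CA into each existing profile with NSS certutil.
    # Runs as the user (logon script), because the profiles live under %APPDATA%.
    param([string]$CertUtil, [string]$CaPem, [string]$Nickname, [string]$ExpectedThumbprint)
    if (-not (Test-Path $CertUtil)) { throw "certutil not found at $CertUtil" }
    if (-not (Test-Path $CaPem))    { throw "CA file not found at $CaPem" }

    # Check: never import whatever happens to sit on the share; compare against a pinned thumbprint
    # so a tampered file cannot plant a rogue root in every mail client.
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaPem
    if ($ca.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
        throw "Thumbprint mismatch for $CaPem: got $($ca.Thumbprint), expected $ExpectedThumbprint"
    }

    $profileRoot = Join-Path $env:APPDATA 'Thunderbird\Profiles'
    if (-not (Test-Path $profileRoot)) { Write-Verbose 'No Thunderbird profiles yet'; return }

    foreach ($profile in Get-ChildItem -Path $profileRoot -Directory) {
        $db = "sql:$($profile.FullName)"   # cert9.db/key4.db; use dbm: for legacy cert8.db profiles

        # Idempotent: skip profiles that already list the nickname.
        $already = & $CertUtil -L -d $db 2>$null | Select-String -SimpleMatch $Nickname
        if ($already) { Write-Output "skip: $($profile.Name) already has '$Nickname'"; continue }

        # -A adds a certificate; trust 'C,C,' = trusted CA for TLS servers and for e-mail (S/MIME).
        & $CertUtil -A -n $Nickname -t 'C,C,' -i $CaPem -d $db
        if ($LASTEXITCODE -ne 0) { Write-Warning "import failed for $($profile.Name)"; continue }

        # Verify: the nickname must now appear in the listing with its trust flags.
        $listed = & $CertUtil -L -d $db | Select-String -SimpleMatch $Nickname
        if ($listed) { Write-Output "ok: $($profile.Name): $listed" }
        else         { Write-Warning "'$Nickname' not listed in $($profile.Name) after import" }
    }
}

Write-ThunderbirdAutoconfig -Dir $InstallDir
Import-LabRootCa -CertUtil $CertUtil -CaPem $CaPem -Nickname $Nickname -ExpectedThumbprint $ExpectedThumbprint
```

In practice the two halves run in different contexts: Write-ThunderbirdAutoconfig needs to write under Program Files, so it belongs in a computer startup script (running as SYSTEM), while Import-LabRootCa must run as the logged-on user so it can reach that user's profile directory. Thunderbird must be closed while certutil writes to the database, otherwise the import can fail or be lost. Pinning the thumbprint is the one step worth keeping even if you simplify the rest: a logon script that imports any PEM it finds on a share turns that share into a trust anchor for the whole lab.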