Mozilla Thunderbird – Install certificate, how to sign, Encrypt e-mails, LDAP directory service V1.2

6 April 2023

1 Basics

1.1 Purpose of this document

This document is a step-by-step tutorial on how to install certificates in Mozilla Thunderbird, how to sign and encrypt e-mails, and how to receive and decrypt signed and encrypted e-mails. You can download this manual as a PDF here:


1.2 Definitions and abbreviations


S/MIME – standard for signing and encrypting e-mails.


LDAP – abbreviation for „Lightweight Directory Access Protocol“, a protocol for connecting to a directory service over an IP network (e.g. the internet). The directory can be a contact directory, as in this tutorial.

2 Short version

Install certificate:

–      Download the root certificate from:

–      Import the crt file in the certificate manager of Thunderbird under the tab „certification bodies“

–      Import the personal certificate under the tab “Your certificates” (→ 3.1.3 Install certificates for signing)

–      Choose the certificate for signing in the account settings under the category S/MIME safety.

→ Done

Sign e-mails:

–      Create new e-mail.

–      Choose S/MIME in the menu bar and then “sign message”. Afterwards, a sealed envelope symbol will appear in the bottom right corner.

→ Done

Encrypt e-mails:

–      Open the certificate manager, go to the tab “Persons” and import the certificate of the recipient.

–      Create a new e-mail, choose S/MIME in the menu bar and then “Encrypt message”. Afterwards, a lock symbol will appear in the bottom right corner.

→ Done

Receive signed/encrypted e-mails:

–      Open e-mail with double click.

–      At the top right you can see the sealed envelope and, if the message was also encrypted, the lock. By clicking on one of the icons, the details of the signer and the signer’s certificate can be retrieved.

→ Done


LDAP installation short version

Open the address book, then choose the option “LDAP Directory” under “New”.

Insert the server data (without the quotation marks):

–      Name: „GLOBALTRUST“

–      Server address: „“

–      Base-DN: „c=at“

–      Port-Number: „389“

Select “GLOBALTRUST” in the address book on the left side; you can now search using the search bar in the top right corner.

→ Done


3  Detailed documentation certificate management

3.1 Installation of certificates

Purchase suitable S/MIME certificates:

– note: for encrypted e-mail communication, both sender and recipient need a suitable key (certificate)

3.1.1 Import Globaltrust Root-CA certificate


–      Open

–      In the sections „GLOBALTRUST Root CA 2006“, „GLOBALTRUST Root CA 2015“ and „GLOBALTRUST Root CA 2020“ click on the download links for the “DER-format” and save the file.


Direct links of the GLOBALTRUST Root-CA certificates:


3.1.2 Open Thunderbird options

→ Extras → Settings → Advanced → Certificates → Certificates → Certification bodies → Import


→ tick all boxes → OK

Open windows: → Certificate Manager → Settings → close them

The GLOBALTRUST Root-CA certificate is installed.


3.1.3 Install certificates for signing

Import Software-certificates

A software certificate and its key can be used once the PKCS#12 file has been imported.

→ Extras → Settings → Advanced → Certificates → Certificates → Your Certificates → Import → Choose directory (here C:\temp) → Choose file type PKCS12 → Pick the matching PKCS#12 file (here Filename: mein-software-zertifikat.p12) → Open

→ Password entry dialog → Password: your chosen PKCS#12-Password → OK


Your software certificate + key is now installed!

Import E-Token certificate Safenet (Previously Aladdin)

Certificates on external devices (Smartcards, eToken) can be used with a PKCS#11 interface. The module for that PKCS#11 interface needs to be imported to Thunderbird.


→ Extras → Settings → Advanced → Certificates → Cryptography modules → Load

→ Rename to a suitable module name, recommendation: SafeNet eToken PKCS#11 Module → Search


→ C:\Windows\System32 → choose the eTPKCS11.dll file → Open


Safenet-E-Token is now prepared for signing/encrypting!


3.2 Set up certificates for signing

→ Extras → Account Settings

→ Choose user account, example: → S/MIME-Safety → Choose (certificate for signing) + Choose (certificate for encryption). Hint for the encryption certificate: here you have to choose the receiver's certificate, not your own, because otherwise the receiver will not be able to decrypt the e-mail!


Optional: → choose to Sign messages digitally, so that messages are always signed


3.2.1 Create message and send signed

→ Create

→ S/MIME → Sign message


→ send → a window pops up asking for the E-Token password (only with an E-Token certificate); otherwise you are asked for the password of the software certificate



3.3 Encrypt e-Mail

3.3.1 Import receiver certificate

“Open” → OK → OK → done


3.3.2 Create new mail + encrypt

Choose “create” in the main window

Hint I:

“Encrypt message” is only available if the receiver certificate is already installed (here: test@testdomain.test).

Hint II:

The message can also be signed, but the key and the certificate of the e-mail sender have to be installed.

Hint III:

The subject of the e-mail is not encrypted!


3.4 Receive signed/Encrypted e-mails

3.4.1  Open received e-mail

–      After double-clicking the received e-mail, two symbols should appear in the top right corner (lock and sealed envelope). They show that the mail is signed and encrypted.
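Hint III in 3.3.2 and the two symbols described in 3.4.1 both follow from how an S/MIME message is laid out: only the body is wrapped, while the mail headers travel outside it. The Python sketch below is an added example, not part of the original manual; the two sample messages and the function name smime_status are constructed for illustration.

```python
from email import message_from_string

# Constructed sample messages (not real mail); the base64 bodies are placeholders.
ENCRYPTED = """\
From: sender@testdomain.test
To: test@testdomain.test
Subject: Q3 contract draft
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

PLACEHOLDER
"""

SIGNED = """\
From: sender@testdomain.test
To: test@testdomain.test
Subject: Meeting notes
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

PLACEHOLDER
--b1--
"""

CLEAR = ("from", "to", "cc", "subject", "date")

def smime_status(raw):
    """Classify the outer S/MIME layer and list the headers sent in clear text."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    smime_type = (msg.get_param("smime-type") or "").lower()
    protocol = (msg.get_param("protocol") or "").lower()
    pkcs7 = ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
    # enveloped-data / authEnveloped-data: the body is encrypted (lock symbol)
    encrypted = pkcs7 and smime_type in ("enveloped-data", "authenveloped-data")
    # opaque (signed-data) or detached (multipart/signed) signature (envelope symbol)
    signed = (pkcs7 and smime_type == "signed-data") or (
        ctype == "multipart/signed"
        and protocol in ("application/pkcs7-signature", "application/x-pkcs7-signature"))
    clear = {k: v for k, v in msg.items() if k.lower() in CLEAR}
    return {"encrypted": encrypted, "signed": signed, "cleartext_headers": clear}
```

For a message that was signed and then encrypted, the outer layer reports only the encryption; the signature becomes visible once the body has been decrypted.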


3.4.2   Check signature

–      Clicking on the symbols opens the details for signing and encryption. If you click on „View signature certificate“ you can see the details of that certificate.

–      You can close the window by clicking the OK button.


3.4.3 Show certificate details


After checking the certificate, you can close the window with the “close” button. → Done!


4  Mozilla Thunderbird LDAP Address book

GLOBALTRUST provides its customers with an LDAP directory. All certificates issued by GLOBALTRUST can be found in this directory. This makes it possible to send encrypted emails to anyone with a GLOBALTRUST certificate. It is also possible to integrate this directory into the Mozilla Thunderbird address book.


4.1 Detailed documentation LDAP

4.1.1 Open Address book

–      Click on “address book” in the main window


–      Click on File → New → LDAP-directory…


4.1.2 Fill in server details


Enter the information for the directory in the newly opened window.

–      Name: „GLOBALTRUST“

–      Server address: „“

–      Base-DN: „c=at“

–      Port-Number: „389“

When all data has been filled in, click on “OK”.


4.1.3 Search for entries

Choose the matching address book on the left side. Here “GLOBALTRUST”.

In the search bar at the top right, you can look for the desired name/e-mail address. In the list below, you can select the right entry. → Done!

