Installing an S/MIME Certificate and Sending Secure Email in Mozilla Thunderbird on Windows 10

These instructions detail how to install an S/MIME certificate and send secure email messages with Mozilla Thunderbird on Windows PCs. Testing was done in Thunderbird version 60.5.3 on Windows 10 Enterprise, but Thunderbird has natively supported S/MIME for many years. Please check with Mozilla Support about any issues or specific instructions concerning earlier versions of Thunderbird.

Download and install the certificate in Thunderbird:

1. Download a PKCS#12 file with your certificate from your account by clicking the link supplied in your Certificate Activation Link email and following the on-screen instructions in your web browser. You will be prompted to create a password before downloading the file. (Keep this password secure – you will need it later.) Make sure to keep track of where you saved your PKCS#12 file, and do not lose it. If you lose your private key, you will be unable to read messages encrypted with your public key.

Note: when downloading your certificate it is possible to choose between the RSA and ECDSA algorithms via the Algorithm drop-down menu. However, ECDSA keys cannot be used for email encryption, so it’s best to leave this set to RSA.

2. Open Thunderbird, then select Tools >> Options from the menu bar.

3. In the Options window, click Advanced, select the Certificates tab, then click the Manage Certificates button.

4. In the Certificate Manager, click Import…, then navigate to the PKCS#12 file you downloaded from and click Open.

5. When prompted, enter the password you used when downloading the PKCS#12 file, then click OK.

6. The certificate is now installed. Click OK to close the Certificate Manager, then close the Options pane.

7. Next, you will have to configure Thunderbird to use the certificate with your email account. Choose Tools >> Account Settings from the toolbar.

8. Select Security from the list on the left side of the Account Settings window, then click the Select button under Digital Signing.

9. In the Select Certificate dialog box that pops up, make sure the certificate you just installed is selected. The information under Details of selected certificate should match the email address you want to use it with, and will show “” on the Issued by: line. After confirming that the certificate is correct, click OK.


10. A dialog box will pop up, asking if you want to use the same certificate for email encryption and decryption. Click Yes. You can also check the box labeled Digitally sign messages (by default) if you want to make signed outgoing mail the default option, and/or choose the option to require sending encrypted email if desired. Click OK to close the Account Settings pane.

Your S/MIME certificate is now set up and ready to use to sign and encrypt email in Thunderbird.
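
The PKCS#12 file downloaded in step 1 can be inspected before it is imported in step 4, to confirm the points made in the RSA/ECDSA note and in step 9 (email address, issuer, key algorithm). The PowerShell script below is an added example, not part of the original instructions; the default file path and email address are placeholders you must replace.

```powershell
# Added example: inspect a PKCS#12 file before importing it into Thunderbird.
# The default path and email address below are placeholders (assumptions).
using namespace System.Security.Cryptography.X509Certificates

param(
    [string]$P12Path = "$env:USERPROFILE\Downloads\certificate.p12",
    [string]$ExpectedEmail = 'user@example.com'
)

# Public-key algorithm OIDs: rsaEncryption and id-ecPublicKey.
$rsaOid = '1.2.840.113549.1.1.1'
$oidNames = @{ $rsaOid = 'RSA'; '1.2.840.10045.2.1' = 'EC (ECDSA)' }

# The password is the one created when the file was downloaded (step 1).
$password = Read-Host -AsSecureString -Prompt 'PKCS#12 password'

# Get-PfxData parses the file; it does not add it to a Windows certificate store.
$pfx = Get-PfxData -FilePath $P12Path -Password $password

foreach ($cert in $pfx.EndEntityCertificates) {
    # Email address from the subject alternative name or the subject.
    $email = $cert.GetNameInfo([X509NameType]::EmailName, $false)

    $algOid  = $cert.PublicKey.Oid.Value
    $algName = $oidNames[$algOid]
    if (-not $algName) { $algName = $algOid }

    # A certificate without a keyUsage extension is not restricted to particular usages.
    $ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $canSign    = (-not $ku) -or [bool]($ku.KeyUsages -band [X509KeyUsageFlags]::DigitalSignature)
    # For RSA keys, encrypting mail to this certificate relies on keyEncipherment.
    $canEncrypt = (-not $ku) -or [bool]($ku.KeyUsages -band [X509KeyUsageFlags]::KeyEncipherment)

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        Email           = $email
        EmailMatches    = ($email -eq $ExpectedEmail)   # -eq ignores case
        KeyAlgorithm    = $algName
        IsRsa           = ($algOid -eq $rsaOid)
        KeyUsageSign    = $canSign
        KeyUsageEncrypt = $canEncrypt
        NotAfter        = $cert.NotAfter
        Expired         = ($cert.NotAfter -lt (Get-Date))
    }
}
```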

Sending signed and/or encrypted email messages in Thunderbird:

1. Begin composing a new message. Under the Security drop-down menu, select Encrypt This Message and/or Digitally Sign This Message. (Note that if you have previously set either or both of these options as the default you can skip this step.)

2. When you click Send, your email message will be signed and/or encrypted, as desired. Note that if you do not possess the public key of your recipient, you will receive an error message when attempting to send them encrypted mail.

For more detailed information about S/MIME email, please see our article, Sending Secure Email with S/MIME.
