Use Your YubiKey for S/MIME Email in Thunderbird

Mozilla Thunderbird users may have noticed that S/MIME certificates installed on a YubiKey hardware token are not immediately available for use in Thunderbird. Even though the YubiKey’s smart card features are supported by the underlying OS on both Windows and macOS, Thunderbird requires an additional open-source PKCS#11 driver (OpenSC) to access certificates and keys stored on the device. This how-to will show you how to configure Thunderbird to work with OpenSC and your YubiKey on Windows and macOS.

Linux users can follow the macOS instructions below, but installation instructions and the location of the opensc-pkcs11.so file will vary between Linux distributions. On 64-bit Ubuntu 18.04, the path is /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so. For more information, please refer to the OpenSC Project’s pages on Linux Distributions and Compiling and Installing on Unix Flavors.
Note: These instructions assume that you have installed an encryption-enabled S/MIME certificate in the Key Management slot (9c) of your YubiKey. If you have not done so already, please refer to our how-to covering this operation.

Windows Instructions

1. Install OpenSC by following the instructions in OpenSC’s Windows Quick Start.

2. In Thunderbird’s main window, select the account you want to add certificates for, then click View settings for this account.

3. Select Security in the left-hand menu, then click the Security Devices button, under Certificates.

4. Click the Load button.

5. Click the Browse button.

6. In the file open dialog, navigate to the correct library for your versions of Windows and Thunderbird, then click the Open button.

    • 32 bit Windows and Thunderbird: C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
    • 32 bit Thunderbird on 64 bit Windows: C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
    • 64 bit Windows and Thunderbird: C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll

7. Type a name in the Module Name field (“OpenSC” is a logical choice), then click the OK button to close the dialog box.

8. Click the OK button to close the Device Manager window.

9. Click the Select button, under Digital Signing.

10. Enter your YubiKey PIN, then click the OK button.

11. Select the certificate labeled Certificate for Key Management from the Certificate drop-down menu.

Note: If you do not see a certificate labeled for Key Management, please refer to our how-to on installing an S/MIME certificate on your YubiKey.

12. Verify that the Signing and Key Encipherment key usages are shown in the certificate details, then click the OK button.

13. A dialog box will appear asking if you want to use the same certificate for encryption and decryption. Click the Yes button.

14. Click the OK button to close the account settings. If you’d like, you can set the default message signing and encryption settings first.

15. You’re all finished! Note that with these settings you will need your YubiKey and PIN to sign, encrypt, and decrypt email. Because a private key cannot be exported from the YubiKey once installed, protect yourself against data loss if the YubiKey is lost by keeping a backup copy of your private key in a secure location.

macOS Instructions

1. Install OpenSC by following the instructions in OpenSC’s macOS Quick Start.

Note: Homebrew users can easily install OpenSC with the command brew install opensc. If you choose this option, note that the OpenSC files will be installed in /usr/local/lib/ rather than /Library/OpenSC/lib.

2. In Thunderbird’s main window, select the account you want to add certificates for, then click View settings for this account.

3. Select Security in the left-hand menu, then click the Security Devices button, under Certificates.

4. Click the Load button.

5. Click the Browse button.

6. In the file open dialog, navigate to the directory /Library/OpenSC/lib/, select the file opensc-pkcs11.so, then click the Open button.

Mac users who installed OpenSC with Homebrew will find the file at /usr/local/lib/opensc-pkcs11.so. You will need to press Command+Shift+Period to show hidden items, including the /usr/ directory, in the file open dialog box.

7. Type a name in the Module Name field (“OpenSC” is a logical choice), then click the OK button to close the dialog box.

8. Click the OK button to close the Device Manager window.

9. Scroll back up in the left-hand pane and click the Select button under Digital Signing.

10. Enter your YubiKey PIN, then click the OK button.

11. Select the certificate labeled Certificate for Key Management from the Certificate drop-down menu.

Note: If you do not see a certificate labeled for Key Management, please refer to our how-to on installing an S/MIME certificate on your YubiKey.

12. Verify that the Signing and Key Encipherment key usages are shown in the certificate details, then click the OK button.

13. A dialog box will appear asking if you want to use the same certificate for encryption and decryption. Click the Yes button.

14. Click the OK button to close the account settings. If you’d like, you can set the default message signing and encryption settings first.

15. You’re all finished! Note that with these settings you will need your YubiKey and PIN to sign, encrypt, and decrypt email. Because a private key cannot be exported from the YubiKey once installed, protect yourself against data loss if the YubiKey is lost by keeping a backup copy of your private key in a secure location.
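Before pointing Thunderbird at the module (step 6), it is worth confirming from the command line that OpenSC can actually see the YubiKey and that the 9c certificate carries the "Certificate for Key Management" label Thunderbird looks for in step 11. The script below is an added example for macOS and Linux; it is not part of this how-to and not OpenSC project code. It relies on pkcs11-tool, which OpenSC installs next to the module, and on openssl for the key-usage check. The OPENSC_MODULE environment variable is an assumed override for this script (not an OpenSC convention), and the sample pkcs11-tool output embedded in it is constructed for the example.

```shell
#!/bin/sh
# Pre-flight check for the Thunderbird + OpenSC + YubiKey setup (macOS/Linux).
# Added example; not part of the SSL.com how-to or of the OpenSC project.
# Assumes OpenSC is installed so that pkcs11-tool is on PATH.

# Locate opensc-pkcs11.so: honour the (assumed, script-specific) OPENSC_MODULE
# override first, then try the locations given in the how-to above.
find_opensc_module() {
    if [ -n "${OPENSC_MODULE:-}" ] && [ -f "$OPENSC_MODULE" ]; then
        printf '%s\n' "$OPENSC_MODULE"
        return 0
    fi
    for candidate in \
        /Library/OpenSC/lib/opensc-pkcs11.so \
        /usr/local/lib/opensc-pkcs11.so \
        /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Read `pkcs11-tool --list-objects` output on stdin; succeed only if an object
# labelled "Certificate for Key Management" (the 9c slot) is present.
has_key_management_cert() {
    grep -q 'label:[[:space:]]*Certificate for Key Management'
}

# Count certificate objects in `pkcs11-tool --list-objects` output on stdin,
# to tell an empty token apart from one that merely lacks the 9c certificate.
count_cert_objects() {
    grep -c '^Certificate Object' || true
}

# Pull the 9c certificate off the token and print its key usage, so you can
# confirm "Digital Signature" and "Key Encipherment" before step 12.
# Requires OpenSSL 1.1.1 or later for the -ext option.
show_key_management_usage() {
    module="$1"
    pkcs11-tool --module "$module" --read-object --type cert \
        --label "Certificate for Key Management" \
        | openssl x509 -inform DER -noout -ext keyUsage
}

# Live check: find the module, list the token's objects, look for the 9c cert.
check_yubikey() {
    module=$(find_opensc_module) || {
        echo "opensc-pkcs11 module not found; set OPENSC_MODULE=/path/to/opensc-pkcs11.so" >&2
        return 1
    }
    echo "Using PKCS#11 module: $module"
    objects=$(pkcs11-tool --module "$module" --list-objects 2>&1) || {
        echo "pkcs11-tool failed (is the YubiKey inserted?):" >&2
        printf '%s\n' "$objects" >&2
        return 1
    }
    echo "Certificate objects on token: $(printf '%s\n' "$objects" | count_cert_objects)"
    printf '%s\n' "$objects" | has_key_management_cert || {
        echo "No 'Certificate for Key Management' object: install a certificate in slot 9c first" >&2
        return 1
    }
    echo "Found the Key Management certificate; key usage:"
    show_key_management_usage "$module"
}

# Constructed sample output in the style of `pkcs11-tool --list-objects`,
# used only to exercise the parsing helpers without a token present.
SAMPLE_WITH_KM='Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  ID:         01
Certificate Object; type = X.509 cert
  label:      Certificate for Key Management
  ID:         03'

SAMPLE_WITHOUT_KM='Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  ID:         01'

# Only talk to the hardware when explicitly asked: `sh check-yubikey.sh --run`
if [ "${1:-}" = "--run" ]; then
    check_yubikey
fi
```

Run it with `--run` while the YubiKey is inserted. If it reports that the module is missing, the path is the one to enter in step 6 (or export OPENSC_MODULE to point at your distribution's copy); if it reports no Key Management certificate, the fix belongs on the YubiKey side, not in Thunderbird.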

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.