1. Set up master password

The master password of Thunderbird protects private keys, passwords and other confidential data saved in the Thunderbird profile.

Open the settings page of Thunderbird:

In the icon row, select „Sicherheit“ (“Security”) and then the tab „Passwörter“ (“Passwords”). If it is not already checked, check „Master-Passwort verwenden“ (“Use a master password”):

Enter a new master password and confirm with “OK”:

Accept the completion message with “OK” and close the settings:

2. Import digital IDs

Open the settings page of Thunderbird:

In the icon row, select „Erweitert“ (“Advanced”) and then the tab „Zertifikate“ (“Certificates”). There, click on „Zertifikate“ (“Certificates”):

In the „Zertifikat-Manager“ (“Certificate manager”), select the tab „Ihre Zertifikate“ (“Your certificates”) and click on „Importieren“ (“Import”):

There, select the PKCS#12 file containing your digital ID (i.e. your private key, your public key and all relevant certificates), not the PEM file from the email:

So that the private key can be stored protected in the Thunderbird profile, you have to enter the master password:

So that the private key can be extracted from the PKCS#12 file, the password protecting this file must be entered:

Accept the successful import with “OK”:

In the „Zertifikat-Manager“ (“Certificate manager”), your certificate should now be listed. Close the certificate manager and the settings with “OK”:

This way you can import as many digital IDs as you want.
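The import step above expects the PKCS#12 container, not the PEM file. As an added example (not part of the original instructions), this Python sketch tells the two formats apart from the first bytes of a file; the function names and the sample byte strings are constructed for illustration.

```python
# Added example: tell a PKCS#12 container apart from a PEM file before import.
# OIDs a PFX authSafe may carry (DER-encoded): pkcs7-data and pkcs7-signedData.
PKCS7_DATA = bytes.fromhex("06092a864886f70d010701")
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")

# Constructed sample inputs (header bytes only, not usable key stores).
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
SAMPLE_P12_DER = bytes.fromhex("3010" "020103" "300b") + PKCS7_DATA
SAMPLE_P12_BER = bytes.fromhex("3080" "020103" "3080") + PKCS7_DATA


def _read_header(buf, pos):
    """Return (tag, content_start, length); length is None for BER indefinite."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form
        return tag, pos, first
    if first == 0x80:                      # indefinite form (some exporters use it)
        return tag, pos, None
    n = first & 0x7F                       # long form: n length bytes follow
    if n > 4 or pos + n > len(buf):
        raise ValueError("bad length")
    return tag, pos + n, int.from_bytes(buf[pos:pos + n], "big")


def classify(data):
    """Return 'pem', 'pkcs12' or 'unknown' for the raw bytes of a file."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    try:
        tag, pos, _ = _read_header(data, 0)            # PFX ::= SEQUENCE
        if tag != 0x30:
            return "unknown"
        tag, pos, length = _read_header(data, pos)     # version INTEGER, must be 3
        if tag != 0x02 or length != 1 or data[pos:pos + 1] != b"\x03":
            return "unknown"
        tag, pos, _ = _read_header(data, pos + 1)      # authSafe ContentInfo
        if tag != 0x30:
            return "unknown"
        oid = data[pos:pos + 11]
        return "pkcs12" if oid in (PKCS7_DATA, PKCS7_SIGNED_DATA) else "unknown"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    for name in ("SAMPLE_PEM", "SAMPLE_P12_DER", "SAMPLE_P12_BER"):
        print(name, "->", classify(globals()[name]))
```

To check a real file, pass `open(path, "rb").read()` to `classify`; the check reads only the unencrypted outer header, so no password is needed.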

3. Select a digital ID

To select a particular imported digital ID for a particular email account, open the „Konto-Einstellungen“ (“account settings”):

In the left column, select „S/MIME-Sicherheit“ (“S/MIME security”) and on that page click on „Auswählen“ (“Select”):

Select one of the available digital IDs and click on “OK”:

Confirm with „Ja“ (“Yes”) that the digital ID is to be used both for signing and for encrypting messages to you:

On the S/MIME security page you should also indicate that you want to sign all your emails before you close the page with “OK”.

The word „Nie“ (“Never”) in front of „keine Verschlüsselung verwenden“ (“do not use encryption”) is a very unfortunate translation: when sending an email, you can nevertheless select that the email is to be encrypted.

This completes your settings.

4. Try out the digital ID

Now you can check that sending signed, or even signed and encrypted, emails really works. To do so, „verfassen“ (“compose”) a new message:

In the toolbar at the top, behind “S/MIME”, you can open the menu where you indicate whether the new email is to be signed and/or encrypted:

Leave the default settings unchanged and start a new email by selecting a recipient. You should be familiar with these steps.

Note also the symbol in the bottom right corner indicating that the email is to be signed:

Because you want to sign the email, which requires the private key, you are now asked for the master password. Enter it and confirm with “OK”:

The email is now sent. You will find it in your “Sent” folder. Look at it and see the symbols indicating a good (successfully verified) signature.

You can click on the symbols to get further information (not displayed here).

Now write a new email. This time it will be encrypted, too:

If you are not asked for the master password again when sending a signed email or decrypting an encrypted email, the reason is that Thunderbird remembers your master password for a certain period of time and does not ask again during this period.

This is more convenient for you, but it carries the risk of accidentally sending a signed email that you did not want to sign.