i am trying to use the Yubikey NEO as a smart card holding my x509 S/MIME certificate and use that as a security device in both thunderbird 38.5.1and firefox 44.0 on xUbuntu 15.10.
I have imported the key and cert to the yubikey:
sudo yubico-piv-tool -a import-cert -a import-key -s 9d -K PKCS12 -i smime.p12 -p pass
Key is loaded to the card:
yubico-piv-tool -a status
CHUID: No data available
Slot 9a: No data available.
Slot 9c: No data available.
Subject DN: xxx
Issuer DN: xxx
Not Before: Jan 18 13:36:27 2016 GMT
Not After: Jan 17 13:36:27 2019 GMT
Slot 9e: No data available.
PIN tries left: 3
Opensc detects the reader:
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
Pkcs-tool lists the certificate:
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
Data object 'X.509 Certificate for Key Management'
applicationName: X.509 Certificate for Key Management
Data (1448 bytes): 538XXXXXXXX0FE00
I imported the certificate chain in firefox and thunderbird and set trustlevels to trust them with everything.
I then loaded a new security device trying the two modules
Login with my pin works and I see my certificate and am able to set it in thunderbirds security dialog for digital signing and encryption.
However, whenever I try to send a signed message, sending fails with the following error:
Sending of the message failed.
Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.
Curiously, decryption of emails sent to me does indeed work, meaning, the certificate is stored and accessed correctly.
I found a post somewhere that claims this is an issue with trust somewhere in the certificate chain. This cannot be the case here, I checked the chain and its trust multiple times, including reseting trust levels, deleting and reimporting the chain, and so on.
I'm stuck now.
Has anybody any idea why signing does not work?
Sending signed mails with thunderbird using yubikey as a security device does not work. Decryption, however, works as expected. Any idea why?
Thank you all for any insights