Yubico Forum

Hello all,

i am trying to use the Yubikey NEO as a smart card holding my x509 S/MIME certificate and use that as a security device in both thunderbird 38.5.1and firefox 44.0 on xUbuntu 15.10.

I have imported the key and cert to the yubikey:



Key is loaded to the card:



Opensc detects the reader:



Pkcs-tool lists the certificate:


I imported the certificate chain in firefox and thunderbird and set trustlevels to trust them with everything.
I then loaded a new security device trying the two modules


Login with my pin works and I see my certificate and am able to set it in thunderbirds security dialog for digital signing and encryption.

However, whenever I try to send a signed message, sending fails with the following error:



Curiously, decryption of emails sent to me does indeed work, meaning, the certificate is stored and accessed correctly.
I found a post somewhere that claims this is an issue with trust somewhere in the certificate chain. This cannot be the case here, I checked the chain and its trust multiple times, including reseting trust levels, deleting and reimporting the chain, and so on.

I'm stuck now.

Has anybody any idea why signing does not work?

TL;DR
Sending signed mails with thunderbird using yubikey as a security device does not work. Decryption, however, works as expected. Any idea why?

Thank you all for any insights

I sort of figured it out. The certificate also has to be stored in slot 9c for signing.
To be able to both sign outgoing mails and decrypt incoming mails the certificate has to be stored in 2 slots, namely 9c and 9d. I don't know if there is a technical necessity for that, but it's a bit confusing and also seems to lead to further problems.

I am only able to send one (1) signed message. The first message I send can be signed. Thunderbird asks for the pin, signs the message, and sends it out. But any subsequent attempt to sign mails leads to the same error as stated above.

I have to either restart thunderbird or reinsert the yubikey every time I want to sign a message, which is basically for every new mail. That's not really usable.

Has anybody else seen that problem and maybe even has a solution?


Thank you all.

I have exactly same issue on both OS X and Ubuntu 16.10.
Emails are properly decrypted,
Trying to send signed message causes same error.
Certificate signed by external CA
[EDIT]
I have yubikey 4

Adding certificate to both 9c and 9d causes pin prompt every time i read a message.
However i can send signed emails (after two pin prompts).