Recently, I received an encrypted message sent by Outlook which I cannot decrypt. Thunderbird prints the following error message instead:
Thunderbird cannot decrypt this message
The sender encrypted this message to you using one of your digital
certificates, however Thunderbird was not able to find this
certificate and corresponding private key. Possible solutions:
- If you have a smartcard, please insert it now.
- If you are using a new machine, or if you are using a new Thunderbird profile, you will need to restore your certificate and
private key from a backup. Certificate backups usually end in ".p12".
Also other mail clients (including a recent version of Outlook!) failed at decrypting the message. As the mail is very important and I don't really want to ask the sender to resend the mail, what can I do?
Best Answer
The Issue
This is a known issue with Microsoft Outlook 2010, but a fix is provided -- you might want to notify the sender that he should apply it.
X.509 certificates have several attributes attached, some of which can be used to identify certificates. One such way is to use the serial number together with the certificate issuer (together, they have to form a unique identifier). For S/MIME encrypted messages, this is called `issuerAndSerialNumber`. An alternative is the also standardized `subjectKeyIdentifier`, which "should be" derived from the public key in some form, but is not specifically defined.

Outlook 2010 (pre-SP1) uses the `subjectKeyIdentifier` and creates one if no such identifier is provided (from the knowledge base article linked above, highlighting added by me):

In other words, Microsoft Outlook 2010 pre-SP1 uses a certificate identifier very likely not understood by any other mail application. I actually failed in using a recent version of Outlook for decrypting such a message!
How to Decrypt the Message Anyway
This won't be easy, and involves dropping to the command line. This should work on pretty much all operating systems (Linux, Windows, macOS, any BSD); make sure to have OpenSSL installed. Using OpenSSL, we can enforce decryption using a specific key, ignoring the broken `subjectKeyIdentifier`.

1. … `.eml` file). I named it `mail.eml` in all further steps.
2. … `.p12` extension. I named it `certificate.p12`.
3. … `cd` command.
4. `openssl pkcs12 -in certificate.p12 -out privatekey.pem -nodes`. You will be asked for the passphrase you entered in Thunderbird.
5. Now use the exported key to actually decrypt the message:

The decrypted message will be stored in the `decrypted.txt` file.

The message is likely to be encoded as `quoted-printable`. If you encounter weird character sequences like `Gr=FC=DFe` and there is a header `Content-Transfer-Encoding: quoted-printable` included, convert the message to plain text (you need Perl, probably restricted to version 5, and the `MIME::QuotedPrint` module):

The `decoded.txt` file will finally include the decrypted message. If the encoding of special characters still seems wrong, use the conversion tools of your choice or simply try opening the file in Firefox or another browser -- usually, they do a great job at fixing messed up encoding.

Putting together a new, unencrypted `.eml` message requires stripping all `Content-*` headers and moving any `Content-*` headers from the decrypted message in this place. More details are out of scope for this tutorial; there are too many different encodings to provide reasonable assistance.