Step-by-step Windows key generation process for Thunderbird

Written by Lída Hrnčířová on May 28, 2020.

In today’s blog post you’ll find out how to generate your own set of cryptographic keys and a revocation certificate on Windows with the Thunderbird email client. All this information is neatly packed into our step-by-step guide! And if you’re still not sure why you would need cryptographic keys and what a revocation certificate is for, we cover those topics here too.

This is yet another important step in getting your Cryptoucan to do all the hard work for you in the long run. We’ve already published a video on this topic, but we’ve also created a set of written instructions for those who prefer to do things this way.

Let’s dive into our step-by-step guide to find out how to get both your new encryption keys and a revocation certificate! Click here to get to our brand new web page dedicated to Cryptoucan™ information.

In case you’re a bit lost about the importance of encryption keys and a revocation certificate, keep reading: we explain everything!

What do you need encryption keys for?

To be able to sign, encrypt or decrypt e-mails, you have to generate your keys[1] first. You’re going to get three types of keys: a signature key, an authentication key and a decryption key. All of them are pairs of private and public keys. The public key, as you can guess from its name, is for others to use to send you encrypted e-mails and to verify your signature. The private key is known only to you, and you’ll use it to sign your e-mails and to decrypt messages sent to you.

Picture 1: Key generation window


And what about the Revocation Certificate?

A revocation certificate is a special type of public key signature[2]. There are three common situations which will make you appreciate having a revocation certificate:

    1. Your private key is no longer private – anyone who knows your private key and has access to the emails can read them.
    2. You’ve blocked your Cryptoucan irreversibly by entering an incorrect admin PIN 3 too many times.
    3. You’ve generated new keys.

Once one of those situations happens, you can upload this certificate to key servers[3], which basically says: “I’m the owner of this key and I’m saying that the key is no longer valid.”
We strongly recommend that you get the certificate, as it only takes a minute and it can save you a lot of trouble.
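
Because a revocation certificate is a signature packet with a revoking signature type (RFC 4880, Section 5.2.1), a saved certificate can be checked before you file it away. The following Python is an added example, not part of the original guide or of Enigmail; it assumes the certificate is in binary (de-armored) form, and the function names and sample bytes are constructed for illustration.

```python
# RFC 4880, Section 5.2.1: what each revoking signature type revokes.
REVOCATION_TYPES = {0x20: "key", 0x28: "subkey", 0x30: "certification"}
# RFC 4880, Section 5.2.3.23: "Reason for Revocation" codes.
REASONS = {0: "no reason specified", 1: "key is superseded",
           2: "key material has been compromised", 3: "key is retired"}

def read_packet(data):
    """Return (tag, body) of the first OpenPGP packet in data."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not a binary OpenPGP packet (still ASCII-armored?)")
    if first & 0x40:                       # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + data[2] + 192
        else:
            raise ValueError("length form not handled by this example")
    else:                                  # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        start = 1 + (1 << ltype)           # 1, 2 or 4 length octets
        length = int.from_bytes(data[1:start], "big")
    return tag, data[start:start + length]

def describe_revocation(data):
    """Return (what is revoked, reason, comment); raise ValueError if not one."""
    tag, body = read_packet(data)
    if tag != 2 or body[0] != 4:
        raise ValueError("not a version 4 signature packet")
    kind = REVOCATION_TYPES.get(body[1])
    if kind is None:
        raise ValueError("signature type 0x%02x revokes nothing" % body[1])
    hashed, i = body[6:6 + int.from_bytes(body[4:6], "big")], 0
    while i < len(hashed):                 # walk the hashed subpackets
        n = hashed[i]                      # covers type octet + data
        if n >= 192:
            raise ValueError("long subpacket length not handled")
        if hashed[i + 1] & 0x7F == 29:     # 29 = Reason for Revocation
            text = hashed[i + 3:i + 1 + n].decode("utf-8")
            return kind, REASONS.get(hashed[i + 2], "unknown code"), text
        i += 1 + n
    return kind, None, ""

# Constructed sample; the seven trailing bytes are zero placeholders, not a signature.
sub = b"\x05\x02\x5e\xcf\x00\x00" + bytes([20, 29, 2]) + b"constructed sample"
SAMPLE = bytes([0xC2, 13 + len(sub), 4, 0x20, 1, 8, 0, len(sub)]) + sub + bytes(7)
```

This only inspects the packet structure and does not verify the signature itself. An ASCII-armored `.asc` file has to be converted to binary first, for example with `gpg --dearmor`.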

Picture 2: Enigmail Confirmation window asking you to generate a certificate


And that’s all for this week, see you soon!


1. More info: Key management – introduction

2. More info: RFC 4880, Section 5.2.1

3. More info: Key server