From f39149c5029d68f18979d3ab6e8238e114525c37 Mon Sep 17 00:00:00 2001 From: M66B Date: Sun, 24 May 2020 13:39:18 +0200 Subject: [PATCH] Updated FAQ --- FAQ.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/FAQ.md b/FAQ.md index 370be533ea..45a71a54e8 100644 --- a/FAQ.md +++ b/FAQ.md @@ -693,6 +693,23 @@ Common errors: * *No certificate found matching targetContraints*: this likely means you are using an old version of FairEmail * *unable to find valid certification path to requested target*: basically this means one or more intermediate or root certificates were not found +In case the certificate chain is incorrect, you can tap on the little info button to show the all certificates. +After the certificate details the issuer or "selfSign" is shown. +A certificate is self signed when the subject and the issuer are the same. +Certificates from a certificate authority (CA) are marked with "[keyCertSign](https://tools.ietf.org/html/rfc5280#section-4.2.1.3)". +Certificates found in the Android key store are marked with "Android". + +A valid chain looks like this: + +``` +Your certificate > zero or more intermediate certificates > CA (root) certificate marked with "Android" +``` + +Note that a certificate chain will always be invalid when no anchor certificate can be found in the Android key store, +which is fundamental to S/MIME certificate validation. + +Please see [here](https://support.google.com/pixelphone/answer/2844832?hl=en) how you can import certificates into the Android key store. + The use of expired keys, inline encrypted/signed messages and hardware security tokens is not supported. If you are looking for a free (test) S/MIME certificate, see [here](http://kb.mozillazine.org/Getting_an_SMIME_certificate) for the options.