I got only this keys. Can you explain me what exactly you mean with
adding chains?
And I wonder why this error only occurs in Thunderbird, not in
openssl.
Never mind, I don't think my first guess was correct. I wonder if it
has to do with the error 27 reported in the verify by openssl. According
to the manual, an error 27 means:
"the root CA is not marked as trusted for the specified purpose."
It looks like the certificate is valid cryptographically, but that it
wasn't certified for how you're using it.
If I run:
openssl x509 -in ssl.crt -noout -text
The output includes the following:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client
Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Does yours look different?
