Invalid Certificate

Tim B

Unable to digitally sign or encrypt my e-mail. I am however able to receive
encrypted e-mails from other parties whose certificates I have.??!!

My certificate is provided by my government ID card via an ActiveCard Reader
using Active Client 6.1 software. Active Client Diagnostics indicates that
Active Client software is loaded and functioning correctly. Checked the
option in Active Client to make Certificates Available to Windows. Downloaded
my certificate in Outlook 2007. Properties show a valid certificate in my
contact properties tab. Verified that certificate shows up as a trusted
certificate in properties tab. My Certificates also are viewable in IE under
Internet Options/Content/Certificates.
Running MS Outlook Pro 2007 and Vista OS with all updates.

Deleted and then reloaded my certificates several times now and triple
checked all the settings in various programs. However still unable to
digitally sign or encrypt my messages and attachments. I get the Warning
"Microsoft Office cannot sign or encrypt this message because your certificate
is not valid."

All this stuff worked fine under MS Office XP Pro 2003 and Win XP Pro prior
to my recent hardware upgrade.

Any suggestions?
 
Brian Tillman

Tim B said:
Unable to digitally sign or encrypt my e-mail. I am however able to
receive encrypted e-mails from other parties whose certificates I
have.??!!

That's not the usual way encryption works. You don't use your senders'
certificates to decrypt messages they send you. You use your own
certificate's private key and your senders use your public key from your
certificate to encrypt them when they send. Likewise, you use your
recipients' public keys to encrypt messages to them which they decrypt with
their own private keys.

My certificate is provided by my government ID card via an ActiveCard
Reader using Active Client 6.1 software. Active Client Diagnostics
indicates that Active Client software is loaded and functioning
correctly. Checked the option in Active Client to make Certificates
Available to Windows. Downloaded my certificate in Outlook 2007.
Properties show a valid certificate in my contact properties tab.
Verified that certificate shows up as a trusted certificate in
properties tab. My Certificates also are viewable in IE under
Internet Options/Content/Certificates.
Running MS Outlook Pro 2007 and Vista OS with all updates.

Deleted and then reloaded my certificates several times now and triple
checked all the settings in various programs. However still unable
to digitally sign or encrypt my messages and attachments. I get the
Warning "Microsoft Office cannot sign or encrypt this message
because your certificate is not valid."

Digital signing is a different operation from encrypting. Your certificate
(in the form of your public key) is attached to a message you sign, but your
certificate is not involved when encrypting, only the public keys of your
recipients. Try sending an encrypted message only, disabling the option to
sign it. Does anything different happen? If you open Internet Explorer and
click Tools>Internet Options>Content>Certificates, choose your certificate,
click Export, then Next, do you see two radio buttons, one saying to export
the private key and one saying not to, with BOTH radio buttons being active
(i.e., you can select either one)?

If you click Tools>Options>Security in Outlook, what encryption
 
Brian Tillman

Brian Tillman said:
If you click Tools>Options>Security in Outlook, what encryption

I accidentally sent this without finishing my sentence.

If you click Tools>Options>Security in Outlook, what encryption settings do
you have? Describe them all.
 
Tim B

Brian,

Thanks for your reply. I followed your troubleshooting advice. Here's
the result:

-I tried to send an encrypted msg without signing it. Result was the Invalid
Certificate advisory, asking me to change security settings.

-In IE I can select and export each of my three certificate files. However,
only the lower radio button is available to select.

- Outlook encryption settings are as follows:

- Active Client Certificate
- S/MIME
- Next two boxes are checked
- Signing Certificate Hash Algorithm SHA1
- Encryption Certificate 3DES
- Last box is checked

Does this give you any clues?

Just to clarify:
- The core problem is that Outlook doesn't recognize my certificate as
valid. My CAC card actually provides three certification files; signature,
encryption and ID. I don't know the nuts and bolts of which file does what...
I thought it was unusual but significant that I could receive encrypted
e-mail, but couldn't send any..... Anyway the encryption is a secondary issue
I suspect.
 
Tim B

Brian,

Here's an update on my Invalid Certificate Problem.....Success!!!

Here's what I did to force Outlook to recognize my certificate.

1) Try to send digitally signed e-mail
2) When Outlook gives you the Invalid Certificate Advisory: Select Change
Security Settings Option.
3) a. Select Active Card as source (My Certificates Source)
3) b. Manually reload Signature Certificate and under properties select
inherently trust this certificate
3) c. Manually reload Encryption Certificate and under properties select
inherently trust this certificate
4) Close to save settings.

Digital Signature and e-mail encryption now function properly.
 
Brian Tillman

Tim B said:
-I tried to send an encrypted msg without signing it. Result was the
Invalid Certificate advisory, asking me to change security settings.

This should have to do with the cert of the recipient. I really can't say
what might be going on here. I would recommend that you remove the other
person's certificate from your certificate store and ask that person to send
you a new signed message.

-In IE I can select and export each of my three certificate files.
However, only the lower radio button is available to select.

If only the lower button is available, then your private key has been
damaged and you will need to speak with your PKI administrator for private
key recovery or remove the damaged certificate and reinstall from the backup
you made when you first installed it.
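
The checks discussed in this thread (which certificate signs, which one encrypts, whether Windows sees a private key for it, and whether it chains to a trusted root) can be read out of the certificate store in one pass. The following PowerShell is an added example, not something posted by either participant; it assumes the card middleware has published the certificates to the current user's Personal store, which is the store the IE Certificates dialog shows.

```powershell
# Added example: list each certificate in the current user's Personal store with
# the properties that decide whether it can be used for S/MIME signing or decryption.
$secureEmailOid = '1.3.6.1.5.5.7.3.4'   # EKU: Secure Email (S/MIME)
$x509 = 'System.Security.Cryptography.X509Certificates'

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Key usage bits: DigitalSignature marks a signing certificate,
    # KeyEncipherment marks an encryption certificate.
    $ku = $cert.Extensions |
        Where-Object { $_ -is [type]"$x509.X509KeyUsageExtension" } |
        Select-Object -First 1

    # Enhanced key usage: no EKU extension means no restriction on purpose.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [type]"$x509.X509EnhancedKeyUsageExtension" } |
        Select-Object -First 1
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $emailOk = (-not $eku) -or ($ekuOids -contains $secureEmailOid)

    # Build the chain with revocation checking off, so a failure here points at
    # trust or validity dates rather than an unreachable CRL.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = [type]"$x509.X509RevocationMode"::NoCheck
    $chainOk = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    $now = Get-Date
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        KeyUsage      = if ($ku) { $ku.KeyUsages } else { 'none' }
        SecureEmail   = $emailOk
        InValidity    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        ChainTrusted  = $chainOk
        ChainStatus   = if ($status) { $status } else { 'OK' }
    }
} | Format-List
```

A certificate with HasPrivateKey true but ChainTrusted false (for example a ChainStatus of UntrustedRoot or PartialChain) is present and usable by the card but not trusted by Windows, which is a different condition from a missing private key.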
 
