Problems with Outlook 2007 and digital certificate

[MiToZ]

Hello!


I've been successfully using Outlook 2007 with my Thawte e-mail certificate
for quite some time, and then suddenly I started getting following error when
trying to send signed e-mails "An error occurred in the underlying security
system. Key not valid for use in specified state". When I try to send
encrypted message it works. I haven't made any changes to my Outlook
configuration and my certificate is valid. I am using Outlook 2007 in
combination with Exchange 2003 server.


If anyone can think of any reason for this, I would be glad to hear it


Thanks

 

[Brian Tillman]

I've been successfully using Outlook 2007 with my Thawte e-mail
certificate for quite some time, and then suddenly I started getting
following error when trying to send signed e-mails "An error occurred
in the underlying security system. Key not valid for use in specified
state". When I try to send encrypted message it works.

Sending an encrypted message does not rely on your certificate. It relies
on the certificate (the public key) of the recipient.

I haven't made
any changes to my Outlook configuration and my certificate is valid.
I am using Outlook 2007 in combination with Exchange 2003 server.

In IE, click Tools>Internet Options>Content>Certificates. In the Personal
tab, does your certificate appear? If so, select it, click Export, then
Next. You should see two radio buttons about he private key and they both
should be active (i.e., clickable), with the "No, don't export the private
key" selected. If they're not both active, then your private key has been
damaged and you'll need to restore your certificate from the backup you made
after you installed it last.

If the "Yes, export the private key"radio button is selectable, then your
certificate should be working still. Close the Internet Explorer dialogue
and go back to Outlook. I don't have my Outlook 2007 copy in front of me
right now, but under Tools>Options you should be able to find a Security
dialogue with an "Encrypted e-mail" section. There should be a "Default
Setting" drop-down that shows "My S/MIME Settings (yourmailaddress)". Do
you have that?

 

[MiToZ]

Sending an encrypted message does not rely on your certificate. It relies
on the certificate (the public key) of the recipient.

I know, I've been sending it to myself

In IE, click Tools>Internet Options>Content>Certificates. In the Personal
tab, does your certificate appear? If so, select it, click Export, then
Next. You should see two radio buttons about he private key and they both
should be active (i.e., clickable), with the "No, don't export the private
key" selected. If they're not both active, then your private key has been
damaged and you'll need to restore your certificate from the backup you made
after you installed it last.

If the "Yes, export the private key"radio button is selectable, then your
certificate should be working still. Close the Internet Explorer dialogue
and go back to Outlook. I don't have my Outlook 2007 copy in front of me
right now, but under Tools>Options you should be able to find a Security
dialogue with an "Encrypted e-mail" section. There should be a "Default
Setting" drop-down that shows "My S/MIME Settings (yourmailaddress)". Do
you have that?

I've deleted and imported certificate before reading this, and was just
getting ready to post message when notification of your message arrived
.... thanks for your answer, you are right, it seems that certificate was
damaged in some way ... i just don't get how it happened

Thanks x2

 

[Brian Tillman]

I've deleted and imported certificate before reading this, and was
just getting ready to post message when notification of your message
arrived ... thanks for your answer, you are right, it seems that
certificate was damaged in some way ... i just don't get how it
happened

There are multiple ways that a certificate can be damaged. Anything that
changes the SID of the user with whom the certificate is connected will
damage it because the private key involves, in part, that SID value. The
SID is that big S-1-5 number contained in the registry that identifies your
user to Windows. Changing your windows password, for example, can damage a
cert. That's why it's always a good idea to export the cert with the
private key immediately after installing it (if the cert is installed via a
web page) so that you can reinstall it if it ever gets damaged.