certificate renew with S/MIME in Outlook

Guest

Hi,

I'm the PKI engineer in my company and we would like to secure our mail with
S/MIME in Outlook.
I know that S/MIME saves in the message the issuer and serial number of the
certificate used to encrypt the mail.

And I know that if a certificate is renewed with the same key pair, it's not
possible to decrypt the old messages encrypted with the previous certificate.

In Outlook Web Access, we could solve this by creating a registry entry on the
Exchange server setting UseKeyIdentifier = 1.

What about Outlook in general (Outlook 2003 and Outlook 2007)?
Is there a configuration in Outlook to locate the certificate and private
key for decrypting the message the same way, I mean UseKeyIdentifier?

Thank you for your help
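Added example, not from the thread or from any Microsoft code: a small Python model of the two ways a CMS RecipientInfo (RFC 5652) can name the recipient's certificate, issuerAndSerialNumber versus subjectKeyIdentifier, to show why a renewal that keeps the key pair preserves the key identifier (SHA-1 of the public key, RFC 5280 method 1) but not the serial number. The issuer name, serials and key bytes are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an S/MIME encryption certificate (constructed)."""
    issuer: str
    serial: int
    public_key: bytes  # stand-in for the DER subjectPublicKey bits

    @property
    def ski(self) -> bytes:
        # RFC 5280 4.2.1.2 method 1: SubjectKeyIdentifier = SHA-1(subjectPublicKey)
        return hashlib.sha1(self.public_key).digest()


def renew(cert: Cert, new_serial: int, same_key: bool) -> Cert:
    """Issue a renewed cert; either reuse the key pair or derive a fresh one."""
    key = cert.public_key if same_key else hashlib.sha256(cert.public_key).digest()
    return Cert(cert.issuer, new_serial, key)


# The two RecipientIdentifier forms a sender can place in KeyTransRecipientInfo.
def rid_issuer_serial(cert: Cert):
    return ("issuerAndSerialNumber", cert.issuer, cert.serial)


def rid_ski(cert: Cert):
    return ("subjectKeyIdentifier", cert.ski)


def find_decryption_cert(rid, store):
    """Locate the stored certificate (and thus private key) a RecipientInfo names."""
    for c in store:
        if rid[0] == "issuerAndSerialNumber" and (c.issuer, c.serial) == rid[1:]:
            return c
        if rid[0] == "subjectKeyIdentifier" and c.ski == rid[1]:
            return c
    return None


# Constructed scenario from the thread: the old cert was deleted after renewal.
old = Cert("CN=Example Issuing CA", 0x1001, b"constructed-rsa-public-key-bytes")
renewed_same_key = renew(old, 0x2002, same_key=True)
store_after_renewal = [renewed_same_key]


def demo():
    """Returns (issuer/serial lookup fails, key-identifier lookup succeeds)."""
    by_serial = find_decryption_cert(rid_issuer_serial(old), store_after_renewal)
    by_ski = find_decryption_cert(rid_ski(old), store_after_renewal)
    return by_serial is None, by_ski is renewed_same_key
```

The key-identifier form only helps for messages whose sender encrypted using it; a renewal that generates a new key pair changes the key identifier as well, so neither form would match the deleted certificate.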
 
Brian Tillman

Allbe Rem's said:
> I'm the PKI engineer in my company and we would like to secure our
> mail with S/MIME in Outlook.
> I know that S/MIME saves in the message the issuer and serial number of
> the certificate used to encrypt the mail.
>
> And I know that if a certificate is renewed with the same key pair,
> it's not possible to decrypt the old messages encrypted with the
> previous certificate.

Not true. As long as you keep the prior certificates installed, you'll be
able to decrypt messages encrypted with them. I have certificates installed
that go back several years. Renewing adds the latest certificate and does
not remove the previous one.
> What about Outlook in general (Outlook 2003 and Outlook 2007)?
> Is there a configuration in Outlook to locate the certificate and
> private key for decrypting the message the same way, I mean
> UseKeyIdentifier?

Outlook uses the certificates you can see either from IE's Tools>Internet
Options>Content>Certificates or Start>Run>certmgr.msc. I think these certs
are physically located in the folder named for your SID under
%AppData%\Microsoft\Crypto\RSA. There is a
HKEY_CURRENT_USER\Software\Microsoft\Office\xx.x\Common\Security\DefaultSigningCert
key, but I don't know how that relates.
 
Guest

You're right Brian, I made a mistake.
I would like to ask if it's possible to decrypt the message with the renewed
certificates that have the same key pair as the previous ones.
Because my users didn't save the previous or old certificates.
I know that it's possible in OWA, but I don't know the configuration for the
Outlook client.

Or, put another way, we have renewed certificates with the same key pair for
our users.
They have some messages encrypted with their previous certificates.
And those previous certificates and private keys have been renewed.

NB: the certificate and private key are stored on a smart card.

What's the configuration in Outlook to use the renewed certificate with the
same key pair to decrypt old messages?

Thank you for your help because I'm desperate.
 
Brian Tillman

Allbe Rem's said:
> You're right Brian, I made a mistake.
> I would like to ask if it's possible to decrypt the message with the
> renewed certificates that have the same key pair as the previous ones.
> Because my users didn't save the previous or old certificates.
> I know that it's possible in OWA, but I don't know the configuration
> for the Outlook client.
>
> Or, put another way, we have renewed certificates with the same key pair
> for our users.

Do you have your own Private Key Infrastructure with your own certificate
issuing system? I don't know all there is to know about digital
certificates, but I don't think that you can generate new certs with the old
key values. Each renewal is a completely new public/private key pair, no
different than issuing a completely new cert, as far as I know. The only
difference in the procedure is that a renewal expects to find a prior cert
in the crypto store.
> They have some messages encrypted with their previous certificates.
> And those previous certificates and private keys have been renewed.
> What's the configuration in Outlook to use the renewed certificate with
> the same key pair to decrypt old messages?

Never delete the old keys is all I can recommend.