Digital signature/encryption problems w/ e-mail

Smackboy1

I have Vista Business (32 bit) OEM install. Originally I used Outlook 2003
and used digital signatures to encrypt e-mail with no problems. It was often
times slow but generally worked. I upgraded to OL 2007 and now it's like
something broke. Working with encryption is a nightmare.

1) Every time I go to open an encrypted e-mail it asks me to grant or deny
permission. Every time even if it's from a sender I always grant permission
to! Is there a way to override the constant prompts?

2) When someone sends me an encrypted e-mail and I reply, there is an error
message "recipients had missing or invalid certificates, or conflicting or
unsupported encryption capabilities". I have to save the reply as a draft, then
restart OL, then send the draft to get the encryption to work right. I've
tried removing and reinstalling the sender's certificate. There are no
receipts requested. Nothing fixes this problem.

3) To try to fix problem 2) I removed and reinstalled a sender's
certificate. Now not only did it not fix the problem, every time I go to open
an old encrypted message, it gives me another notice that "You have changed
this message. If you save the changes the message will no longer be digitally
signed. Do you want to save your changes?" What is going on?

Anybody have any ideas how to fix this?
 
Brian Tillman [MVP - Outlook]

> I have Vista Business (32 bit) OEM install. Originally I used Outlook 2003
> and used digital signatures to encrypt e-mail with no problems. It was often
> times slow but generally worked. I upgraded to OL 2007 and now it's like
> something broke. Working with encryption is a nightmare.

Did you change anything other than Outlook, like upgrading Windows as well?
Digital certificates are not contained in Outlook. They are contained in a
cryptography store within Windows. Outlook uses that store along with
Internet Explorer and anything else within Windows that needs certificates.

> 1) Every time I go to open an encrypted e-mail it asks me to grant or deny
> permission. Every time even if it's from a sender I always grant permission
> to! Is there a way to override the constant prompts?

Sounds like when you installed the certificate you chose strong private key
protection which requires that you validate the certificate usage each time
you use it. Typically that's not necessary.

> 2) When someone sends me an encrypted e-mail and I reply, there is an error
> message "recipients had missing or invalid certificates, or conflicting or
> unsupported encryption capabilities". I have to save the reply as a draft, then
> restart OL, then send the draft to get the encryption to work right. I've
> tried removing and reinstalling the sender's certificate. There are no
> receipts requested. Nothing fixes this problem.

Sounds like you haven't installed the Intermediate or Trusted Root
Certification Authority for the sender's certificate. Verify the
certificate's path and see that all root certs are installed and trusted.

> 3) To try to fix problem 2) I removed and reinstalled a sender's
> certificate. Now not only did it not fix the problem, every time I go to open
> an old encrypted message, it gives me another notice that "You have changed
> this message. If you save the changes the message will no longer be digitally
> signed. Do you want to save your changes?" What is going on?

In addition to what I've said already, if you still have your certificate
file, remove the existing one and reinstall it. Before you do, however,
verify the validity of your private key just so you won't burn any bridges
behind you in case there's something wrong with the certificate file.
 
smackboy1

Thanks for the help. I'm not sure what I have to do. I just go and get a
certificate and install it using OL and when it expires I just get another
one. When someone sends me a certificate I just save it to their OL contact
info.

I did not upgrade Vista or change anything else other than through MS
Automatic Updates. The problems basically started happening once I started
using OL2007. OL2003 had no encryption problems.

1) So how do I go back and unchoose strong private key protection?

2) So how do I verify the Intermediate or Trusted Root
Certification Authority for the sender's certificate? When I view a
certificate it seems to look OK. What problems am I looking for and how do I
fix them? The certs people give me are from Comodo.com.

3) I have a backup file of my own certificate (also from Comodo.com). How do
I verify there isn't an error in it? How do I remove and reinstall it?
 
Brian Tillman [MVP - Outlook]

> Thanks for the help. I'm not sure what I have to do. I just go and get a
> certificate and install it using OL and when it expires I just get another
> one. When someone sends me a certificate I just save it to their OL contact
> info.

Describe the exact procedure you use to install the cert. Is this using the
"Import/Export" button on Tools>Options>Security?

> 1) So how do I go back and unchoose strong private key protection?

At one point in the cert install you should be asked if you want to use
strong private key protection.

> 2) So how do I verify the Intermediate or Trusted Root
> Certification Authority for the sender's certificate? When I view a
> certificate it seems to look OK. What problems am I looking for and how do I
> fix them? The certs people give me are from Comodo.com.

Did you open the certificate and examine the certification path? Start
Internet Explorer and click Tools>Internet
Options>Content>Certificates>Other People. Select the certificate and click
View. Select the Certification Path tab and see if the entire path is OK.

> 3) I have a backup file of my own certificate (also from Comodo.com). How do
> I verify there isn't an error in it? How do I remove and reinstall it?

In that same Internet Explorer dialogue (which you can reach from
Start>Run>certmgr.msc as well), select your own certificate from the
"Personal" tab. Click Export, then Next. You should see an "Export Private
Key" dialogue with two radio buttons, one for "Yes, export the private key"
and one for "No, do not export the private key". The second one will be
selected, but the first one must be selectable. If it's grayed out, your
certificate is damaged and you can't make a good backup. I'd not disturb
your existing cert if the private key is not exportable.
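
The Certification Path check described in the reply above can also be run from PowerShell over every certificate at once. This is an added example, not part of the original thread; the function name `Get-SmimeCertReport` is hypothetical, and it assumes PowerShell 3.0 or later and skips revocation lookups so that it works offline.

```powershell
# Added example (not from the thread). Store names: 'AddressBook' is what
# certmgr.msc shows as "Other People"; 'My' is what it shows as "Personal".
function Get-SmimeCertReport {
    param(
        [ValidateSet('AddressBook', 'My')]
        [string]$StoreName = 'AddressBook'
    )

    $x509 = 'System.Security.Cryptography.X509Certificates'

    Get-ChildItem "Cert:\CurrentUser\$StoreName" | ForEach-Object {
        $cert = $_

        # Build the chain the same way the Certification Path tab does.
        $chain = New-Object "$x509.X509Chain"
        # Assumption: no revocation check, so the result does not depend on network access.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $pathOk = $chain.Build($cert)

        # Every certificate found on the path, leaf first, root last.
        $path = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # Empty when the path is good; otherwise e.g. UntrustedRoot, PartialChain, NotTimeValid.
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status })

        # Key Usage extension: encrypting mail to an RSA certificate needs KeyEncipherment.
        $ku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $encipher = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
        $canEncrypt = (-not $ku) -or (($ku.KeyUsages -band $encipher) -ne 0)

        [pscustomobject]@{
            Store           = $StoreName
            Subject         = $cert.Subject
            Expires         = $cert.NotAfter
            Expired         = $cert.NotAfter -lt (Get-Date)
            HasPrivateKey   = $cert.HasPrivateKey   # expected True only in 'My'
            KeyEncipherment = $canEncrypt
            PathOk          = $pathOk
            PathProblems    = $problems -join ', '
            Path            = $path -join '  <-  '
        }
    }
}

# Senders' certificates first, then your own Digital IDs.
Get-SmimeCertReport -StoreName AddressBook | Format-List
Get-SmimeCertReport -StoreName My | Format-List
```

A `PathProblems` value of `PartialChain` or `UntrustedRoot` points at a missing intermediate or root CA certificate, which is the condition the reply suggests checking for.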
 
smackboy1

Thanks for the help. This seems to be getting more and more involved. Is
there a website or FAQ somewhere which explains in detail step by step how to
use digital certs in Vista/Outlook/Internet Explorer etc.?

Brian Tillman said:
> Describe the exact procedure you use to install the cert. Is this using the
> "Import/Export" button on Tools>Options>Security?

All the certs were installed almost a year ago when I was using Vista and
OL2003, so I can't exactly recall. IIRC for my own Digital ID I used the
"Import" on the Tools>Options>Security on OL2003. When senders e-mail me
their certs I just right click on the cert attached to the e-mail (or maybe I
right click on their e-mail address) and select "Save to Contacts". It then
just saves their cert to their contacts info. This method works for OL2003.
When I upgraded to OL2007 a few months ago I didn't need to install any new
certs, it just used the certs installed from OL2003. I notice that OL2007
does not have a Tools>Options>Security tab, I have to go to Tools>Trust
Center>e-mail Security. When I look there I see my own Digital ID listed.

If someone sends me a signed e-mail, how am I supposed to install their cert
so I can use it?

> At one point in the cert install you should be asked if you want to use
> strong private key protection.

It probably did. But how do I go back and change that setting? Or if I have
to go back and redo the whole thing from the start, how do I do that?

> Did you open the certificate and examine the certification path? Start
> Internet Explorer and click Tools>Internet
> Options>Content>Certificates>Other People. Select the certificate and click
> View. Select the Certification Path tab and see if the entire path is OK.

When I examine the certificate the entire path looks OK. No obvious errors.

> In that same Internet Explorer dialogue (which you can reach from
> Start>Run>certmgr.msc as well), select your own certificate from the
> "Personal" tab. Click Export, then Next. You should see an "Export Private
> Key" dialogue with two radio buttons, one for "Yes, export the private key"
> and one for "No, do not export the private key". The second one will be
> selected, but the first one must be selectable. If it's grayed out, your
> certificate is damaged and you can't make a good backup. I'd not disturb
> your existing cert if the private key is not exportable.
> --

OK I used the Cert Manager and found my current cert and a bunch of old
expired ones. What is the Cert Manager? Is it just a warehouse for keeping
backup copies of certs or is this where programs go to access the public and
private keys? I notice that my own Digital ID's are present in the Personal
folder and the certs from other e-mail senders are in the Other People folder.

How do I correctly install and use a digital cert? I just got a new cert for
myself from Thawte. The file is sitting on my desktop mycert.spc. When I open
it I see it contains 3 certs: Thawte Freemail Member, Thawte Personal
Freemail CA, and Thawte Personal Freemail Issuing CA. What am I supposed to
do with these?

> Brian Tillman [MVP-Outlook]
 
smackboy1

I'll take a look. When you get a chance if you could take a look at my
responses to your questions. If you tell me how, I might just remove and
reinstall my own certs and the signatures other people sent me. Thanks.
 
Brian Tillman [MVP - Outlook]

> I'll take a look. When you get a chance if you could take a look at my
> responses to your questions. If you tell me how, I might just remove and
> reinstall my own certs and the signatures other people sent me. Thanks.

I told you how to see them in Internet Explorer. You'll see a "Remove"
button there as well.
 
