Digitally Signing a Message prompts for access to my private key?

Mark S.

I have started using a digital certificate I obtained from Verisign to sign
my email messages. However, I am concerned about a stop prompt I am getting
that appears to request access to my private key. The window title is
"Signing data with your private exchange key", and states "An application is
requesting access to a protected item". That item is "CryptoAPI Private Key",
and is prompting me to enter the password I used to protect it. I have
scoured the MS knowledge base, and have attempted to install/reinstall the
certificate a number of times with various settings, including the default
settings. However, regardless of what I seem to do, I still get this message.
Am I doing something wrong? Should I be concerned about the prompt?

Thanks in advance.

Mark
 
Brian Tillman [MVP - Outlook]

> I have started using a digital certificate I obtained from Verisign to sign
> my email messages. However, I am concerned about a stop prompt I am getting
> that appears to request access to my private key. The window title is
> "Signing data with your private exchange key", and states "An application is
> requesting access to a protected item". That item is "CryptoAPI Private Key",
> and is prompting me to enter the password I used to protect it. I have
> scoured the MS knowledge base, and have attempted to install/reinstall the
> certificate a number of times with various settings, including the default
> settings. However, regardless of what I seem to do, I still get this message.
> Am I doing something wrong? Should I be concerned about the prompt?

It sounds like you enabled strong private key protection on your certificate
when you installed it. This type of protection requires that you specify
the password of the certificate every time you use the certificate. It can
be found in the certificate installation wizard on the same window where
you specify the certificate's password when installing. There are two
checkboxes on that dialogue; one for the strong private key protection and
the other for marking the private key as exportable. If you do not want to
be asked for the password every time, uninstall the certificate and
reinstall it, leaving the strong private key protection check box unchecked,
but checking the option to mark the private key as exportable.
 
Mark S.

Brian,

Thanks for responding. Based on your response, is it safe then to export or
otherwise provide my private key to others? I thought I had read somewhere
that I wanted to keep my private key "private", otherwise someone else could
impersonate me. But again, I may be totally confused.

Thanks.

Mark S.
 
Brian Tillman [MVP - Outlook]

> Thanks for responding. Based on your response, is it safe then to export or
> otherwise provide my private key to others? I thought I had read somewhere
> that I wanted to keep my private key "private", otherwise someone else could
> impersonate me. But again, I may be totally confused.

Your private key should always remain private. It's how recipients can
know the messages are actually from you when you sign them. Everybody in
the world can have your public key, though.

You don't need strong private key protection for your certificate, unless
you need to validate that it is you using the privacy features every time.
I would find that too inconvenient, myself. It's enough that the
certificate prompts for the password when it gets installed. Once
installed, I don't want it asking me every time I use it. Because it's
password protected for installations, if someone else were to get it, they
wouldn't be able to install it because they wouldn't know the password.
Make sure the password is difficult to guess. Use a combination of upper and
lower case letters, digits, and special characters.
 
Mark S.

Brian, thank you again for your response. Now I understand how it's
protected. I have already set up password protection, and hopefully it's a
doozy. Thanks again for your help.

Mark S.
 
