Your digital ID name cannot be found by the underlying security system

[Jorge Ramos]

Hello All,



I apologize in advance for the cross posting, but it occurs to me that
perhaps this is the NG where originally I should have posted my question.
Instead, I posted it on microsoft.public.security.



My Class 1 Verisign Digital ID expired and I purchased (or renewed?) a new
digital certificate. I disabled my Norton 2008 Firewall during the
installation of the VeriSign certificate and received no error messages
during the installation. However, unlike in my previous installation I
receive the following error message: "Your digital ID name cannot be found
by the underlying security system."



The VeriSign support is very disappointing. The VeriSign troubleshooting
requires one to export the private key from within Internet Explorer and
then importing it again. However, when attempting to export the private key,
the box is grayed out and a note indicates that "The associated private key
can not be found. Only the certificate can be exported."



I am using Win XP, IE 7.0.5730.11, Outlook 2003 SP3



Any suggestions on how to resolve the problem?



Thanks

 

[neo [mvp outlook]]

Do you still have the original e-mail from Verisign that contains your
certificate?

/neo

ps - the error you see is expected because the certificate key store doesn't
contain the private key for said certificate

 

[Jorge Ramos]

Yes, I do. I have the Verisign email with a long string of characters which
are used to retrieve and activate the certificate.

A little earlier I received email from VeriSign indicating that the
certificate might be corrupt. They asked me to replace the certificate (free
of charge). I did replace it and now I have two certificates, none of which
works. I now have two certificates which appear identical. Not knowing which
of the two to select in configuring Outlook, I first selected the one on the
top. I then tested to see if I could send digitally signed emails. Because I
could not send digitally signed emails I tried again to configure Outlook
using the second certificate (at the bottom). Again, I then tested to see if
I could send digitally signed emails and I could not. I still receive the
message "Your digital ID name cannot be found by the underlying security
system.". I then went to Internet Explorer to try to export the certificate
to then attempt to import it again. Since I could not identify which of the
two certificates is the most recent or valid, I attempted to export both
certificates. In both instances, when attempting to export the private key,
the box is grayed out and a note indicates that "The associated private key
can not be found. Only the certificate can be exported."

Am I required to take any other steps with the certificate or with the
configuration?

Thanks!

 

[neo [mvp outlook]]

What i would do is this...

Uninstall the personal certificate you have now. You should be able to
access it via IE's Internet Options > Content tab > Certificates > Personal
tab. Once you have it removed, close the dialog box and then install one of
the .PFX files Verisign sent you. Go back to IE's Internet Options >
Content tab > Certificates > Personal tab and double click on the
certificate. Down near the bottom will show the issued to, from, valid
dates, and whether or not it has the private key. If the text "You have a
private key that corresponds to this certificate" is missing, then uninstall
and try the other .PFX file.

If neither contains that blurb, you will need to let Verisign know that both
files sent are missing the private key.

 

[Jorge Ramos]

Neo, thanks for your reply. However, VeriSign never sent any files, .PFX or
otherwise. I just received an email from Verisign providing a "digital id
pin number" along with a link. Once I clicked on the link, I was prompted
for my "digital id pin number" and other information. The installation of
the certificate occurred automatically. Because I don't have a .PFX file I
can not do what you suggest.

I've had several digital id's in the past on this same computer. Is it
possible that something is corrupted?

 

[neo [mvp outlook]]

On your machine, doubt it because if you don't have the private key, then
you are stuck. Is the verisign link/pin still active where you can download
the certificate as many times as you need to?

 

[Brian Tillman]

A little earlier I received email from VeriSign indicating that the
certificate might be corrupt. They asked me to replace the
certificate (free of charge). I did replace it and now I have two
certificates, none of which works. I now have two certificates which
appear identical. Not knowing which of the two to select in
configuring Outlook, I first selected the one on the top. I then
tested to see if I could send digitally signed emails. Because I
could not send digitally signed emails I tried again to configure
Outlook using the second certificate (at the bottom). Again, I then
tested to see if I could send digitally signed emails and I could
not. I still receive the message "Your digital ID name cannot be
found by the underlying security system.". I then went to Internet
Explorer to try to export the certificate to then attempt to import
it again. Since I could not identify which of the two certificates is
the most recent or valid, I attempted to export both certificates. In
both instances, when attempting to export the private key, the box is
grayed out and a note indicates that "The associated private key can
not be found. Only the certificate can be exported."

If this were to happen to me, since it's a paid service, I'd be calling
VeriSign.

 

[Brian Tillman]

Neo, thanks for your reply. However, VeriSign never sent any files,
.PFX or otherwise. I just received an email from Verisign providing a
"digital id pin number" along with a link. Once I clicked on the
link, I was prompted for my "digital id pin number" and other
information. The installation of the certificate occurred
automatically. Because I don't have a .PFX file I can not do what you
suggest.

That's how VeriSign's managed PKI system works. I suspect you do not have a
private key recovery feature, either.

I've had several digital id's in the past on this same computer. Is it
possible that something is corrupted?

Not likely. Open IE and visit the dialogue Neo mentions. Select the
certificate and choose Export. The Export wizard will start. Click Next.
In the next page of the dialogue, you should see two radio buttons, one
labeled "Yes, export the private key" and the other labeled "No, do not
export the provate key". WHile the second one will be selected, the first
should be active so that you can select it. If it's not active, then you
certificate is damaged and does not have a private key. It's time to call
VeriSign.

If the "Yes" button is active, select it and click Next. The "Personal
Information Exchange" button should be selected, and the "Enable strong
encryption" bax checked. Click Next. Choose a password for the private key
and click Next.Browse to a folder where you want to save the exported
certificate, give it a name that's meaningful, and click Save, then Next,
then Finish. You should now have a PFX file containing your certificate and
its keys that you can reinstall if something happens to the PC. Keep a
couple of copies of thie file, one on the PC and one off, like on a flash
drive.

 

[Jorge Ramos]

Brian / Neo,

Although I do not have a private key recovery feature, I can replace my
certificate at any time for free during the first 30 days. After 30 days
there is a $100 charge, but I'm will inside of the 30 day period. I have
replaced the certificate 3 times already and still it will not work.
VeriSign supports their Digital ID product only by email. After exchanging a
ridiculous amounts of emails I requested a tel number to talk to a live
person. They said no telephone support is available. I then call the company
telephone number and after navigating through a maze of routing options
reached the line for Digital ID support. Unfortunately, the recording
indicates that no telephone support is available. At that point you can not
press 0 or any other key to reach a live person.

I thank you for the information you provided. I suspect that I don't really
NEED a Digital ID so I will dispute my credit card charge for the Digital ID
and move on. Thanks again!!!

 

[Jorge Ramos]

This morning I received email from VeriSign indicating that apparently I
have an issue with the Windows "key containers protections." They asked me
to replace the digital id using FireFox and then importing it on to Internet
Explorer. They acknowledged that "we have noticed works in most cases.' It
did!

 

[Brian Tillman]

VeriSign supports their Digital ID product only by
email.

Not true for us. I've called VeriSign many times about PKI issues for our
service.

After exchanging a ridiculous amounts of emails I requested a
tel number to talk to a live person. They said no telephone support
is available. I then call the company telephone number and after
navigating through a maze of routing options reached the line for
Digital ID support. Unfortunately, the recording indicates that no
telephone support is available. At that point you can not press 0 or
any other key to reach a live person.

Maybe they've changed things since last I used the support feature.

I thank you for the information you provided. I suspect that I don't
really NEED a Digital ID so I will dispute my credit card charge for
the Digital ID and move on. Thanks again!!!

You need a digital ID for two reasons: one is to prove that you are the
sender of the message. The other is to be able to exchange messages with
others who also have digital certificates.

 

[Brian Tillman]

This morning I received email from VeriSign indicating that
apparently I have an issue with the Windows "key containers
protections." They asked me to replace the digital id using FireFox
and then importing it on to Internet Explorer. They acknowledged that
"we have noticed works in most cases.' It did!

I've done that on occasion as well. There are conditions that corrupt the
Windows crypto store (although I can't begin to list them). Make sure
you've created your external copy of the PFX file as I described in case
anything goes wrong.

 

[Jorge Ramos]

I think there is a difference in terms of how they support their different
products. They may offer telephone support for PKI but not for Digital IDs.
http://www.verisign.com/support/digital-id-support/index.html

 

[Jorge Ramos]

I think there is a difference in terms of how they support their different
products. I think they offer telephone support for PKI but not for Digital
IDs.
http://www.verisign.com/support/digital-id-support/index.html

 

[Denizen]

I have exactly the same problem.
Verisign has repeatedly told me to install firefox browser, reinstall the
digital ID, export the ID, then import it into MSIE.
My registry gets bloated enough without installing software to work around
another piece of software.
I'd like to know if anyone found a ID company works with MSIE 7.

 

[neo [mvp outlook]]

I've never had problems with thawte's personal e-mail certificates. Other
than that, I am really surprised that Verisign is being as difficult as they
are, but maybe they have different support tiers when it comes to companies
getting certificates for web servers vs. personal certificates.