UW Digital ID (Personal Certificate) - Troubleshooting - Usage (Mac)
This document will provide troubleshooting steps for various UW Digital ID issues on Mac.
Entrust Certificate Revocation
If your digital certificate is reporting as invalid, please check the issuer of that certificate. You can see this information by following the instructions to verify your certificate installation below.
If the issuer of that certificate is "Entrust Education Shared Service Provider," you are using an old, revoked certificate. As of October 31, 2016, all old Entrust certificate holders should be using Comodo certificates.
If you do not have a Comodo certificate, please contact UW Digital ID Administration at uwdigitalid@doit.wisc.edu for instructions to issue a new certificate to you.
Verifying Certificate Installation
You should ensure that your digital certificate is installed properly before troubleshooting. This will confirm that your certificate was properly downloaded and installed.
- Open Keychain Access (Applications > Utilities > Keychain Access).
- Navigate to the "login" keychain and click My Certificates in the left-hand sidebar.
- If the certificate was installed properly, you should see a certificate with your name in the main window. Right-click the certificate and click "Get Info."
- To make sure the certificate is valid, look for the green checkmark and the "This certificate is valid" message at the top of the information window.
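The same two checks (who issued the certificate, and whether it is still within its validity period) can be scripted once the certificate has been exported from Keychain Access as a PEM file. The script below is an added example and is not part of this article or of UW DoIT's tooling; it needs only openssl. It assumes the certificate was exported with File > Export Items in Keychain Access, or with the macOS-only command `security find-certificate -c "Your Name" -p ~/Library/Keychains/login.keychain-db > mycert.pem` (not run here). The sample certificates it generates are constructed, self-signed stand-ins for a real Keychain entry.

```shell
#!/bin/sh
# Added example (not the article's own steps): scripted version of the
# "Verifying Certificate Installation" and "Entrust Certificate Revocation"
# checks for a certificate exported to a PEM file. Requires only openssl.

REVOKED_ISSUER="Entrust Education Shared Service Provider"   # issuer named in the article

# check_cert <pem-file>
#   Prints the issuer and expiry date, then returns:
#     0  within its validity period and not from the revoked Entrust issuer
#     1  file unreadable, not an X.509 certificate, or already expired
#     2  issued by the revoked Entrust issuer (a Comodo certificate is needed)
check_cert() {
  pem="$1"
  [ -r "$pem" ] || { echo "cannot read $pem"; return 1; }
  issuer=$(openssl x509 -in "$pem" -noout -issuer 2>/dev/null) \
    || { echo "$pem is not an X.509 certificate"; return 1; }
  expiry=$(openssl x509 -in "$pem" -noout -enddate)
  echo "$issuer"
  echo "$expiry"
  case "$issuer" in
    *"$REVOKED_ISSUER"*)
      echo "REVOKED: old Entrust certificate, request a Comodo certificate"
      return 2 ;;
  esac
  # -checkend 0 exits non-zero if the certificate has already expired
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED"
    return 1
  fi
  echo "OK: certificate is within its validity period"
  return 0
}

# Constructed sample certificates (self-signed, so issuer == subject) standing
# in for exported Keychain entries; a real UW Digital ID is issued by a CA.
SAMPLE_DIR=$(mktemp -d)
make_sample() {  # make_sample <file-stem> <common-name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$SAMPLE_DIR/$1.key" -out "$SAMPLE_DIR/$1.pem" >/dev/null 2>&1
}
make_sample user "Bucky Badger"          # hypothetical user certificate
make_sample entrust "$REVOKED_ISSUER"    # certificate from the revoked issuer

check_cert "$SAMPLE_DIR/user.pem"
check_cert "$SAMPLE_DIR/entrust.pem" || true
```

Note that this only reproduces the issuer and expiry checks; the green checkmark in Keychain Access additionally reflects that the whole chain up to a trusted root validates, which a single exported leaf certificate cannot show on its own.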
Email Client Troubleshooting
Behavior / Error Messages
When reading a signed email, you see this message:

Resolution
There are several reasons and potential solutions for this error:
- The sender's email address does not match the email address contained in the digital signature.
  Solution: Contact the sender to check which email addresses are on their Digital ID.
- The message may have been forged, tampered with, or corrupted.
  Solution: Contact the sender to re-send the message.
- The signing certificate is not "trusted".
  Solution: You will need to modify your Keychain to explicitly trust the root certificate for UW Digital ID.
Behavior / Error Messages
When reading an encrypted email, you see this message:

Resolution
There are several reasons and potential solutions for this error:
- The sender's public key is not in your Keychain.
  Solution: Exchange public keys by sending signed emails to each other.
- You denied Apple Mail access to your public key.
  Solution: Select the email, and Mac OS will ask you for permission to let Apple Mail use the private key in your Keychain to decrypt the email. Click Allow or Always Allow.
Behavior / Error Messages
Email messages viewed in Apple Mail will sometimes not display the security header indicating they have been digitally signed.
Resolution
This problem is specific to users viewing email with Apple Mail. This can happen for one of the following reasons:
- The sender's signing and encryption algorithms are set to something other than SHA-1 and 3DES, respectively. Apple Mail's security header does not know what to display when emails with more stringent encryption settings are received, so the header will not be displayed at all.
- The email is not digitally signed.
Because the current version of Apple Mail does not allow users to configure which signing and encryption algorithms to accept, there is no simple workaround. If you are affected by this issue, the only known "fixes" are as follows:
- Contact the sender directly to verify that the email was digitally signed.
- Use a mail client other than Apple Mail to view your email.
- Ask the sender to change his or her signing and encryption settings to SHA-1 and 3DES, respectively. Senders using Microsoft Outlook can use the following document for assistance with changing these settings: [Link for document 23572 is unavailable at this time.].
Encryption Behavior
When you send an encrypted email to someone, Apple Mail will subsequently always send an encrypted email to that recipient until you specify otherwise.
To disable this behavior, simply toggle encryption off on a subsequent message. Apple Mail will no longer default encrypt an email to that recipient until you choose to encrypt another email to that recipient.
Security Controls
When you compose an email, Apple Mail has two icons to indicate whether or not your email will be signed and / or encrypted.
- Encryption Unavailable / Signed Message: the message cannot be encrypted because the certificate for one or more recipients is not known or does not exist.
- Signed Only.
- Encrypted Only.
- Signed and Encrypted.
- No security set: click the lock icon to encrypt and / or the seal icon to sign the message.
Behavior / Error Messages
When you send a signed email, the recipient reports that your message is encrypted, even if it has only been signed.
Resolution
You can experience this issue if the "Send digitally signed messages as clear text" setting is disabled.
To enable / verify this setting:
- Navigate to Outlook > Preferences...
- Click Accounts.
- Click Advanced...
- Click the Security tab and ensure that the Send digitally signed messages as clear text option is selected.
Behavior / Error Messages
When you try to send a signed email, you encounter one of the following error messages:
"Microsoft Outlook : Can't open this item - your digital ID name cannot be found by the underlying security system."
Resolution
You may need to explicitly save the recipient's certificate into Outlook.
- Open a digitally signed message from the recipient.
- In the Info Bar at the top of the message, click the Details button, and then click Add Encryption Certificate to Contacts.
The certificate is stored with your contact entry for this sender. If you do not already have this person saved as a contact, Outlook automatically creates a contact entry.
You should also verify that the Send digitally signed messages as clear text option is enabled. Follow the instructions above under Outlook 2011: Messages Display as Encrypted when they are only Signed.