UW Digital ID (Personal Certificate) - Troubleshooting - Usage (Windows)

This document will provide troubleshooting steps for various UW Digital ID issues on Windows.

Entrust Certificate Revocation

If your digital certificate is reporting as invalid, please check the issuer of that certificate. You can see this information by following the instructions to verify your certificate installation below.

If the issuer of that certificate is "Entrust Education Shared Service Provider," you are using an old, revoked certificate. As of October 31, 2016, all old Entrust certificate holders should be using Comodo certificates.

If you do not have a Comodo certificate, please contact UW Digital ID Administration at uwdigitalid@doit.wisc.edu for instructions to issue a new certificate to you.

Verifying Certificate Installation

Before troubleshooting, confirm that your digital certificate was downloaded and installed properly:

  1. Open the Windows Start menu, type certmgr.msc in the search bar, and select certmgr.msc from the search results.

  2. In the left-hand sidebar, click Personal > Certificates.

  3. Double-click your certificate. The Issued By column should say "COMODO SHA-256 Client Authentication and Secure Email CA."

  4. If you see the message "You have a private key that corresponds to this certificate," then your certificate is properly installed.
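To check the same points without clicking through certmgr.msc, the following PowerShell snippet is an added example; it is not part of this KB article or of the UW Digital ID tooling. It lists every certificate in the current user's Personal store and reports whether it is the revoked Entrust certificate, an expired certificate, a Comodo certificate with its private key (the "You have a private key" message above), or something else. The issuer names are the ones quoted in this article; the script assumes the certificate was imported into the current user's store (Cert:\CurrentUser\My), which is what certmgr.msc shows under Personal > Certificates.

```powershell
# Added example (not from the original KB article): report the state of each
# certificate in the current user's Personal store against the checks above.
# Assumption: the UW Digital ID was imported into Cert:\CurrentUser\My.

$ComodoIssuer  = 'COMODO SHA-256 Client Authentication and Secure Email CA'   # from the article
$EntrustIssuer = 'Entrust Education Shared Service Provider'                  # from the article

function Test-UWDigitalID {
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My
    if (-not $certs) {
        Write-Warning 'No certificates in the Personal store; the UW Digital ID is not installed.'
        return
    }
    foreach ($cert in $certs) {
        $status = if ($cert.Issuer -like "*$EntrustIssuer*") {
            'REVOKED Entrust certificate - request a Comodo certificate from uwdigitalid@doit.wisc.edu'
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            'Expired - request a new certificate'
        } elseif ($cert.Issuer -like "*$ComodoIssuer*") {
            if ($cert.HasPrivateKey) {
                'OK - Comodo certificate with private key'
            } else {
                'Comodo certificate but NO private key - re-import the backed-up .pfx, not just a .cer'
            }
        } else {
            'Not issued by the UW Digital ID CA'
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Status     = $status
        }
    }
}

Test-UWDigitalID | Format-List
```

HasPrivateKey is the property behind the "You have a private key that corresponds to this certificate" line in certmgr.msc; a certificate that shows up with the right issuer but without it cannot sign mail, which is the usual cause of the Outlook errors described further down.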

Email Client Troubleshooting

Behavior / Error Messages

The From: and Signed by: addresses do not match on your sent messages.


Resolution

Unfortunately, there is no known workaround with the Comodo certificates.

Behavior / Error Messages

You encounter one of the following error messages.

"Microsoft Outlook : An error occurred in the underlying security system.  The keyset is not defined."
"Microsoft Outlook : Can't open this item - your digital ID name cannot be found by the underlying security system."

Resolution

The above error messages occur when no digital certificate for the sender or recipient is available on your workstation.
Without it, Outlook cannot send a signed or encrypted S/MIME message and, in some instances, cannot open one.

As a workaround, you can use the following instructions to manage certificates for Outlook 2007 and 2010.

  1. Open a digitally signed message from the recipient.

  2. Right-click the name in the "From:" box and choose "Add to Outlook Contacts."

  3. The Contacts window opens. Click the "Save & Close" button in the upper-left corner.

  4. Verify that Outlook is configured to send clear-text signed messages. See the instructions below under "Outlook 2007 / 2010 / 2013: Messages display as encrypted when they are only signed."

Behavior / Error Messages

Outlook indicates that a message you sent and digitally signed is also encrypted, even if you've indicated to not encrypt the message.


Resolution

If you encounter this issue, then you likely do not have the "Send clear text signed message when sending signed messages" setting enabled.

To verify if you have this setting enabled:

Outlook 2007

  1. Click "Tools" in the Outlook menu bar.

  2. Click "Trust Center".

  3. Select "E-mail Security" in the left-hand sidebar.

  4. Verify that "Send clear text signed message when sending signed messages" is checked.

    [Screenshot: Setting_2007.gif]

Outlook 2010 / 2013

  1. Choose "File" in the Outlook menu bar.

  2. Select "Options."

    [Screenshot: File_Option_2010.gif]

  3. Click "Trust Center".

  4. Click the "Trust Center Settings..." button.

    [Screenshot: Trust_Center_2010.gif]

  5. Click "E-mail Security" in the left-hand sidebar.

  6. Verify that "Send clear text signed message when sending signed messages" is checked.

    [Screenshot: Setting_2010.gif]

Behavior / Error Messages

If there is no digital certificate installed on the workstation, Outlook cannot send a signed or encrypted S/MIME message. In this scenario, if the registry value below is not configured, the following error message is displayed:

"Microsoft Outlook cannot sign or encrypt this message because there are no certificates which can be used to send from the e-mail address '<e-mail address>'.
Either get a new digital ID to use with this account, or use the Accounts button to send the message using an account that you have certificates for."

Resolution

As a workaround, you can use the following instructions to stop Outlook 2010 and 2013 from automatically trying to sign or encrypt a reply to, or forward of, a message that was itself signed or encrypted.

  1. Save the following file to your desktop: Outlook_Fix.reg

  2. Right click on the file and choose Merge.

  3. Click OK to dismiss the Registry Editor prompt.

  4. Exit and restart Outlook.

For more information see: Outlook automatically tries to sign or encrypt the reply or forward

Alternatively, for the individual message that produces the error, un-check the Sign and/or Encrypt option(s) and then click Send.

In the message window, on the "Options" tab of the ribbon, the Permission section shows two Mail Security icons: the red Sign icon and the blue Encrypt icon. Make sure both are unselected.

Note: this will not prevent Outlook from attempting to automatically sign or encrypt replies or forwarded emails in the future.

Behavior / Error Messages

Outlook hangs / crashes when sending a digitally signed message.


Resolution

Make sure you have a backup of your digital certificate saved as a file before you start the procedure below (see "Exporting your Digital Certificate Instructions").

This bug occurs if the digital certificate was installed through Outlook's own import-certificate method rather than the Windows Certificate Import Wizard.

To fix this issue:

  1. Go to the Windows Start menu and click on Control Panel.

  2. Click Network and Internet and then click Internet Options.

  3. Click on Content.

  4. Under the Content tab, in the Certificates section, click Certificates.

    You will then be presented with the Certificates dialog:

    [Screenshot: Certificates dialog with the Remove button]

  5. Click on the certificate you wish to remove then click Remove.

  6. Re-install the digital certificate you backed up using the Windows Certificate Import Wizard rather than the import-certificate method within Outlook.

  7. When done reinstalling return to Outlook 2013 and try to send a signed message after choosing Options | Sign:

    [Screenshot: Options | Sign in the message window]
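The backup, remove and re-import steps of this procedure can also be done from PowerShell with the PKI module cmdlets, which write to the same Windows certificate store the Certificate Import Wizard uses. The script below is an added example and is not part of this KB article or of the UW Digital ID tooling. It assumes the PKI module is available (Windows 8 / Server 2012 or later), that the certificate's private key was marked exportable when it was first installed (otherwise Export-PfxCertificate fails and you must use the existing backup instead), and that $Thumbprint identifies the certificate (take it from certmgr.msc's Details tab). The backup file name is a constructed example.

```powershell
# Added example (not from the original KB article): backup, remove and re-import
# the UW Digital ID via the Windows certificate store instead of the Outlook importer.
# Assumptions: PKI module present, private key exportable, $Thumbprint supplied by the user.

param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $BackupPath = "$env:USERPROFILE\Desktop\uwdigitalid-backup.pfx"   # constructed example path
)

$certPath = "Cert:\CurrentUser\My\$Thumbprint"
$cert = Get-Item -Path $certPath
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; re-import from your existing backup instead."
}

# 1. Backup: export the certificate together with its private key to a password-protected PFX.
$pfxPassword = Read-Host -Prompt 'Password to protect the PFX backup' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $BackupPath -Password $pfxPassword | Out-Null
Write-Host "Backup written to $BackupPath"

# 2. Remove the copy that Outlook's importer created, including its private key
#    (the equivalent of Internet Options > Content > Certificates > Remove).
Remove-Item -Path $certPath -DeleteKey

# 3. Re-import through the Windows certificate store (the equivalent of the Import Wizard).
$imported = Import-PfxCertificate -FilePath $BackupPath `
                                  -CertStoreLocation Cert:\CurrentUser\My `
                                  -Password $pfxPassword
if ($imported.HasPrivateKey) {
    Write-Host "Re-imported $($imported.Thumbprint) with private key; restart Outlook and try Options | Sign."
} else {
    Write-Warning 'Re-import completed without a private key; check the PFX and password.'
}
```

Keep the exported PFX somewhere protected and delete it once the re-import is confirmed: it holds the private key that signs your mail, so anyone who obtains the file and its password can sign as you.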



Keywords: uw digital id certificate cert personal did uwdid troubleshooting outlook thunderbird windows mail error signing trusted office microsoft
Doc ID: 69289
Owner: Charles C.
Group: UW Digital ID
Created: 2016-12-08 13:58 CDT
Updated: 2017-08-10 09:20 CDT
Sites:DoIT Help Desk, DoIT Tech Store, UW Digital ID