UW Digital ID (Personal Certificate) - Troubleshooting - Usage (Mac)

This document will provide troubleshooting steps for various UW Digital ID issues on Mac.

Entrust Certificate Revocation

If your digital certificate is reporting as invalid, please check the issuer of that certificate. You can see this information by following the instructions to verify your certificate installation below.

If the issuer of that certificate is "Entrust Education Shared Service Provider," you are using an old, revoked certificate. As of October 31, 2016, all old Entrust certificate holders should be using Comodo certificates.

If you do not have a Comodo certificate, please contact UW Digital ID Administration at uwdigitalid@doit.wisc.edu for instructions to issue a new certificate to you.

Verifying Certificate Installation

You should ensure that your digital certificate is installed properly before troubleshooting. This will confirm that your certificate was properly downloaded and installed.

  1. Open Keychain Access (Applications > Utilities > Keychain Access).

  2. Navigate to the "login" keychain and click My Certificates in the left-hand sidebar.

    [screenshot: keychain_cert.png]
  3. If the certificate was installed properly, you should see a certificate with your name in the main window. Right click the certificate and click "Get Info."

    [screenshot: get_info.png]
  4. To make sure the certificate is valid, look for the green checkmark and "This certificate is valid" message at the top of the information window.

    [screenshot: cert_info.png]
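The same two checks (issuer and expiry) from the command line, as an added example that is not part of the original document: it flags the revoked Entrust issuer described above and reports whether the certificate has expired. It assumes openssl(1) is installed and that the personal certificate has been exported to a PEM file; "Your Name" and mycert.pem are placeholders.

```shell
#!/bin/sh
# check_uwdid_cert.sh (added example): inspect an exported personal certificate
# the way the Keychain Access steps above do, but from the command line.
# Assumes openssl(1). Export the certificate first, e.g. on macOS:
#   security find-certificate -p -c "Your Name" > mycert.pem
# ("Your Name" and mycert.pem are placeholders.)

issuer_of() {
    # Print the issuer distinguished name of the certificate in $1.
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

classify_issuer() {
    # The old Entrust issuer means a revoked certificate (see "Entrust
    # Certificate Revocation" above); any other issuer passes this check.
    case "$1" in
        *"Entrust Education Shared Service Provider"*) echo "REVOKED-ENTRUST" ;;
        *) echo "OK-ISSUER" ;;
    esac
}

not_expired() {
    # Exit 0 if the certificate in $1 has not passed its notAfter date. This is
    # only the expiry part of Keychain Access's "This certificate is valid";
    # chain trust and revocation status are not checked here.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

check_cert() {
    # Print a one-line verdict for $1; exit 0 only when issuer and expiry pass.
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo "UNREADABLE: $1"; return 2; }
    issuer=$(issuer_of "$1")
    if [ "$(classify_issuer "$issuer")" = "REVOKED-ENTRUST" ]; then
        echo "REVOKED: issuer is '$issuer'; request a new certificate from uwdigitalid@doit.wisc.edu"
        return 1
    fi
    if not_expired "$1"; then
        echo "VALID: issuer is '$issuer'"
    else
        echo "EXPIRED: issuer is '$issuer'"
        return 1
    fi
}

# Usage: check_cert mycert.pem
```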

Email Client Troubleshooting

Behavior / Error Messages

When reading a signed email, you see this message:

[image: Unable_Verify_Sign.gif]

Resolution

There are several reasons and potential solutions for this error:

  • The sender's email address does not match the email address contained in the digital signature.
    Solution: Contact the sender to check which email addresses are on their Digital ID.

  • The message may have been forged, tampered with, or corrupted.
    Solution: Contact the sender to re-send the message.

  • The signing certificate is not "trusted".
    Solution: Modify your Keychain to explicitly trust the root certificate for UW Digital ID.

Behavior / Error Messages

When reading an encrypted email, you see this message:

[image: Decrypt_Error.gif]

Resolution

There are several reasons and potential solutions for this error:

  • The sender's public key is not in your Keychain.
    Solution: Exchange public keys by sending signed emails to each other.

  • You denied Apple Mail access to the private key in your Keychain.
    Solution: Select the email, and Mac OS will ask for permission to give Apple Mail access to the private key in your Keychain to decrypt the email. Click Allow or Always Allow.
    [image: key_chain_access.gif]

Behavior / Error Messages

Email messages viewed in Apple Mail will sometimes not display the security header indicating they have been digitally signed.


Resolution

This problem is specific to users viewing email with Apple Mail. This can happen for one of the following reasons:

  • The sender's signing and encryption algorithms are set to something other than SHA-1 and 3DES, respectively. Apple Mail's security header does not know what to display when emails with more stringent encryption settings are received, so the header will not be displayed at all.
  • The email is not digitally signed.

Because the current version of Apple Mail does not allow users to configure which signing and encryption algorithms to accept, there is no simple workaround. If you are affected by this issue, the only known "fixes" are as follows:

  • Contact the sender directly to verify that the email was digitally signed.
  • Use a mail client other than Apple Mail to view your email.
  • Ask the sender to change his or her signing and encryption settings to SHA-1 and 3DES, respectively. Senders using Microsoft Outlook can use the following document for assistance with changing these settings: Document 23572 is unavailable at this time.
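To confirm whether a message with no security header is the SHA-1 / 3DES case described above, the following added example (not part of the original document) reports the digest and content-encryption algorithms an S/MIME message actually used. It assumes openssl(1) with the cms subcommand and the message saved as a raw .eml file; message.eml is a placeholder.

```shell
#!/bin/sh
# smime_algs.sh (added example): show the algorithms an S/MIME message was
# signed or encrypted with. Assumes openssl(1) with the "cms" subcommand and a
# raw RFC 822 message file (message.eml is a placeholder).

smime_algs() {
    # "-cmsout -print" dumps the CMS structure as text; keep only the two
    # algorithm identifiers the text says Apple Mail's header depends on:
    #   digest=<name>       from signedData.digestAlgorithms
    #   encryption=<name>   from envelopedData contentEncryptionAlgorithm
    openssl cms -cmsout -print -in "$1" 2>/dev/null |
        awk '/digestAlgorithms:/           { want = "digest";     next }
             /contentEncryptionAlgorithm:/ { want = "encryption"; next }
             want != "" && /algorithm:/    { print want "=" $2; want = "" }'
}

apple_mail_compatible() {
    # Exit 0 when every reported algorithm is SHA-1 or 3DES (the pair Apple
    # Mail's header expects), 1 when something else was used (the case that
    # hides the header), 2 when no CMS data was found in the file.
    algs=$(smime_algs "$1")
    [ -n "$algs" ] || return 2
    if printf '%s\n' "$algs" | grep -qv -e '^digest=sha1$' -e '^encryption=des-ede3-cbc$'; then
        return 1
    fi
    return 0
}

# Usage: smime_algs message.eml
#        apple_mail_compatible message.eml && echo "sender used SHA-1/3DES"
```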

Encryption Behavior

When you send an encrypted email to someone, Apple Mail will subsequently always send an encrypted email to that recipient until you specify otherwise.

To disable this behavior, simply toggle encryption off on a subsequent message. Apple Mail will no longer default encrypt an email to that recipient until you choose to encrypt another email to that recipient.


Security Controls

When you compose an email, Apple Mail has two icons to indicate whether or not your email will be signed and / or encrypted.

  • Encryption Unavailable / Signed Message: The message cannot be encrypted since the certificate for one or more recipients is not known or does not exist.

  • Signed, Not Encrypted: Signed only.

  • Encrypted, Not Signed: Encrypted only.

  • Signed and Encrypted: Signed and encrypted.

  • Both available: No security set. Click on the lock icon to encrypt and / or the seal icon to sign the message.

Behavior / Error Messages

When you send a signed email, the recipient reports that your message is encrypted, even if it has only been signed.


Resolution

You can experience this issue if the "Send digitally signed messages as clear text" setting is disabled.

To enable / verify this setting:

  1. Navigate to Outlook > Preferences...

    [screenshot: Preferences.gif]
  2. Click Accounts.

    [screenshot: Accounts.gif]
  3. Click Advanced...

    [screenshot: Advanced.gif]
  4. Click the Security tab and ensure that the Send digitally signed messages as clear text option is selected.

    [screenshot: Security_Settings.gif]

Behavior / Error Messages

When you try to send a signed email, you encounter one of the following error messages:

"Microsoft Outlook : An error occurred in the underlying security system.  The keyset is not defined."
"Microsoft Outlook : Can't open this item - your digital ID name cannot be found by the underlying security system."

Resolution

You may need to explicitly save the recipient's certificate into Outlook.

  1. Open a digitally signed message from the recipient.

  2. In the Info Bar at the top of the message, click the Details button, and then click Add Encryption Certificate to Contacts.

    The certificate is stored with your contact entry for this sender. If you do not already have this person saved as a contact, Outlook automatically creates a contact entry.

    [screenshot: Mac_Outlook_Add_Cert.gif]

You should also verify that the Send digitally signed messages as clear text option is enabled. Follow the instructions above under Outlook 2011: Messages Display as Encrypted when they are only Signed.




Keywords: uw digital id certificate cert personal did uwdid troubleshooting outlook thunderbird apple mail mac email outlook yosemite mavericks error signing trusted
Doc ID: 69296
Owner: Charles C.
Group: UW Digital ID
Created: 2016-12-08 15:42 CDT
Updated: 2017-08-10 09:20 CDT
Sites: DoIT Help Desk, DoIT Tech Store, UW Digital ID