Frequently Asked Questions

If you cannot find the answer to your problem below, then please contact WISeKey Support at +41 22 594 3000, or SUPPORT(AT)WISEKEY.COM .

Personal email certificates

How do digital certificates work?
Obtaining a Client Certificate
Where can I view my certificate?
I don't see the certificate in my personal certificate list
How to send yourself encrypted email with Microsoft Outlook 2000
How do I export and import a certificate in Microsoft Internet Explorer?
How to Export and Import a Personal Certificate in a Netscape browser?
Can I request a certificate for Internet Explorer for the Mac?
How to add a Digital ID to your address book - Outlook Express
How to add a Certificate to contacts list in Outlook 2000
How to add a Certificate to contacts list in Outlook 2002
I cannot see my certificate in the Outlook selection box, even though I can see it in IE.
I get an error when I send encrypted mail to myself using Outlook 2000.


Description of the security features that allow you to send e-mail messages over the Internet

How to Get a Digital ID for Sending Secure Messages
How to Back up or Copy a Digital ID
How to Move a Digital ID to another Computer
How to Send a Signed Message
How to Add a Digital ID to Your Contacts List
How to Send an Encrypted (Sealed) Message
How to Sign or Encrypt All Messages That You Send


Alinghi Smartcard Kit FAQ and Support

Welcome to the Alinghi SmartCard kit support page
Software and Documentation for the supported platforms
Alinghi SmartCard kit support page
Frequently Asked Questions


Error Messages

Error: '-2146885628' when retrieving your certificate.
Error: "Unable to generate PKCS#10"
Error: "Error 5: certificate not installed"
Error: "Windows cannot determine the validity of this certificate because it cannot locate a valid certificate revocation list from the CA which issued the certificate"
Error: "Your key set cannot be found by the underlying security system", when I send or receive signed or encrypted messages Outlook 2000.
Error: "Your digital ID name cannot be found by the underlying security system"
Error: "This program is trying to access a protected item", every time I read or send encrypted mail.
Error: "This message cannot be secured using the selected security settings"
Error: Certificate Revocation List needed to verify the signing certificate is either unavailable or it has expired"


Common error messages that are related to client certificates

403.7 - Client certificate required. This error message is received if a client does not provide a client certificate when one is required: either the client refused to send a client certificate, or the client did not have a certificate issued by a mutually trusted certification authority.

403.13 - Forbidden: Client certificate revoked. This error message means that the client sent a certificate, but either the certificate shows up as revoked in the issuing authority's Certificate Revocation List or the server could not retrieve a CRL from the issuing authority.

403.16 - Client certificate is untrusted or invalid. This error message is primarily generated when the certificate that the client provided is improperly formed. It can also be generated if there are intermediate certification authorities in the certificate chain that are not trusted by the Web server.

403.17 - Client certificate has expired or is not yet valid This error message is fairly self-explanatory. It means that the current date on the server is not within the valid date ranges that are presented in the client certificate.

Error when importing a certificate file: "The Certificate is invalid. Please double-check that you have chosen the correct file. CAPI2 error = 80093005". Windows could not decode the file you selected as a certificate; check that you picked the right file.


IIS Status Codes

400 - Bad request.

  • 401 - Access denied. IIS defines a number of different 401 errors that indicate a more specific cause of the error. These specific error codes are displayed in the browser but are not displayed in the IIS log:
  • 401.1 - Logon failed.
  • 401.2 - Logon failed due to server configuration. 
  • 401.3 - Unauthorized due to ACL on resource.
  • 401.4 - Authorization failed by filter.
  • 401.5 - Authorization failed by ISAPI/CGI application. 
  • 401.7 – Access denied by URL authorization policy on the Web server. This error code is specific to IIS 6.0.
  • 403 - Forbidden. IIS defines a number of different 403 errors that indicate a more specific cause of the error:
  • 403.1 - Execute access forbidden.
  • 403.2 - Read access forbidden.
  • 403.3 - Write access forbidden.
  • 403.4 - SSL required.
  • 403.5 - SSL 128 required.
  • 403.6 - IP address rejected.
  • 403.7 - Client certificate required.
  • 403.8 - Site access denied.
  • 403.9 - Too many users.
  • 403.10 - Invalid configuration.
  • 403.11 - Password change.
  • 403.12 - Mapper denied access.
  • 403.13 - Client certificate revoked.
  • 403.14 - Directory listing denied.
  • 403.15 - Client Access Licenses exceeded.
  • 403.16 - Client certificate is untrusted or invalid.
  • 403.17 - Client certificate has expired or is not yet valid.
  • 403.18 - Cannot execute requested URL in the current application pool. This error code is specific to IIS 6.0.
  • 403.19 - Cannot execute CGIs for the client in this application pool. This error code is specific to IIS 6.0.
  • 403.20 - Passport logon failed. This error code is specific to IIS 6.0.

For more information about HTTP status code definitions: http://support.microsoft.com/kb/318380/en-us



Certificate Revocation Lists (CRLs) and IIS 5.0

This section answers the following questions:

  • What is a Certificate Revocation List (CRL), and what is a CRL Distribution Point (CDP)?
  • When does IIS 5.0 retrieve a CRL?
  • If the certificate contains several CRL Distribution Points, does IIS 5.0 retrieve the CRL from each location?
  • Are the contents of each CRL at each CRL distribution point downloaded and combined?
  • Are CRLs stored on the computer that is running IIS 5.0?
  • How are CRLs identified? That is, what extension do CRL files use?
  • What occurs if IIS 5.0 cannot find one of the CRLs?
  • What error message appears in the Web browser if an effective CRL cannot be obtained? Is the same error message displayed if the CRL is obtained and if the certificate is revoked?
  • You experience one of the following symptoms: you make the CRL unavailable, but IIS does not retrieve a new CRL and does not appear to fail; or you revoke a certificate and republish the CRL, but IIS 5.0 still lets users reach a Web site by using the revoked certificate.
  • Is it possible to force the cached CRL to update?

For additional information about certificates and about caching: http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx



What is a Certificate Revocation List (CRL), and what is a CRL Distribution Point (CDP)?

A CRL is a file, signed by the issuing CA, that lists the serial numbers of the certificates the CA has revoked together with each revocation date. The CRL also carries the name of its issuer, the date it was issued (its effective date) and the date by which the next CRL will be published. By default, the shortest validity period of a CRL is one hour. A CDP is the location from which the latest CRL can be downloaded; it is listed in the CRL Distribution Points field on the Details tab of the certificate. CAs commonly list several CDPs that use different access methods, so that programs such as Web browsers and Web servers can always obtain the latest CRL.



When does IIS 5.0 retrieve a CRL?

Each CRL has a next-update date, which this FAQ also calls the effective date or the validity period. IIS 5.0 downloads a CRL only if one of the following conditions is true:

  • No CRL for the certificate's issuer is in the IIS 5.0 cache.
  • The next-update date of the CRL in the IIS 5.0 cache has passed.



If the certificate contains several CRL Distribution Points, does IIS 5.0 retrieve the CRL from each location?

No. Only the first (topmost) CDP listed in the certificate is used. If that download fails, IIS 5.0 tries the next CDP in the list.



Are the contents of each CRL at each CRL distribution point downloaded and combined?

No. Only one CRL is downloaded.



Are CRLs stored on the computer that is running IIS 5.0?

Yes. However, any consequences that result from the manipulation of the CRL are not supported by Microsoft Product Support Services.



How are CRLs identified? That is, what extension do CRL files use?

CRLs use a .crl extension. For example, CRLFileName[1].crl.



What occurs if IIS 5.0 cannot find one of the CRLs?

By default, IIS 5.0 rejects the client certificate if its CRL cannot be accessed: it fails closed rather than skipping the revocation check. For that reason CAs publish the same CRL at several CRL distribution points, using different paths and protocols in the CDP URLs, for example:

  • HTTP
  • Lightweight Directory Access Protocol (LDAP)
  • File



What error message appears in the Web browser if an effective CRL cannot be obtained? Is the same error message displayed if the CRL is obtained and if the certificate is revoked?

Yes, you receive the same error message in both scenarios:

HTTP 403.13 Forbidden: Client certificate revoked. The page requires a valid client certificate.

Because the code is the same, check the server's CRL cache and the reachability of the CDPs before concluding that a certificate has actually been revoked.



You experience one of the following symptoms:

  • You make the CRL unavailable. However, IIS does not retrieve a new CRL and does not appear to fail.
  • You revoke a certificate and republish the CRL. However, IIS 5.0 still lets users reach a Web site by using the revoked certificate.

Both scenarios have the same cause: IIS 5.0 is still using a cached CRL that has not passed its next-update date. For more information, see "When does IIS 5.0 retrieve a CRL?" above.



Is it possible to force the cached CRL to update?

You cannot force the cached CRL to update. The CRL has an expiration date (its next-update date), and it is refreshed only when that date passes. The practical consequence is that the CRL's validity period is the upper bound on how long a revoked certificate keeps being accepted; if you run the CA, set the CRL publication interval with that in mind.

All certificates and CRLs are cached when they are selected from a store or retrieved from a URL; the only difference is where the cached copies are kept:

  • Memory: all retrieved certificates are cached in memory.
  • CA store: all certificates retrieved from any WinInet-supported URL (HTTP, FTP, LDAP or FILE) through the Authority Information Access (AIA) extension are cached in the CA store.
  • Local file system: if the retrieval URL is ldap://, ftp:// or http://, the certificate or CRL is also cached by WinInet in the local file system, in the Documents and Settings\UserName\Local Settings\Temporary Internet Files folder.
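The refresh rule, the CDP fallback order and the two symptoms described above, modelled in code. This is an added example and not IIS code or anything from the FAQ: a small Python simulation (standard library only) of the behaviour the answers describe, so the consequences of the cache can be reproduced offline. The CA name, serial number, CRL lifetimes and CDP URLs are made up for the demonstration.

```python
"""Model of the IIS 5.0 CRL handling described in this FAQ (added example).

  * a CRL is downloaded only when none is cached for the issuer, or the
    cached one has passed its next-update time;
  * the certificate's CRL Distribution Points are tried in order, the next
    one only when the previous one fails;
  * a client certificate gets 403.13 both when it is revoked and when no
    effective CRL can be obtained at all.

CA name, serial number, CRL lifetimes and CDP URLs are made up for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime    # the "effective date" the FAQ refers to
    revoked: dict            # serial number -> revocation time


@dataclass
class ClientCert:
    issuer: str
    serial: int
    cdps: list               # CRL Distribution Point URLs, in certificate order


class CrlCache:
    """Per-issuer CRL cache applying the IIS 5.0 refresh rule."""

    def __init__(self, fetch):
        self._fetch = fetch  # fetch(url) -> Crl; raises OSError when unreachable
        self._cache = {}

    def get(self, cert, now):
        cached = self._cache.get(cert.issuer)
        if cached is not None and now < cached.next_update:
            return cached    # still effective: no download, even if the CDP is gone
        for url in cert.cdps:      # first CDP first; fall back only on failure
            try:
                crl = self._fetch(url)
            except OSError:
                continue
            if crl.issuer == cert.issuer:
                self._cache[cert.issuer] = crl
                return crl
        return None          # every CDP failed: no effective CRL


def check_client_cert(cache, cert, now):
    """Return (HTTP sub-status, reason) the way the FAQ says IIS 5.0 behaves."""
    crl = cache.get(cert, now)
    if crl is None:
        return "403.13", "no effective CRL could be obtained"
    if cert.serial in crl.revoked:
        return "403.13", "certificate is revoked"
    return "200", "certificate not revoked"


def demo():
    """Replay the FAQ's scenarios; returns the outcome of each request."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    ca = "CN=Example CA"
    http_cdp = "http://crl.example.test/ca.crl"
    ldap_cdp = "ldap://ldap.example.test/ca"
    # What each CDP currently serves; None means the CDP is unreachable.
    published = {http_cdp: Crl(ca, t0, at(60), {}),     # one-hour CRL, nothing revoked
                 ldap_cdp: Crl(ca, t0, at(60), {})}

    def fetch(url):
        if published.get(url) is None:
            raise OSError(f"{url} unreachable")
        return published[url]

    cache = CrlCache(fetch)
    cert = ClientCert(ca, 0x1001, [http_cdp, ldap_cdp])
    out = [check_client_cert(cache, cert, t0)]            # fresh CRL fetched over HTTP

    # The CA revokes the certificate and republishes; the HTTP CDP goes down.
    published[http_cdp] = None
    published[ldap_cdp] = Crl(ca, at(10), at(70), {0x1001: at(10)})
    out.append(check_client_cert(cache, cert, at(20)))    # cached CRL still effective
    out.append(check_client_cert(cache, cert, at(60)))    # cache expired: LDAP fallback

    published[ldap_cdp] = None                            # now no CDP answers
    out.append(check_client_cert(cache, cert, at(130)))   # CRL expired and unobtainable
    return out


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

The second request is the symptom the FAQ describes: the certificate is already revoked and the HTTP CDP is down, yet the server still answers 200 because the cached CRL has not reached its next-update time. Only once that time passes does the cache refresh (falling back to the LDAP CDP) and the revocation take effect, and when no CDP answers at all the server reports the same 403.13 as for a revoked certificate.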



How do digital certificates work?

Digital Certificates use a cryptographic system made of two keys: a public key known to everyone and a private or secret key known only to the recipient of the message.

The key pair is constructed so that anything encrypted with the public key can be decrypted only with the corresponding private key, and it is computationally infeasible to derive the private key from the public key. When John wants to send a confidential message to Jane, he encrypts it with Jane's public key; only Jane, holding the matching private key, can decrypt it. (In practice S/MIME encrypts the message body with a freshly generated symmetric key and uses Jane's public key only to encrypt that key, but the trust relationship is the same.)

In public key encryption, the public key is made available to anyone who wants to correspond with the owner of the key pair. The public key can be used to verify a message signed with the private key or encrypt messages that can only be decrypted using the private key. The security of messages encrypted this way relies on the security of the private key, which must be protected against unauthorized use.


Obtaining a Client Certificate

You can obtain a client certificate from a trustworthy, third-party organization, called a certification authority. Before issuing a certificate, the authority may need to verify your identity. The identification information required by the authority can vary depending on the type of certificate you want to obtain. How these certificates are obtained and implemented depends upon the browser being used. To obtain a client certificate:

  • Choose a certification authority. Consider the following issues when choosing a certification authority:
    • Is the certification authority a well known and trusted organization?
    • What type of information will the authority require from you in order to verify your identity? Most certification authorities will require you to provide detailed identification information, such as your name, address, organization name, and e-mail address.
    • Does the authority have a Web site that you can use to request your client certificate?
    • Are the certificates issued compatible with the browser and server being used?
  • Refer to specific ordering instructions provided by the certification authority.
  • Order your certificate. Some client certificates are valid only for the computer and Web browser used to generate the certificate request, because the private key is generated and stored by that browser: for these, be sure to make the online request from the computer where you intend to install the certificate.
  • When you receive your client certificate, use your Web browser's security features to install the certificate. (Some Web browsers may refer to client certificates as browser or personal certificates.)



Where can I view my certificate?

Your certificate can be viewed in Microsoft Internet Explorer under Tools > Internet Options > Content > Certificates, on the Personal tab.



I don't see the certificate in my personal certificate list.

Your personal certificate can only be accessed if you are running Internet Explorer under the same user profile, and on the same machine as when you made the certificate request.

Note: Certificates are tied to email addresses. Make sure the email address on your account matches the certificate.



Unable to send yourself encrypted email with Microsoft Outlook 2000.

Answer:  

This is an implementation quirk of Outlook 2000: Outlook looks up a recipient's certificate in your contacts, and it does so for your own address too, so you must add yourself to your personal address book before you can encrypt to yourself:

  1. Send a signed message to yourself.
  2. Open it, right-click your name in the "From:" field, and select Add to personal address book.

Note: This does not affect the security of the e-mail sent.

Applies to: Microsoft Outlook 2000



How do I export and import a Personal Email certificate in Microsoft Internet Explorer?

Answer:  

To Export your Certificate/Key Pair from Microsoft Internet Explorer:

1. From the menu bar, click Tools > Internet Options.
2. Click the Content tab.
3. Click the Certificates button.
4. On the Personal tab, select the certificate you wish to export.
5. Click Export, and then click Next.
6. Select the Yes, export the private key option, and then click Next.
7. Enter a password to protect the certificate and private key being exported, enter it again to confirm, and then click Next.
8. Browse to the directory where you wish to store the file and choose a file name.
9. Click Save, and then click Next.
10. Click Finish. You should see the message "The export was successful."
11. Click OK.

The exported file (a .pfx file in PKCS#12 format) contains your private key, protected only by the password you chose: choose a strong one, keep the file somewhere private, and delete it once you have imported it on the other machine. If the Yes, export the private key option is greyed out, the key was not marked exportable when it was created and the certificate cannot be moved this way.

To Import your Certificate/Key Pair into Microsoft Internet Explorer:

1. From the menu bar, click Tools > Internet Options.
2. Click the Content tab.
3. Click the Certificates button.
4. Click Import, and then click Next.
5. Select the certificate file, and then click Next.
6. Enter the password that was used to protect the file.
7. Select the Mark the private key as exportable box only if you will need to export the key again from this machine; leaving it clear makes the key harder to copy out of this certificate store later. Click Next.
8. Leave the "Automatically select the certificate store based on the type of certificate" box checked, and click Next.
9. Click Finish. You should see the message "The import was successful."
10. Click OK.

Applies to: S/MIME Certificate, Microsoft Outlook, General Use



How to Export and Import a Personal Certificate in a Netscape browser?

Answer:  

To EXPORT your certificate from Netscape, follow these instructions.

1. Go to Security by clicking the lock icon, or click Communicator on the toolbar > Tools > Security Info.
2. Under Certificates, click Yours.
3. Select the certificate to export.
4. Click Export.
5. Enter the Netscape browser certificate store password.
6. Enter a password to protect the certificate and private key being exported, and enter it again to confirm.
7. Browse to the directory where you wish to store the file, select a file name, and click OK.
8. You should see the message "Your certificate has been successfully exported."

To IMPORT your certificate into Netscape, follow these instructions.

1. Go to Security by clicking the lock icon, or click Communicator on the toolbar > Tools > Security Info.
2. Under Certificates, click Yours.
3. Click Import a Certificate.
4. Browse to select the certificate file to import.
5. Enter the password protecting the file.
6. You should see the message "Your certificate has been successfully imported."

Applies to: General Use, S/MIME Certificate, Netscape Communicator, Netscape Messenger



Can I request a certificate for Internet Explorer for the Mac?

Microsoft Internet Explorer on the Apple Macintosh platform is not S/MIME compatible and will not have the ability to sign or encrypt email messages using S/MIME.

If S/MIME support is absolutely essential, you will need to use an S/MIME compatible Internet browser/Mail client like Netscape Communicator/Netscape Messenger to request a Personal Certificate on an Apple Macintosh platform.



How to add a Digital ID to your address book - Outlook Express.

Answer:  

To add a person's certificate to your address book from a signed message you receive, follow these steps:

  1. Click the message to select it.
  2. On the File menu, click Properties, and then click the Security tab.
  3. Click Add the certificate to the address book.
  4. Click OK.

The default trust relationship for a new certificate is "Not Trust". To use the certificate, change the trust relationship:

  1. On the Tools menu, click Address Book.
  2. Click the person's entry to select it, and then click Properties.
  3. Click the Certificates tab.
  4. Select the certificate, and then click Properties.
  5. On the General tab, in the Trusted box, click Trusted By Me.
  6. Click OK, click OK, and then on the File menu click Close to close the Address Book.

Applies to: Microsoft Outlook Express, General Use



How to add a Certificate to contacts list in Outlook 2000.

Answer:  

To send someone an encrypted message, you need a copy of that person's digital ID. Have the person send you a digitally signed message, and then use the following steps when you receive the message:

1. Open the digitally signed message.
2. Right-click the name in the From field, and then click Add To Contacts on the shortcut menu.
3. If you already have an entry for this person in your contacts list, click Update This Address.

The digital ID is stored with your contact entry for this person. You can now send encrypted messages to this person.

Applies to: Microsoft Outlook 2000, S/MIME Certificate, Contact List, General Use



How to add a Certificate to contacts list in Outlook 2002.

Answer:  

To send someone an encrypted message, you need a copy of that person's digital ID. Have the person send you a digitally signed message, and then use the following steps when you receive the message:

1. Open the digitally signed message.
2. Right-click the name in the From field, and then click Add To Contacts on the shortcut menu.
3. If you already have an entry for this person in your contacts list, click Update This Address.

The digital ID is stored with your contact entry for this person. You can now send encrypted messages to this person.

Notes: For more information on how to encrypt mail messages, please refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;Q286159

Applies to: Microsoft Outlook 2002, Contact List



I cannot see my certificate in the Outlook selection box, even though I can see it in IE.

Having more than one email address on a single certificate can cause this problem. You won't see your certificate in the selection box because Outlook cannot associate it with a single email address. You must request a certificate with only one email address. This may also occur if you are using a profile with a different email address than the one on the certificate.



I get an error when I send encrypted mail to myself using Outlook 2000.

This is an implementation quirk of Outlook 2000: Outlook looks up a recipient's certificate in your contacts, and it does so for your own address too. To send yourself encrypted e-mail you have to add yourself to your personal address book:

  • Send yourself a signed message.
  • Open it, right-click your name in the "From:" field, and select "Add to personal address book".

This does not affect the security of the e-mail sent.

Verify the validity of the certificate on the Server computer

These steps check the server certificate used by the SSL listener in ISA Server; they are run on the server, not on the client.

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the Console menu, click Add/Remove Snap-in.
  3. Click Add, click Certificates, and then click Add.
  4. Click Computer account, click Next, leave the Local computer option selected, and then click Finish.
  5. Click Close, and then click OK.
  6. Under Console Root, expand Certificates (Local Computer).
  7. Expand Personal, and then click Certificates.
  8. In the right pane, double-click a certificate.
  9. Click the Certification Path tab, and then examine the Certificate status box. It should read: This certificate is OK.
  10. Click OK.
  11. If the certificate is not valid, remove it: right-click the certificate, click Delete, and then click Yes on the message "You will not be able to decrypt data encrypted using this certificate. Do you wish to delete this certificate?"
  12. Repeat steps 8 through 11 for each remaining certificate that is not valid.
  13. If the computer certificate was not valid, obtain a new certificate. For additional information about how to request a certificate in Windows, visit the following Microsoft Web site:
  14. If you obtained a new certificate, reset the certificate reference on the SSL listener in ISA Server:
    • Start the ISA Management tool.
    • Expand Servers and Arrays, right-click your ISA Server computer, and then click Properties.
    • Click the Incoming Web Requests tab.
    • In the Identification box, click your Server computer, and then click Edit.
    • Click Select, click the new certificate that you obtained, and then click OK two times.
    • Click OK, click Save the changes and restart the service(s), and then click OK.



Error Messages


Error: '-2146885628' when retrieving your certificate.

With this error, Internet Explorer reports that it cannot find the private key corresponding to the certificate you are retrieving (the decimal value -2146885628 is HRESULT 0x80092004, CRYPT_E_NOT_FOUND, "Cannot find object or property"). The private key is held by the browser and Windows user profile that generated the request, so this typically happens when the certificate is retrieved from a different machine, browser or profile. Retrieve the certificate from where you requested it, and check that all certificates are valid.


Error: "Unable to generate PKCS#10"

PKCS#10 is the certificate request format (Public Key Cryptography Standards #10). This error occurs if the wrong Cryptographic Service Provider (CSP) was chosen for your browser during the certificate request, so the browser could not generate the key pair and the request. To resolve it, check that you are using the CSP that matches your browser:

  • If you are using a 40-bit browser, select the Microsoft Base Cryptographic Provider (or the default option).
  • If you are using a 128-bit browser, select the Microsoft Enhanced Cryptographic Provider.

Reload your browser and request the certificate again.


Error: "Error 5: certificate not installed"

The error occurs when there is no private key that corresponds to the certificate being installed. In order to remove this error message:

Check that you are using the exact browser to install the certificate as the one that you requested the certificate with.

Make sure that you are logged into the correct profile that you used to request the certificate.


Error: "Windows cannot determine the validity of this certificate because it cannot locate a valid certificate revocation list from the CA which issued the certificate"

Cause: Microsoft Internet Explorer is shipped with the Certificate Revocation List (CRL) checking option enabled, and Windows reports this error when it cannot download a valid CRL for the CA that issued the certificate. Not every Certification Authority yet publishes a CRL that this check can retrieve. OCSP offers an online alternative to downloading CRLs, but it complements CRLs rather than replacing them.

Answer:

One way to remove the message is to disable the option in Internet Explorer:

  • Click Tools > Internet Options > Advanced, and under Security un-tick "Check for Publisher's Certificate Revocation".
  • Close and reopen the browser.

This does not alter the signature on your e-mail, but while the check is disabled a signature made with a certificate that has since been revoked is no longer flagged, so prefer the following alternative where you can.

The CRL can instead be downloaded manually and installed in your certificate store. Download the CRL from the Root Certificate Download page at http://www.wisekey.com/Repository/cacertificates.htm, then right-click the downloaded file and click Install CRL. Windows then has the CRL it needs until the CRL's next-update date passes, after which a fresh copy must be installed or become retrievable.

After you install your certificate, you need to enable it to sign your e-mail:

  • In Microsoft Outlook Express, click Tools > Accounts > Mail > Properties > Security.
  • Check the box next to Use Digital ID for sending; this enables the Digital ID button just below.
  • Click that button; your certificate should be displayed.
  • Select it, then click Apply, and OK.

Applies to: Personal Email Certificate, Error Messages, Certificate Revocation List (CRL)


Error: "Your key set cannot be found by the underlying security system", when I send or receive signed or encrypted messages Outlook 2000.

Answer: To resolve this error, read Microsoft Knowledge Base article Q195670: http://support.microsoft.com/support/kb/articles/Q195/6/70.ASP

Cause: According to Microsoft Knowledge Base article Q195670, the error occurs if you:

  • Pressed ESC at the Windows Logon dialog box and so did not log on to Windows.
  • Deleted your Windows password file (*.pwl). Outlook uses this file as part of the security key set.

If you fail to log on to Windows or delete the password file, the key set is incomplete and you will not be able to use your security certificate.

Applies to: S/MIME Certificate, Microsoft Outlook 2000, Personal Email Certificate, Error Messages


Error: "Your digital ID name cannot be found by the underlying security system"

Answer: The resolution is in the Microsoft Knowledge Base article at http://support.microsoft.com/support/kb/articles/Q258/5/27.ASP

Cause: This behavior can occur if your digital ID is damaged or corrupted, or if the certificate is not installed on the machine. It can also occur if your digital ID was set up in a single-profile Microsoft Windows 95 or Windows 98 environment and multiple user profiles with a domain logon are then enabled: the default computer profile has full access to the digital ID, but the other Windows profiles cannot use it.

Applies to: Personal Email Certificate, Error Messages, Microsoft Outlook 2000


Error: "This message could not be sent. An error has occurred."

Error: "Windows does not have enough information to verify this certificate"

Answer: To resolve this, install the WISeKey Root Certificate, available from http://www.wisekey.com/Repository/cacertificates.htm. Installing a root certificate makes every certificate that chains to it trusted on your machine, so verify the root's fingerprint against a value obtained from WISeKey through a channel other than the download itself before you install it.

Cause: The browser does not have the WISeKey Root Certificate installed, so it cannot build and verify the chain from the signature on your certificate back to a trusted root.

Applies to: Microsoft Outlook Express, Personal Email Certificate, Error Messages


Error: "This message cannot be secured using the selected security settings"

1. Due to having more than one email address on one certificate:

Answer:  

1. You have more than one email address on a certificate.

It is necessary to request a certificate for each individual email address.

Read the Microsoft Article Q195670 at the following link: http://support.microsoft.com/support/kb/articles/Q195/6/70.ASP

 

2. You use two or more Internet e-mail accounts. Because Outlook does not offer the Send Using feature, the wrong e-mail address is associated with the digital ID.

Resolutions: To resolve this problem, use one of the following methods.

Add the From Field to Messages: To ensure that the correct e-mail address is being used for the digital ID, add and use the From field in your outgoing message:

  • Create a new e-mail message.
  • On the View menu, click From Field.
  • Type the e-mail address you used when you obtained your digital ID in the From field, and type your message.
  • On the View menu, click Options, click to select the Security options you want. Click Close, and then click Send.

Create another Profile for the Internet E-mail Address: Create a separate profile for the Internet e-mail address you used when you obtained your digital ID.

  • Quit Outlook if it is running.
  • Click Start, point to Settings, and click Control Panel.
  • Double-click the Mail icon, click Show Profiles, and click Add to add a new profile.
  • Follow the Inbox Setup Wizard to create a new profile using the Internet e-mail address you used when you obtained your digital ID. 

Symptoms:   Error: "The message cannot be secured using the selected Security Setting. Your email address may not match the email address on the certificate, or some other problem exists with the certificate". Error: "This message cannot be secured using the selected security settings" Your key set cannot be found by the underlying security system Error occurs when sending signed email

Cause:    This error occurs for the following reasons:

  • You have more than one email address on a certificate.
  • You use two or more Internet e-mail accounts. Outlook does not offer the Send Using feature, the wrong e-mail address is associated with the digital ID. 

Notes:   For more information please refer to Microsoft: http://support.microsoft.com/default.aspx?scid=kb;en-us;238578

Applies to: S/MIME Certificate, Microsoft Outlook 2000, Personal Email Certificate, Error Messages


2. The certificate has not been enabled in the mail client:

Configure certificate to be used in Microsoft Outlook

Answer:   If you are using Microsoft Outlook Express 4.0:

After you install your certificate, you need to enable it to sign your e-mail by following these instructions.

  • Go into Microsoft Outlook Express and click on Tools -> Accounts -> Mail -> Properties -> Security
  • Check the box next to “Use Digital ID for sending”
  • This should enable the button just below “Digital ID”
  • Click on that button and you should see your certificate displayed
  • Select it, then hit Apply, and OK


If you are using Microsoft Outlook Express 5.5:

  • Go to: Tools > Accounts > Mail
  • Select your e-mail account and click the Properties button
  • note: Your e-mail address in your certificate must exactly match the e-mail account you are associating the ID with.
  • From Mail Properties for the account, select the Security tab
  • Click the Select button next to the Signing certificate
  • Select your certificate from the list
  • Click OK
  • note: Your name should appear in the grayed out box next to the Certificate button
  • Click the Apply button or the changes will not be committed
  • note: You now have the option to send signed messages.

Goal:   Configure certificate, Encrypt email, Use certificate, Sign email

Applies to: Microsoft Outlook 98, Microsoft Outlook Express 4.0, Microsoft Outlook 2000, Microsoft Outlook Express 5.5, Sign and Encrypt Email, Microsoft Outlook

Back to top


Error: "The Certificate Revocation List needed to verify the signing certificate is either unavailable or it has expired"

Answer:  

Outlook reports this error when it tries to check the signing certificate against the issuing CA's certificate revocation list and cannot obtain a current one: the CRL could not be retrieved from the distribution point named in the certificate, or the copy Outlook already has is past its next-update time. Whether that check runs at all depends on two settings. First, look at the revocation options in Internet Explorer:

  • Go to Internet Explorer
  • Select Tools, then Internet Options
  • Choose Advanced and, under Security, enable Check for publisher's certificate revocation.

Then look at the Outlook registry value that switches CRL retrieval on. The Microsoft articles listed under Notes stop the error by deleting that value:

For Outlook 2000

  • Start Registry Editor (Regedt32.exe).
  • Locate the following subkey in the registry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook\Security
  • Delete the following registry value:
    Value name: EnableSRFeatures
    Data type: REG_DWORD
    Value data: 1
  • Quit Registry Editor.

For Outlook 2002

  • Start Registry Editor (Regedt32.exe).
  • Locate and click the following key in the registry:
    HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security
  • Delete the following registry value:
    Value name: UseCRLChasing
    Data type: REG_DWORD
    Radix: Hexadecimal
    Value data: 1
  • Quit Registry Editor.

After you quit Registry Editor, restart the computer.

Note that in both versions the value being deleted is the one that, with data 1, turns Outlook's CRL retrieval on. Deleting it makes the error go away because Outlook no longer fetches the CRL, not because the revocation check now succeeds; a revoked certificate will then verify as if nothing had happened. If you need revocation checking to actually work, leave the value in place and instead make the CRL distribution point named in the certificate reachable from the workstation, or install a current copy of the CRL locally.

Symptoms:   Error: "The Certificate Revocation List needed to verify the signing certificate is either unavailable or it has expired"

Cause:    Outlook is configured to check the signing certificate against a CRL (the registry values above enable that check) and cannot obtain a current CRL from the distribution point in the certificate, either because the CRL cannot be downloaded or because the copy it has is past its next-update time.

Notes:   Please visit the related links from Microsoft:
  • http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q278207
  • http://support.microsoft.com/default.aspx?scid=kb;en-us;Q269784
  • http://support.microsoft.com/default.aspx?scid=kb;en-us;Q258727
  • http://support.microsoft.com/default.aspx?scid=kb;en-us;Q232165
  • http://support.microsoft.com/default.aspx?scid=kb;en-us;Q289749


Applies to: Certificate Revocation List (CRL) Microsoft Outlook 2000 Microsoft Outlook 2002
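As an added example (it is not WISeKey's code nor part of the Microsoft procedure), the following POSIX shell script uses the OpenSSL command line to reproduce, outside Outlook, the two conditions covered in this section and in the address-mismatch section above: a certificate whose rfc822Name does not match the sending address, and a CRL that cannot be fetched, has expired, or lists the certificate as revoked. It assumes openssl 1.1.1 or later on PATH; the CA name, the mailboxes alice@example.com and bob@example.com, the serial numbers and the CRL URL are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the WISeKey FAQ. Builds a throw-away S/MIME PKI
# with the OpenSSL command line and reproduces the failure modes described
# above: a sending address that does not match the certificate, and a CRL that
# cannot be fetched, has expired, or lists the certificate as revoked.
# Assumes openssl 1.1.1 or later on PATH; every name, address and URL is made up.

WORK=$(mktemp -d) && cd "$WORK" || exit 1

# Minimal config: a DN for 'req', a CA extension section, and the 'ca' database
# settings that 'openssl ca -gencrl' and 'openssl ca -revoke' require.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = ca_default
[ ca_default ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
EOF
touch index.txt && echo 1000 > crlnumber

# Root CA: the issuer whose CRL a mail client has to fetch to check revocation.
openssl req -x509 -new -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 365 >/dev/null 2>&1 || exit 1

# issue_smime NAME EMAIL SERIAL: end-entity S/MIME certificate whose SAN carries
# the mailbox it was requested for and whose CDP names the (fictional) CRL URL.
issue_smime() {
    openssl req -new -config ca.cnf -subj "/CN=$1" -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 || return 1
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = emailProtection' \
        "subjectAltName = email:$2" \
        'crlDistributionPoints = URI:http://crl.example.com/root.crl' > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$3" \
        -days 90 -sha256 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}
issue_smime alice alice@example.com 1001 || exit 1
issue_smime bob   bob@example.com   1002 || exit 1

# cert_matches_address NAME ADDRESS -> match | mismatch
# A client may only sign with a certificate whose SAN rfc822Name equals the
# account's sending address; the comparison is case-insensitive here (an assumption).
cert_matches_address() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    result=mismatch
    for have in $(openssl x509 -in "$1.crt" -noout -text \
                  | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' \
                  | sed -n 's/^ *email://p' | tr 'A-Z' 'a-z'); do
        if [ "$have" = "$want" ]; then result=match; fi
    done
    echo "$result"
}

# issue_crl SECONDS: publish root.crl whose nextUpdate is SECONDS from now
# (1 second produces a CRL that is expired by the time anyone reads it).
issue_crl() {
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -gencrl -crlsec "$1" \
        -out root.crl >/dev/null 2>&1
}

# check_cert NAME [verify options] -> ok | crl-unavailable | crl-expired | revoked
# Maps OpenSSL's verify errors onto the conditions the Outlook message lumps together.
check_cert() {
    name=$1; shift
    out=$(openssl verify -CAfile ca.crt "$@" "$name.crt" 2>&1 || true)
    case "$out" in
        *"unable to get certificate CRL"*) echo crl-unavailable ;;
        *"CRL has expired"*)               echo crl-expired ;;
        *"certificate revoked"*)           echo revoked ;;
        *": OK"*)                          echo ok ;;
        *)                                 echo "other: $out" ;;
    esac
}
no_revocation_check() { check_cert "$1"; }             # what deleting UseCRLChasing buys you
crl_not_reachable()   { check_cert "$1" -crl_check; }  # CDP unreachable and no cached CRL
crl_current()         { issue_crl 604800; check_cert "$1" -crl_check -CRLfile root.crl; }
crl_expired()         { issue_crl 1; sleep 2; check_cert "$1" -crl_check -CRLfile root.crl; }

# Revoke bob once so the CRL has something to report (skipped on re-runs).
grep -q '^R' index.txt || openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
    -revoke bob.crt >/dev/null 2>&1

echo "alice vs Alice@Example.com:  $(cert_matches_address alice Alice@Example.com)"
echo "alice vs alice@example.org:  $(cert_matches_address alice alice@example.org)"
echo "no CRL check, bob (revoked): $(no_revocation_check bob)"
echo "CRL unreachable, alice:      $(crl_not_reachable alice)"
echo "current CRL, alice:          $(crl_current alice)"
echo "current CRL, bob:            $(crl_current bob)"
echo "expired CRL, alice:          $(crl_expired alice)"
```

The last block of output is the point of the registry note above: with revocation checking switched off, bob's revoked certificate still reports ok, while a reachable, current CRL is the only configuration in which alice verifies and bob is rejected.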

Back to top



You can configure your Web server's Secure Sockets Layer (SSL) security features to verify the integrity of your content, verify the identity of users, and encrypt network transmissions.

To set up SSL on your Web server

  • Your Web server requires a valid server certificate to establish SSL communications. Use the Web Server Certificate Wizard to either generate a certificate request file (NewKeyRq.txt, by default) that you can send to a certification authority

If you are not using Microsoft® Certificate Services 2.0 to issue your own server certificates, then a third-party certification authority must approve your request and issue your server certificate.

Note: Depending on the level of identification assurance offered by your server certificate, you can expect to wait anywhere from several days to several months for the certification authority to approve your request and send you a certificate file.

  • After you receive a server certificate file, use the wizard to install your server certificate file. The installation process attaches, or binds, your certificate to a Web site.

Note: You can have only one server certificate per Web site.

  • In the IIS snap-in, select the Web site that you want to protect with SSL and open its property sheets. On the Web Site property sheet, under Web Site Identification select Advanced.
  • In the Advanced Multiple Web Site Configuration dialog box, under Multiple SSL identities of this Web Site, make sure that the Web site IP address is assigned to port 443, the default port for secure communications.

You can have multiple SSL ports per Web site. To configure more SSL ports, click Add under Multiple SSL identities of this Web Site.

  • On the Directory Security or File Security property sheet, under Secure Communications, click Edit.
  • On the Secure Communications dialog box, configure your Web server to require a secure channel. If you require 128-bit key encryption, make sure your users' Web browsers support 128-bit encryption. For more information, see Encryption.
  • Under Secure Communications, click Edit. You have the option of enabling your Web server's SSL client certificate authentication and mapping features. See the following:

To obtain a server certificate from a certification authority.

If you are replacing your current server certificate, IIS will continue to use the old certificate until the new request has been completed.

Find a certification authority that provides services that meet your business needs and then request a server certificate. Consider the following issues when choosing a certification authority:

  • Will the certification authority be able to issue you a certificate that is compatible with all browsers used to access your server?
  • Is the certification authority a recognized and trusted entity?
  • How will the certification authority provide verification of your identity?
  • Does the authority have a system for receiving online certificate requests, such as requests generated by the Web Server Certificate Wizard?
  • How much will the certificate cost initially and for renewal or other services?
  • Is the certification authority familiar with your organization or company's business interests?

Learn about OISTE

You can require users attempting to access your Web site to log on with a client certificate. Requiring a client certificate, however, does not by itself protect your content from unauthorized access: any user who presents a client certificate the server accepts (one issued by a certification authority it trusts) can establish a secure connection and reach the resource, because the server has only checked that the certificate is valid, not who its holder is. To protect your Web content from unauthorized access you must do either of the following:

  • Use Basic, Digest, or integrated Windows authentication, in addition to requiring a client certificate.
  • Create a Windows account mapping for client certificates. For more information, see Mapping Client Certificates to User Accounts.

Important

  • Your Web server cannot process client certificates unless you have previously installed a server certificate and enabled your server's secure communication features.
  • When you attempt to set properties for a specific Web site, your Web server will prompt you for permission to reset the properties of individual directories and files in the Web site. If you choose to reset these properties, your previous settings will be replaced by the new settings. This is also true for setting properties for a directory containing subdirectories or files with previously set security properties.

To enable client certificates

  • In the IIS snap-in, select a Web site, directory, or file, and open its property sheets.
  • If you have not previously obtained a server certificate, select the Directory Security property sheet, under Secure Communications, click Server Certificate. For more information, see Using the New Security Task Wizards.
  • If you have previously obtained a server certificate, select the Directory Security or File Security property sheet, then under Secure Communications, click Edit.
  • In the Secure Communications dialog box, select the Require secure channel (SSL) check box. Requiring a secure channel means that users cannot connect to this site without using a secure link (that is, the link's URL must begin with https://).
  • Under Client certificates select one of the following to enable client certificate authentication:
    • Accept client certificates Users can access the resource with a client certificate, but the certificate is not required.
    • Require client certificates The server will request a client certificate before connecting the user to the resource. Users without a valid client certificate will be denied access.
    • Ignore client certificates Users with or without a client certificate will be granted access.

Back to top