What does Outlook 2003 look for in a S/MIME cert?


What does Outlook 2003 look for in a S/MIME cert?

Jason Haar
I am having difficulty getting Outlook to read S/MIME encrypted emails,
and I'm wondering what's wrong.

We have an internal PKI, and I have created a signed cert that can be
used for S/MIME. Thunderbird happily sends and receives signed and
encrypted emails with it.

Under Windows (which trusts the CA), Outlook is happy to associate the
cert with digital signing, and can send both signed and encrypted
emails. However (and here's the shocker) *IT CAN'T READ THE "SENT ITEMS"
COPY OF THE EMAIL IT JUST SENT*

Stupid or what? ;-)

So I'm thinking there must be something about the cert or the CA that
signed the cert that Outlook 2003 (fully patched) doesn't like. I'm
hoping someone on this list will go "oh that was a known problem back
with XYZ - do this".

PS: The CA was created by OpenSSL-0.9.? some 4 years ago. As such some
of its OIDs/etc may be responsible for this "issue". Hopefully someone
knows?

Thanks!


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: What does Outlook 2003 look for in a S/MIME cert?

Richard Levitte - VMS Whacker
Jason Haar writes:

> Under Windows (which trusts the CA), Outlook is happy to associate the
> cert with digital signing, and can send both signed and encrypted emails.
> However (and here's the shocker) *IT CAN'T READ THE "SENT ITEMS" COPY OF
> THE EMAIL IT JUST SENT*
>
> Stupid or what? ;-)

My first thought is that OutLook may have stored the encrypted mail in the
Sent Items folder.  Meaning it's encrypted using the recipient's public key,
meaning only the recipient can read them.

Yeah, if that's the case, it *is* stupid.

Cheers,
Richard

 -----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                       http://richard.levitte.org/ 

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
                                               -- C.S. Lewis

|

RE: What does Outlook 2003 look for in a S/MIME cert?

Tim.Metzinger
In reply to this post by Jason Haar
There may be an option to encrypt the mail with both the receiver's and the
sender's public keys - just so you can read the message.  It's debatable
whether this should be a standard setting or not.

- Tim Metzinger


Re: What does Outlook 2003 look for in a S/MIME cert?

Jason Haar
In reply to this post by Richard Levitte - VMS Whacker
Richard Levitte wrote:

> Jason Haar writes:
>
>> Under Windows (which trusts the CA), Outlook is happy to associate
>> the cert with digital signing, and can send both signed and encrypted
>> emails. However (and here's the shocker) *IT CAN'T READ THE "SENT
>> ITEMS" COPY OF THE EMAIL IT JUST SENT*
>> Stupid or what? ;-)
>
>
> My first thought is that OutLook may have stored the encrypted mail in
> the Sent Items folder.  Meaning it's encrypted using the recipient's
> public key, meaning only the recipient can read them.


No - that's not it. I thought of that and so sent myself the email. As
such it's encrypted with my private key + my public key (i.e. I am Bob
and Alice) - so that can't be it. It's as though it has encrypting
rights but not decrypting rights. However, I've checked the extendedkey
options and that's not the case - they're not even mentioned - it's a
cert that can do S/MIME - that's it.  Thunderbird is 100% happy, Outlook
is happy enough sending with it - just not reading. I also made sure my
public key was associated with a Contacts entry for myself (that's how
Outlook tracks public keys) - so it should have all it needs to do the job.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

|

Re: What does Outlook 2003 look for in a S/MIME cert?

Richard Levitte - VMS Whacker
In message <[hidden email]> on Wed, 31 Aug 2005 07:11:28 +1200, Jason Haar <[hidden email]> said:

Jason.Haar> Richard Levitte wrote:
Jason.Haar>
Jason.Haar> > Jason Haar writes:
Jason.Haar> >
Jason.Haar> >> ... *IT CAN'T READ THE "SENT ITEMS" COPY OF THE EMAIL
Jason.Haar> >> IT JUST SENT*
Jason.Haar> >
Jason.Haar> > My first thought is that OutLook may have stored the
Jason.Haar> > encrypted mail in the Sent Items folder...
Jason.Haar>
Jason.Haar> No - that's not it. ...

In that case, I'm as clueless as you are...  I don't use OutLook, so
I'm not much help...

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
|

Re: What does Outlook 2003 look for in a S/MIME cert?

Dr. Stephen Henson
In reply to this post by Jason Haar
On Wed, Aug 31, 2005, Jason Haar wrote:

>
> No - that's not it. I thought of that and so sent myself the email. As
> such it's encrypted with my private key + my public key (i.e. I am Bob
> and Alice) - so that can't be it. It's as though it has encrypting
> rights but not decrypting rights. However, I've checked the extendedkey
> options and that's not the case - they're not even mentioned - it's a
> cert that can do S/MIME - that's it.  Thunderbird is 100% happy, Outlook
> is happy enough sending with it - just not reading. I also made sure my
> public key was associated with a Contacts entry for myself (that's how
> Outlook tracks public keys) - so it should have all it needs to do the job.
>

Where was the private key that was used created? Was it generated under CryptoAPI or
imported as a PKCS#12 file from an external source?

Due to various deficiencies in the internal format for Windows private keys
there are some where it can use the public key but not the private key because
it can't be represented in its format. An example is if the two primes are of
different size.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
|

Re: What does Outlook 2003 look for in a S/MIME cert?

Jason Haar
Dr. Stephen Henson wrote:

>
>Where was the private key used created? Was it generated under CryptoAPI or
>imported as a PKCS#12 file from an external source?
>
>  
>

It was created using OpenSSL - turned into a p12 and imported.

>Due to various deficiencies in the internal format for Windows private keys
>there are some which it can use the public key but not the private key because
>it can't be represented in its format. An example if if the two primes are of
>different size.
>  
>
Unless you know something specific to Outlook, I don't think that's the
problem. We use the same method to create standard user certs for
accessing HTTPS web sites - and they work fine under Windows/MSIE.

The other thing is that I can use Outlook to send an encrypted email to
myself, then access that mailbox using Thunderbird (with the same cert)
- and Thunderbird reads it fine. So Outlook must have successfully used
the private key to do the encryption. It's weird - it can generate
encrypted emails, but can't read them...

Is anyone successfully using S/MIME within Outlook? I don't expect many
on this list to be Outlook users - but I expect a lot are like me and
mainly have Outlook users surrounding them :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

|

Re: What does Outlook 2003 look for in a S/MIME cert?

Dr. Stephen Henson
On Wed, Aug 31, 2005, Jason Haar wrote:

>
>
> The other thing is that I can use Outlook to send an encrypted email to
> myself, then access that mailbox using Thunderbird (with the same cert)
> - and Thunderbird reads it fine. So Outlook must have successfully used
> the private key to do the encryption. It's weird - it can generate
> encrypted emails, but can't read them...
>
>

Sending encrypted mail just uses the public key but if SSL client
authentication works then something will use the private key OK.

What about signed mail using that certificate, does that verify OK? Can
Thunderbird-generated encrypted mail using the same key and certificate be
read using Outlook?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
|

Re: What does Outlook 2003 look for in a S/MIME cert?

Jason Haar
Dr. Stephen Henson wrote:

>Sending encrypted mail just uses the public key but if SSL client
>authentication works then something will use the private key OK.
>
>What about signed mail using that certificate, does that verify OK? Can
>thunderbird generated encrypted mail using the same key and certificate be
>read using Outlook?
>
>  
>
Outlook can send digitally signed emails - and receive - just fine. It
can send encrypted emails that can be read by Thunderbird, but it can't
decrypt them - whether sent by itself or by Thunderbird.

I'm sure it's a problem with how Outlook handles these particular certs.
Something about our "home made" PKI isn't sitting pretty with Outlook.
IE is totally happy with client certs WRT accessing (say) HTTPS Web
servers that require client certs - but Outlook doesn't like it.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

|

Re: What does Outlook 2003 look for in a S/MIME cert?

Dr. Stephen Henson
On Fri, Sep 02, 2005, Jason Haar wrote:

> Dr. Stephen Henson wrote:
>
> Outlook can send digitally signed emails - and receive - just fine. It
> can send encrypted emails that can be read by Thunderbird, but it can't
> decrypt them - whether sent by itself or by Thunderbird.
>
> I'm sure it's a problem with how Outlook handles these particular certs.
> Something about our "home made" PKI isn't sitting pretty with Outlook.
> IE is totally happy with client certs WRT accessing (say) HTTPS Web
> servers that require client certs - but Outlook doesn't like it.
>

Just had another thought on this. CryptoAPI has two types of RSA key referred
to as "key exchange" and "signature". Signature keys can be used only to sign
data but I suspect the public key can also be used for encryption.

Key exchange keys can be used for both signing and decryption.

By default the PKCS#12 files OpenSSL creates should be key exchange keys
unless you supply the -keysig command line argument.

If you generate keys on the Windows machine using Xenroll then you need to
explicitly tell it to generate a key exchange key because the default is a
signature key.

You can test the key type by exporting the key to a PKCS#12 file and looking
at the output the pkcs12 utility produces around the private key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
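Steve's check (export the key to PKCS#12, then look at what the pkcs12 utility prints next to the private key), written out as an added shell example that is not from the thread: it builds a throw-away key and self-signed cert, packs them with -keyex, with -keysig and with neither, and reads back the CryptoAPI key-type attribute each variant carries. It assumes an openssl binary on PATH; the key, cert and password are constructed test material.

```shell
#!/bin/sh
# Added example: show the CryptoAPI key-type flag that "openssl pkcs12 -keyex"
# or "-keysig" writes into the PKCS#8 attributes of the key bag, and read it
# back with "openssl pkcs12 -info". Assumes openssl is installed; the key and
# certificate below are throw-away test material, not a real PKI's.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throw-away RSA key and self-signed cert standing in for the internal-PKI cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=smime-test' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Build a PKCS#12 file. $1: output path; remaining args: extra pkcs12 options
# such as -keyex or -keysig (none means the key type is left unspecified).
make_p12() {
    out=$1
    shift
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$out" -passout pass:test "$@" >/dev/null 2>&1
}

# Report which CryptoAPI key type a PKCS#12 file declares, from the
# "Key Attributes" block that "openssl pkcs12 -info" prints beside the key:
#   X509v3 Key Usage: 10  -> key exchange (signing and decryption)
#   X509v3 Key Usage: 80  -> signature only (cannot decrypt S/MIME mail)
#   no Key Usage line     -> unspecified (the attribute was not set)
p12_key_type() {
    usage=$(openssl pkcs12 -in "$1" -info -nodes -passin pass:test 2>/dev/null \
        | sed -n 's/^ *X509v3 Key Usage: *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    case "$usage" in
        10) echo key-exchange ;;
        80) echo signature-only ;;
        '') echo unspecified ;;
        *)  echo "unknown($usage)" ;;
    esac
}

make_p12 "$WORK/keyex.p12" -keyex
make_p12 "$WORK/keysig.p12" -keysig
make_p12 "$WORK/plain.p12"

for f in keyex keysig plain; do
    printf '%s.p12: %s\n' "$f" "$(p12_key_type "$WORK/$f.p12")"
done
```

The same p12_key_type function can be pointed at a PKCS#12 file exported from Windows to see which key type the store assigned on import.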
|

Re: What does Outlook 2003 look for in a S/MIME cert?

Jason Haar
Dr. Stephen Henson wrote:

>By default the PKCS#12 files OpenSSL creates should be key exchange keys
>unless you supply the -keysig command line argument.
>
>I
>
Groan! Well spotted Steve! It appears we scripted calls to openssl with
the "-keyex" option when making certs (it was specifically to stop
people using client certs for email - well that worked!!! ;-)... I
removed that and now a cert can decrypt S/MIME emails :-)

Thanks for that Steve!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]