On Fri, Sep 02, 2005, Jason Haar wrote:
> Dr. Stephen Henson wrote:
>
> Outlook can send digitally signed emails - and receive - just fine. It
> can send encrypted emails that can be read by Thunderbird, but it can't
> decrypt them - whether sent by itself or by Thunderbird.
>
> I'm sure it's a problem with how Outlook handles these particular certs.
> Something about our "home made" PKI isn't sitting pretty with Outlook.
> IE is totally happy with client certs WRT accessing (say) HTTPS Web
> servers that require client certs - but Outlook doesn't like it.
>
Just had another thought on this. CryptoAPI has two types of RSA key,
referred to as "key exchange" and "signature". Signature keys can be used
only to sign data, but I suspect the public key can also be used for
encryption. Key exchange keys can be used for both signing and decryption.

By default the PKCS#12 files OpenSSL creates should be key exchange keys
unless you supply the -keysig command line argument. If you generate keys on
the Windows machine using Xenroll then you need to explicitly tell it to
generate a key exchange key, because the default is a signature key.

You can test the key type by exporting the key to a PKCS#12 file and looking
at the output the pkcs12 utility produces around the private key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
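The check Steve describes, as an added example that is not part of the thread: a POSIX shell script that builds a throwaway RSA key and self-signed certificate, exports it to PKCS#12 with the default key type, with -keysig and with -keyex, and then reads the key-usage attribute back from `openssl pkcs12 -info`. The subject name, passphrase and work directory are constructed placeholders; the mapping of the attribute bytes (0x80 signature, 0x10 key exchange, none treated as key exchange by CryptoAPI) is what the pkcs12 utility writes for those flags.

```shell
#!/bin/sh
# Added example, not from the thread: classify the CryptoAPI key type stored
# in a PKCS#12 file by inspecting the "X509v3 Key Usage" key attribute that
# openssl pkcs12 -info prints just before the private key.

WORK=${WORK:-$(mktemp -d)}   # scratch directory (constructed placeholder)
PASS=demo                    # throwaway passphrase for the demo files only

make_demo_cert() {
  # Throwaway self-signed certificate; the subject is a constructed placeholder.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=pkcs12-keytype-demo" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

export_p12() {
  # $1 = output file; any further arguments (e.g. -keysig, -keyex) are passed
  # straight to openssl pkcs12 -export.
  out=$1; shift
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -passout "pass:$PASS" -out "$out" "$@"
}

key_type() {
  # Print "signature", "exchange" or "unset" for the PKCS#12 file in $1.
  # -keysig stores key usage 0x80 (CryptoAPI AT_SIGNATURE), -keyex stores
  # 0x10 (AT_KEYEXCHANGE); with neither flag no attribute is written and
  # CryptoAPI treats the key as a key exchange key on import.
  usage=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -info -nocerts -nodes 2>/dev/null \
          | sed -n 's/.*X509v3 Key Usage: *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
  case "$usage" in
    80) echo signature ;;
    10) echo exchange ;;
    "") echo unset ;;
    *)  echo "other($usage)" ;;
  esac
}

demo() {
  make_demo_cert
  export_p12 "$WORK/default.p12"
  export_p12 "$WORK/sig.p12" -keysig
  export_p12 "$WORK/ex.p12" -keyex
  for f in default sig ex; do
    printf '%-12s %s\n' "$f.p12:" "$(key_type "$WORK/$f.p12")"
  done
}

if command -v openssl >/dev/null 2>&1; then
  demo
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

Run it on a file exported from Windows (adjust `PASS` or pass the real passphrase) and a result of `signature` explains the symptom in the thread: the certificate can sign and can be used by the peer to encrypt, but CryptoAPI will not use the key to decrypt. A `Microsoft CSP Name` bag attribute, if present in the same output, tells you which CSP Windows will hand the key to.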