Re: What does Outlook 2003 look for in a S/MIME cert?
Dr. Stephen Henson wrote:
> By default the PKCS#12 files OpenSSL creates should be key exchange keys
> unless you supply the -keysig command line argument.

I Groan! Well spotted Steve!

It appears we scripted calls to openssl with the -keyex option when making certs (it was specifically to stop people using client certs for email - well that worked!!! ;-)...

I removed that and now a cert can decrypt S/MIME emails :-)

Thanks for that Steve!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: What does Outlook 2003 look for in a S/MIME cert?
On Fri, Sep 02, 2005, Jason Haar wrote:
> Dr. Stephen Henson wrote:
>
> Outlook can send digitally signed emails - and receive - just fine. It
> can send encrypted emails that can be read by Thunderbird, but it can't
> decrypt them - whether sent by itself or by Thunderbird.
>
> I'm sure it's a problem with how Outlook handles these particular certs.
> Something about our home made PKI isn't sitting pretty with Outlook. IE
> is totally happy with client certs WRT accessing (say) HTTPS Web servers
> that require client certs - but Outlook doesn't like it.

Just had another thought on this.

CryptoAPI has two types of RSA key referred to as key exchange and signature. Signature keys can be used only to sign data but I suspect the public key can also be used for encryption. Key exchange keys can be used for both signing and decryption.

By default the PKCS#12 files OpenSSL creates should be key exchange keys unless you supply the -keysig command line argument.

If you generate keys on the Windows machine using Xenroll then you need to explicitly tell it to generate a key exchange key because the default is a signature key.

You can test the key type by exporting the key to a PKCS#12 file and looking at the output the pkcs12 utility produces around the private key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
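Steve's test above (export the key to a PKCS#12 file and read what the pkcs12 utility prints next to the private key) written out as an added shell example. It is not code from this thread or from the OpenSSL project; the file names, the CN "smime-test" and the pass phrase "test" are made up for the demonstration. It goes one step beyond the message by exporting the same key three ways (no option, -keysig, -keyex) and classifying each, which is also a quick way to audit an issuing script like the one Jason describes: openssl stores the CryptoAPI key type as an X509v3 Key Usage attribute on the PKCS#8 key inside the bag, 0x10 for key exchange and 0x80 for signature, and writes no attribute when neither option is given.

```shell
#!/bin/sh
# Added example, not from the thread: check which CryptoAPI key type an
# OpenSSL-made PKCS#12 file carries.  openssl pkcs12 -export -keyex/-keysig
# attaches an "X509v3 Key Usage" attribute to the PKCS#8 private key
# (0x10 = key exchange, 0x80 = signature); with neither option none is
# written.  "openssl pkcs12" prints it under "Key Attributes" just above
# the decrypted private key, which is the output Steve refers to.

# Classify one PKCS#12 file: prints key-exchange, signature or unset.
p12_key_type() {
    p12=$1
    pass=$2
    # -nodes: emit the key unencrypted so no output pass phrase is needed;
    # -nocerts: we only care about the key bag and its attributes.
    attrs=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -nocerts 2>/dev/null) || return 1
    case "$attrs" in
        *"X509v3 Key Usage: 80"*) echo signature ;;
        *"X509v3 Key Usage: 10"*) echo key-exchange ;;
        *"Key Attributes"*)       echo unset ;;      # "<No Attributes>" line present, no usage bits
        *)                        return 1 ;;        # no key bag found at all
    esac
}

# export_p12 CERT KEY OUT [extra pkcs12 options...]
export_p12() {
    cert=$1
    key=$2
    out=$3
    shift 3
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
        -passout pass:test "$@" 2>/dev/null
}

# Build one throw-away key and self-signed cert (hypothetical CN), export it
# three ways and classify each.  Prints "unset signature key-exchange".
demo_key_types() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" \
        -out "$tmp/cert.pem" -subj "/CN=smime-test" -days 1 >/dev/null 2>&1 || return 1
    export_p12 "$tmp/cert.pem" "$tmp/key.pem" "$tmp/default.p12"        || return 1  # OpenSSL default
    export_p12 "$tmp/cert.pem" "$tmp/key.pem" "$tmp/sig.p12" -keysig    || return 1  # signature-only key
    export_p12 "$tmp/cert.pem" "$tmp/key.pem" "$tmp/keyex.p12" -keyex   || return 1  # explicit key exchange
    result="$(p12_key_type "$tmp/default.p12" test) $(p12_key_type "$tmp/sig.p12" test) $(p12_key_type "$tmp/keyex.p12" test)"
    rm -rf "$tmp"
    echo "$result"
}

if command -v openssl >/dev/null 2>&1; then
    demo_key_types
else
    echo "openssl not found" >&2
fi
```

To check a file you already have, run `p12_key_type user.p12 'pass phrase'`; a result of `signature` is the case Steve describes, where Windows will import the key as a signature-only key and Outlook can sign but not decrypt with it. `unset` is what an unmodified `openssl pkcs12 -export` produces and is the case Steve says Windows treats as a key exchange key.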
What does Outlook 2003 look for in a S/MIME cert?
I am having difficulty getting Outlook to read S/MIME encrypted emails, and I'm wondering what's wrong.

We have an internal PKI, and I have created a signed cert that can be used for S/MIME. Thunderbird happily sends and receives signed and encrypted emails with it.

Under Windows (which trusts the CA), Outlook is happy to associate the cert with digital signing, and can send both signed and encrypted emails. However (and here's the shocker) *IT CAN'T READ THE SENT ITEMS COPY OF THE EMAIL IT JUST SENT*

Stupid or what? ;-)

So I'm thinking there must be something about the cert or the CA that signed the cert that Outlook 2003 (fully patched) doesn't like. I'm hoping someone on this list will go "oh that was a known problem back with XYZ - do this".

PS: The CA was created by OpenSSL-0.9.? some 4 years ago. As such some of its OIDs/etc may be responsible for this issue. Hopefully someone knows?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: What does Outlook 2003 look for in a S/MIME cert?
Richard Levitte wrote:
> Jason Haar writes:
>> Under Windows (which trusts the CA), Outlook is happy to associate the
>> cert with digital signing, and can send both signed and encrypted
>> emails. However (and here's the shocker) *IT CAN'T READ THE SENT ITEMS
>> COPY OF THE EMAIL IT JUST SENT*
>>
>> Stupid or what? ;-)
>
> My first thought is that OutLook may have stored the encrypted mail in
> the Sent Items folder. Meaning it's encrypted using the recipient's
> public key, meaning only the recipient can read them.

No - that's not it. I thought of that and so sent myself the email. As such it's encrypted with my private key + my public key (i.e. I am Bob and Alice) - so that can't be it.

It's as though it has encrypting rights but not decrypting rights. However, I've checked the extendedkey options and that's not the case - they're not even mentioned - it's a cert that can do S/MIME - that's it.

Thunderbird is 100% happy, Outlook is happy enough sending with it - just not reading. I also made sure my public key was associated with a Contacts entry for myself (that's how Outlook tracks public keys) - so it should have all it needs to do the job.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: What does Outlook 2003 look for in a S/MIME cert?
In message [EMAIL PROTECTED] on Wed, 31 Aug 2005 07:11:28 +1200, Jason Haar [EMAIL PROTECTED] said:

Jason.Haar> Richard Levitte wrote:
Jason.Haar>
Jason.Haar> Jason Haar writes:
Jason.Haar>
Jason.Haar> ... *IT CAN'T READ THE SENT ITEMS COPY OF THE EMAIL
Jason.Haar> IT JUST SENT*
Jason.Haar>
Jason.Haar> My first thought is that OutLook may have stored the
Jason.Haar> encrypted mail in the Sent Items folder...
Jason.Haar>
Jason.Haar> No - that's not it. ...

In that case, I'm as clueless as you are... I don't use OutLook, so I'm not much help...

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                -- C.S. Lewis
Re: What does Outlook 2003 look for in a S/MIME cert?
On Wed, Aug 31, 2005, Jason Haar wrote:
> No - that's not it. I thought of that and so sent myself the email. As
> such it's encrypted with my private key + my public key (i.e. I am Bob
> and Alice) - so that can't be it.
>
> It's as though it has encrypting rights but not decrypting rights.
> However, I've checked the extendedkey options and that's not the case -
> they're not even mentioned - it's a cert that can do S/MIME - that's it.
>
> Thunderbird is 100% happy, Outlook is happy enough sending with it -
> just not reading. I also made sure my public key was associated with a
> Contacts entry for myself (that's how Outlook tracks public keys) - so
> it should have all it needs to do the job.

Where was the private key used created? Was it generated under CryptoAPI or imported as a PKCS#12 file from an external source?

Due to various deficiencies in the internal format for Windows private keys there are some for which it can use the public key but not the private key because it can't be represented in its format. An example is if the two primes are of different size.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: What does Outlook 2003 look for in a S/MIME cert?
Dr. Stephen Henson wrote:
> Where was the private key used created? Was it generated under
> CryptoAPI or imported as a PKCS#12 file from an external source?

It was created using OpenSSL - turned into a p12 and imported.

> Due to various deficiencies in the internal format for Windows private
> keys there are some which it can use the public key but not the private
> key because it can't be represented in its format. An example is if
> the two primes are of different size.

Unless you know something specific to Outlook, I don't think that's the problem. We use the same method to create standard user certs for accessing HTTPS web sites - and they work fine under Windows/MSIE.

The other thing is that I can use Outlook to send an encrypted email to myself, then access that mailbox using Thunderbird (with the same cert) - and Thunderbird reads it fine. So Outlook must have successfully used the private key to do the encryption.

It's weird - it can generate encrypted emails, but can't read them...

Is anyone successfully using S/MIME within Outlook? I don't expect many on this list to be Outlook users - but I expect a lot are like me and mainly have Outlook users surrounding them :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: What does Outlook 2003 look for in a S/MIME cert?
On Wed, Aug 31, 2005, Jason Haar wrote:
> The other thing is that I can use Outlook to send an encrypted email to
> myself, then access that mailbox using Thunderbird (with the same cert)
> - and Thunderbird reads it fine. So Outlook must have successfully used
> the private key to do the encryption.
>
> It's weird - it can generate encrypted emails, but can't read them...

Sending encrypted mail just uses the public key but if SSL client authentication works then something will use the private key OK.

What about signed mail using that certificate, does that verify OK?

Can Thunderbird-generated encrypted mail using the same key and certificate be read using Outlook?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk