From: Nick on
I have a co-worker whose email encryption stopped working about three
weeks ago and I can't figure out why. I have tried deleting and reloading his
certificate from our CA (we have our own CA for the company, so certificates
are generated by the server). I was able to get it to where he could send
encrypted emails again but he still can't receive them. Any time he tries to
open one he gets the error "Your digital ID name cannot be found by the
underlying security system". I downloaded Cryptigo p7mviewer to see what it
said the issue was, and when I moved the email from Outlook to p7mviewer it
said the problem was that my private key was not available. The way I
understand it, he should not have or need my private key to open the email. I
went through and checked to make sure that I had his certificate trusted and
that he had mine, and we both did. I verified the serial number on his to
make sure it wasn't an old copy he had deleted. What I need to know is why
his Outlook is looking for my private key to decrypt the email when Outlook
should have used his public key.

Thanks in advance for any help

-Nick
From: Brian Tillman [MVP-Outlook] on
"Nick" <Nick(a)discussions.microsoft.com> wrote in message
news:4CBFF2C3-C50A-448B-824E-60AE05536E6D(a)microsoft.com...

>I have a co-worker that his email encryption stopped working about three
> weeks and I can't figure out why. I have tried deleting and reloading his
> certificate from our CA(We have our own CA for the company so certificates
> are generated by the server). I was able to get it to where he could send
> encrypted emails again but he still can' receive them. Any time he tried to
> open it he gets the error "Your digital ID name cannot be found by the
> underlying security system". I downloaded Cryptigo p7mviewer to see what it
> said the issue was and when I moved the email from outlook to p7mviewer it
> said that problem was that my private key was not available. The way I
> understand it he should not have or need my private key to open the email.

He doesn't need your private key, he needs his or you need yours. When you
try to open the encrypted message, the underlying crypto subsystem expects
that the person opening the message has the private key matching the public
key used to encrypt the message.

> I went through and checked to make sure that I had his certificate trusted
> and
> that he had mine and we both did. I verified the serial number on his to
> make sure it wasn't an old copy he had deleted. What I need to know is why
> his outlook is looking for my private key to decrypt the email when outlook
> should have used his public key.

No, Outlook uses the recipient's _private_ key to decrypt the message. The
recipient's public key is used by the sender to encrypt the message.

It sounds to me like the sender has a public key for a revoked certificate and,
if you say that you deleted his cert and reissued another from the PKI
server, then it's likely that is the case. When a new cert is issued to
someone, that person must send the new public key to his potential senders so
they can use the correct public key to encrypt.
--
Brian Tillman [MVP-Outlook]

From: Nick on


"Brian Tillman [MVP-Outlook]" wrote:

> "Nick" <Nick(a)discussions.microsoft.com> wrote in message
> news:4CBFF2C3-C50A-448B-824E-60AE05536E6D(a)microsoft.com...
>
> >I have a co-worker that his email encryption stopped working about three
> > weeks and I can't figure out why. I have tried deleting and reloading his
> > certificate from our CA(We have our own CA for the company so certificates
> > are generated by the server). I was able to get it to where he could send
> > encrypted emails again but he still can' receive them. Any time he tried to
> > open it he gets the error "Your digital ID name cannot be found by the
> > underlying security system". I downloaded Cryptigo p7mviewer to see what it
> > said the issue was and when I moved the email from outlook to p7mviewer it
> > said that problem was that my private key was not available. The way I
> > understand it he should not have or need my private key to open the email.
>
> He doesn't need your private key, he needs his or you need yours. When you
> try to open the encrypted message, the underlying crypto subsystem expects
> that the person opening the message has the private key matching the public
> key used to encrypt the message.
>
> > I went through and checked to make sure that I had his certificate trusted
> > and
> > that he had mine and we both did. I verified the serial number on his to
> > make sure it wasn't an old copy he had deleted. What I need to know is why
> > his outlook is looking for my private key to decrypt the email when outlook
> > should have used his public key.
>
> No, Outlook uses the recipient's _private_ key to decrypt the message. The
> recipient's public key is used by the sender to encrypt the message.
>
> It sounds to me like the sender has a public key for a revoked certificate and
> if you say that you deleteed his cert and reissued another from the PKI
> server, then it's likely that is the case. When a new cert is issued, to
> someone, that person must send the new public key to his potential senders so
> they can use the correct public key to encrypt.
> --
> Brian Tillman [MVP-Outlook]

I sent his new key to myself when I issued it so I know that it is the
correct one. We both have each other's most current public key and he can
send them to me with no problem. What I don't get is why the program I used
to diagnose the issue is saying that it is looking for my private key as
opposed to his private key when I send him an encrypted email.

-Nick
From: VanguardLH on
Nick wrote:

> I have a co-worker that his email encryption stopped working about three
> weeks and I can't figure out why. I have tried deleting and reloading
> his certificate from our CA(We have our own CA for the company so
> certificates are generated by the server). I was able to get it to where
> he could send encrypted emails again but he still can' receive them. Any
> time he tried to open it he gets the error "Your digital ID name cannot
> be found by the underlying security system". I downloaded Cryptigo
> p7mviewer to see what it said the issue was and when I moved the email
> from outlook to p7mviewer it said that problem was that my private key
> was not available. The way I understand it he should not have or need my
> private key to open the email. I went through and checked to make sure
> that I had his certificate trusted and that he had mine and we both did.
> I verified the serial number on his to make sure it wasn't an old copy he
> had deleted.

His certificate has nothing to do with him *sending* encrypted emails. The
sender must have the public key from the e-mail cert for the *recipient*.
You digitally sign an e-mail. That puts the public key into your e-mail.
You send that digitally signed e-mail to someone from whom you want to
*receive* encrypted e-mails (i.e., you getting their encrypted e-mails is
by you sending an invite to do so by giving them your public key). They
use YOUR public key to encrypt THEIR e-mail. You get their encrypted
e-mail and decrypt it using your private key that only you have.

So for your user to send encrypted e-mails means they must get the public
key for the e-mail cert from the person to whom they want to send those
encrypted e-mails. If the user is just entering the recipient's e-mail
address in the To/Cc/Bcc fields then they are not sending an encrypted
e-mail. They have to use the record they saved in their contacts list for
the recipient when they saved that recipient into their contacts list. The
contact record has the public key for the recipient saved in it. When this
user gets a digitally signed e-mail from the other party, they have to save
that other party as a record in their contacts list. That also records the
other party's public key. Later when this user wants to send an encrypted
e-mail to that other party, they must use the contact record that they
saved previously which contains the public key for that other party.

> What I need to know is why his outlook is looking for my private key to
> decrypt the email when outlook should have used his public key.

Wrong. He uses YOUR public key (that he must've saved previously) to
encrypt HIS e-mail. You use YOUR private key to decrypt that e-mail. He
never got your private key. Only you have the private key. He doesn't use
his public key to encrypt. He uses his public key to digitally sign his
e-mail and then YOU can use his public key to encrypt e-mails that you send
to him (and then he uses his private key that only he has to decrypt it).

You got some of the X.509 certificate handling right but got it reversed as
to whose public key gets used to encrypt the e-mail. For this user to send
you an encrypted e-mail, they need YOUR public key to encrypt their e-mail
and then you use YOUR private key to decrypt it. My guess is that this
user either did not save your digital key (the public key) as a contact
record or they are manually entering your e-mail address (or using the
cached copy from the .nk2 cache file) which doesn't use the saved contact
record at all.

They need to get a digitally signed e-mail from you. It must contain
whatever is your current public key for your e-mail cert. If you change
your e-mail cert, you'll have to send them another digitally signed e-mail
with your new public key. From that digitally signed e-mail, they must
save you as a contact record. When they want to use your public key to
encrypt their e-mail sent to you, they MUST use the contact record where
they saved your digital key. Manually entering the e-mail address or
pulling it out of the cached list (.nk2 file) will NOT use the contact
record where your public key is recorded.

If you changed to a newer e-mail cert, send another digitally signed e-mail
to the other party and have them replace their current contact record so
the new contact has your new public key. They must use that contact record
when they select you as a recipient for their e-mail so it gets encrypted
using your public key stored in that contact record. They will also have
to manually elect to encrypt their e-mail (using your public key) before
they send it, or enable the option to always encrypt their outgoing e-mails
(for those where the public key is available in the contact records for
those recipients).

Your certificate:
- Public key. You give this to OTHERS by digitally signing your e-mails.
THEY use your public key to encrypt THEIR e-mails they send to you.
- Private key. Only you have this. Others encrypt their e-mails using
your public key that they got in your digitally signed e-mails. Anyone
else that intercepts a copy cannot decrypt, even those that also have
your public key. Only YOU have the private key to decrypt the e-mail.
From: VanguardLH on
Nick wrote:

> "Brian Tillman [MVP-Outlook]" wrote:
>
>> "Nick" <Nick(a)discussions.microsoft.com> wrote in message
>> news:4CBFF2C3-C50A-448B-824E-60AE05536E6D(a)microsoft.com...
>>
>>>I have a co-worker that his email encryption stopped working about three
>>> weeks and I can't figure out why. I have tried deleting and reloading his
>>> certificate from our CA(We have our own CA for the company so certificates
>>> are generated by the server). I was able to get it to where he could send
>>> encrypted emails again but he still can' receive them. Any time he tried to
>>> open it he gets the error "Your digital ID name cannot be found by the
>>> underlying security system". I downloaded Cryptigo p7mviewer to see what it
>>> said the issue was and when I moved the email from outlook to p7mviewer it
>>> said that problem was that my private key was not available. The way I
>>> understand it he should not have or need my private key to open the email.
>>
>> He doesn't need your private key, he needs his or you need yours. When you
>> try to open the encrypted message, the underlying crypto subsystem expects
>> that the person opening the message has the private key matching the public
>> key used to encrypt the message.
>>
>>> I went through and checked to make sure that I had his certificate trusted
>>> and
>>> that he had mine and we both did. I verified the serial number on his to
>>> make sure it wasn't an old copy he had deleted. What I need to know is why
>>> his outlook is looking for my private key to decrypt the email when outlook
>>> should have used his public key.
>>
>> No, Outlook uses the recipient's _private_ key to decrypt the message. The
>> recipient's public key is used by the sender to encrypt the message.
>>
>> It sounds to me like the sender has a public key for a revoked certificate and
>> if you say that you deleteed his cert and reissued another from the PKI
>> server, then it's likely that is the case. When a new cert is issued, to
>> someone, that person must send the new public key to his potential senders so
>> they can use the correct public key to encrypt.
>> --
>> Brian Tillman [MVP-Outlook]
>
> I sent his new key to myself when I issued it so I know that it is the
> correct one. We both have eachother's most current public key and he can
> send them to me with no problem. What I don't get is why the program I used
> to diagnose the issue is saying that it is looking for my private key as
> opposed to his private key when I send him an encrypted email.
>
> -Nick

Huh? Why would you issue HIS certificate to YOUR host (for use by YOUR
e-mail client)? You can't use his e-mail cert. You don't have an e-mail
account with the correct e-mail addresses encoded within that cert. You
MUST send encrypted e-mails using the account encoded within the cert. You
can't save a cert for an e-mail account that you can't use.

When you issue yourself a cert, you save it in your host's cert repository.
It has the e-mail address that you specified when you requested the cert.
That e-mail address must match the e-mail account that you use to send a
digitally signed e-mail. Outlook will not let you use a cert that has, say,
someone(a)otherdomain.com when you are sending it through an account whose
e-mail address is me(a)domain.com. You don't need and cannot use the other
person's cert. You need to use YOUR cert to digitally sign your e-mails,
which matches on the e-mail address for the account through which you send
your digitally signed e-mails (so as to give your public key to the recipient).

The only way [that I know of how] to "send his new key to yourself" would be
for you to import HIS cert into HIS host and use HIS e-mail client to
digitally sign HIS e-mail that HE sends to you (and you then save as a
contact to record HIS public key for use by YOUR e-mail client). You would
then need to use that contact record where HIS public key got stored when
you wanted to send him an encrypted e-mail.

"The program to diagnose the issue". We are supposed to know what that
program was, when you never identified it? "looking ... for his private key
when I send him an encrypted e-mail". Wrong! You need to use his PUBLIC key
when you send him an encrypted e-mail.

For him to send you an encrypted e-mail:
- Did you import YOUR e-mail cert into YOUR host? That gives you:
o The public key that you need to digitally sign your e-mails.
* HE needs your *public* key to encrypt HIS e-mails sent to you.
o The private key that **ONLY** you have.
* You will use your private key to decrypt e-mails sent to you that were
encrypted with your public key.
* Lots of users may have your public key, especially if you opt to
always digitally sign your outbound e-mails. None of them can decrypt
an e-mail that was encrypted using your public key. Only you have
your private key usable for decryption.
- Did he get a digitally signed e-mail from you?
o That gives him YOUR public key.
* He MUST save you in a contact record. That stores your public key in
that contact record which he will use to send you encrypted e-mails.
o He will need to use YOUR public key to encrypt HIS e-mails sent to you.
o He must use the contact record where your public key got saved when he
wants to encrypt his e-mails sent to you.
* He must NOT manually enter your e-mail address.
* He must NOT use a cached entry (from the .nk2 file) for your e-mail
address from his nickname cache. That is a cache of his *manual*
entries. No contact record is involved with [cached] manual entries.
* He MUST use the contact record to specify you as the recipient since
that is where your public key got stored. Your public key stored in
his contact record used to specify you as the recipient is how he can
encrypt e-mails that he sends to you.

For him to send you an encrypted e-mail, he doesn't even need his own e-mail
certificate. He could be completely nude of any certificates for himself.
Whether he can encrypt e-mails to you depends solely on whether or not you
gave him your public key. He doesn't need any certificate to send you an
encrypted e-mail. He only needs YOUR public key from YOUR e-mail cert that
YOU previously gave him through a digitally signed e-mail. His own e-mail
cert, if he even has one, is NOT involved in sending you an encrypted
e-mail. You getting encrypted e-mails is all about YOUR e-mail cert: they
use YOUR public key to encrypt and you use YOUR private key to decrypt.
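A practical way to check Brian's diagnosis (the opener must hold the private key matching the public key the sender encrypted with) and the key flow VanguardLH describes: read the recipient identifier out of the incoming .p7m and compare it with the certificate the mailbox actually holds. This is an added example, not code from the thread, Outlook or p7mviewer; it walks the CMS EnvelopedData structure of RFC 5652 with the standard library only, and `make_sample` builds a constructed message for a hypothetical "Corp CA" issuer so it runs offline.

```python
from typing import Iterator, List, Set, Tuple
ID_AT_COMMON_NAME = b"\x55\x04\x03"                          # OID 2.5.4.3
ID_ENVELOPED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x03"  # 1.2.840.113549.1.7.3

def der_items(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, contents) for each TLV inside a DER SEQUENCE/SET body."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                       # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + ln]
        i += ln

def list_recipients(p7m: bytes) -> List[Tuple[str, int]]:
    """(issuer CN, serial) of each cert whose public key wrapped the content key;
    assumes rid = issuerAndSerialNumber, the form Outlook S/MIME emits."""
    [(_, content_info)] = der_items(p7m)
    [(_, oid), (_, explicit0)] = der_items(content_info)
    assert oid == ID_ENVELOPED_DATA, "not an EnvelopedData ContentInfo"
    [(_, enveloped)] = der_items(explicit0)
    recipient_infos = next(b for t, b in der_items(enveloped) if t == 0x31)
    found = []
    for _, ri in der_items(recipient_infos):            # KeyTransRecipientInfo
        [(_, _ver), (_, rid), (_, _alg), (_, _enc_key)] = der_items(ri)
        [(_, issuer), (_, serial)] = der_items(rid)
        cn = ""
        for _, rdn in der_items(issuer):                # SET OF AttributeTypeAndValue
            [(_, atv)] = der_items(rdn)
            [(_, attr_oid), (_, value)] = der_items(atv)
            if attr_oid == ID_AT_COMMON_NAME:
                cn = value.decode()
        found.append((cn, int.from_bytes(serial, "big")))
    return found

def private_key_available(p7m: bytes, my_keys: Set[Tuple[str, int]]) -> bool:
    """my_keys = (issuer CN, serial) of each cert this mailbox holds a private key
    for. False is the 'private key not available' case: encrypted to a cert
    (e.g. the old, since-reissued one) whose private key is not here."""
    return any(rid in my_keys for rid in list_recipients(p7m))

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one TLV; only used to build the constructed sample below."""
    assert len(body) < 128, "sample only needs short-form lengths"
    return bytes([tag, len(body)]) + body

def make_sample(serial: int) -> bytes:
    """Constructed EnvelopedData to the 'Corp CA' cert with this serial (< 0x8000);
    algorithm ids and key/content bytes are dummies, not real ciphertext."""
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der_tlv(0x05, b""))
    atv = der_tlv(0x30, der_tlv(0x06, ID_AT_COMMON_NAME) + der_tlv(0x13, b"Corp CA"))
    rid = der_tlv(0x30, der_tlv(0x30, der_tlv(0x31, atv)) + der_tlv(0x02, serial.to_bytes(2, "big")))
    ri = der_tlv(0x30, der_tlv(0x02, b"\x00") + rid + alg + der_tlv(0x04, b"\x00" * 8))
    eci = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01") + alg + der_tlv(0x80, b"\x00" * 4))
    enveloped = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x31, ri) + eci)
    return der_tlv(0x30, der_tlv(0x06, ID_ENVELOPED_DATA) + der_tlv(0xA0, enveloped))
```

On a real message, feed `list_recipients` the base64-decoded bytes of the smime.p7m attachment and compare the reported serial with the certificate currently installed for that mailbox; a mismatch means the sender is still encrypting to the old public key.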