000025964 - Cannot sign email with certificate from Keon Certificate Authority 6.0

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000025964

Applies To:
Keon Certificate Authority 6.0
Sun Solaris 2.8
Microsoft Outlook

Issue:
Cannot sign email with certificate from Keon Certificate Authority 6.0
Cannot use certificate for S/MIME
After enrolling for a certificate, signing the certificate with no extensions (V1 certificate) and installing the certificate from KCA 6.0, the certificate does not appear in the list when choosing an S/MIME certificate in Outlook. Enrolling for a V1 certificate from KCA 5.7 works fine.

Cause:
The email address must be in the subject name (DN) for V1 certificates in order for Microsoft Outlook to identify the certificate as S/MIME capable. V1 certificates by definition have no extensions.

Resolution:
Because KCA 6.0 now uses jurisdictions to control how certificates are enrolled for and issued, the administrator has control over what gets put into the certificate's subject DN. When configuring the jurisdiction for end user certificates that will be capable of doing S/MIME, the email address must be included in the subject DN.

To edit the certificate attributes, select the CA and choose "Configure" at the bottom of the GUI under "Jurisdiction Configuration". Under "Sections | Certificate Attributes", make sure that "EA E-mail Address" appears in the "Certificate Attributes Configuration" list box. If it isn't there, click "New Entry" and add it. If it is in the list, highlight it and scroll down to where the configuration settings are. Make sure "Include in DN" is checked.

NOTE: The columns may not be properly aligned. "Include in DN" should be the first check box.
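
To confirm that a certificate issued after the jurisdiction change carries the address in its subject DN, the check below reads the text dump produced by `openssl x509 -noout -text`. It is an added example, not RSA's tooling; the function name `check_smime_dn` and the sample dumps are constructed for illustration.

```python
import re

# Constructed samples in the layout of `openssl x509 -noout -text` output,
# abridged to the fields the check reads; names and addresses are made up.
V1_WITH_EMAIL = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Issuer: O = Example Corp, CN = Example Issuing CA
        Subject: O = Example Corp, CN = Alice Example, emailAddress = alice@example.com
"""
V1_NO_EMAIL = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Issuer: O = Example Corp, CN = Example Issuing CA
        Subject: O = Example Corp, CN = Bob Example
"""

VERSION_RE = re.compile(r"^\s*Version:\s*(\d+)", re.M)
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.*)$", re.M)
# Matches "emailAddress = a@b" (OpenSSL 1.1+) and "/emailAddress=a@b" (older).
EMAIL_RE = re.compile(r"emailAddress\s*=\s*([^\s,/]+@[^\s,/]+)")


def check_smime_dn(cert_text):
    """Return (version, e-mail addresses in the subject DN, ok) for one dump."""
    version_match = VERSION_RE.search(cert_text)
    subject_match = SUBJECT_RE.search(cert_text)
    if not version_match or not subject_match:
        raise ValueError("Version or Subject line missing from certificate dump")
    version = int(version_match.group(1))
    emails = EMAIL_RE.findall(subject_match.group(1))
    # A V1 certificate has no extensions, so the subject DN is the only place
    # the address can appear. For later versions the address may instead sit
    # in an extension, which this check does not inspect: ok is None there.
    ok = bool(emails) if version == 1 else None
    return version, emails, ok


if __name__ == "__main__":
    for name, dump in (("with e-mail", V1_WITH_EMAIL), ("no e-mail", V1_NO_EMAIL)):
        print(name, check_smime_dn(dump))
```

A result of `ok = False` for a V1 certificate means the jurisdiction that issued it does not have "Include in DN" set for the e-mail attribute.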
Legacy Article ID: a7830