|Applies To||Keon Web PassPort|
Microsoft Windows 2000 Server SP4
Keon Certificate Authority 6.x
RFC 2630 - Cryptographic Message Syntax information:
|Issue||Renewed Keon Web PassPort certificates having problems with old encrypted email|
Cannot decrypt an old email using the renewed encryption certificate. The encryption certificate was renewed using the same key pair, and the original (old) encryption certificate is no longer present.
Microsoft Outlook uses an S/MIME v1 implementation.
|Resolution||The problem is that Microsoft Outlook uses version 1 of S/MIME, which identifies the recipient's certificate by issuer name and certificate serial number (issuerAndSerialNumber). A renewed certificate carries a new serial number, so mail encrypted to the old certificate no longer matches anything in the store once the old certificate is gone, even though the key pair is the same.|
- For users with certificates in the Web browser, do NOT delete the old certificates when renewing (contrary to advice we have given in the past).
- For Keon Web PassPort users, contact RSA Security Professional Services or Customer Support. Tools have been created by RSA Security Engineering to enable a second virtual card to be created for the renewed certificate, leaving the old certificates in place to access old encrypted email.
- For Smart Card users, as long as the old encryption certificate is still registered in the Web browser and pointed at the Smart Card / USB token, it will still work. If the card is taken to a different system, the renewed encryption certificate will not work on old encrypted mail.
|Notes||Microsoft has made some changes in how this works in Outlook 2010 along with some bug fixes in Microsoft Office 2010 Service Pack 1 (SP1) as per the following Microsoft article:|
"Some email clients unable to decrypt email sent from Outlook 2010":
Here are a few quotes from the above Microsoft article:
"Cause: The Cryptographic Message Syntax (CMS) is documented in RFC 5652. That specification allows using either the subjectKeyIdentifier or issuerAndSerialNumber as the SignerIdentifier. The release (RTM) version of Outlook 2010 uses subjectKeyIdentifier as the SignerIdentifier, whereas earlier versions use issuerAndSerialNumber. If the subjectKeyIdentifier extension is not defined in the certificate, Outlook 2010 RTM generates one. Some email clients or third-party operating systems are unable to use the Outlook-generated subjectKeyIdentifier. This results in the recipient being unable to decrypt and read the message."
"Resolution: This issue is fixed in Microsoft Office 2010 Service Pack 1 (SP1). For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2460049 Description of Office 2010 SP1
After installing SP1, if the subjectKeyIdentifier extension is not present in the certificate, Outlook reverts to using issuerAndSerialNumber as the SignerIdentifier."
"More Information: By default, Microsoft Outlook 2013 uses issuerAndSerialNumber as the SignerIdentifier. This prevents the issue in the 'Symptoms' section of this article from occurring."
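Added example (not from the RSA article or the Microsoft article it quotes): a Python model of the CMS RecipientIdentifier lookup behind both the Resolution and the quoted Microsoft text, showing why a same-key renewal with a new serial number breaks issuerAndSerialNumber matching once the old certificate is deleted, while subjectKeyIdentifier matching survives it. Certificate fields and key bytes are constructed, and deriving a missing SKI as SHA-1 of the key bits (RFC 5280 method 1) is an assumption about how a client would do it, not Outlook's documented behaviour.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of the CMS RecipientIdentifier CHOICE (RFC 5652, KeyTransRecipientInfo):
# the sender names the recipient's certificate by issuerAndSerialNumber or by subjectKeyIdentifier.
@dataclass(frozen=True)
class IssuerAndSerialNumber:
    issuer: str
    serial: int

@dataclass(frozen=True)
class SubjectKeyIdentifier:
    key_id: bytes

@dataclass
class Certificate:
    issuer: str
    serial: int
    subject: str
    public_key: bytes             # DER SubjectPublicKeyInfo in a real cert; constructed bytes here
    ski: "bytes | None" = None    # subjectKeyIdentifier extension value, if the cert carries one

def key_identifier(cert):
    """SKI from the extension; otherwise derived as SHA-1 of the key bits (assumed RFC 5280 method 1)."""
    return cert.ski if cert.ski is not None else hashlib.sha1(cert.public_key).digest()

def renew_same_key(old, new_serial):
    """Renewal as on this page: same key pair (so same SKI), but the CA issues a new serial number."""
    return Certificate(old.issuer, new_serial, old.subject, old.public_key, old.ski)

def find_decryption_cert(rid, store):
    """Return the store certificate a RecipientInfo refers to; None means the mail cannot be decrypted."""
    for cert in store:
        if isinstance(rid, IssuerAndSerialNumber):
            if cert.issuer == rid.issuer and cert.serial == rid.serial:
                return cert
        elif key_identifier(cert) == rid.key_id:
            return cert
    return None

def demo():
    old = Certificate("CN=Keon CA", 1001, "CN=alice", b"constructed-rsa-public-key-bits")
    renewed = renew_same_key(old, 2042)
    by_serial = IssuerAndSerialNumber("CN=Keon CA", 1001)  # S/MIME v1-style RecipientInfo
    by_ski = SubjectKeyIdentifier(key_identifier(old))     # Outlook 2010 RTM-style RecipientInfo
    return {
        "serial_old_kept": find_decryption_cert(by_serial, [old, renewed]) is old,
        "serial_old_deleted": find_decryption_cert(by_serial, [renewed]) is None,
        "ski_old_deleted": find_decryption_cert(by_ski, [renewed]) is renewed,
    }
```

All three checks in `demo()` come back True: keeping the old certificate in the store is what makes serial-based lookup succeed, which is exactly why the Resolution says not to delete it.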
|Legacy Article ID||a21882|