Archived Forum Post

Question:

Email digital signature issue: needs to "edit trust" when opened in outlook at very first time

Jan 28 '15 at 07:41

Hi, I have a question regarding email digital signatures. I used the following code to sign and send email to my customers. Everything was fine, except when my customers received this email and opened it with Outlook 2007/2010/2013: at the very first time, it would indicate the signature is invalid, but after "edit trust", the signature became valid. Why?

PS: The key (PFX file) was bought from Symantec.com.

//-------------------------------
#include <iostream>
#include <CkCert.h>
#include <CkEmail.h>
#include <CkMime.h>
#include <CkMailMan.h>

void sendSignedEmail() {
    CkCert cert; CkEmail email; CkMime mime; CkMailMan mailman;
    const char *pfxFilepath = "test.pfx";   // pointer to a string, not a single char
    const char *pfxPassword = "secret";
    // The PFX must hold the private key and the signing certificate (ideally with its issuer chain)
    bool success = cert.LoadPfxFile(pfxFilepath, pfxPassword);
    if (!success) { std::cout << cert.lastErrorText(); return; }

    email.LoadEml("test.eml");
    mime.LoadMime(email.getMime());
    mime.put_SigningHashAlg("sha-1");       // sha-1 was common in 2015; sha-256 is the current default choice
    mime.ConvertToSigned(cert);             // wraps the MIME in a PKCS#7 signature that embeds the signing cert
    mailman.put_SmtpHost("192.168.1.12");
    success = mailman.SendMime("test@test.com", "test@test.com", mime.getMime());
    if (!success) { std::cout << mailman.lastErrorText(); }
}
//-----------------------------------

Best Regards, Tom


Answer

If using Edit Trust allows the signature to be trusted, that suggests that the root CA certificate used by Symantec is not itself in the existing trusted roots on those systems. You may need to ask your customers to check the Symantec root cert details and compare them to the trusted roots in the certificate store on their PC; I would guess that the certificate does not exist. If that's the case you will need to contact Symantec support and ask them why they are signing certificates with a root certificate that is not present by default in the Windows certificate store.

Dan


Answer

Hi

I found the source of the problem. The problem is from Windows XP. If the certificate was exported from Windows 7, then it would be OK. But, if the certificate is exported from Windows XP, it would have the issues. I googled it and found out there was an update for Windows XP.

Tom


Answer

Hi Dan,

Thank you very much for your help. I encountered a very strange situation. I found out that if I ran this code on Windows Server 2012, the email received in Outlook 2013 was OK, but Outlook 2010/2007 was not. But, if I ran this code on Windows 7 under my account, then it was fine for all Outlook 2013/2010/2007 versions. And, this situation only happened with one PFX file (I tried many PFX files, the others were all fine). Do you have any idea?

Best Regards,

Tom


Answer

Hi Tom,

Sorry, my certificate handling knowledge is pretty small, mostly to do with web servers rather than email. Have you compared the Trusted Roots stores on Windows Server 2012 to your Windows 7 one, to see if maybe you have an outdated root certificate in Windows Server 2012?

Dan
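The two checks Dan suggests (whether the chain above the signing certificate ends in a root the machine already trusts, and whether the Trusted Root stores of two machines differ) can be scripted so the question is answered on the sending machine before anything is mailed. The script below is an added example and is not part of the forum thread, nor Chilkat's or Symantec's code. It builds the chain with the same Windows CryptoAPI engine Outlook uses (via .NET X509Chain), reports each element and its status, and tells you whether the top of the chain sits in CurrentUser or LocalMachine Trusted Root Certification Authorities. It assumes PowerShell 3.0 or later; the PFX path, password and CSV paths are placeholders.

```powershell
# Added example (not from the thread): inspect the chain a PFX signing certificate
# builds on this machine, and diff the trusted root stores of two machines.

function Test-SigningCertChain {
    param(
        [Parameter(Mandatory=$true)] [string] $PfxPath,    # assumption: path to the signing PFX
        [Parameter(Mandatory=$true)] [string] $Password    # assumption: its import password
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Trust check only; switch RevocationMode to Online to also exercise CRL/OCSP lookups.
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    $ok = $chain.Build($cert)

    # Leaf first, then each issuer CryptoAPI could find (from the PFX, AIA download or local stores).
    $elements = foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $e.Certificate.Subject
            Issuer     = $e.Certificate.Issuer
            Thumbprint = $e.Certificate.Thumbprint
            NotAfter   = $e.Certificate.NotAfter
            Status     = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # An "UntrustedRoot" entry in ChainStatus is exactly what "Edit Trust" in Outlook papers over.
    [pscustomobject]@{
        ChainBuilds      = $ok
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        TopOfChain       = $top.Subject
        TopIsSelfSigned  = ($top.Subject -eq $top.Issuer)
        TopInUserRoot    = Test-Path "Cert:\CurrentUser\Root\$($top.Thumbprint)"
        TopInMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
        Elements         = $elements
    }
}

function Export-TrustedRoots {
    param([Parameter(Mandatory=$true)] [string] $OutFile)   # assumption: CSV path to write
    # Thumbprints of every trusted root visible on this machine, for diffing against another box.
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Select-Object Thumbprint, Subject, NotAfter |
        Sort-Object Thumbprint -Unique |
        Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-TrustedRoots {
    param(
        [Parameter(Mandatory=$true)] [string] $ReferenceCsv,   # e.g. export from Windows 7
        [Parameter(Mandatory=$true)] [string] $DifferenceCsv   # e.g. export from Windows Server 2012
    )
    # "<=" marks roots only in the reference store, "=>" roots only in the difference store.
    Compare-Object (Import-Csv $ReferenceCsv) (Import-Csv $DifferenceCsv) -Property Thumbprint -PassThru |
        Select-Object SideIndicator, Thumbprint, Subject, NotAfter
}

# Usage (all paths are assumptions):
# Test-SigningCertChain -PfxPath 'C:\keys\test.pfx' -Password 'secret' | Format-List
# Export-TrustedRoots -OutFile 'C:\temp\roots-win7.csv'        # run once on each machine
# Compare-TrustedRoots -ReferenceCsv 'C:\temp\roots-win7.csv' -DifferenceCsv 'C:\temp\roots-ws2012.csv'
```

Run Test-SigningCertChain on each sending machine: if ChainStatus reports UntrustedRoot, or TopIsSelfSigned is false (the chain stopped at an intermediate because neither the PFX nor the store supplied the rest), recipients will see the "invalid until trusted" behaviour described in the question. The Export/Compare pair then shows which root is present on the machine where signing works and missing on the one where it does not.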