Have Identity Certificate, can't use it

Guest

Hey everyone,

I have a valid DOD CA-11 identity certificate that doesn't expire for 2+
years. I do see it in the personal certificate store (certmgr.msc). My
problem is that neither Outlook 2003 nor IE 7 recognizes it.

Outlook 2003 pops up a warning stating that my email account doesn't have a
valid identity certificate and IE 7 won't send my credentials when trying to
access some web sites.

I can't find anything on how to troubleshoot this or how to reset my machine
to start anew. Reformatting my machine is my last resort but I don't know if
I will resort to this if I make it that far.

Any help is appreciated.

Thanks.
 
Guest said:
I have a valid DOD CA-11 identity certificate that doesn't expire for 2+
years. I do see it in the personal certificate store (certmgr.msc). My
problem is that neither Outlook 2003 nor IE 7 recognizes it.

Outlook 2003 pops up a warning stating that my email account doesn't have a
valid identity certificate and IE 7 won't send my credentials when trying to
access some web sites.

I can't find anything on how to troubleshoot this or how to reset my machine
to start anew. Reformatting my machine is my last resort but I don't know if
I will resort to this if I make it that far.

Did you actually *install* the cert into Outlook?
In OL2002: Tools -> Options -> Security -> Import
With freemail certs from Thawte, I don't have to do this since the
script in their HTML page handles the import. I let all my certs expire
and removed them so I don't have anything to look at right now.

Does the e-mail address specified in the cert match one of the e-mail
addresses defined in an account in Outlook?
 
Vanguard said:
Did you actually *install* the cert into Outlook?
In OL2002: Tools -> Options -> Security -> Import
With freemail certs from Thawte, I don't have to do this since the
script in their HTML page handles the import. I let all my certs expire
and removed them so I don't have anything to look at right now.

Does the e-mail address specified in the cert match one of the e-mail
addresses defined in an account in Outlook?
Yeah, the certificate is contained on a CAC card (smart card) and the card
reader imported it into Outlook. Also, I do (did) have a certificate from
ORC that was imported at one time... and it doesn't work either. I am less
confident and not really worried about the ORC certificate though...
 
spearenb said:
Yeah, the certificate is contained on a CAC card (smart card) and the card
reader imported it into Outlook. Also, I do (did) have a certificate from
ORC that was imported at one time... and it doesn't work either. I am less
confident and not really worried about the ORC certificate though...


I don't know how a card reader can do anything by itself, so I don't see
how a .pfx file on a flash card can do anything to import a certificate.
Try following the import instructions at
http://support.microsoft.com/kb/823503/en-us.

When in Outlook under the Tools -> Options -> Security tab, is a cert
listed in the drop-down listbox for "Default Setting"? When you click
on the Settings button, do you see any certs listed?

For IE, under Internet Options -> Content -> Certificates, are any
listed there? Currently I only have one listed for the EFS cert (which
cannot be used by IE for HTTPS or by an e-mail client).

When using certmgr.msc, what purposes are listed for each cert you have
installed?
 
Vanguard said:
I don't know how a card reader can do anything by itself, so I don't see
how a .pfx file on a flash card can do anything to import a certificate.
Try following the import instructions at
http://support.microsoft.com/kb/823503/en-us.
When using certmgr.msc, what purposes are listed for each cert you have
installed?

The reader is ActivCard Gold and it has 'register' functionality. This was
the way I put it in the Personal/Certificates area of the certmgr.msc app.

Speaking of which, properties for the certificate include the S/MIME signing
with a Yes.

When in Outlook under the Tools -> Options -> Security tab, is a cert
listed in the drop-down listbox for "Default Setting"? When you click
on the Settings button, do you see any certs listed?

Yes, I do have an entry for this certificate. I was able to select it in
the Change Security Settings window.

For IE, under Internet Options -> Content -> Certificates, are any
listed there? Currently I only have one listed for the EFS cert (which
cannot be used by IE for HTTPS or by an e-mail client).

Yes, I see it in there.
 
I read up some on the cert you mention having, like at
http://www.verisign.com/repository/cps/dod/ieca-cps.pdf. I don't see
that it is used for SSL connects or for e-mail.

Have you checked at the CA that issued the cert to make sure it hasn't
been revoked? Your statements in your first post make it appear that you
think you still have a valid cert but that perhaps you are no longer
employed with the DOD yet still think you can identify yourself from
there. I don't know who is the CA for your cert. If it is a Verisign
cert, see if you can check its status at:

Class 1 cert: https://digitalid.verisign.com/services/client/index.html
ECA cert: https://eca.verisign.com/client/revoke.htm


Did you check what usages were listed for that cert?

I found some articles at Verisign regarding support, like:

http://www.verisign.com/support/eca-support/index.html
http://www.verisign.com/verisign-bu...solutions/eca-certificates/install/index.html
http://www.verisign.com/support/digital-id-support/page_dev029379.html
http://www.verisign.com/support/eca-support/index.html
http://www.verisign.com/static/037901.pdf
 
OK, I have some egg on my face here.....

After calling the DISA support line, I have found out that I ONLY have an ID
certificate on my card. I don't have an email or encryption certificate.

On the other hand, I was able to install my ORC certificates (meaning I
remembered my passwords) so I have an ID and encryption certificate that I
can use for email.

I think my confusion is that the ID certificates from the different
organizations are not the same. I thought the ID cert from DISA would be
akin to the ID cert from ORC and therefore, be used for email.

Anyway, Vanguard, thanks for your help. Case Closed.
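The two properties Vanguard asked about (which purposes certmgr.msc lists for the cert, and whether the e-mail address in the cert matches the account) are exactly what separated the identity-only certificate from one that an S/MIME client can use. The script below is an added example written for this thread, not code from any poster or from the CA vendors mentioned. It constructs two self-signed certificates with OpenSSL: one carrying only the client-authentication purpose, the other carrying the E-mail Protection purpose plus an rfc822Name subject alternative name. The function `smime_usable` (a hypothetical name) then applies the check an S/MIME client effectively makes. It assumes an OpenSSL 1.1.1 or newer binary on PATH (for `req -addext`); the subject, file names and the address user@example.org are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds two constructed
# self-signed certificates and checks which one carries what an S/MIME
# client needs: the E-mail Protection EKU and a matching rfc822Name SAN.
# Assumes an OpenSSL 1.1.1+ binary on PATH (for 'req -addext').
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ADDR="user@example.org"   # constructed address, not from the thread

# Constructed "identity-only" cert: client authentication, no e-mail address.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/id.key" -out "$WORK/id.pem" \
  -subj "/CN=EXAMPLE USER/O=Example Org" \
  -addext "keyUsage=digitalSignature" \
  -addext "extendedKeyUsage=clientAuth" >/dev/null 2>&1

# Constructed "e-mail" cert: E-mail Protection EKU plus the address as a SAN.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/email.key" -out "$WORK/email.pem" \
  -subj "/CN=EXAMPLE USER/O=Example Org" \
  -addext "keyUsage=digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=emailProtection,clientAuth" \
  -addext "subjectAltName=email:$ADDR" >/dev/null 2>&1

# cert_usages CERT: print the Extended Key Usage line of CERT (the same
# "purposes" that certmgr.msc shows), or nothing if the cert has none.
cert_usages() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# smime_usable CERT ADDRESS: succeed (exit 0) only when CERT carries the
# E-mail Protection EKU and lists ADDRESS as an rfc822Name in its SAN.
smime_usable() {
  cert_text="$(openssl x509 -in "$1" -noout -text)"
  printf '%s\n' "$cert_text" \
    | grep -A1 'X509v3 Extended Key Usage' | grep -q 'E-mail Protection' || return 1
  printf '%s\n' "$cert_text" \
    | grep -A1 'X509v3 Subject Alternative Name' | grep -q "email:$2" || return 1
}

for name in id email; do
  echo "$name.pem usages: $(cert_usages "$WORK/$name.pem")"
  if smime_usable "$WORK/$name.pem" "$ADDR"; then
    echo "$name.pem: usable for S/MIME as $ADDR"
  else
    echo "$name.pem: NOT usable for S/MIME (no E-mail Protection EKU or no SAN for $ADDR)"
  fi
done
```

Run it as-is; the identity-only certificate fails the check even though it is valid, unexpired and sitting in the store, which is the situation the original post describes. To inspect a certificate exported from certmgr.msc, point `cert_usages` and `smime_usable` at that PEM file (convert a DER export first with `openssl x509 -inform DER`).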
 