Sending S/MIME encrypted messages with Outlook for iOS is not possible: "There's a problem with one of your S/MIME encryption certificates."

Assume the following scenario:

There's a problem with one of your S/MIME encryption certificates. Contact your IT help desk for more info.

Subsequent archiving of private keys

For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with appropriate certificates for this purpose.

An important aspect here is that users' private keys should be backed up centrally, in contrast to the signature certificates that are otherwise most common. Incoming messages are encrypted for a specific private key and can only be decrypted with that same key, so a backup of these keys must be available; it is also indispensable for synchronizing the keys to mobile devices. For this purpose, Microsoft Active Directory Certificate Services offers the Private Key Archival feature.

But what if private key archiving has not been set up and users have already applied for corresponding certificates?


Transferring S/MIME certificates to Microsoft Intune

In a modern networked world, the confidential transmission of messages in the corporate environment is essential for business success. Despite its age, e-mail is still indispensable to corporate communication. However, the way it is used has changed significantly over the decades.

Nowadays, it is common to read and write business e-mails on mobile devices such as smartphones and tablets. Such devices are usually managed by Mobile Device Management (MDM) systems such as Microsoft Intune.

For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with the corresponding certificates. How do these certificates get to the end devices of the users in a scalable way?


Microsoft Outlook: Signed e-mail messages are rejected by the receiving mail server with error message "Invalid S/MIME encrypted message."

Assume the following scenario:

  • A user sends an e-mail message signed with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The sender uses Microsoft Outlook for Macintosh.
  • The receiving mail server rejects the message and sends back a Non-Delivery Report (NDR):
550 5.6.0 M2MCVT.StorageError.Exception: ConversionFailedException - , Content conversion: Invalid S/MIME encrypted message.; storage error in content conversion.

Microsoft Outlook: Signed e-mail messages appear invalid with error message "No certificate was found to verify the signature of this message."

Assume the following scenario:

  • A user receives an e-mail message signed with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The user (the recipient) uses Microsoft Outlook for Windows.
  • The sender uses Microsoft Outlook for Macintosh.
  • The certificate used to sign the message is valid.
  • The e-mail signature is displayed as invalid. Inspection of the signature reveals that no details about the signature certificate can be displayed.
Error: No certificate was found to verify the signature of this message.
Signed by (certificate subject name unknown) using RSA/SHA256 at 15:44:59 19.05.2021.

Microsoft Outlook: "This message cannot be encrypted or signed by Microsoft Outlook because there are no certificates for sending messages from the email address [...]."

Assume the following scenario:

  • A user wants to send a signed e-mail
  • The operation fails with the following error message:
This message cannot be encrypted or signed by Microsoft Outlook because there are no certificates for sending messages from the email address "rudi.ratlos@adcslabor.de". Either request a new digital ID for this account, or use the Accounts button to send the message using an account for which you have certificates.

Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Internal error." appears.

Assume the following scenario:

  • A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The message cannot be opened.
  • When opening the message, the following error message is displayed:
Unfortunately, there is a problem opening this item. This may be temporary. If this error occurs again, you should restart Outlook. Error in the underlying security system. Internal error.

S/MIME with the Outlook app for Apple iOS and Android only possible with devices managed via Intune

If you want to make S/MIME certificates available to your users on the smartphone as well, you may be surprised to discover that this is not possible with the Outlook app unless you also use Microsoft Intune as a management solution for the devices.

Microsoft has now clarified in the article "Sensitivity labeling and protection in Outlook for iOS and Android" that this is due to the respective system architecture.


Microsoft Outlook: Find out recipient certificates for S/MIME encrypted mails

For troubleshooting e-mail messages encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME), the encrypted part of a message can be exported. See the article "Microsoft Outlook: Extracting an encrypted S/MIME message from an email".

To find out which certificates a message has been encrypted for, you can proceed as follows.


Microsoft Outlook: Extracting an encrypted S/MIME message from an email

The encrypted part of an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME) is always contained in a file called "smime.p7m" as an attachment to the mail.

Outlook does not display this attachment, but it can be extracted from the e-mail with the free Microsoft MFCMAPI tool and then analyzed.


Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Your digital ID name cannot be found by the underlying security system" appears.

Assume the following scenario:

  • A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The message cannot be opened.
  • When opening the message, the following error message is displayed:
Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Your digital ID name cannot be found by the underlying security system.

Microsoft Outlook: Correctly signed e-mails (S/MIME) are displayed as invalid after the signature certificate expires

Assume the following scenario:

  • A user has received an email message in the past.
  • The message was signed with an S/MIME certificate.
  • The sender's signature certificate was issued by a certification authority that is trusted by the recipient.
  • Thus, the signature was recognized as valid at the time the message was received.
  • The user opens the mail again some time later and finds that the signature is classified as invalid.

Microsoft Outlook: View which algorithm was used for an S/MIME encrypted or signed email

Below is a description of where to see which symmetric algorithm was used to encrypt a received e-mail, and which hash algorithm was used for a signed e-mail.


Microsoft Outlook: Control the encryption algorithm used for S/MIME

When S/MIME certificates are issued, they usually contain the certificate extension "S/MIME Capabilities". This extension is specified in RFC 4262 and lets the recipient of an encrypted message announce to compatible e-mail programs which symmetric algorithms it supports. The sender should then choose the strongest algorithm supported by the recipient.

Microsoft Outlook evaluates the "S/MIME Capabilities" extension of a certificate where it is present and required. Below is a description of how it is used and which algorithms are selected.


The "S/MIME Capabilities" certificate extension

When S/MIME certificates are issued, they usually contain the certificate extension "S/MIME Capabilities". This extension is specified in RFC 4262 and lets the recipient of an encrypted message announce to compatible e-mail programs which symmetric algorithms it supports. The sender should then choose the strongest algorithm supported by the recipient.

Among other programs, Microsoft Outlook evaluates this extension and uses it to determine the symmetric algorithm for an encrypted e-mail.
