Digital Signature Problem Revisited

    Question

  • Hello.

    I previously posted a question (and received a helpful answer) regarding digital signatures in this thread: http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/f9d20238-a6c0-433c-b328-555f46464f7e

    Based on that answer, I set up a second CA system on our domain with an online self-signed root. I've attempted to issue Digital Signature certificates from this CA, but I'm still receiving the same error when I attempt to use the certificate to sign a document in Word 2007 on Windows 7 Enterprise.

    "Your signature could not be added to the document. If your signature requires a smart card, ensure that your card reader is installed correctly."

    Certutil -verify output for the document signing cert is as follows:

    C:\Users\user>certutil -verify C:\Users\user\Desktop\cert.cer
    Issuer:
        CN=CA
        DC=school
        DC=edu
    Subject:
        E=user@school.edu
        CN=LastName, FirstName
        OU=4325
        OU=4300
        OU=Users
        OU=BigOU
        DC=University
        DC=school
        DC=edu
    Cert Serial Number: 1c0891bb000000000005

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 7 Hours, 17 Minutes, 7 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 7 Hours, 17 Minutes, 7 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=CA, DC=school, DC=edu
      NotBefore: 3/15/2010 11:10 AM
      NotAfter: 3/15/2011 11:10 AM
      Subject: E=user@school.edu, CN="LastName, FirstName", OU=4325, OU=4300, OU=Users, OU=FSA, DC=University, DC=school, DC=edu
      Serial: 1c0891bb000000000005
      SubjectAltName: Other Name:Principal Name=user@University.school.edu, RFC822 Name=user@school.edu
      Template: LU Document Signing
      d4 62 71 bc 0c d9 b5 6b e0 68 f4 9d 4f 1a fc a3 4e ae d9 a7
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
        CRL 3d:
        Issuer: CN=CA, DC=school, DC=edu
        09 28 7a 85 9c e0 c5 89 29 2e 7f 8a 9d 91 ca 48 57 60 bc 2e
        Delta CRL 3e:
        Issuer: CN=CA, DC=school, DC=edu
        a8 32 e8 c9 34 1d 5b 33 e0 8e a3 d4 51 01 07 9b 29 90 af ca
      Issuance[0] = 1.3.6.1.4.1.311.21.8.4357558.16474036.1918878.4109104.11981914.22.1.401 Medium Assurance
      Application[0] = 1.3.6.1.4.1.311.10.3.12 Document Signing

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=CA, DC=school, DC=edu
      NotBefore: 2/14/2010 4:06 PM
      NotAfter: 2/14/2020 4:16 PM
      Subject: CN=CA, DC=school, DC=edu
      Serial: 3d1d92b5b59e7a8c4afbd863b8210e6a
      Template: CA
      c5 28 2b a7 6d 18 0e 1d b6 3b d8 cc a7 c0 34 71 a7 e6 7f 9e
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    Exclude leaf cert:
      10 50 11 6d fe 07 e9 d7 9c c1 50 b6 95 d6 0d c5 18 2e 0e b6
    Full chain:
      70 a2 9d f0 03 ac d6 78 29 4c 42 0e b0 98 92 77 a7 94 28 d2
    ------------------------------------
    Verified Issuance Policies:
        1.3.6.1.4.1.311.21.8.4357558.16474036.1918878.4109104.11981914.22.1.401 Medium Assurance
    Verified Application Policies:
        1.3.6.1.4.1.311.10.3.12 Document Signing
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    Monday, March 15, 2010 3:39 PM

Answers

  • Issue resolved.

    For the certificate template I created I had selected both "Microsoft Enhanced Cryptographic Provider v1.0" and "Microsoft Enhanced RSA and AES Cryptographic Provider" as available CSPs.

    Windows XP clients could only enroll using the former. Windows Vista and Windows 7 clients were able to enroll using either, but as the site always defaulted them to the MSE RSA/AES CSP, this is what they all used.

    My XP users could successfully use the certificates issued to them to sign documents in Office 2007. My Vista/7 users (including myself) received the error that I originally posted when attempting to sign documents in Office.

    All users were able to sign documents in other applications.

    I enrolled for a new certificate on Windows 7, but this time selected the MSECP v1.0 CSP and installed the new certificate. I was then able to successfully sign documents in Office 2007.

    Therefore, it would appear that Office 2007 is not compatible with certificates issued using the MSE RSA/AES CSP.

    • Marked as answer by Edward Teach Thursday, May 20, 2010 9:05 PM
    Thursday, May 20, 2010 9:05 PM

All replies

  • Does the client workstation on which you are trying to sign the document trust the CA certificate (is Windows able to verify your signing certificate if you double-click on it)?

    Also, have you tried signing in a non-MS Office application (e.g. Adobe Acrobat)?  Does it work there?

    Monday, March 15, 2010 7:00 PM
  • Hi,

    do you have the corresponding private key in your local profile? You can check by using certutil -store my 1c0891bb000000000005; you should see "Signature test passed". For more verbose output use certutil -v -store my 1c0891bb000000000005

    Regards

    Martin Rublik
    Tuesday, March 16, 2010 9:19 AM
  • Yes, all machines joined to our domain trust the CA the certificate was issued from.

    Yes, I can sign documents in Adobe Acrobat Pro v9.
    Tuesday, March 16, 2010 1:33 PM
  • Martin, this could be my problem, but I'm not sure why it would be happening. I can't think of a reason why the private key wouldn't be there. 

    Output of that command is as follows:

    CertUtil: -store command FAILED: 0x80090011 (-2146893807)
    CertUtil: Object was not found.
    Tuesday, March 16, 2010 1:47 PM
  • Try this instead:

    certutil -store -user my 1c0891bb000000000005


    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, March 16, 2010 2:04 PM
  • Which certificate template did you duplicate in order to create your certificate template?

    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, March 16, 2010 2:11 PM
  • Thanks, Paul. I get the full "Signature Test Passed" output when using that command.
    Tuesday, March 16, 2010 2:11 PM
  • Is the certificate actually stored on a smart card or is it a software-based certificate? When you duplicated the certificate template, did you create a 2003 or 2008 version template?

    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, March 16, 2010 2:30 PM
  • It is a software-based certificate. I created a 2003 version template.
    Tuesday, March 16, 2010 2:32 PM
  • Ok, what steps, exactly, are you using to attempt to sign the document, and where exactly in the process are you getting the error message?

    I've been able to get this to work with both a software based and smart card certificate. No issues.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, March 16, 2010 2:38 PM
  • I open Word 2007 with a new document. 

    I add some gibberish text to the document.

    I save the document to my desktop.

    From the ribbon menu, I select "Prepare -> Add a Digital Signature"

    The "Sign" dialog appears and has the correct certificate selected by default.

    I click the "Sign" button.

    I receive the error "Your signature could not be added to the document. If your signature requires a smart card, ensure that your card reader is installed correctly."
    Tuesday, March 16, 2010 2:44 PM
  • Can you run the following command and then paste the output that relates to the certificate you're trying to use:

    certutil -store -user my


    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, March 16, 2010 3:03 PM
  • BTW - I think you're rapidly approaching the point where your best bet is to open a case with PSS in order to get this resolved.


    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, March 16, 2010 3:11 PM
  • Paul, I'm working with a different certificate now than I was when I originally started this thread. I had revoked and reissued as a part of troubleshooting. But, here is the output you requested:

    C:\Users\username>certutil -store -user my 10e857e8000000000006
    my
    ================ Certificate 0 ================
    Serial Number: 10e857e8000000000006
    Issuer: CN=CA, DC=school, DC=edu
     NotBefore: 3/16/2010 9:53 AM
     NotAfter: 3/16/2011 9:53 AM
    Subject: E=username@school.edu, CN=LastName, FirstName, OU=4325, OU=4300, OU=Users, OU=FSA, DC=University, DC=school, DC=edu
    Non-root Certificate
    Template: SchoolDocumentSigning, School Document Signing
    Cert Hash(sha1): c1 1b d7 cb 59 37 1d c9 a4 9b 90 3d 70 b3 c8 60 78 d0 c2 f7
      Key Container = 9b97923f148d8e80a9367c602b2aee65_d1ec4be0-d847-4b88-aba6-de2f92953a2e
      Simple container name: le-SchoolDocumentSigning-c52d5fa8-a57d-410f-b159-ab77df0d4de0
      Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
    Signature test passed
    CertUtil: -store command completed successfully.
    Tuesday, March 16, 2010 3:21 PM
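    Added example, not code from the thread or from Microsoft: a PowerShell version of the check the replies run with certutil -store -user my, extended with the finding from the accepted answer. It lists the current user's certificates that carry the Document Signing EKU from the certutil output above, reports whether a private key is present and which CSP holds it, and flags keys held by the Microsoft Enhanced RSA and AES Cryptographic Provider. It assumes Windows PowerShell with the Cert: drive; the function name and the OfficeSignRisk field are my own.

```powershell
# Added example (not from the thread). Enumerates the current user's My store the way
# "certutil -store -user my" does, keeps certificates that carry the Document Signing
# EKU seen in the thread's output, reports whether a private key is present and which
# CSP holds it, and flags the CSP the accepted answer found Office 2007 cannot sign with.
# Assumes Windows PowerShell (Cert: drive); CNG or smart-card keys are reported as "CNG/unknown".
$DocSigningEku   = '1.3.6.1.4.1.311.10.3.12'      # OID from the thread's certutil -verify output
$IncompatibleCsp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

function Get-DocSigningCertReport {
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        # Collect EKU OIDs; a certificate without the Document Signing EKU is skipped.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        if ($ekus -notcontains $DocSigningEku) { return }

        # Resolve the provider that holds the private key. Legacy CSP keys expose
        # CspKeyContainerInfo; accessing a CNG-backed key may throw here.
        $provider = 'none'
        if ($cert.HasPrivateKey) {
            try {
                $key = $cert.PrivateKey
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider = $key.CspKeyContainerInfo.ProviderName
                } else {
                    $provider = 'CNG/unknown'
                }
            } catch {
                $provider = 'CNG/unknown'
            }
        }

        New-Object PSObject -Property @{
            Subject        = $cert.Subject
            SerialNumber   = $cert.SerialNumber
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            Provider       = $provider
            OfficeSignRisk = ($provider -eq $IncompatibleCsp)   # hypothetical field name
        }
    }
}

Get-DocSigningCertReport | Format-Table Subject, SerialNumber, HasPrivateKey, Provider, OfficeSignRisk -AutoSize
```

    A row with HasPrivateKey False reproduces the missing-key case Martin asked about; a row with OfficeSignRisk True matches the certificate the accepted answer had to re-enroll under Microsoft Enhanced Cryptographic Provider v1.0.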
  • This is about the only info I can find on the error that seems useful:

    http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.word.application.errors&tid=9cd63943-ca4f-4e7f-ab47-ad79c6df60f3&cat=&lang=&cr=&sloc=&p=1

    But would that apply to certificates created with AD Certificate Services?
    Tuesday, March 16, 2010 3:47 PM
  • Hi

    1-Request a new certificate from your CA
    2-Use your email address (the one you are using on that machine) [when you sign a certificate, you sign it using the account you are logged in with, this is the idea behind signing]
    3- install the issued certificate and make sure it is in your Certificate container under the certificate mmc (for the logged on user) this way the certificate is installed under your name, in your profile
    4-Make sure your CA is a trusted publisher...how? (open outlook, privacy options, trusted publisher. view the Trusted publisher certificate and make sure you have no warning all the way up to the root)
    Try signing again.

    To Remember: Always backup your certificates, always encrypt the (zipped, password protected) backup, store the backup offsite, and store the password in a very safe place. At last shutdown your CA and use your ICA to issue certificates

    Good luck

    Hany Eskarous

     

    Friday, March 19, 2010 5:34 AM
  • Hi, 

    I also get the same error msg when trying to sign any office product document.

    I have my own CA, which I installed the CRT from the local account in the trusted root CA

    then issued a certificate to one of my computers on the network

    I can still sign Adobe products, but when I go into the properties, it says my certificate is a part of an untrusted chain "Not really sure how to fix that"

    I'm not really sure what to do, both of my certificates pass the test, the issued cert to my computer does have a valid CRL and also an Authority Info Access.

     

    Any help would be greatly appreciated.

    Thanks.

    Thursday, April 29, 2010 6:19 AM
  • I have the same problem occurring in Word (can't sign), BUT...

    I am not the issuer of my certificate. It is issued by a CA, and I can't simply reissue it. Moreover, I get this:

    C:\Users\Zoran Babić>certutil -store -user my 3f1d6119
    my
    ================ Certificate 1 ================
    Serial Number: 3f1d6119
    Issuer: OU=RDC, O=FINA, C=HR
     NotBefore: 29.7.2008. 8:25
     NotAfter: 29.7.2010. 8:55
    Subject: CN=ZORAN BABIĆ 0.7668.8558.4, OU=OSOBNI, OU=RDC, O=FINA, C=HR
    Non-root Certificate
    Template:
    Cert Hash(sha1): bd 33 cf 3a 84 6f 3c cd 20 01 4f 67 6a 01 ec ba 24 01 e7 a8
      Key Container = {46374E66-F87E-4EDA-A61F-7EEB8D6A05E7}
      Provider = ActivClient Cryptographic Service Provider
    Private key is NOT exportable
    ERROR: Could not verify certificate public key against private key
    CertUtil: -store command completed successfully.

    MS doesn't know anything about this, saying the issue has nothing to do w/ them...

    Anyone?

    Wednesday, June 16, 2010 7:51 AM
  • Hello ZoranB,

    I'm having the same issue, the private key is on the HSM card (SafeNet) and is set to not exportable, have you found a solution?

    steve.

    Wednesday, July 21, 2010 9:05 AM
  • I have the same problem ActivClient 6.2 and Win7 +office 2010 apps. However signing office 2007 apps works fine with the same smartcard. Did you find any solutions?
    Tuesday, January 10, 2012 8:38 PM