Outlook 2016 insists that I "have no certificates which can be used to send from your email address", but I have two...

  • Question

  • Outlook 2016 is refusing to let me digitally sign an email, saying:

    "Microsoft Outlook cannot sign or encrypt this message because you have no certificates which can be used to send from your email address."

    Yet, I have two such certificates, each of which contains a SubjectAltName containing:

    "RFC822 Name=libove@felines.org"
    (libove@felines.org is the email address from which I'm trying to send the message, as which I'm trying to sign the message).

    Enhanced Key Usage for these certificates includes:

    Secure Email (1.3.6.1.5.5.7.3.4)
    Client Authentication (1.3.6.1.5.5.7.3.2)

    So, why, really, is Outlook refusing to allow me to use these certificates to sign emails?

    thank you,
    Jay Libove, CISSP, CIPP/US, CIPT, CISM

    Thursday, April 26, 2018 6:25 AM

All replies

  • Hi Jay Libove,

    Please check the certificate status via the following steps.

    1. Go to File > Options > Trust Center > Trust Center Settings > Email Security.

    2. Under Encrypted email, click Settings.

    3. In the Change Security Settings window, click Choose next to "Encryption Certificate". A Windows Security window should be prompted; select "Click here to view certificate properties".

    4. Check whether the Certificate status is OK in the Certificate Path tab.

    5. Under the General tab, make sure the certificate is valid and not expired.

    If the issue continues, we could create the following registry key to check the result.

    (Important: Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

    Please refer to this article about how to back up and restore the registry in Windows.)

    1. Click Start, click Run, type regedit in the Open box, and then click OK.

    2. Locate the following registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security

    3. If a Security registry key does not exist, create a new key.

    4. Right-click the Security key, click New, and then click DWORD Value.

    5. Type SupressNameChecks, and then press ENTER.

    6. Set the value to 1.

    What's more, if the suggestion above doesn't work, we may try re-importing the digital ID to your Outlook.

    Any updates, please feel free to tell me.

    Regards,

    Perry


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    • Edited by Perry-Pan Friday, April 27, 2018 5:41 AM
    • Proposed as answer by Perry-Pan Saturday, April 28, 2018 4:22 AM
    • Unproposed as answer by Jay Libove Monday, April 30, 2018 8:44 AM
    • Proposed as answer by acontrario Friday, November 30, 2018 3:40 PM
    • Unproposed as answer by Jay Libove Friday, November 30, 2018 6:47 PM
    Friday, April 27, 2018 5:34 AM
  • Hi Jay Libove,

    Any updates with this issue?

    Please feel free to tell me if you need further assistance.

    Regards,

    Perry



    Monday, April 30, 2018 6:34 AM
  • I did NOT make any of the changes you described.

    Instead, I set default email encryption options (default signing profile) to be exactly the same as what Outlook refused to let me use when I set it individually for one message and now it will sign.

    Yet more poor quality, inconsistent user experience, from Microsoft.

    By the way, do NOT mark your own posts as answers! That's not up to you. It's up to us, the customers, the users, to decide whether you've helped us or whether you're correct!

    • Proposed as answer by Perry-Pan Monday, April 30, 2018 8:46 AM
    Monday, April 30, 2018 8:44 AM
  • Hi Jay Libove,

    So glad to see that your issue has been solved.

    The proposed answer is different from the final answer which only gives a reference to users. As we didn’t hear from you for several days, I mark the reply as a proposed answer in case it is helpful to other forum members.

    Thank you for sharing the fix here which will benefit other users a lot.

    By the way, it's recommended to mark your reply as the answer so that they can easily and quickly find the useful reply here and this case could be closed. Thank you for your understanding.

    Have a nice day!

    Regards,

    Perry



    • Edited by Perry-Pan Monday, April 30, 2018 9:02 AM
    Monday, April 30, 2018 8:46 AM
  • Hi Jay Libove,

    Thank you for sharing the fix here. Hope that my reply won't bother you.

    Would you mind marking your reply as answer so that it will benefit other users in this forum a lot and this case could be closed? 

    Thank you for your understanding and support. Have a nice day!

    Regards,

    Perry



    Wednesday, May 2, 2018 1:15 AM
  • No, I won't mark anything as an answer, and you'd best not either.

    I was incorrect. The problem was not "solved" by setting up the defaults for how signing would be carried out. I un-did the default settings, and still was able to sign a sent email.

    So, the real problem was transient - "Microsoft Outlook 2016 is unreliable".

    There's no solution for that.

    Wednesday, May 2, 2018 5:05 AM
  • Hi

    I saw you mentioned that you haven't tried the suggestion above. It was reported by many users to be useful if you get those certificate error messages. If it is convenient for you, you could try them to check the result.

    Regards,

    Perry


    • Edited by Perry-Pan Thursday, May 3, 2018 1:06 AM
    Thursday, May 3, 2018 1:04 AM
  • Hi Perry. Nice workaround. The registry hack worked for me. My question is how can I validate the "Droid" (i.e. Name) that Outlook is looking for. What is the name it's trying to validate? I'd rather not turn off any security checking.

    BEGIN RANT

    This process is actually easier under Linux.

    I think that for a normal user just trying to do basic personal email encryption and signing with a self generated cert, this is a real tremendous pain in the a$$.

    Running Windows 10 Home I had to use PowerShell to generate a cert. I thought I had all the LDAP CN stuff right, but obviously not and now I needed a registry hack to make the cert work.

    I mean really this should be as simple as a one click operation included with the base OS, not something that I pay $10 a month forever to get a cert just to make sure Harry the hacker can't read my emails to mom.

    END MICRO$OFT BASHING RANT

    Thursday, December 5, 2019 2:52 AM
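
For the last question above (which name a certificate carries) and the status checks in Perry's first reply, a read-only PowerShell check, added here as an example and not posted by anyone in the thread: it lists each certificate in the current user's Personal store with the e-mail address it carries, whether that matches the sending address, and its EKU, validity and chain state. The `$Sender` default is a placeholder, and the script assumes the signing certificate is in `Cert:\CurrentUser\My`.

```powershell
# Added example: read-only inventory of the current user's certificates,
# reporting the properties discussed in this thread. It changes nothing.
param(
    # Assumption: placeholder; pass the address of the sending account.
    [string]$Sender = 'user@example.org'
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$secureEmailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email EKU, as quoted in the question
$emailName = [Enum]::Parse([type]"$x509.X509NameType", 'EmailName')
$noRevocation = [Enum]::Parse([type]"$x509.X509RevocationMode", 'NoCheck')

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Address carried by the certificate: the first RFC822 name in the
    # SubjectAltName, otherwise the e-mail attribute of the subject.
    $address = $cert.GetNameInfo($emailName, $false)

    # Raw SubjectAltName text (2.5.29.17); the "RFC822 Name=" label is localized.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

    # EKU OIDs (2.5.29.37); with no EKU extension the purpose is unrestricted.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    # Build the chain without revocation lookups so the check works offline.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = $noRevocation
    $chainOk = $chain.Build($cert)

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        CertAddress    = $address
        AddressMatch   = ($address -ieq $Sender)
        SubjectAltName = $san
        SecureEmailEku = (-not $ekuExt) -or ($ekuOids -contains $secureEmailOid)
        HasPrivateKey  = $cert.HasPrivateKey
        InValidity     = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        ChainOk        = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
} | Format-List
```

A self-generated certificate whose issuer is not in a trusted root store shows `ChainOk : False` with `UntrustedRoot`, and a certificate with `AddressMatch : False` carries a different address than the one being sent from.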