can I digitally sign a document with a certificate store in active directory?

  • Question

  • We have a CA and I have configured a group of test users to have user certificates autoenrolled to them and be stored in AD.  I have made the private key exportable and the cert is valid for client authentication and code signing.  When I open the certificate MMC snap-in, I can verify that the cert is there, but it does not show up as an option when I try to digitally sign a Word document.  I have also tried to save the cert to a file and import it into my personal certificate store, but it still does not show up as a cert when I try to sign my document.

    I did notice that when I exported the cert to a file, it did not ask me if I wanted to export the private key.  But I have verified that the template does have "allow private key to be exported?" enabled.

    Tuesday, May 10, 2011 2:09 PM

Answers

  • From what I have read, only the public key gets stored in AD, allowing other members of the domain to trust your signed documents.  I went ahead and made a GPO that would generate a digital signature each time any user logs onto a machine if they don't already have one.  If I'm wrong, and a cert stored in AD should allow a user to sign a doc from any PC in the domain, I never figured out how to make it work.
    • Marked as answer by dang1414 Monday, August 1, 2011 6:55 PM
    Monday, August 1, 2011 6:54 PM

All replies

  • Based on the information here, it sounds as though the certificate import had some issues and may have led to the keyset not being bound. Have you tried repackaging the certificate? Also, have you tested a different type of certificate, or even a SelfCert, to verify it's the certificate and not Word or Windows?

    Also, have you tried using CertUtil to extract the private key?


    Thanks!
    Adrian
    Microsoft Online Community Support

    • Marked as answer by Sally Tang Friday, May 20, 2011 8:47 AM
    • Unmarked as answer by dang1414 Monday, August 1, 2011 6:54 PM
    Friday, May 13, 2011 1:08 PM
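The two replies above come down to the same diagnostic question: does the certificate in the user's Personal store actually have a private key bound to it, and does it carry a signing usage? The following PowerShell is an added example, not code from either poster, to check exactly that on the affected workstation. The EKU OIDs are the standard Microsoft Document Signing and Code Signing values; the `certutil -repairstore` line at the end is the usual way to re-bind an orphaned key and is shown as a suggestion, not as something the thread confirmed fixed this case.

```powershell
# Added example (not from the thread): list every certificate in the user's
# Personal store and show the properties that decide whether Word can offer
# it for signing: a bound private key and the Enhanced Key Usages granted
# by the template.

$store          = 'Cert:\CurrentUser\My'
$docSigningOid  = '1.3.6.1.4.1.311.10.3.12'   # Microsoft Document Signing EKU
$codeSigningOid = '1.3.6.1.5.5.7.3.3'         # Code Signing EKU

Get-ChildItem $store | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs, if the certificate has an EKU extension at all.
    $ekus = @()
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) {
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        # $false here means the store entry is not linked to a key container,
        # which is the "keyset not bound" condition described in the reply.
        HasPrivateKey  = $cert.HasPrivateKey
        DocSigningEKU  = $ekus -contains $docSigningOid
        CodeSigningEKU = $ekus -contains $codeSigningOid
        AnyEKU         = ($ekus.Count -gt 0)
    }
} | Format-Table -AutoSize

# If HasPrivateKey is $false for the autoenrolled certificate, try to re-link
# the store entry to the key the CSP still holds, running as that user:
#   certutil -user -repairstore My <Thumbprint>
# Replace <Thumbprint> with the value printed above for the affected cert.
```

A certificate that shows `HasPrivateKey = True` but still does not appear in Word is a template or usage problem rather than a binding problem; one that shows `False` after a PFX import is consistent with the export having carried only the public half, which matches the observation that no private-key prompt appeared during export.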