Digital Certificate sign/encrypt but not Open Outlook Message

  • Question

  • Dear,

    I'm working on a VSTO solution to encrypt and sign messages. I have a V3 Certificate based on an A3 Token CSP.

    I can send encrypted and signed messages to anyone but not to myself. The Certificate is OK, since I had opened encrypted messages sent to me.

    The problem is when I open an encrypted message sent to myself, Outlook says something like (translated from PT-BR): "the name of your digital ID was not found by the adjacent security system". 

    The error code is 0x80090020

    It's weird since:

    1- I have the CER file into my own CONTACT record.

    2-I have CER files into STORES (Personal.MY, LocalMachine.MY, Personal.TrustedPeople, LocalMachine.TrustedPeople)

    3- In my Token CSP I cannot export a PFX/P12 file. My token does not export "private keys".

    So, how can I see messages that I send to others with a carbon copy to myself? Is it impossible?

    Thanks a lot for any help.

    Thursday, May 24, 2018 8:08 PM

All replies

  • Hi David,

    Can you open the encrypted messages from Sent Item folder?

    We could try to recreate your contact record and then re-add the certificate to check the result.

    Besides, can you open encrypted email on the web mail?

    Any updates, please feel free to tell me.




    Friday, May 25, 2018 7:42 AM
  • Hi Perry,

    I appreciate your efforts to help me. Let's see what is going on here and NO, I cannot open the message in SENT folder. The same error I get when I received the message (in case I'm in CC).

    1- I deleted my own contact and recreated it, importing my own certificate. No results.

    2- I cannot open the p7m file in Gmail Web because it does not provide support to S/MIME in my account (not a Gsuite, just a single personal one).

    3- I sign mails in Outlook normally. I encrypt them to other accounts (Self-Signed accounts I had created here) and open it normally. But, if I try to REPLY the same message, Outlook reports that my GMAIL account has no certificate, what is wrong: the certificate should be there in my Contact record since I had created it manually thru CONTACTS.

    4- In a NEW message if clicked over my own name and try to edit, I haven't this option (like my name is not in CONTACTS). But in REPLY of the message sent at step 3, I can see ADD TO CONTACTS. I performed it again and Outlook says "there is another contact, what do you want to do (add or join)".

        I added a NEW record and imported again my certificate (.CER).

    5- If I try to encrypt the Reply Message (see step 3) I got "there is no Certificate". If I click again over the Recipient name (my own box and the same which sent the mail, and Resolved by Outlook) and cannot see the EDIT INFO, but only ADD TO CONTACT.  Weird since I did it exactly seconds before!

    6- Just to see if the problem is in Outlook, I entered my VSTO and tried to search my Record and Certificate using my own code using the below function - it functions all the time 100%. But this time, I got NULL, which means my records and/or my certificate was not found (but the Recip name IS resolved!):

         ' Read PR_USER_X509_CERTIFICATE (tag 0x3A70, multi-valued binary type 0x1102) from each resolved recipient
         For Each recip As Microsoft.Office.Interop.Outlook.Recipient In mail.Recipients
             If recip.Resolve() = True Then
                 Dim X5092 As System.Security.Cryptography.X509Certificates.X509Certificate2 = Nothing
                 Dim TheCert As Object = recip.AddressEntry.PropertyAccessor.GetProperty("http://schemas.microsoft.com/mapi/proptag/0x3A701102")
                 If TheCert IsNot Nothing Then
                     ' First value of the multi-valued property: the certificate entry stored on the contact
                     Dim CertBytes() As Byte = TheCert(0)
                 End If
             End If
         Next recip

    So, after all these steps I conducted an external Maintenance (see Maintenance PST) and performed the same above steps, but with the same results.

    My own Certificate is a Certisign based on Gemalto SafeNet A3 Token and it's utilized normally without any problem outside Outlook. I utilize it to Govern accesses, signing and even encryption - but all of them outside Outlook.

    So, the problem seems based on how Outlook operates on Certificates. I tried to find documentation to understand it without any useful result. For instance, Outlook does not "see" the Stores, it adds each Certificate in a custom format of each Contact's record and I can see (thru my VSTO) that certificate is appended in Contact record with some bytes BEFORE and AFTER the Certificate itself (non-documented bytes). I utilize the above function to return the Contact's Certificate.

    My Certificate is authorized to SEND MAILS and CLIENT AUTHORIZATION and my e-mail is the same, either in Outlook as within it (david.svaiter@gmail.com).  

    One important point:

    When I add my Certificate in TrustCenter I only see encryption algorithms 3DES and RC2 - but my Certificate shows RSA/AES256. And I cannot change it to AES (I don't see this option).  But, in my Self-Signed Certificates (for testing purposes) I can see AES and other SHA modes.

    I'm sorry for this long message but I'm really crazy here. How can I see my own messages sent to myself if encrypted by Outlook?

    • Edited by David BenS Friday, May 25, 2018 3:45 PM
    Friday, May 25, 2018 3:40 PM
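
Added example, not part of the original thread or anyone's posted code: opening your own encrypted mail needs a certificate for your address that Windows associates with a private key, so this PowerShell sketch lists, for each store named in the question, what every matching certificate reports. The function name `Get-SmimeDecryptReadiness` and its parameters are hypothetical; the address passed in is whatever mailbox you are checking.

```powershell
# Added example: report S/MIME-relevant properties of certificates for one address.
# Function and parameter names are hypothetical, chosen for this illustration.
function Get-SmimeDecryptReadiness {
    param(
        [Parameter(Mandatory)] [string] $EmailAddress,
        # The four stores listed in the question (Personal = "My").
        [string[]] $StorePaths = @(
            'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My',
            'Cert:\CurrentUser\TrustedPeople', 'Cert:\LocalMachine\TrustedPeople')
    )
    $secureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection ("Secure Email")
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName

    foreach ($path in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            # E-mail from the subject or subjectAltName; skip other people's certificates.
            if ($cert.GetNameInfo($nameType, $false) -ne $EmailAddress) { continue }

            $ku  = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

            [pscustomobject]@{
                Store          = $path
                Thumbprint     = $cert.Thumbprint
                # False for a copy imported from a bare .cer file: it carries no key link.
                HasPrivateKey  = $cert.HasPrivateKey
                # Encrypting to an RSA key normally relies on KeyEncipherment.
                KeyUsages      = if ($ku) { $ku.KeyUsages } else { 'extension not present' }
                SecureEmailEku = if ($eku) {
                    @($eku.EnhancedKeyUsages | ForEach-Object Value) -contains $secureEmailOid
                } else { 'no EKU extension' }
                NotAfter       = $cert.NotAfter
            }
        }
    }
}

# Usage: Get-SmimeDecryptReadiness -EmailAddress '<your mailbox address>' | Format-Table -AutoSize
```

Rows with `HasPrivateKey` equal to `False` can be used to encrypt to that address but not to decrypt; run it with the token inserted so that any certificates the token middleware registers in the user store are included.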