How do I implement and test document signing with timestamp (XAdES-T) in Office 2010?

  • Question

  • I'm trying to test the new type of document signatures with timestamps in InfoPath 2010 and Word 2010, specifically XAdES-T. I'm able to sign documents successfully internally using a cert from our Enterprise PKI server running Windows 2008 R2 Enterprise, but the highest level the signature can reach is XAdES-EPES. I've configured the registry settings referenced on TechNet and in this blog:

    http://blogs.technet.com/b/office2010/archive/2009/12/08/digital-signitures-in-office-2010.aspx

    I'm even able to see the timestamp request go out of the NIC and come back successfully from the timestamp server in Wireshark (packet trapper). When trying to sign a Word document with the MinXAdESLevel set to "2" (XAdES-T), the following error occurs, even though I can see the request and reply come back successfully in Wireshark:

    "Signing cannot be completed due to problems applying the required timestamp. Check your network connection."

    I've seen a hotfix for Office 2010 that indicates this problem, but I'm running SP1, so when I tried to run the hotfix it said the update was already installed.

    Is there any other way to debug the actual issue? The error shown on screen is very generic.

    If I set the MinXAdESLevel to "1" I am able to get a signature, but its level is XAdES-EPES.

    -Ben


    • Edited by peacepenguin Wednesday, August 10, 2011 4:47 PM typo
    Wednesday, August 10, 2011 4:43 PM

Answers

  • Hi

    Thank you for using Microsoft Office for IT Professionals Forums.

    Which hotfix package have you installed?

    1. http://support.microsoft.com/kb/2459116

    2. http://support.microsoft.com/kb/2479789

    If this problem occurs on a specific computer, we can follow this method to troubleshoot:

    1. Start the Office program in Safe Mode. If the problem does not occur in Safe Mode, this issue might be related to some third-party add-ins in the Office program; we can try to disable them.

    2. Test this issue on another computer. If the problem does not occur on the other computer, this issue might be related to a corrupt Windows profile or the hotfix package not working.

    There are some related articles about digital signatures:

    "Plan digital signature settings for Office 2010"

    http://technet.microsoft.com/en-us/library/cc545900.aspx

    "Digital Signature Support in InfoPath 2010"

    http://blogs.msdn.com/b/infopath/archive/2010/02/18/digital-signature-support-in-infopath-2010.aspx

    Please take your time to try the suggestions and let me know the results at your earliest convenience. If anything is unclear or if there is anything I can do for you, please feel free to let me know.

    Sincerely

    William Zhou

    --------------------------------------------------------------------------------

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Thursday, August 11, 2011 9:04 AM

All replies

  • William, thanks for the suggestions. They didn't help, but good links either way.

    I found the problem on my side: I had the wrong root cert added to my trusted root certificate store, which results in the generic failure instead of informing the user of an untrusted cert, which would have been easy to troubleshoot. But anyway, in case someone else runs into it, here's how I found the correct certificate to add to my trusted store:

    I made a Word 2010 document that needed a signature applied. I set the MinXAdESLevel to "2" in the registry and pointed TSALocation to a valid timestamp server. I then began a Wireshark capture of my active NIC. Then I attempted to sign the document; it failed to apply to the document, but Wireshark did receive an HTTP response from the TSA. It was marked in Wireshark as "Protocol" -> "PKIXTSP", and the "Info" column reported "Reply". I selected the reply packet and looked through the content tree, under PKIX Time Stamp Protocol -> TimeStampToken -> SignedData -> certificates -> CertificateChoices. Then right-click the cert that appears there and click "Export Selected Packet Bytes"; I saved the resulting bytes as Certificate.CER onto the desktop.

    Then I imported the cert I saved to the desktop into my computer's Trusted Root Certification Authorities.

    Now the timestamp applies correctly. The problem was that the cert the TSA used when browsing to their site over HTTPS was different from the cert they used inside the TSA responder application.

    -Ben


    Monday, August 29, 2011 8:53 PM
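The Wireshark walk Ben describes (TimeStampResp -> timeStampToken -> SignedData -> certificates) done in code, as an added example that is not from this thread or from Microsoft: a small Python script that builds the RFC 3161 request Office sends to TSALocation and pulls the TSA's embedded signing certificate out of the reply, so the right cert can be saved as a .cer and its chain checked before anything is put in the trusted root store. The DER helpers and function names are my own, and the reply used in the check is a constructed skeleton, not real TSA output.

```python
import hashlib
OID_SHA256 = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (CMS SignedData)

def der(tag, body):
    """Encode one definite-length DER TLV."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(buf, pos=0):
    """Decode the TLV at pos -> (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """All (tag, value) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def build_tsq(data, nonce):
    """TimeStampReq (RFC 3161 2.4.1): version 1, SHA-256 imprint of data, a nonce
    against replayed replies, and certReq TRUE so the TSA embeds its signing cert."""
    alg = der(0x30, der(0x06, OID_SHA256) + der(0x05, b""))
    imprint = der(0x30, alg + der(0x04, hashlib.sha256(data).digest()))
    nonce_der = der(0x02, nonce.to_bytes((nonce.bit_length() + 8) // 8, "big"))
    return der(0x30, der(0x02, b"\x01") + imprint + nonce_der + der(0x01, b"\xff"))

def pki_status(tsr):
    """PKIStatus of a TimeStampResp: 0 granted, 1 grantedWithMods, 2 rejection, 3 waiting ..."""
    return int.from_bytes(children(children(tlv(tsr)[1])[0][1])[0][1], "big")

def tsa_certificates(tsr):
    """DER certificates embedded in the reply, walked the same way as the Wireshark tree:
    TimeStampResp -> timeStampToken (ContentInfo) -> SignedData -> certificates [0]."""
    parts = children(tlv(tsr)[1])
    if len(parts) < 2 or children(parts[1][1])[0][1] != OID_SIGNED_DATA:
        return []                                 # status-only reply (rejected) or not CMS SignedData
    explicit = children(parts[1][1])[1][1]        # [0] EXPLICIT wrapping the SignedData SEQUENCE
    fields = children(tlv(explicit)[1])
    cert_sets = [v for t, v in fields if t == 0xA0]   # certificates [0] IMPLICIT SET OF CertificateChoices
    return [der(t, v) for t, v in children(cert_sets[0]) if t == 0x30] if cert_sets else []
```

POST the bytes from build_tsq() to the TSALocation URL with Content-Type application/timestamp-query and hand the raw response body to tsa_certificates(); each returned blob is a DER certificate that can be written to a .cer file and compared by thumbprint with what is actually in the trusted root store. As Ben found, the cert that matters is the one inside the token, which need not be the TSA's HTTPS server certificate.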