S/MIME error when sending mail: certificate revocation check failed

eM Client Version: 9.2.1222 (ca10485) on macOS (M1 Max)

When I want to send an E-Mail with the certificate set up, the following error message is shown.
Translated roughly:
There is no valid S/MIME certificate or PGP key to sign for (The
certificate revocation check is incomplete).
Do you want to send this email without signature?

The macOS certificate dialog shows a valid green check mark, so I assume everything is fine / valid.

What can I do about this? - Apple Mail is able to sign and send mail with this certificate no problemo.
I also use eM Client on Windows with exactly the same certificate, which also works.

I wanted to provide screenshots, but I am not allowed to upload media on here. I hope, my issue gets clear.

S/MIME functions on a system of a central authority that maintains the validity of the keys. eM Client will check with the authority if the key has been revoked pretty much every time the key is used. If the key has been revoked, or it can’t be verified, you will not be able to use it.

It’s done through the system API, so there may be some issue with your OS, or access to the S/MIME authority is being blocked on your connection.

Hi @Gary!
Thanks for your response. I investigated a little bit further.
When I ask the Apple Security Framework, it returns the info, the certificate is valid:

security -v verify-cert -c smime.crt.pem -p smime
verify-cert "-c" "smime.crt.pem" "-p" "smime"
...certificate verification successful.

As I am not able to look into eM Client’s code here, I cannot what makes this fail.

Maybe as a little tip: I also tried to validate the cert for the ssl policy, which is obviously not valid:

security -v verify-cert -c smime.crt.pem -p ssl
verify-cert "-c" "smime.crt.pem" "-p" "ssl"
Cert Verify Result: Invalid Extended Key Usage for policy
No extended validation result found
Certificate Transparency (CT) status: not verified
Unable to find at least 2 signed certificate timestamps (SCTs) from approved logs

The error is “The certificate revocation check is incomplete”. eM Client is not able to validate the key with the issuer to ensure it has not been revoked.

@Gary from my understanding, the key does not need to get validated in any way.
It is the certificate that needs validation. Certificates get revoked using CRLs or OCSP. As to my knowledge, Apple Security Framework checks both if applicable.

The key needs to be validated every time it is used to ensure it has not been revoked. If it fails, it can’t be used.

@Gary maybe I need to explain differences between keys and certificates…
On a very simple level, a certificate consists of a public key, some metadata and a signature from the CA from which the certificate is obtained.
So if a CA revokes a certificate, there is a serial number in the metadata of such a certificate which gets put on a revocation list (CRL).
By the X.509 v2 standard (RFC 5280) a CRL does not contain any information about the public key.
(same with OCSP, the public key does not play any role here)

I hope now it gets clear what I mean by: this has nothing to do with the key.

The key needs to be validated every time it is used to ensure it has not been revoked. If it fails, it can’t be used.

It would be great to have a option in settings to skip CRL check / ignore fail.

Please note that currently you even get the said message when using a certificate which does not even have a CRL link set. So strictly speaking the CRL check should not be done cause there is no link in the certificate.

It is not possible. S/MIME certificates are managed by a central authority and need to be checked before they can be used. Otherwise there is no knowing if it has been revoked or not.

PGP on the other hand doesn’t have the same process, as they are not managed in that way. So that may be an option if you don’t want to allow access to the S/MIME authority.

a) the CA may not be one of those installed by default in the system, it can also be a custom CA
b) x509 certs without CRL link set are valid AFAIK and they work fine across outlook and thunderbird, also when checking the signature validity of incoming mail.
c) the published CRL may temporarily not reachable, you should still allow users to continue sending mail at their own risk

I’ve got a similar problem:
I’m testing with eM Client 10 (Beta) on Windows an the iOS Beta Client using the same certificates.

While on Windows signing an encryption works fine, on iOS tapping the certificate it says: Während der Zertifikatsüberprüfung ist ein Fehler aufgetreten: “Die Zertifikatswiderrufungsüberprüfung ist unvollständig.”.
In English sth. like: An error occurred during the certificate check: “The certificate revocation check is incomplete.”.

I don’t see, why it is incomplete.
Revocation URL is set in both, CA- and SMIME-certificate. CRL is online.