Sign with certificate from windows certificate store

Hi,

I would like to use a certificate that is stored within the certificate store of Windows to sign outgoing emails with eM Client.

The certificate belongs to a smart card so I cannot export the certificate's private key into a p12-file and reimport that file into the certificate store of eM Client.

Outlook and Thunderbird have no problems using this certificate but it does not show up in the certificate store of eM Client.

Any ideas how to use certificates from Windows' own certificate store?

Peter

It won’t show in the list in Settings. That is only for certificates stored in eM Client.

But when you send a message from the address the certificate is registered to, as long as it is visible to the Windows Crypto API, you will be able to select it in the eM Client compose window.

Hi Gary,

I just tried to send an email somewhere. Here's the error message:

I switched the language of eM Client to English but the underlying OS is still German. "Die Sperrprüfung konnte keine Sperrprüfung für das Zertifikat durchführen." is in English: "The revocation check was not able to do a revocation check for this certificate". Not the brightest error message but this seems to indicate that eM Client found my certificate but tried to do a revocation check.

So how do I disable revocation checking?

Can I do this within eM Client or must I do so within Windows? Since the error message is in German while eM Client is using English as its language I assume that the German error message was produced by Windows.

Kind regards

Peter

Hi Gary,

This problem has been discussed already. Here are some quotes:

and

We produce our certificates with our own CA. They neither contain a revocation URL nor is an OCSP server available. We cannot revoke our certificates and hence Windows cannot check whether they were revoked.

Could you please tell me what function from the Windows cryptographic API is returning the error message "Die Sperrprüfung konnte keine Sperrprüfung für das Zertifikat durchführen." when eM Client uses this function to create the S/MIME signature. Is it a function that will select a certificate? Or is it a function that will create a signature? Is eM Client using some kind of cryptographic library that is available on different platforms or is eM Client using the Windows cryptographic API directly?

I understand that eM Client cannot be configured such that this error message will be avoided. So I must change the behavior of the Windows OS and this will be a lot easier if I know what exact routine from the cryptographic API is used by eM Client.

If nothing helps we must add a revocation URL to our certificates or add an empty revocation list to Windows somehow or create an OCSP server that will return an empty revocation list.

Kind regards

Peter

Yes, without a revocation check, you can’t use the certificate as it would be irresponsible for the application to allow you to use a revoked certificate.

PGP works differently and is not subject to the same checks, so using that rather than S/MIME may be a solution for you.

Hi Gary

We cannot use PGP since our certificates / private keys are stored on smart cards and hence are visible via the Windows certificate store only.

The problem here is that some part of the Windows OS is trying to do a revocation check with a CA that does not have a revocation list. There is no revocation URL in our certificates and this must be interpreted as if there were an empty revocation list without trying to fetch a revocation list from some OCSP server.

My impression is that Windows tries to fetch a revocation list. And since there is no revocation URL in our certificate this fails and an error message is returned to eM Client.

Maybe Windows should not deliver an error message if there is no revocation URL in a certificate.

Maybe it's correct that Windows delivers an error message when checking the revocation list failed but the caller of the Windows cryptographic API must ignore that error message if there was no revocation URL in the certificate.

Please tell me what function from the cryptographic API eM Client is using and I can do some more investigations about how to avoid this error message or convince you that eM Client should ignore such error messages for certificates without revocation URLs.

Kind regards

Peter
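To see for yourself whether the card's certificate carries any revocation pointers, and what Windows reports when it builds the chain with revocation checking switched on versus off, here is an added PowerShell example (my own, not eM Client's code and not from this thread). It assumes the certificate is in the CurrentUser\My store and that the thumbprint is a placeholder you replace.

```powershell
# Added example: inspect an S/MIME certificate in the Windows user store and
# build its chain with and without revocation checking, to confirm whether the
# failure comes from the revocation step (no CDP/AIA) rather than from
# certificate selection. Replace the placeholder thumbprint with the card's.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    # Fall back to the first certificate that has a private key and the
    # Secure Email EKU (OID 1.3.6.1.5.5.7.3.4).
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' })
        })
    } | Select-Object -First 1
}
if (-not $cert) { throw 'No S/MIME-capable certificate with a private key found in CurrentUser\My' }

# The two extensions Windows consults when looking for somewhere to fetch
# revocation data: CRL Distribution Points and Authority Information Access (OCSP).
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Has CDP    : $([bool]$cdp)"
"Has AIA    : $([bool]$aia)"

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# 1) Online revocation check on the whole chain. With no CDP/AIA anywhere in
#    the chain Windows cannot perform the check and reports
#    RevocationStatusUnknown / OfflineRevocation rather than "not revoked".
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
"Chain valid with revocation check: $($chain.Build($cert))"
foreach ($s in $chain.ChainStatus) {
    "  {0,-26} {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# 2) Same chain with revocation checking disabled. If this succeeds while (1)
#    fails, the certificate itself is fine and only the revocation step is
#    blocking the signature.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
"Chain valid without revocation check: $($chain.Build($cert))"
foreach ($s in $chain.ChainStatus) {
    "  {0,-26} {1}" -f $s.Status, $s.StatusInformation.Trim()
}
```

The English wording of the German message quoted above ("The revocation function was unable to check revocation for the certificate") is the text of CryptoAPI's CRYPT_E_NO_REVOCATION_CHECK result, which is what the RevocationStatusUnknown entries in the first chain build correspond to.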