Cannot verify sender's digital signatures when the sender's root CA digital certificate is not present in the Local Computer certificate store of the recipient's Exchange server

Problem description

When a recipient views a digitally signed message in Outlook Web Access with the S/MIME control, the recipient's Exchange server performs the certificate validation on behalf of the recipient. For more information about this behavior, see Implementing and Maintaining the Outlook Web Access S/MIME Control. To validate a sender's digital signature, the recipient's Exchange server must first validate the sender's digital certificate, and that means validating the full certificate chain, so the server must have access to the appropriate digital certificates in the chain. At a minimum, the recipient's Exchange server must trust the root certification authority (CA) that issued the sender's signing certificate. The server trusts that root CA only when the digital certificate of the sender's root CA is present in the Trusted Root Certification Authorities folder in the Local Computer certificate store of the recipient's Exchange server.

If a recipient views a message signed using a certificate whose root CA is not present in the Trusted Root Certification Authorities folder in the Local Computer certificate store of the recipient's Exchange server, Outlook Web Access displays the following error message:

The digital ID was issued by an untrusted source.

Resolution

To resolve this issue, import the digital certificate for the sender's root CA into the Trusted Root Certification Authorities folder in the Local Computer certificate store of the recipient's Exchange server. For detailed steps, see How to Import the Digital Certificate for the Sender's Root CA into the Trusted Root Certification Authorities Folder in the Local Computer Certificate Store of the Recipient's Exchange Server. Importing the digital certificate for a root CA inherently grants trust to every digital certificate issued anywhere in that root CA's hierarchy. Organizations whose security policy prohibits granting trust this broadly will want to explore cross-certification strategies as an alternative. Confer with your PKI administrator for information about cross-certification. For information about how to implement cross-certification when using a Microsoft Windows Server™ 2003 CA, see "Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003."
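The following PowerShell script is an added example, not part of the original article or of Exchange itself: run on the recipient's Exchange server, it builds the chain for an exported copy of the sender's signing certificate, reports the UntrustedRoot condition behind the error message above, and imports the sender's root CA into the Local Computer Trusted Root store only after confirming that it is self-signed and that its thumbprint matches a value obtained from the PKI administrator. The file paths and the expected thumbprint are assumptions; replace them with your own values.

```powershell
# Added example (not from the original article). Assumed inputs: a .cer export of the
# sender's S/MIME signing certificate and the root CA certificate supplied out of band.
param(
    [string]$SenderCertPath         = 'C:\certs\sender-signing.cer',   # assumed path
    [string]$RootCertPath           = 'C:\certs\sender-root-ca.cer',   # assumed path
    [string]$ExpectedRootThumbprint = '<THUMBPRINT FROM PKI ADMINISTRATOR>'  # placeholder
)

$sender = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SenderCertPath

# Build the chain the way the server-side S/MIME validation does. The Exchange server
# consults the Local Computer store, which is why the root must be imported there.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$isValid = $chain.Build($sender)

if ($isValid) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Output "Chain is valid; trusted root CA: $($root.Subject) [$($root.Thumbprint)]"
    return
}

# List every status the chain builder recorded. UntrustedRoot is the condition behind
# "The digital ID was issued by an untrusted source."; other statuses (for example a
# revocation-check failure) are different problems and are not fixed by importing a root.
foreach ($s in $chain.ChainStatus) {
    Write-Output "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
}
if (-not ($chain.ChainStatus | Where-Object { $_.Status -eq 'UntrustedRoot' })) { return }

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath

# Only a self-signed certificate belongs in Trusted Root, and only one whose thumbprint
# was confirmed out of band: importing a root trusts every certificate it ever issues.
if ($root.Subject -ne $root.Issuer) { throw "$RootCertPath is not a self-signed root certificate" }
if ($root.Thumbprint -ne $ExpectedRootThumbprint) { throw "Root thumbprint $($root.Thumbprint) does not match the expected value" }

$present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($present) {
    Write-Output 'Root CA already in LocalMachine\Root; check the intermediate CA certificates instead.'
} else {
    # Import-Certificate comes with the PKI module (Windows Server 2012 and later); on
    # older servers the equivalent is:  certutil -addstore Root $RootCertPath
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Output "Imported $($root.Subject) into LocalMachine\Root; re-run this script to confirm the chain now builds."
}
```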