Cannot verify sender's digital signatures when the sender's intermediate CA digital certificates do not provide authority information access and are not present in Local Computer certificate store of recipient's Exchange server

 

Problem description

The recipient's Exchange server verifies the sender's digital signature by validating the full certificate chain of the sender's digital certificate. In addition to the digital certificate for the root CA, the recipient's Exchange server also validates the digital certificates for any intermediate CAs.

Issuing CAs can choose to make intermediate CA certificates available for download by providing authority information access in the digital certificates that they issue. The recipient's Exchange server can then use the authority information access data when validating the sender's certificate chain on behalf of the recipient.

If the issuing CA does not provide authority information access, the recipient's Exchange server must have the intermediate CA certificates in the Intermediate Certification Authorities folder in its Local Computer certificate store.

If a recipient views a message signed using a certificate that does not provide authority information access, and the intermediate certificates are not present in the Intermediate Certification Authorities folder in the Local Computer certificate store of the recipient's Exchange server, Outlook Web Access displays the following error message:

The digital ID was issued by an untrusted source.
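
To confirm that a given sender certificate matches the condition described above, the following check can be run on the recipient's Exchange server. It is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later is available on the server and that the sender's certificate has been exported to a .cer file. The function name and the file path are hypothetical.

```powershell
# Added example (not from the original article). The .cer path is a placeholder.
function Test-SenderCertChain {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # 1. Does the certificate carry an Authority Information Access extension?
    #    (extension OID 1.3.6.1.5.5.7.1.1)
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }

    # 2. Is the issuer's certificate already in Local Computer\Intermediate
    #    Certification Authorities (store name "CA")? Compare the encoded
    #    names rather than the display strings.
    $issuerName = [Convert]::ToBase64String($cert.IssuerName.RawData)
    $inStore = @(Get-ChildItem Cert:\LocalMachine\CA | Where-Object {
        [Convert]::ToBase64String($_.SubjectName.RawData) -eq $issuerName
    })

    # 3. Build the chain in machine context ($true), so the Local Computer
    #    stores are used rather than the current user's.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep CRL problems out of the result
    $built = $chain.Build($cert)

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        HasAIA          = [bool]$aia
        AIA             = if ($aia) { $aia.Format($false) } else { $null }
        IssuerInCAStore = $inStore.Count -gt 0
        ChainBuilt      = $built
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Test-SenderCertChain -Path 'C:\Temp\sender.cer'   # placeholder path
```

A result with HasAIA and IssuerInCAStore both False corresponds to the condition this article describes. If the sender's certificate was issued directly by a root CA, IssuerInCAStore is False for a different reason, because root certificates are kept in a separate store.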

Resolution

To resolve this issue, see How to Import the Digital Certificate for the Sender's Intermediate CAs into the Intermediate Certification Authorities Folder in the Local Computer Certificate Store of the Recipient's Exchange Server.