Cannot decrypt message in Outlook Web Access with the S/MIME control when the recipient's digital certificate is missing from the local system


Problem description

To decrypt and read an encrypted e-mail message, an e-mail client that supports S/MIME is required. In addition, the e-mail client must be able to access the private key for the recipient's encryption certificate, either on the local computer or on a smart card; without that private key the message cannot be decrypted or displayed.

When a recipient attempts to read an encrypted e-mail message in Outlook Web Access on a computer that does not have the private key for the recipient's encryption certificate on the local computer or smart card, the following message is displayed at the top of the e-mail message:

This message can't be decrypted. If you have a smart card-based digital ID, insert the card and try to open the message again.

Resolution

To resolve this issue, make the private key for the recipient's encryption certificate available on the computer that is running Outlook Web Access. This can be done in one of three ways:

  • Use a smart card that contains the recipient's encryption certificate.

  • Install the recipient's encryption certificate into the personal certificate store on the Outlook Web Access computer as part of the digital certificate enrollment process.

  • Manually import the recipient's encryption certificate into the personal certificate store on the Outlook Web Access computer.

If users must be able to use S/MIME functionality with Outlook Web Access on multiple computers, it is recommended that smart cards be used to store the digital certificates. Smart cards simplify the process of making digital certificates available to multiple computers and are the preferred solution. By design, the digital certificates on a smart card are automatically copied to the personal certificate store on the computer when the smart card is inserted. This automatically makes the digital certificate available with minimal interaction from the user. In addition, because Outlook Web Access forces the digital certificates that are copied from smart cards to be purged when the user logs off Outlook Web Access, smart cards offer more control over the distribution of digital certificates with private keys and can be a more secure option than manually copying encryption certificates.

To install the encryption certificate as part of the enrollment process, you should check with the public key infrastructure (PKI) administrator to determine the enrollment process for your organization, and then use that process to install the recipient's encryption certificate in the personal certificate store on the Outlook Web Access computer.

Although it is possible to import the certificate manually, this practice is generally not recommended because of the complexity of the operation, and the possibility that the recipient's encryption certificate may not be exportable. To explore this option, you should check with the PKI administrator to determine if encryption certificates can be exported, and if this is allowed under your organization's security policy. If this is a viable option, you should obtain information from your PKI administrator regarding the process of exporting the encryption certificate. You should then see online Help in Certificate Manager on the destination computer regarding the process of importing the encryption certificate.
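Whichever of the three methods is used, the end state is the same: the personal certificate store of the user on the Outlook Web Access computer must hold a certificate for the recipient's e-mail address whose private key is present and usable for S/MIME encryption. The following PowerShell function is an added example (it is not part of the original article and is not a Microsoft tool) that checks exactly that on the computer where Outlook Web Access is used. It assumes Windows PowerShell with the .NET certificate classes available, that the encryption certificate uses an RSA key, and that the function name and its parameter are this example's own; the exportability field is reported only because the article notes that the key may not be exportable.

```powershell
# Added example: checks whether Cert:\CurrentUser\My holds a certificate that
# Outlook Web Access could use to decrypt S/MIME mail for the given address.
# Function name and parameter are assumptions of this example, not an existing tool.
function Test-SmimeDecryptionKey {
    param(
        [Parameter(Mandatory = $true)]
        [string]$EmailAddress
    )

    $secureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection ("Secure Email")
    $now = Get-Date

    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_

        # The address may be in the Subject or in the Subject Alternative Name;
        # GetNameInfo looks in both. Comparison is case-insensitive in PowerShell.
        $certEmail = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
        if ($certEmail -ne $EmailAddress) { return }

        # Key usage: S/MIME wraps the content-encryption key with the recipient's
        # public key, so the certificate must allow key encipherment. An absent
        # Key Usage extension places no restriction.
        $ku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $allowsKeyEncipherment = (-not $ku) -or
            (([int]($ku.KeyUsages -band
              [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)) -ne 0)

        # Enhanced key usage: an absent extension is unrestricted; if present it
        # should list Secure Email.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $secureEmail = (-not $eku) -or
            [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $secureEmailOid })

        # Exportability of the private key (RSA only, CNG or legacy CSP). Null means
        # the key is missing, not RSA, or the query failed.
        $exportable = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $exportable = ([int]($rsa.Key.ExportPolicy -band
                    [System.Security.Cryptography.CngExportPolicies]::AllowExport)) -ne 0
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            $exportable = $null
        }

        $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

        [pscustomobject]@{
            Thumbprint            = $cert.Thumbprint
            Subject               = $cert.Subject
            NotAfter              = $cert.NotAfter
            Valid                 = $valid
            HasPrivateKey         = $cert.HasPrivateKey
            AllowsKeyEncipherment = [bool]$allowsKeyEncipherment
            SecureEmailEku        = [bool]$secureEmail
            PrivateKeyExportable  = $exportable
            # This is the condition behind the "This message can't be decrypted" banner:
            # the certificate alone is not enough, the private key must be present.
            CanDecrypt            = ($cert.HasPrivateKey -and $allowsKeyEncipherment -and $valid)
        }
    }
}

# Usage (the address is a constructed sample):
# Test-SmimeDecryptionKey -EmailAddress 'recipient@example.com' | Format-List
```

If the function returns nothing, no certificate for that address is in the personal store at all, which points to the enrollment or import steps above. If it returns a certificate with HasPrivateKey set to False, the public certificate was imported without its private key, which is the case the banner in the problem description reports; with a smart card, run the check after inserting the card, since the article notes the certificate is copied into the store only at that point and purged again when the user logs off Outlook Web Access.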