Question about keyusage: digitalSignature

On 16-03-16 09:43, Stefan Michael Guenther wrote:

Hello,

in our Ciphermail installation I have two certificates for my email address: One created by StartSSL and one created by the CA of Ciphermail .

The StartSSL certificate lists as KeyUsage "keyEncipherment, dataEncipherment, digitalSignature" and the local CA "keyEncipherment, digitalSignature".

But in the user profile, when I choose "S/MIME -> signing certificate" the system only offers the local certificate.
Even in an account that only has the StartSSL certificate, this is not offered for signing.

What could be the reason for that?

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

Twitter: http://twitter.com/CipherMail

--------------------------------------------------------------------
On this page, certificates can be imported. In most cases, imported
certificate are the certificates of external recipients or, certificates
from trusted CAs (intermediate and root certificates). Multiple
certificates can be imported at the same time from a pem or p7b encoded
file.
--------------------------------------------------------------------

If read, this implies that NO key gets imported as PKCS7 does not
contain it. What fixes this is "Import Private Keys". And this is where
the GIU is misleading. The help text reads:

--------------------------------------------------------------------
On this page, private keys and their associated certificates can be
imported. In most cases, imported keys and the associated certificates
are for internal users only. The keys are used for S/MIME signing of
outgoing email and for the decryption of incoming S/MIME encrypted
email. Keys from password protected pfx or p12 files can be imported.
--------------------------------------------------------------------

Bingo. Here PKCS12 files containing the certificate AND the key can be
imported and not only keys. Misleading is that "Import Private Keys"
does not only import keys but also certificates. Doing so fixed every
thing. The imported certificate could now be used for signing:

Private Key Available true
Private Key Accessible true

I suggest to allow PKCS12 in "Import certificates" also. This seems to
me to be more consistent. All CAs I know ship their s/MIME certificates
as PKCS12. I can't imagine any use case for importing a key for a s/MIME
certificate separately.

IMHO "Import Private Keys" has a minor bug. My PKCS12 files also contain
the complete certificate chain. The root and intermediate certificate
also get imported in "Certificates" instead into "Roots" where they IMHO
belong. I've imported the root and intermediate certificate into
"Roots", but I'm not sure if this is necessary or correct. At least it
was no harm.

Regards
Matthias

Am 16.03.2016 um 09:43 schrieb Stefan Michael Guenther:

Hello,

in our Ciphermail installation I have two certificates for my email address: One created by StartSSL and one created by the CA of Ciphermail .

The StartSSL certificate lists as KeyUsage "keyEncipherment, dataEncipherment, digitalSignature" and the local CA "keyEncipherment, digitalSignature".

But in the user profile, when I choose "S/MIME -> signing certificate" the system only offers the local certificate.
Even in an account that only has the StartSSL certificate, this is not offered for signing.

What could be the reason for that?

Regards,

Stefan

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users

--

MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany

voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: info(a)mhcsoftware.de

HR Coburg: B2242
Geschäftsführer: Matthias Henze

On 16-03-16 11:11, Matthias Henze wrote:

Am 16.03.2016 um 09:43 schrieb Stefan Michael Guenther:

Hello,

in our Ciphermail installation I have two certificates for my email
address: One created by StartSSL and one created by the CA of
Ciphermail .

The StartSSL certificate lists as KeyUsage "keyEncipherment,
dataEncipherment, digitalSignature" and the local CA "keyEncipherment,
digitalSignature".

But in the user profile, when I choose "S/MIME -> signing certificate"
the system only offers the local certificate.
Even in an account that only has the StartSSL certificate, this is not
offered for signing.

What could be the reason for that?

Regards,

Stefan

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

Twitter: http://twitter.com/CipherMail

On 16/03/16 11:32, Martijn Brinkers wrote:

On 16-03-16 11:11, Matthias Henze wrote:

Hi,

Stefan asked on my behalf. The problem was the misleading GUI and
reading the texts also helped. The first, wrong, try was to import the
certificate with "Import certificates" where the help text reads:

--------------------------------------------------------------------
On this page, certificates can be imported. In most cases, imported
certificate are the certificates of external recipients or, certificates
from trusted CAs (intermediate and root certificates). Multiple
certificates can be imported at the same time from a pem or p7b encoded
file.
--------------------------------------------------------------------

If read, this implies that NO key gets imported as PKCS7 does not
contain it. What fixes this is "Import Private Keys". And this is where
the GIU is misleading. The help text reads:

--------------------------------------------------------------------
On this page, private keys and their associated certificates can be
imported. In most cases, imported keys and the associated certificates
are for internal users only. The keys are used for S/MIME signing of
outgoing email and for the decryption of incoming S/MIME encrypted
email. Keys from password protected pfx or p12 files can be imported.
--------------------------------------------------------------------

Bingo. Here PKCS12 files containing the certificate AND the key can be
imported and not only keys. Misleading is that "Import Private Keys"
does not only import keys but also certificates. Doing so fixed every
thing. The imported certificate could now be used for signing:

Private Key Available true
Private Key Accessible true

I suggest to allow PKCS12 in "Import certificates" also. This seems to
me to be more consistent. All CAs I know ship their s/MIME certificates
as PKCS12. I can't imagine any use case for importing a key for a s/MIME
certificate separately.

I could have named it "import keys and certificates" but this would have
been too long and misleading as well It's hard to come up with an
interface that everyone agrees on. I have been thinking of merging the
import keys and import certificates into one "import certificates" page.
The "problem" might be that users think they need to enter a password
when they only want to import a public key. But, I think it's a good
idea to merge the two pages into just one.

IMHO "Import Private Keys" has a minor bug. My PKCS12 files also contain
the complete certificate chain. The root and intermediate certificate
also get imported in "Certificates" instead into "Roots" where they IMHO
belong. I've imported the root and intermediate certificate into
"Roots", but I'm not sure if this is necessary or correct. At least it
was no harm.

This is certainly no bug. It's intended behavior. You do not want the
system to automagically import root certificates without admin approval.
Since you do not know what certs are in the PKCS12 file, the gateway
cannot just import the roots into the root store. If the gateway would
have skipped roots (i.e., do not import into the certificates store) you
would not be able to import the roots into the root store later. Of
course I could have added a complicated screen which allows you to see
what you are importing etc. but this has it's own problems. Therefore
all new certs are imported into the certificates store. When I merge the
import key and import certs into one page, there will be an option which
allows you to skip importing roots.

Kind regards,

Martijn Brinkers

Am 16.03.2016 um 09:43 schrieb Stefan Michael Guenther:

Hello,

in our Ciphermail installation I have two certificates for my email
address: One created by StartSSL and one created by the CA of
Ciphermail .

The StartSSL certificate lists as KeyUsage "keyEncipherment,
dataEncipherment, digitalSignature" and the local CA "keyEncipherment,
digitalSignature".

But in the user profile, when I choose "S/MIME -> signing certificate"
the system only offers the local certificate.
Even in an account that only has the StartSSL certificate, this is not
offered for signing.

What could be the reason for that?

Regards,

Stefan

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users

On 16-03-16 11:42, Christian Herndler wrote:

On 16/03/16 11:32, Martijn Brinkers wrote:

On 16-03-16 11:11, Matthias Henze wrote:

Hi,

Stefan asked on my behalf. The problem was the misleading GUI and
reading the texts also helped. The first, wrong, try was to import the
certificate with "Import certificates" where the help text reads:

--------------------------------------------------------------------
On this page, certificates can be imported. In most cases, imported
certificate are the certificates of external recipients or, certificates
from trusted CAs (intermediate and root certificates). Multiple
certificates can be imported at the same time from a pem or p7b encoded
file.
--------------------------------------------------------------------

If read, this implies that NO key gets imported as PKCS7 does not
contain it. What fixes this is "Import Private Keys". And this is where
the GIU is misleading. The help text reads:

--------------------------------------------------------------------
On this page, private keys and their associated certificates can be
imported. In most cases, imported keys and the associated certificates
are for internal users only. The keys are used for S/MIME signing of
outgoing email and for the decryption of incoming S/MIME encrypted
email. Keys from password protected pfx or p12 files can be imported.
--------------------------------------------------------------------

Bingo. Here PKCS12 files containing the certificate AND the key can be
imported and not only keys. Misleading is that "Import Private Keys"
does not only import keys but also certificates. Doing so fixed every
thing. The imported certificate could now be used for signing:

Private Key Available true
Private Key Accessible true

I suggest to allow PKCS12 in "Import certificates" also. This seems to
me to be more consistent. All CAs I know ship their s/MIME certificates
as PKCS12. I can't imagine any use case for importing a key for a s/MIME
certificate separately.

I could have named it "import keys and certificates" but this would have
been too long and misleading as well It's hard to come up with an
interface that everyone agrees on. I have been thinking of merging the
import keys and import certificates into one "import certificates" page.
The "problem" might be that users think they need to enter a password
when they only want to import a public key. But, I think it's a good
idea to merge the two pages into just one.

IMHO "Import Private Keys" has a minor bug. My PKCS12 files also contain
the complete certificate chain. The root and intermediate certificate
also get imported in "Certificates" instead into "Roots" where they IMHO
belong. I've imported the root and intermediate certificate into
"Roots", but I'm not sure if this is necessary or correct. At least it
was no harm.

This is certainly no bug. It's intended behavior. You do not want the
system to automagically import root certificates without admin approval.
Since you do not know what certs are in the PKCS12 file, the gateway
cannot just import the roots into the root store. If the gateway would
have skipped roots (i.e., do not import into the certificates store) you
would not be able to import the roots into the root store later. Of
course I could have added a complicated screen which allows you to see
what you are importing etc. but this has it's own problems. Therefore
all new certs are imported into the certificates store. When I merge the
import key and import certs into one page, there will be an option which
allows you to skip importing roots.

Kind regards,

Martijn Brinkers

Am 16.03.2016 um 09:43 schrieb Stefan Michael Guenther:

Hello,

in our Ciphermail installation I have two certificates for my email
address: One created by StartSSL and one created by the CA of
Ciphermail .

The StartSSL certificate lists as KeyUsage "keyEncipherment,
dataEncipherment, digitalSignature" and the local CA "keyEncipherment,
digitalSignature".

But in the user profile, when I choose "S/MIME -> signing certificate"
the system only offers the local certificate.
Even in an account that only has the StartSSL certificate, this is not
offered for signing.

What could be the reason for that?

Regards,

Stefan

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

Twitter: http://twitter.com/CipherMail