Some email clients unable to decrypt email sent from Outlook 2010

Solution ID:    SO17230    Updated:    07/18/2011

Problem

When sending an encrypted message from Microsoft Office Outlook 2010 to a recipient using a third-party email client, such as Lotus Notes, Entrust, SeaMonkey, or Thunderbird, the recipient may not be able to read the encrypted message. In the case of the Thunderbird email client, the following message may be displayed in the message body when the recipient opens it:

Thunderbird cannot decrypt this message

The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key.

Possible solutions:

  • If you have a smartcard, please insert it now.
  • If you are using a new machine, or if you are using a new Thunderbird profile, you will need to restore your certificate and private key from a backup. Certificate backups usually end in ".p12".

The Thunderbird client may also display the following warning:

Message Security

Message Has No Digital Signature

This message does not include the sender's digital signature. The absence of a digital signature means that the message could have been sent by someone pretending to have this email address. It is also possible that the message has been altered while in transit over the network. However, it is unlikely that either event has occurred.

Message Cannot Be Decrypted

This message was encrypted before it was sent to you, but it cannot be decrypted. There are unknown problems with this encrypted message.

Also, Microsoft Entourage 2008 (included in Microsoft Office 2008 for Mac) and Microsoft Outlook 2011 for Mac may be unable to decrypt email messages sent from Outlook 2010. You may see the following error on Outlook 2011 for Mac:

The security of this message cannot be verified because of an error.

Blackberry users

Some Blackberry users may also receive error messages in this case. The error displayed will be as follows:

    This S/MIME data is encrypted but cannot be decrypted
    because the required private key is not present on your handheld.

    You may update your handheld's key store using the
    certificate synchronization software in the BlackBerry desktop manager.

    The missing certificate corresponds to one of the
    following serial number, issuer pairs:

Cause

Outlook 2010 implements the Cryptographic Message Syntax (CMS), as documented in RFC 5652, more fully than earlier versions. In particular, Outlook 2010 now uses subjectKeyIdentifier as the SignerIdentifier, whereas earlier versions used issuerAndSerialNumber. Some email clients and third-party operating systems do not yet support subjectKeyIdentifier as the SignerIdentifier, even though the RFC defines it, so they are unable to decrypt the message.

For more information regarding the RFC, go here: http://tools.ietf.org/html/rfc5652
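To make the cause concrete, the following Python example is added here; it is not code from Microsoft, Outlook, or any of the clients named above. RFC 5652 defines the same CHOICE between issuerAndSerialNumber and subjectKeyIdentifier for the RecipientIdentifier in KeyTransRecipientInfo (section 6.2.1), which is the field a recipient must resolve to its private key before it can decrypt, and requires version 0 for the first form and version 2 for the second. The example builds two constructed KeyTransRecipientInfo structures, one per form, using placeholder issuer name, serial number, key identifier and wrapped key, and classifies which form an arbitrary structure uses. A mail administrator can run classify_recipient_info over the RecipientInfo extracted from an undecryptable message to confirm that the subjectKeyIdentifier form is in play before applying the registry workaround below.

```python
"""Added example (not from the knowledge base article): inspect which
RecipientIdentifier form a CMS KeyTransRecipientInfo uses.

RFC 5652 section 6.2.1:
    RecipientIdentifier ::= CHOICE {
        issuerAndSerialNumber IssuerAndSerialNumber,    -- SEQUENCE, DER tag 0x30
        subjectKeyIdentifier [0] SubjectKeyIdentifier } -- [0] IMPLICIT OCTET STRING, tag 0x80
Version must be 0 with the first form and 2 with the second.
All sample values below are constructed placeholders, not real Outlook output.
"""


def der_len(n: int) -> bytes:
    """Encode a definite-form DER length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Build one DER tag-length-value triple (single-byte tags only)."""
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    """Encode a non-negative INTEGER, adding a leading 0x00 when the top bit is set."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Parse the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    nbytes = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length


# KeyEncryptionAlgorithmIdentifier for rsaEncryption (1.2.840.113549.1.1.1) with NULL parameters
KEY_ENC_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))


def issuer_name(common_name: str) -> bytes:
    """Minimal X.501 Name: a single RDN holding commonName (2.5.4.3) as UTF8String."""
    atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, common_name.encode()))
    return tlv(0x30, tlv(0x31, atv))


def ktri_issuer_serial(common_name: str, serial: int, encrypted_key: bytes, version: int = 0) -> bytes:
    """KeyTransRecipientInfo using the older issuerAndSerialNumber form."""
    rid = tlv(0x30, issuer_name(common_name) + der_int(serial))
    return tlv(0x30, der_int(version) + rid + KEY_ENC_ALG + tlv(0x04, encrypted_key))


def ktri_subject_key_id(ski: bytes, encrypted_key: bytes, version: int = 2) -> bytes:
    """KeyTransRecipientInfo using the subjectKeyIdentifier form ([0] IMPLICIT)."""
    return tlv(0x30, der_int(version) + tlv(0x80, ski) + KEY_ENC_ALG + tlv(0x04, encrypted_key))


def classify_recipient_info(der: bytes) -> dict:
    """Report which RecipientIdentifier form is used and whether the version matches RFC 5652."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("KeyTransRecipientInfo must be a SEQUENCE")
    vtag, vbody, pos = read_tlv(body)
    if vtag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(vbody, "big")
    rtag, rbody, _ = read_tlv(body, pos)
    if rtag == 0x30:
        form, expected = "issuerAndSerialNumber", 0
        _, _, after_name = read_tlv(rbody)            # skip the issuer Name
        _, serial, _ = read_tlv(rbody, after_name)    # serialNumber INTEGER
        detail = {"serial": int.from_bytes(serial, "big")}
    elif rtag == 0x80:
        form, expected = "subjectKeyIdentifier", 2
        detail = {"ski_hex": rbody.hex()}
    else:
        raise ValueError(f"unexpected RecipientIdentifier tag 0x{rtag:02x}")
    return {
        "form": form,
        "version": version,
        "version_ok": version == expected,
        # Clients that only implement the older CHOICE arm (the symptom above) need this form
        "legacy_compatible": form == "issuerAndSerialNumber",
        **detail,
    }


# Constructed samples: placeholder issuer, serial, key identifier and wrapped key.
SAMPLE_LEGACY = ktri_issuer_serial("Example CA", 0x1234, b"\xAA" * 16)
SAMPLE_SKI = ktri_subject_key_id(bytes.fromhex("0102030405060708090a0b0c0d0e0f10"), b"\xAA" * 16)

if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_LEGACY), ("ski", SAMPLE_SKI)):
        print(label, classify_recipient_info(sample))
```

The parser handles only the single-byte tags that appear in these structures; a real RecipientInfo would first be located inside the EnvelopedData of the S/MIME body, but the CHOICE tag check (0x30 versus 0x80) on the rid field is the same.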

Solution

The recipient should check with their email client vendor to determine if an update to address this issue is available for their email client.

As a workaround, the following registry value can be set on the sender's Outlook 2010 client to make it revert to the behavior found in earlier Outlook versions.

Important This method contains steps that tell you how to modify the registry. However, serious problems may occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For more protection, back up the registry before you modify it so that you can restore the registry if a problem occurs. For more information about how to back up and then restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

  1. Start Registry Editor.
  2. Locate and then click to select the following registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\security

    Note Create the \Security registry subkey if it does not exist.

  3. Add the following registry data to this key:

    Value type:   DWORD
    Value name:   UseIssuerSerialNumber
    Value data:   1

  4. Exit Registry Editor.
