IBM Support

LO80179: CAN NOT EXTRACT X.509 CERTIFICATE FROM A MESSAGE


APAR status

  • Closed as returned (APAR cannot be resolved without additional info from IBM or customer.)

Error description

  • To obtain someone's Internet certificate for mail encryption
    
    If you want to send someone encrypted mail, but you don't have
    that person's
    Internet certificate, have them send you a message that is
    signed with their
    Internet certificate.
    When you receive the e-mail, select the e-mail, choose Actions -
    Tools - Add
    Sender to Address Book, and be sure to select "Include X.509
    certificates when
    encountered" under the Advanced tab.
    Notes creates a Contact document and adds any Internet
    certificates sent with the mail message to the Contact document.
    When you send an encrypted message to this recipient, Notes
    extracts the
    Internet certificate for encryption from the Contact document
    and uses the
    recipient's certificate to encrypt the message.
    
    --> the user gets stored but nothing appears under
    certificates.
    
    If you want to enable someone to send you encrypted mail using
    your Internet
    certificate, have the recipient add you to their Personal
    Address Book by
    following the same procedure as above.
    
    --> Our client requires us to use PKCS #7, but we got a
    certificate from Verisign that is PKCS #12.
    
    In our tests with the Verisign provider esign-la.com, the cross
    certificate was created, as you can see below, but with our
    client the cross certificate has not been created,
    but it does show up in the Internet Certifiers... as trusted
    root, I presume...
    
    Notes client 853 FP 3
    Domino Server 853 FP 5
    Mail template 8.5  local replica
    Setting up S/MIME to one user
    
    Followed the Technote below:
    http://www-01.ibm.com/support/docview.wss?uid=swg21383011
    
    Downloaded a user certificate from verisign:
    
    See Image 1 below
    
    Customer mentioned they had problems at step 8 & 9 in the
    technote above
    
    See Images 2 & 3 below
    
    They are still stuck in the part where they are supposed to
    extract the x509 certificate from a signed message sent to us by
    the other party; all documentation points to below:
    
    "
    When you open the signed message, you will be prompted to cross
    certify. If you
    wish to establish trust with the certificate authority that
    issued their
    certificate in one simple step
    (in addition to trusting the user's certificate), you may select
    it from the
    Subject name list box.
    Confirmation that the message was signed will appear in the
    status bar.
    Then choose Tools - Add Sender to Address Book from the menu.
    The default action (on the Advanced tab) is to "Include x.509
    certificates when
    encountered." When a Contact document is added to your personal
    address book,
    the sender's public key will be available to you and you will be
    able to
    encrypt messages to him or her.
    "
    but this is not happening so far
    
    See Image 4
    
    The issue is happening when they try to pick up the certificate.
    
    
    Have tried to do the following:
    
    - Remove recent contact for the sender and the contact manually
    added
    - Access the certificates view and drop down the list for
    internet cross
    certified
    - Remove the internet cross certified added when the user cross
    certified
    - Open the message which was signed by the sender
    - The user should be prompted to again cross certify and be able
    to then add
    the user again via more - add sender to contacts
    However the above does not work
    
    Customer has tried to replace the design of the mailfile to a
    pre 853 design
    and is still unable to obtain the internet certificate in the
    contact records
    They attempted to revert back but issue is still happening
    
    Finally informed customer that it appeared the Root & CA
    certificate are missing
    
    See image 5 (good + bad export)
    
    
    You need to include all certs in path (chain) used to validate
    the certificate, so it is not a safe certificate as we can not
    build the cert chain.
    By default the option is not checked but it must be:
    
    See image 6
    
    Advised customer simple way is to send a signed mail
    The user should send one another a signed only mail NOT
    encrypted
    
    
    User has performed all of the above and now gets the following
    
    
    We are not receiving the cross certification pop up; instead we
    have an error message that is displayed, see below:
    
    See image 7
    
    
    See all attachment & images below
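
The chain requirement described above can be checked outside Notes with the OpenSSL command line. This is an added example, not part of the APAR or of IBM's tooling; it assumes `openssl` is installed, and the three-level PKI, subject names and file names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: constructed throwaway PKI (root -> issuing CA -> sender).
# Subject names and file names are made up; nothing here comes from the APAR.
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" \
    -keyout "$W/root.key" -out "$W/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Issuing CA" \
    -keyout "$W/int.key" -out "$W/int.csr" 2>/dev/null
  openssl x509 -req -in "$W/int.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
    -CAcreateserial -extfile "$W/ca.ext" -days 2 -out "$W/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Sender" \
    -keyout "$W/user.key" -out "$W/user.csr" 2>/dev/null
  openssl x509 -req -in "$W/user.csr" -CA "$W/int.pem" -CAkey "$W/int.key" \
    -CAcreateserial -days 2 -out "$W/user.pem" 2>/dev/null
  echo "signed only, not encrypted" > "$W/msg.txt"
}

# sign_msg OUT [extra openssl options]: S/MIME-sign msg.txt as the sender.
sign_msg() {
  out=$1; shift
  openssl smime -sign -in "$W/msg.txt" -signer "$W/user.pem" \
    -inkey "$W/user.key" "$@" -out "$out"
}

# Number of certificates carried inside the message's PKCS #7 signature.
embedded_certs() {
  openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -noout | grep -c '^subject='
}

# Succeeds only if a recipient who trusts just the root can build the chain.
chain_builds() {
  openssl smime -verify -in "$1" -CAfile "$W/root.pem" -out /dev/null 2>/dev/null
}

build_pki
sign_msg "$W/leaf-only.eml"                         # default: signer cert only
sign_msg "$W/with-chain.eml" -certfile "$W/int.pem" # also embeds the issuing CA
for m in leaf-only with-chain; do
  if chain_builds "$W/$m.eml"; then r="chain builds"; else r="chain incomplete"; fi
  echo "$m: $(embedded_certs "$W/$m.eml") certificate(s) embedded, $r"
done
```

To inspect a real signed message, save it to a file and run the `embedded_certs` pipeline on it; a count of 1 means only the signer's certificate was sent.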
    

Local fix

  • n/a
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • This APAR is associated with SPR# KRUL9JGC4M.
    The record was returned to the person who created it for more
    information.
    

APAR Information

  • APAR number

    LO80179

  • Reported component name

    NOTES CLIENT

  • Reported component ID

    5724E6255

  • Reported release

    853

  • Status

    CLOSED RET

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-04-28

  • Closed date

    2014-08-15

  • Last modified date

    2014-08-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
15 August 2014