ARCHIVED: Known issues with using S/MIME client certificates to digitally sign or encrypt email at IU

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.


Note:

Due to enhanced security features in Exchange Online, digital signatures are no longer required at IU; however, digital signatures will continue to work as expected if you wish to continue using them.

Creating and renewing S/MIME client certificates

Issue: Some users receive certificates with an earlier expiration.

Description: While the default for new and renewed S/MIME client certificates is set to three years, you may receive a client certificate with a one-year expiration date.

If your username changes, you must request a new S/MIME client certificate.

Status: Known issue
Last updated: June 27, 2017

Sending digitally signed messages

iOS (iPhone, iPad, etc.)

Issue: S/MIME client certificate is invalid after using Quick Start to transfer data to a new iOS device.
Description: When using the Quick Start method to transfer data from an old iOS device to a new iOS device, the S/MIME client certificate appears to transfer but is invalid. This is due to the issuer being changed when the certificate is transferred. To resolve the issue, remove and re-add your S/MIME client certificate.
Status: Known issue
Last updated: November 9, 2021

Issue: In iOS, mail sent from apps other than Mail is not digitally signed.
Description: In iOS, if you use the share function (usually represented by a square with an upward facing arrow going out of it) in apps such as Photos to send mail, the messages will not be digitally signed. This will be the case even if you have configured the Mail app to sign messages by default. This problem does not affect Mail itself, so you can use it to send signed messages, including attachments, normally.
Status: Known issue
Last updated: January 19, 2017

Issue: In iOS 13.2, when replying to a message with a digitally signed reply, the message may not send.
Description: When sending a reply that is digitally signed, the message may either 1) get stuck in the Outbox, where you can try to resend it, or 2) result in the message, "Cannot Send Mail. The message was rejected by the server."
Status: Fixed in iOS 13.2.2
Last updated: November 11, 2019

Android

Issue: The Gmail app on Android devices does not support S/MIME.

Description: Google does not currently support the S/MIME protocol on their Gmail Android application. You cannot digitally sign messages with this app; see below for potential issues with receiving messages.

As a workaround, the Android device may have another native email app that supports S/MIME. For devices that do not come with another email app (including the Google Pixel and Pixel XL), you will need to download a third-party email app from the app store.

Note: UITS does not endorse any specific third-party Android apps; however, owners have reported success using the third-party email app "Nine - Outlook for Android". This is not a free app.

Status: Known issue
Last updated: July 20, 2016

Issue: Android on some Motorola devices does not support S/MIME.
Description: The default email application installed on some Motorola devices does not currently support signing email with S/MIME client certificates.
Status: Known issue
Last updated: July 20, 2016

Issue: Some LG Android devices cannot digitally sign messages.
Description: On some LG Android devices, when you attempt to digitally sign messages, the S/MIME client certificates become invalid and the messages display this error: "Error: The message contents may have been altered."
Status: Known issue
Last updated: October 14, 2016

Issue: Some Android devices receive a warning icon that looks like a triangle with an exclamation point in the taskbar.
Description: After you have installed your S/MIME client certificate on some Android devices, a warning icon that looks like a triangle with an exclamation point inside appears in the taskbar with the error message: "Network may be monitored By an unknown third party". Tapping the message will display "A trusted certificate on your phone is allowing a third party to monitor your network activity, including your emails, apps, and secure websites. CHECK TRUSTED CREDENTIALS".
Status: Known issue
Last updated: July 20, 2016

Issue: Some email clients on Android devices cannot send encrypted email.

Description: On some devices/clients, you can resolve this by ensuring in the app's settings that the S/MIME client certificate is set as the encryption certificate in addition to the signing certificate. On others, there is no setting for an encryption certificate, meaning that encrypted messages cannot be sent.

Note: UITS does not endorse any specific third-party Android apps; however, owners have reported success using the third-party email app "Nine - Outlook for Android". This is not a free app.

Status: Known issue
Last updated: July 6, 2018

Windows

Issue: Outlook for Windows does not send email from secondary accounts when email signing is set as the default.
Description: Outlook for Windows will not allow you to sign email messages without a valid certificate for that email address. Outlook will display an error reading "Microsoft Outlook cannot sign or encrypt this message because there are no certificates which can be used to send from the e-mail address". You'll need to either install a valid client certificate for the email address, or go to OPTIONS in the mail message and turn off Sign.
Status: Known issue
Last updated: July 21, 2016

Issue: Outlook in IUanyWare sometimes cannot send signed messages.
Description: You may experience intermittent issues sending signed email messages through Outlook when using IUanyWare. No error is produced, but clicking the Send button has no effect.
Status: Known issue
Last updated: August 5, 2016

Issue: In Outlook for Windows, when multiple accounts are on the same profile, certificates cannot be published to the GAL.
Description: The Publish to GAL... option is not available under "E-mail Security" in Outlook for Windows when multiple email accounts are mapped to the same profile. As a workaround, create a new profile with just the email account for which you wish to publish the certificates.
Status: Known issue
Last updated: July 21, 2016

macOS

Issue: In Outlook 2016 for Mac, a signed email message reports, "The signing certificate for this message is not valid or trusted".
Description: If you receive this message, launch Keychain Access and ensure that both the "Microsoft_Intermediate_Certificates" and "Microsoft_Entity_Certificates" are present under "Keychains". If either or both are missing, choose Add Keychain... from the File menu, and select the missing keychain. You will need to do this for each missing keychain.
Status: Known issue
Last updated: December 1, 2016

Issue: In Outlook for macOS, it is not possible to sign or encrypt messages sent from accounts added as an additional mailbox.
Description: If you have access to an account with "full access with send-as" (FASA) permission, you can add it as an additional mailbox to your own account; however, you cannot send digitally signed or encrypted messages from it. If you know the passphrase for the account, you can add it as a separate account, and then digitally sign and encrypt messages normally.
Status: Known issue
Last updated: July 6, 2020

General issues affecting all platforms

Issue: Error appears when sending digitally signed email via IU List and appending headers or footers.
Description: Results in "Error: The message contents may have been altered".
Status: Known issue
Last updated: June 12, 2018

Issue: When you use an ActiveSync client to reply with a digitally signed message (and, in some cases, to reply to a signed message), the "You replied to this message on [date]" indicator will not appear in clients such as Outlook and macOS, or in Outlook on the web.
Description: This issue has been replicated on both Android and iOS devices, and on Windows 10 Mail. Microsoft has indicated that this is due to a known limitation of ActiveSync while using S/MIME.
Status: Known issue
Last updated: May 3, 2018

Issue: Attachments are stripped off when sent to some Gmail accounts.
Description: Some Gmail accounts are unable to properly read signed email messages. As a result, all attachments will show up as winmail.dat files, and will not be accessible.
Status: Known issue
Last updated: July 20, 2016

Receiving digitally signed messages

Android

Issue: Some Android devices do not display attachment icon on signed messages.
Description: Using the standard mail app on some Android devices, email messages with attachments may not display the attachment icon until you open the signed message and tap Verify Signature.
Status: Known issue
Last updated: September 28, 2017

Issue: The Gmail app on Android devices does not support S/MIME.

Description: Google does not currently support the S/MIME protocol on the Gmail Android application. You can receive digitally signed messages; however, you will not be able to verify digital signatures, and you may not be able to open email attachments.

As a workaround, the Android device may have another native email app that supports S/MIME. For devices that do not come with another email app (including the Google Pixel and Pixel XL), you will need to download a third-party email app from the app store.

Note: UITS does not endorse any specific third-party Android apps; however, owners have reported success using the third-party email app "Nine - Outlook for Android". This is not a free app.

Status: Known issue
Last updated: July 20, 2016

Issue: Some Samsung Galaxy devices cannot validate most signatures.

Description: After selecting Verify Signature within an email message, you may see an error message, such as "Verification failed" or "Error occurred while parsing signed message." If the email message has attachments, this issue may prevent you from opening them.

As a workaround, you can try using the Gmail app to access your email account rather than the native email app. Although S/MIME is not officially supported in the Gmail Android App (as described above), you may have better results in opening signed attachments.

When reading signed messages sent from a Samsung phone, you may see a warning that says "Unable to verify signature, Root CA not installed." You can ignore this message.

Status: Known issue
Last updated: September 15, 2016

Issue: Some email clients on Android devices cannot read encrypted email.

Description: On some devices/clients, you can resolve this by ensuring in the app's settings that the S/MIME client certificate is set as the encryption certificate in addition to the signing certificate. On others, there is no setting for an encryption certificate, meaning that encrypted messages cannot be read.

Note: UITS does not endorse any specific third-party Android apps; however, owners have reported success using the third-party email app "Nine - Outlook for Android". This is not a free app.

Status: Known issue
Last updated: July 6, 2018

macOS

Issue: In Outlook 2016 for Mac, signed email messages report, "The signing certificate for this message is not valid or trusted".
Description: If you receive this message, launch Keychain Access and ensure that both the "Microsoft_Intermediate_Certificates" and "Microsoft_Entity_Certificates" are present under "Keychains". If either or both are missing, choose Add Keychain... from the File menu, and select the missing keychain. You will need to do this for each missing keychain.
Status: Known issue
Last updated: December 1, 2016

Linux/Unix

Issue: Older versions of Mutt, the text-based mail client for Unix systems, sometimes have digital signature validation issues.
Description: You may experience issues validating digital signatures when using older versions of Mutt. Due to the way Outlook clients generate digital signatures, you may see an error similar to "Error: Inconsistent multipart/signed structure!" This issue has been resolved in the updated version of Mutt.
Status: Resolved
Last updated: August 22, 2016

General issues affecting all platforms

Issue: In Conversations view, Outlook on the web does not provide preview text or a Reading Pane view for any digitally signed (S/MIME) email message.
Description: If you use Conversations view in Outlook on the web, preview text and Reading Pane view are not available for digitally signed (S/MIME) email. To read a digitally signed message, you must open it in a new window. Turning off Conversations view enables normal preview and Reading Pane functionality for S/MIME messages. You can enable preview text in Conversations view by installing the Microsoft S/MIME Active X Control plug-in and restarting your browser; however, Reading Pane functionality for encrypted messages cannot be enabled in Conversations view.
Status: Resolved
Last updated: May 20, 2022

This is document aluf in the Knowledge Base.
Last modified on 2023-05-18 10:28:29.