GSA / fpki-guides

This is the old location for the FPKI Playbook. New location below.
https://playbooks.idmanagement.gov/fpki/

macOS Outlook - (signing) certificate is not standards compliant #820

Closed carljmosca closed 3 years ago

carljmosca commented 3 years ago

Description of Issue:

Opening signed, encrypted email on macOS Outlook results in a message which says "The signing certificate for this message is not valid or trusted."

Details of Issue:

Viewing the signing certificate (from Outlook) shows the "certificate is not standards compliant" message. The chain shows the Federal Common Policy CA "This certificate is marked trusted for all users." The Federal Bridge CA G4 certificate shows "This certificate is valid" as do the two subsequent intermediate CAs. On this same Mac (running Big Sur 11.1), emails from this same party appear as correctly signed and encrypted using Thunderbird where the Common CA certificate was installed.

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

ryancdickson commented 3 years ago

@carljmosca - are you able to share a copy of the certificate with me (either here or via ryan [dot] dickson [at] gsa [dot] gov)?

carljmosca commented 3 years ago

Thank you @ryancdickson, I will send an email from my own account. The one from the vendor is what I have referenced above, but my account has the same issue.

carljmosca commented 3 years ago

To close the loop here, email has been sent.

ryancdickson commented 3 years ago

@carljmosca - thanks for sharing your certificate. Noting some findings below in the event they are helpful for others.

Native macOS certificate validation fails indicating name constraints are violated.

End-entity certificate Subject DN (snipped to focus on relevant data):

SET {
  SEQUENCE {
    OBJECT IDENTIFIER organizationName (2 5 4 10)
      (X.520 DN component)
    PrintableString 'XTec PIV-I SSP'
    }
  }

Name constraints contained in the certificate issued to WidePoint ORC NFI 4 (snipped to focus on relevant data):

SEQUENCE {
  [4] {
    SEQUENCE {
      SET {
        SEQUENCE {
          OBJECT IDENTIFIER countryName (2 5 4 6)
            (X.520 DN component)
          PrintableString 'US'
          }
        }
      SET {
        SEQUENCE {
          OBJECT IDENTIFIER organizationName (2 5 4 10)
            (X.520 DN component)
          UTF8String 'XTec PIV-I SSP'
          }
        }
      }
    }
  }

The difference between the two is the encoding of "XTec PIV-I SSP" across the certificates (PrintableString vs UTF8String).

I'm going to follow up with a few team members to help identify the best path forward.

More to come.
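As an added illustration (not from the issue thread or the FPKI repository), the following constructs the organizationName RDN in both string types and compares it two ways: byte-for-byte on the DER, and as decoded strings per the RFC 5280 section 7.1 rules that name-constraint matching is supposed to use. The minimal encoder/decoder is an assumption for this example and handles only a single short attribute.

```python
# Constructed illustration of the PrintableString-vs-UTF8String mismatch
# behind the name-constraint failure described above. Stdlib only.

PRINTABLE_STRING = 0x13
UTF8_STRING = 0x0C
OID_ORGANIZATION_NAME = bytes([0x06, 0x03, 0x55, 0x04, 0x0A])  # id-at 2.5.4.10


def _tlv(tag, body):
    # Short-form length only; enough for the short values used here.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def encode_o_rdn(value, string_tag):
    """DER-encode one RDN: SET { SEQUENCE { OID 2.5.4.10, <string> } }."""
    atv = _tlv(0x30, OID_ORGANIZATION_NAME + _tlv(string_tag, value.encode("utf-8")))
    return _tlv(0x31, atv)


def decode_o_rdn(der):
    """Return (string_tag, text) from an RDN produced by encode_o_rdn."""
    # Layout: SET len, SEQUENCE len, OID (5 bytes), string tag, len, value
    assert der[0] == 0x31 and der[2] == 0x30
    assert der[4:9] == OID_ORGANIZATION_NAME
    tag, length = der[9], der[10]
    return tag, der[11:11 + length].decode("utf-8")


def matches_strict(subject_rdn, constraint_rdn):
    """Byte-for-byte DER comparison: a differing string tag is fatal."""
    return subject_rdn == constraint_rdn


def matches_rfc5280(subject_rdn, constraint_rdn):
    """RFC 5280 s.7.1 style: compare the decoded strings regardless of the
    ASN.1 string type, ignoring case and insignificant whitespace."""
    def norm(rdn):
        _, text = decode_o_rdn(rdn)
        return " ".join(text.split()).casefold()
    return norm(subject_rdn) == norm(constraint_rdn)


if __name__ == "__main__":
    subject = encode_o_rdn("XTec PIV-I SSP", PRINTABLE_STRING)   # end-entity
    constraint = encode_o_rdn("XTec PIV-I SSP", UTF8_STRING)     # permitted subtree
    print("strict:", matches_strict(subject, constraint))        # False
    print("rfc5280:", matches_rfc5280(subject, constraint))      # True
```

Reissuing the subscriber certificate with the same string type as the constraint (as was done to resolve this issue) makes even the strict comparison succeed, which is why it works as a fix without changing the validator.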

ryancdickson commented 3 years ago

Update: Subscriber certificate was reissued. CA subject DN encoding now matches the name constraints observed in the certificate issued to WidePoint ORC NFI 4. Confirmed issue resolution with @carljmosca.

Closing issue!