- How do I get a personal certificate?:
Your identity must first be validated and approved. When you then request a certificate, a private key is generated and stored in your browser. A certificate request file is made from this private key and sent to ca.it-sg.com, which we then sign and issue to you as a certificate. You then download the certificate and install it in your web browser, from where you can enable it for use with your email account. Send an email or call using the details under Contact Information.
- How do personal certificates work?:
Email messages are secured using the S/MIME protocol, which is completely integrated into the most popular email clients. In order for someone to encrypt email messages to you, they will need your public key (your certificate). They receive your public key when you send them a signed email. Once you have exchanged keys you can encrypt email. Receiving an Email certificate from IT-SG.com will enable you to distribute your public key to individuals so that they can encrypt mail to you with confidence.
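The enrolment and key exchange described in the two answers above, as an added example using the OpenSSL command line (it is not IT-SG.com's own tooling). A throwaway root stands in for the CA, AES-256 is chosen for the reply, and every name, address and file name is constructed.

```shell
#!/bin/sh
# Added example: every subject, address, file name and message is constructed.

# Runs the whole exchange inside directory $1 and prints what Alice decrypts.
run_exchange() {
    d=$1
    # Throwaway root standing in for the issuing CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1

    # Alice: the key pair is generated locally; only the PKCS#10 request is sent.
    openssl genrsa -out "$d/alice.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/alice.key" -out "$d/alice.csr" \
        -subj "/CN=Alice/emailAddress=alice@example.test" || return 1

    # CA: sign the request and return the certificate.
    openssl x509 -req -in "$d/alice.csr" -days 30 -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/alice.crt" 2>/dev/null || return 1

    # Alice -> Bob: a signed message; the signature carries her certificate.
    printf 'Hello Bob, this message is signed.\n' > "$d/hello.txt"
    openssl smime -sign -in "$d/hello.txt" -signer "$d/alice.crt" \
        -inkey "$d/alice.key" -out "$d/signed.eml" || return 1

    # Bob: verify against the root he trusts and keep the signer's certificate.
    openssl smime -verify -in "$d/signed.eml" -CAfile "$d/ca.crt" \
        -signer "$d/from_alice.crt" -out /dev/null 2>/dev/null || return 1

    # Bob -> Alice: encrypt to the public key taken from that certificate.
    printf 'Reply for Alice only.\n' > "$d/reply.txt"
    openssl smime -encrypt -aes256 -binary -in "$d/reply.txt" \
        -out "$d/reply.eml" "$d/from_alice.crt" || return 1

    # Alice: only the holder of alice.key can read the reply.
    openssl smime -decrypt -in "$d/reply.eml" \
        -recip "$d/alice.crt" -inkey "$d/alice.key"
}

# Creates a scratch directory, runs the exchange, and always cleans up.
smime_roundtrip() {
    tmp=$(mktemp -d) || return 1
    rc=0
    run_exchange "$tmp" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

smime_roundtrip
```

Bob never handles Alice's private key: he encrypts with the certificate recovered from her signed message, which is why a signed email has to arrive before encrypted mail can be sent.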
- What will IT-SG Support?:
We are more than happy to help wherever certificates are used.
- Note for IE 5.x users
We have had many users of
IE 5.x report errors when using SSL, particularly with scripts
and forms. We know this problem lies not with IT-SG.com
but with the browser accessing the page. Microsoft has released
Service Packs and fixes for IE5.x to correct some of these
problems. If you have trouble connecting to or using the
IT-SG.com web site, we suggest you install all the latest updates.
We have included one of the major fixes in the following
FAQ. You can also try using a different browser, such as
Netscape, or an earlier version of IE.
- Important IE 5.01 schannel.dll update!
According to Microsoft, the version of Internet Explorer
5.01 that was released on the web contains an incorrect
internal key in the schannel.dll file. This file manages
some of your most important security functions. This bug
may cause programs and services on your computer that use
SSL (Secure Sockets Layer) or Security Support Provider Interface
(SSPI) to no longer function. Installing this update will
eliminate the problem by providing you with a corrected
schannel.dll file.
You should read the article from the Microsoft Knowledge
Base (KB).
To resolve this issue, you need to apply Q247367.exe to
install a version of the schannel.dll file with the correct
key. You can download it from Microsoft's Web site.
Also try the Internet Explorer 5.01 Service Pack 1 or the
High Encryption Pack for Internet Explorer 5.x from Microsoft's
Internet Explorer Downloads site.
- Internet Explorer
Script Error: Visual Basic (VB) Script errors
A Visual Basic script is responsible for generating your
private/public key pair. This error can occur when trying
to install your certificate if you upgraded your browser
after making the request. It is possible that not all files
were upgraded. The solution is to reinstall Internet Explorer.
Another possible reason for
script errors is if you set your Internet Explorer security
preferences to "High" (under the Security tab).
This seems to cause problems initialising the variables
needed for the VBScript on our site to execute properly.
Setting the security level to "Medium" will solve
the problem.
- Can I request a certificate
for Internet Explorer for the Mac?
Microsoft Internet Explorer on the Apple Macintosh platform
is not S/MIME compatible and will not have the ability to
sign or encrypt email messages using S/MIME.
If S/MIME support is absolutely
essential it is possible to request an S/MIME certificate
with Netscape on the Apple Macintosh platform.
- Not prompted for username
and password when accessing account
In order to get the prompt for the IT-SG.com ID and password
the browser security level must be set to medium by following
these instructions:
View | Tools > Internet Options
> Security >
Set your security settings to 'Medium'.
Check that ActiveX and Java
scripting are enabled.
Check that under IE > Internet
Options > Connections > LAN Settings > Proxy Server,
'Use a proxy server' is deselected.
- Error: '-2146885628'
when retrieving your certificate.
With this error, Internet Explorer reports that it cannot
find the private key corresponding to this certificate.
Firstly, check that you are
using the same user profile that you used to request the
certificate. The key is 'attached' to that user account.
If the browser or operating
system software has been reinstalled, then the private key
has been lost.
If you backed up the private key or key pair by exporting
to a *.p12 or *.p7 file, you may be able to restore them
by importing those files.
If you have not backed up these files, you will have to
request a new certificate here.
- I have no option to choose from in the Cryptographic
Service Provider (CSP) list
Our server captures the contents of the CSP list from your
browser; this determines the encryption capabilities.
If you do not have Visual Basic
Scripts installed, your browser will not be able to provide
that information to us, and the drop-down list will be empty.
In order to get the option
to choose the CSP you have to enable scripting in your browser:
View | Tools > Internet Options
> Advanced
Check all boxes related to scripting
Also, check the following:
View | Tools > Internet Options
> Security > Custom Level
All the settings under 'Scripting'
need to be enabled.
If you chose not to install
these when you set up the software, reinstalling Internet
Explorer with those options will fix the problem.
Go to the Microsoft
website to install the latest Visual Basic Scripts
- When I click on 'Next' nothing happens
There are three possible causes for this error: no option
was selected from the CSP drop-down list, ActiveX
controls in your browser have not been enabled, or they have
been disabled on your firewall.
You need to choose the correct
CSP option for your browser. If you are using a 40bit browser,
select the Microsoft Base Cryptographic Provider or default
option. If you are using a 128bit browser, select the Microsoft
Enhanced Provider. Also try reloading your browser.
In order to get the option
to choose the CSP you have to enable scripting in your browser:
View | Tools > Internet Options
> Advanced
Check all boxes related to scripting
Also, check the following:
View | Tools > Internet Options
> Security > Custom Level
All the settings under 'Scripting' need to be enabled.
If you chose not to install
these when you set up the software, reinstalling Internet
Explorer with those options will fix the problem.
Go to the Microsoft
website to install the latest Visual Basic Scripts
The IT-SG.com system sends ActiveX
controls to the browser. Some firewalls filter ActiveX instructions.
Contact your System Administrator to find out if certain
file types are being blocked by your firewall.
Check your security settings and set the level to medium:
View | Tools > Internet Options > Security > Security
level should be set to "Medium".
- Error: "Unable to generate PKCS#10"
This error message occurs if you choose the incorrect Cryptographic
Service Provider for your browser.
To resolve this error check
that you are using the correct Cryptographic Service Provider
(CSP) for your browser:
If you are using a 40bit browser,
select the Microsoft Base Cryptographic Provider or default
option.
If you are using a 128bit browser,
select the Microsoft Enhanced Provider.
You will have to reload your browser.
- Chinese version of IE not able
to complete Personal Certificate enrolment or access some
parts of our site
The IT-SG.com site does not support the Simplified Chinese character set.
To resolve this you will have
to change the default character set to English, or UTF8
with these instructions:
View > Encoding > Unicode UTF8
Close the browser and start again
- Where can I view my certificate?
View | Tools > Internet Options
> Content > Personal | Certificates
- I don't see the certificate in my personal certificate
list
Your personal certificate can only be accessed if you are
running Internet Explorer under the same user profile, and
on the same machine as when you made the certificate request.
Note: Certificates are tied
to email addresses. Make sure the email address on your
account matches the certificate.
- Error: "Error 5: certificate not installed"
The error occurs when there is no private key that corresponds
to the certificate being installed.
In order to remove this
error message:
Check that you are installing the certificate with the
exact same browser that you used to request the certificate.
Make sure that you are logged into the correct profile
that you used to request the certificate.
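Both this error and error '-2146885628' above come down to a certificate whose private key is not in the current key store. The following added example (OpenSSL command line, not part of the IT-SG.com site) checks whether a key and a certificate belong together and shows a PKCS#12 backup restoring the pairing; the self-signed certificate, subject and password are constructed.

```shell
#!/bin/sh
# Added example: the key, certificate, subject and password are constructed.

# Exit 0 only when the certificate's public key is the one derived from the
# private key. Unreadable input also counts as "no match".
key_matches_cert() {   # $1 = private key (PEM), $2 = certificate (PEM)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

verdict() {
    if key_matches_cert "$1" "$2"; then echo match; else echo mismatch; fi
}

# Works inside directory $1 and prints one verdict per scenario.
run_lost_key() {
    d=$1
    # Original profile: key pair plus the certificate bound to it
    # (self-signed here, since only the key/certificate pairing matters).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Test User/emailAddress=user@example.test" \
        -keyout "$d/user.key" -out "$d/user.crt" 2>/dev/null || return 1

    # Backup taken while the key still exists: a PKCS#12 (.p12/.pfx) bundle.
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
        -out "$d/backup.p12" -passout pass:constructed-demo || return 1

    # Reinstalled browser or a different user profile: a different key store,
    # modelled here by a freshly generated key.
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1

    # Restore the original key from the backup.
    openssl pkcs12 -in "$d/backup.p12" -nocerts -nodes \
        -passin pass:constructed-demo -out "$d/restored.key" 2>/dev/null || return 1

    echo "original=$(verdict "$d/user.key" "$d/user.crt")" \
         "other=$(verdict "$d/other.key" "$d/user.crt")" \
         "restored=$(verdict "$d/restored.key" "$d/user.crt")"
}

# Creates a scratch directory, runs the scenarios, and always cleans up.
lost_key_demo() {
    tmp=$(mktemp -d) || return 1
    rc=0
    run_lost_key "$tmp" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

lost_key_demo
```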
- Error: "Windows cannot determine the validity
of this certificate because it cannot locate a valid certificate
revocation list from the CA which issued the certificate"
Microsoft Internet Explorer is shipped with the Certificate
Revocation List (CRL) Checking option enabled. Any Certification
Authority does not yet utilize this feature. The CRL protocol
has since been superseded by OCSP.
In order to remove this error
message, you need to disable this option in Internet Explorer:
View | Tools > Internet Options
> Advanced > Security >
Un-tick "Check for Publisher's
Certificate Revocation".
Close and reopen the browser.
The IT-SG.com CRL can be manually
downloaded, and added to the path in your browser.
You can download the CRL from IT-SG.com's Root Certificate
Download page
Look for the "IT-SG.com Server CA CRL".
This does not affect the actual
security of your signed email.
After you install your certificate,
you need to enable it to sign your email by following
these instructions.
Go into Microsoft Outlook Express
and click on
Tools -> Accounts -> Mail -> Properties ->
Security
Check the box next to 'Use Digital
ID for sending'
This should enable the button just
below 'Digital ID'
Click on that button and you should
see your certificate displayed
Select it, then hit 'Apply', and
'OK'
- How to sign email in Outlook Express 5.5
Go into Microsoft Outlook Express
and click on Tools -> Accounts -> Mail
Select your email account and click
the Properties button
Note: Your email address in your certificate must exactly
match the email account you are associating the ID with.
From Mail Properties for the account,
select the Security tab
Click the 'Select' button next to
the Signing certificate
Select your certificate from the
list
Click OK
Note: Your name should appear in the greyed out box next
to the Certificate button
Click the Apply button or the changes
will not be committed
Note: You now have the option to send signed messages.
- How to sign email in Outlook Express 6.0
In Outlook Express, go to Tools >
Accounts
Click on the 'Mail' tab then click
on Properties
Under 'General', you should see your
name & email address.
Signing Certificate
'Select the signing certificate below.
This will determine the Digital ID used when signing messages
with this account'
You'll then see a box called "Certificate".
If empty, click on the box called "Select".
Then choose your certificate by highlighting it and then
click on OK
Do the same thing under "Encryption
Preferences" and the box called Certificate.
Make sure the "Box" next
to "Algorithm" states 3DES
When done click Apply, then OK
Now, to send a "signed"
email, simply compose a new email and from your "tools"
menu from within the email message itself, go to TOOLS >
and choose "Digitally Sign".
When done, send email.
To add your digital certificate
to ALL OUTGOING emails, follow these steps:
In Outlook Express, go to TOOLS > OPTIONS > SECURITY
> under SECURE EMAIL you'll see the options to:
Encrypt contents and attachments
to all outgoing messages
Digitally sign all outgoing messages.
Put a "check mark" next to ONLY (if you want
to) Encrypt contents and attachments to all outgoing
messages AND NOT next to Digitally Sign.
- How to add a Digital ID to your address book - Outlook
Express
To add a person's certificate to your address book from
a signed message you receive follow these steps:
Click the message to select it.
On the "File" menu, click
"Properties", and then click the "Security"
tab.
Click "Add the certificate to
the address book."
Click "OK"
The default trust relationship
for new certificates is "Not Trust". To use the
certificate, change the trust relationship by following
these steps:
On the "Tools" menu, click
"Address Book".
Click the person's entry to select
it, and then click "Properties".
Click the "Certificates"
tab.
Select the certificate, and then
click "Properties".
On the "General" tab, click
"Trusted By Me" in the Trusted box.
Click "OK", click "OK",
and then click "Close" on the "File"
menu to close the Address Book.
- I cannot see my certificate in the Outlook selection
box, even though I can see it in IE.
Having more than one email address on a single certificate
can cause this problem. You won't see your certificate in
the selection box because Outlook cannot associate it with
a single email address. You must request a certificate with
only one email address.
This may also occur if you
are using a profile with a different email address than
the one on the certificate.
- Error: "Access to your digital ID has been denied".
This error message will be presented if you are using the
incorrect profile.
To resolve this make sure that you:
Use the same browser, machine, Windows
profile and email address that you used when you requested
the certificate.
Use the correct Windows log on name
when starting.
If the above solution does
not resolve the problem, you can also try reinstalling the
certificate.
Delete the certificate from Outlook
by following these instructions:
Outlook Express, Tools > Options > Security >
Digital ID > Remove
Request and retrieve a new certificate
from the Certificate Status Page here.
- Error: "This message could not be sent. An error
has occurred."
Outlook Express is unable to locate your personal certificate
information when you click cancel at the Windows Log on
screen or when the username.pwl file has been modified or removed.
To resolve this issue, when
you are prompted for user name and password, enter the correct
information and press OK.
You should export the Personal
Certificate before renaming or deleting the
username.pwl file, and then import the certificate after
creating a new .pwl file. If you are unable to export the
certificate, you need to obtain another personal certificate.
Please read the Microsoft article, which relates to this
error:
http://support.microsoft.com/support/kb/articles/Q190/2/96.ASP
- Error: "This program is trying to access a protected
item", every time I read or send encrypted mail.
If 'strong key protection' is enabled, this warning appears
every time the private key is accessed.
The workaround to this error
message is to export the private key and certificate from
Outlook Express.
Tools > Options > Security
> Digital ID >
Highlight the certificate >
Export the certificate and remember
to include the private key
A .pfx file is created which is the
backup of the certificate.
Remove the certificate from Outlook
Express
Go to the "Security" tab,
and select 'Import'
Follow the wizard, and when entering
your password, you will see 2 checkboxes.
Check the box, "Mark the private
key exportable"
Do not select "Enable strong
key protection"
- I need more information about sending encrypted,
1024 bit emails.
You cannot set the strength of the encryption you use in
the encrypted messages you send. The strength is determined
by the public key (in the certificate) received from the
other party. You set the strength of encryption others will
use in their messages to you, since they use your public
key and preferences (see 'More Information' below).
More Information:
You distribute your certificate public key when you sign
your email messages. You can also set the type of encryption
you wish to receive.
In Outlook Express, go to Tools >
Options > Security > Advanced. The default is the
RC2 algorithm, which is 40 bit. If you have installed
the Microsoft Enhanced Cryptographic Provider (128 bits,
or High Encryption Pack), you will see these choices:
DES [56 bits], RC2 (64 bit), RC2 (128 bit), and 3DES [168
bits]. The preference you choose is distributed along
with your certificate (public key). It sets the strength
of encryption used when your correspondent encrypts a
message to you.
- Error: "Windows does not have enough information
to verify this certificate"
The browser does not have the IT-SG.com Root Certificate installed
and as a result
cannot verify the signature in the certificate.
To resolve this you have to
install the IT-SG.com Root Certificate.
The IT-SG.com root certificate can be found here.
Once the IT-SG.com Root Certificate
is installed in the browser it should be possible to read
email with a verified IT-SG.com Personal Certificate.
- How to sign email in Outlook 2000
Follow these instructions to enable your certificate in
Outlook 2000
In Outlook 2000 Click on Tools >
Options > Security > Set-up Secure Email
Click 'Choose', next to 'Signing
certificate'
Select the certificate you want to
use for signing.
Select the boxes, "Encrypt contents",
"Add digital signature"
to send signed or encrypted e-mail.
You can only encrypt messages
to recipients who have first sent you their certificate
via a signed email and once you have added their Digital
IDs to your Address Book.
- How to add a Digital ID to your address book - Outlook
2000
To send someone an encrypted message, you need a copy of
that person's digital ID.
Have the person send you a digitally signed message. When
you receive the message, follow these steps:
Open the digitally signed message.
Right-click the name in the "From"
field, and on the shortcut menu click "Add To Contacts".
If you have an entry for this person
on your contacts list, click "Update This Address".
The digital ID is stored with
your contact entry for this person. You can now send encrypted
e-mail messages to this person. To view the certificates
for a contact, double-click the person's name, and then
click the Certificates tab.
- How to sign email in Outlook 2002
Follow these instructions to send a digitally signed email
message:
Open a new message.
On the View menu, click Options.
Click to select the Add digital signature
to outgoing message check box, and then click Close.
Complete and send the message.
Follow these instructions
to send encrypted email:
Open a new message.
On the View menu, click Options.
Click to select the Encrypt message
contents and attachments check box, and then click Close.
Complete and send the message.
Note: To send someone an encrypted
message, you need a copy of that person's digital ID in
your address book.
- How to add a Digital ID to your address book - Outlook
2002
To send someone an encrypted message, you need a copy of
that person's digital ID.
Have the person send you a digitally signed message, and
then use the following steps when you receive the message:
Open the digitally signed message.
Right-click the name in the "From"
field, and then click "Add To Contacts" on the
shortcut menu.
If you have an entry for this person
on your contacts list, click "Update This Address".
The digital ID is stored with
your contact entry for this person. You can now send encrypted
messages to this person.
- I get an error when I send encrypted mail to myself
using Outlook 2000.
This error is caused by an implementation error in Outlook;
there is no complete explanation as to why the error occurs.
To send yourself encrypted
email you have to add yourself to your personal address
book with these instructions:
Send yourself a signed message
Right click on your name in the "From:"
field, and select "Add to personal
address book"
This does not affect the security
of the email sent.
- When importing my certificate in Outlook, I get asked
for my key set files?
You do not need to import your certificate into Outlook.
It is installed and stored in Internet Explorer.
Once installed in IE, you then enable the certificate in
Outlook.
- Using Outlook 2000, I can't
view signed or encrypted email in the Preview Pane.
When sending email, select "Send Clear Text Signed"
and "Add digital signature to message" from your
Options > Security menu. This seems to fix the problem.
- Outlook 2000 does not allow
me to send encrypted mail, even though I can send signed
mail.
This error is caused by an implementation error in Outlook;
there is no complete explanation as to why the error occurs.
To send yourself encrypted
email you have to add yourself to your personal address
book with these instructions:
Send yourself a signed message
Right click on your name in the "From:"
field, and select "Add to personal
address book"
This does not affect the security
of the email sent.
- Error: "Your key set cannot be found by the
underlying security system", when I send or receive
signed or encrypted messages in Outlook 2000.
According to Microsoft Knowledge Base article Q195670,
the cause of this error is one of the following:
You pressed ESC at the Windows Logon dialog box and so failed
to log on to Windows.
You deleted your Windows Password file (*.pwl). Outlook uses
this file as part of the security key set. If you fail to
log on to Windows or delete the password file, the key set
is incomplete and you will not be able to use your security
certificate.
In order to resolve this error,
read the Microsoft Article Q195670, which can be found at
the following URL:
http://support.microsoft.com/support/kb/articles/Q195/6/70.ASP
- Error: "Your digital ID name cannot be found
by the underlying security system"
This behaviour can occur if your digital ID is damaged or
corrupted. It can also occur if your digital ID is set up
in a single Microsoft Windows 95 or Microsoft Windows 98
profile environment, and multiple user profiles with a domain
log on are enabled. The default computer profile has full
access to the digital ID, but other profiles for Windows
cannot use it.
Resolution can be found in
the following Microsoft Knowledge Base article:
http://support.microsoft.com/support/kb/articles/Q258/5/27.ASP
- Error: "This message cannot be secured using
the selected security settings"
This error may occur if you have more than one email
address on a certificate or if the certificate has not been
enabled in Outlook correctly.
It is necessary to request
a certificate for each individual email address.
The certificate can be requested at the following url:
Read the Microsoft Article
at the following url: http://support.microsoft.com/support/kb/articles/Q195/6/70.ASP
- Error: "The Certificate Revocation List needed
to verify the signing certificate is either unavailable
or it has expired"
This error occurs because the certificate is being checked
against a CRL (certificate revocation list). That CRL cannot
be found, is corrupted, or is unavailable. The certificate itself
may be valid, but since it is unable to get a verified response
from the CRL, the certificate appears to be invalid.
The command listed below tells
the machine not to check against the CRL, thus avoiding
the warning message altogether.
Please see Microsoft's instructions
on how to disable this function:
http://support.microsoft.com/support/kb/articles/Q249/7/80.ASP
- Contact Information:
Office:
Information Technology Support Group
Security Services Division
McAlester, Oklahoma 74501
Sales & Information:
(918) 426-6887
E-Mail Contact
Service & Support:
(918) 426-6887
Fax:
(918) 426-6887