Enabling Secure Business Operations

Simple CAPI

Have you ever tried to open a digitally signed e-mail and been greeted with a message like this one:

Signature: Invalid

It doesn’t really tell you much about why Outlook doesn’t like the signature. In almost all cases, this type of error is shown because of a problem with the signer’s digital certificate. It can also occur if the message was tampered with, although this is a rare case. But, it would be nice to know for sure why the signature isn’t valid. Enter Simple CAPI, a free tool available from us nice folks at Gemini Security Solutions. This tool can help you figure out just what is going wrong with that certificate.

Step 1:  Locate the certificate in the CAPI stores

Simple CAPI allows you to diagnose problems with certificates that are present in your Windows certificate store. For secure e-mail, other users’ certificates will typically be located in the Other People container, with the store type set to User Store. Select these options in the main Simple CAPI window, and find the user’s certificate in the list.

Simple CAPI certificate selection

With the certificate selected, press the Validate Certificate button at the bottom of the window.

Step 2: Specify Validation Parameters

The certificate validation screen presents some options for the validation process. The default options should be selected, as these options are what programs like Outlook typically use when they validate certificates. You can also disable revocation checking by selecting NoCheck from the Revocation Mode drop-down list, although this may lead to incomplete validation results.

Validate Certificate Dialog

Click the Build button to check the certificate path for errors.

Step 3: View Results

The certificate path building operation may take a few minutes, depending on the size of the revocation information that the application needs to download. Once the certificate path is checked, the results of the validation operation are presented. In this particular case, Simple CAPI has returned the error “A required certificate was not within its validity period when verifying against the current system clock or the timestamp in the signed file”. This error appears under the user’s certificate – telling us that the e-mail signature was found to be invalid because the certificate was expired.

Signature Validation Results

If the Simple CAPI validation tool finds no errors with the certificate, then it’s possible that the data in the original message was changed or corrupted.  If you still need some help figuring out why a particular certificate is failing, though, contact us and maybe we can help!
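The same three steps can be scripted from PowerShell with the .NET X509Chain class, which drives the CAPI chain engine that Outlook uses. This is an added example, not Simple CAPI’s own code; the signer’s subject name is a placeholder, and the Other People store is addressed by its internal name AddressBook.

```powershell
# Added example: reproduce Simple CAPI's Step 1-3 with .NET's X509Chain.
param(
    [string]$Subject   = 'CN=Signer Placeholder', # assumed: the signer's subject DN
    [string]$StoreName = 'AddressBook'            # "Other People" in the UI
)

# Step 1: locate the signer's certificate in the current user's Other People store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'CurrentUser')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with subject '$Subject' in CurrentUser\$StoreName" }

# Step 2: validation parameters matching the dialog's defaults: online revocation
# checking over the entire chain, evaluated against the current system clock.
# Set RevocationMode to 'NoCheck' to reproduce the dialog's NoCheck option.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode   = 'Online'
$chain.ChainPolicy.RevocationFlag   = 'EntireChain'
$chain.ChainPolicy.VerificationTime = Get-Date

# Step 3: build the path and print the status under each certificate in it.
# An expired signer shows the NotTimeValid flag under its own entry, which is the
# "not within its validity period" error the article describes.
$ok = $chain.Build($cert)
foreach ($element in $chain.ChainElements) {
    $element.Certificate.Subject
    foreach ($status in $element.ChainElementStatus) {
        '    [{0}] {1}' -f $status.Status, $status.StatusInformation.Trim()
    }
}
if ($ok) {
    'Chain built with no errors; if Outlook still reports Invalid, suspect altered message content.'
}
```

Because Build downloads CRLs or queries OCSP when RevocationMode is Online, it can take as long as the Simple CAPI dialog does; a NotTimeValid or Revoked status on the signer explains the Outlook error without any further digging.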

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!
