13 March 2012 19:17
We have S/MIME certificates assigned to every employee via Active Directory and they are using them successfully to sign and encrypt emails. We'd like to use the same certificates to digitally sign InfoPath forms. However, when we sign the form (via the browser) with the S/MIME certificate, we get an error "Revocation Status Unknown".
I'm not seeing the same error when I open the same digitally signed form in InfoPath Designer.
I'm trying to figure out which application is having the issue validating the digital signature. Is it the SharePoint Server, the InfoPath Service, the local browser (IE v8), the local OS - there are multiple areas but it's unclear who is reporting the error.
Analyzing the HTTP traffic via Fiddler appears to point to Sharepoint or the InfoPath service.
The Sharepoint server has the root certificate for the company installed and trusted.
15 March 2012 10:58 Moderator
16 March 2012 00:39
I have nailed this down to the Section Control with Digital Signatures enabled. If we use the Signature Line Control (but that forces the form into InfoPath "client" not the browser) the digital signature doesn't have any issues.
More testing forthcoming.
19 March 2012 17:29
Thank you for the additional information. If you are using SharePoint 2010, then I also want to make sure you are aware of the following:
- The Root Certification Authority for your users' certificates *must* reside in the Trusted Root Certificate Authorities store on *each* web front end for *both* the "Current User" and "Local Computer" certificate stores.
- That same Root Certification authority certificate needs to be added to the SharePoint Manage Trust: Central Administration | Security | Manage Trust - Click New and select the certificate for the Root Certification Authority. ** This is new for SharePoint 2010 **
Not sure if this will help you but I wanted to make sure you were aware.
Look forward to your update!
Scott Heim - Microsoft Office InfoPath and SharePoint Designer Online Community Support
3 April 2012 03:47
Ok....
I exported the Corporate specific Root Certificates and imported them using Central Admin on one of our Development Servers. This did not solve the Revocation Status Unknown error.
I may not have installed the certs correctly. I exported from the Certificate Store, and then used that to import. If I should try an alternate route, please let me know.
The Corporate Root Certificate is in the Local Machine Certificate Store - which local user account should I check? The Farm Admin account? Or SharePoint Admin Account? Application Pool Account?
Any other ideas welcome.
3 April 2012 03:50
P.S. Is there any tool or process to debug the chain of trust with this? It's a total black box right now, and I don't see any way to control input and output to see what's happening.
P.P.S. The Corporate Certs installed are the Corporate Root CA Certs, but the S/MIME certificates were created by a CA that is subordinate to the Root CA (e.g. User CA).
Root CA -> User CA -> s/MIME Certificate
The Root CA is installed on the OS and Central Admin for the Server hosting Sharepoint and InfoPath. Do we need the User CA installed too??
- Edited by APB-IT 3 April 2012 03:59
12 April 2012 17:38
What do I need to do to "reactivate" interest in this question?
I've attempted the recommended cert import without success. I'm curious as to the need for an additional cert to be imported - see rest of message thread.
5 July 2012 14:12
"- That same Root Certification authority certificate needs to be added to the SharePoint Manage Trust: Central Administration | Security | Manage Trust - Click New and select the certificate for the Root Certification Authority. ** This is new for SharePoint 2010 **"
Actually it doesn't, at least not always. We are experiencing the same issue on our production and test servers; however, I have a VM test server set up. It is its own domain, ADUC and ADCS server. It does not have anything but "Local" in Managed Trusts, which was placed there by default. I do not have any issue with the VM test server. We also had both physical servers working up until about three weeks ago.
I have noticed that when exporting the certificate and running a certutil -verify <certificate name> that it returns "Revocation check skipped -- server offline". However, I can download the certificate, and the CS administrators claim that it is "online". Another thing I noticed on our machines is that the Next Update date of the CRL has passed. Again, CS admins claim everything is fine.
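The thread asks twice for a way to see inside the "black box" of chain building (the question about which stores to check in the 3 April post, and the certutil observation above). The following PowerShell script is an added diagnostic, not code from any poster or from Microsoft; it is meant to be run on each web front end, ideally under the application pool identity, since the "Current User" store named in the 19 March post is per account. It assumes the S/MIME certificate has been exported (public part only) to a placeholder path `C:\temp\user.cer`. It builds the chain with .NET's `X509Chain` using online revocation checking for the entire chain, prints every status flag per chain element (this is where `RevocationStatusUnknown` or `OfflineRevocation` would appear), prints each certificate's CRL Distribution Point so the URL can be tested from the server itself, and finally checks whether the root that the chain resolved to is present in both the LocalMachine and CurrentUser Root stores.

```powershell
# Added example, not part of the original thread.
# Assumption: the user's S/MIME certificate (public part) was exported to this placeholder path.
param(
    [string]$CertPath = 'C:\temp\user.cer'
)

Add-Type -AssemblyName System.Security

# Build the chain the way the OS does, forcing an online revocation check for every
# element, and report each status flag with the OS's own explanation text.
function Test-ChainRevocation {
    param([string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode       = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag       = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout  = New-TimeSpan -Seconds 30

    $ok = $chain.Build($cert)
    Write-Output ("Chain builds without errors: {0}" -f $ok)

    foreach ($el in $chain.ChainElements) {
        Write-Output ("  {0}" -f $el.Certificate.Subject)
        foreach ($s in $el.ChainElementStatus) {
            # Status values such as RevocationStatusUnknown / OfflineRevocation / PartialChain
            Write-Output ("     -> {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
        # CRL Distribution Points extension (OID 2.5.29.31): the URL the server must be
        # able to reach; a blocked or stale CDP is a common cause of "status unknown".
        $cdp = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp) { Write-Output ("     CDP: {0}" -f $cdp.Format($false).Trim()) }
    }
    return $chain
}

# Confirm the resolved root sits in the Root store of BOTH certificate store locations,
# as the 19 March post requires for SharePoint 2010 web front ends.
function Test-RootPresent {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Root)

    foreach ($loc in 'LocalMachine', 'CurrentUser') {
        $found = Get-ChildItem "Cert:\$loc\Root" | Where-Object { $_.Thumbprint -eq $Root.Thumbprint }
        Write-Output ("{0,-13} Root store: {1}" -f $loc, $(if ($found) { 'present' } else { 'MISSING' }))
    }
}

$chain = Test-ChainRevocation -Path $CertPath
# The last element of a fully built chain is the root; if the chain is partial
# (intermediate "User CA" not found via store or AIA) this will be the highest CA found.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Test-RootPresent -Root $top
```

Read the output from the top down: a `PartialChain` flag on the user certificate means the intermediate (the "User CA" in the thread) could not be located from the Intermediate Certification Authorities store or its AIA URL, which is a separate problem from revocation. A `RevocationStatusUnknown` or `OfflineRevocation` flag on a specific element tells you which CA's CRL the server could not fetch or found expired, and the printed CDP is the URL to test from that server with the same proxy settings the application pool identity uses. The same information is available from the command line with `certutil -verify -urlfetch user.cer`, which, unlike plain `certutil -verify`, actively downloads the CRL and AIA objects and reports each fetch.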