Digital Signature Problem Revisited
Hello. I previously posted a question (and received a helpful answer) regarding digital signatures in this thread: http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/f9d20238-a6c0-433c-b328-555f46464f7e

Based on that answer, I set up a second CA system on our domain with an online self-signed root. I've attempted to issue Digital Signature certificates from this CA, but I'm still receiving the same error when I attempt to use the certificate to sign a document in Word 2007 on Windows 7 Enterprise: "Your signature could not be added to the document. If your signature requires a smart card, ensure that your card reader is installed correctly."

Certutil -verify output for the document signing cert is as follows:

C:\Users\user>certutil -verify C:\Users\user\Desktop\cert.cer
Issuer:
    CN=CA
    DC=school
    DC=edu
Subject:
    E=user@school.edu
    CN=LastName, FirstName
    OU=4325
    OU=4300
    OU=Users
    OU=BigOU
    DC=University
    DC=school
    DC=edu
Cert Serial Number: 1c0891bb000000000005

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 7 Hours, 17 Minutes, 7 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 7 Hours, 17 Minutes, 7 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=CA, DC=school, DC=edu
  NotBefore: 3/15/2010 11:10 AM
  NotAfter: 3/15/2011 11:10 AM
  Subject: E=user@school.edu, CN="LastName, FirstName", OU=4325, OU=4300, OU=Users, OU=FSA, DC=University, DC=school, DC=edu
  Serial: 1c0891bb000000000005
  SubjectAltName: Other Name:Principal Name=user@University.school.edu, RFC822 Name=user@school.edu
  Template: LU Document Signing
  d4 62 71 bc 0c d9 b5 6b e0 68 f4 9d 4f 1a fc a3 4e ae d9 a7
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  CRL 3d:
    Issuer: CN=CA, DC=school, DC=edu
    09 28 7a 85 9c e0 c5 89 29 2e 7f 8a 9d 91 ca 48 57 60 bc 2e
  Delta CRL 3e:
    Issuer: CN=CA, DC=school, DC=edu
    a8 32 e8 c9 34 1d 5b 33 e0 8e a3 d4 51 01 07 9b 29 90 af ca
  Issuance[0] = 1.3.6.1.4.1.311.21.8.4357558.16474036.1918878.4109104.11981914.22.1.401 Medium Assurance
  Application[0] = 1.3.6.1.4.1.311.10.3.12 Document Signing

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=CA, DC=school, DC=edu
  NotBefore: 2/14/2010 4:06 PM
  NotAfter: 2/14/2020 4:16 PM
  Subject: CN=CA, DC=school, DC=edu
  Serial: 3d1d92b5b59e7a8c4afbd863b8210e6a
  Template: CA
  c5 28 2b a7 6d 18 0e 1d b6 3b d8 cc a7 c0 34 71 a7 e6 7f 9e
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  10 50 11 6d fe 07 e9 d7 9c c1 50 b6 95 d6 0d c5 18 2e 0e b6
Full chain:
  70 a2 9d f0 03 ac d6 78 29 4c 42 0e b0 98 92 77 a7 94 28 d2
------------------------------------
Verified Issuance Policies: 1.3.6.1.4.1.311.21.8.4357558.16474036.1918878.4109104.11981914.22.1.401 Medium Assurance
Verified Application Policies: 1.3.6.1.4.1.311.10.3.12 Document Signing
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
March 15th, 2010 6:39pm

Does the client workstation on which you are trying to sign the document trust the CA certificate (is Windows able to verify your signing certificate if you double-click on it)? Also, have you tried signing in a non-MS Office application (e.g. Adobe Acrobat)? Does it work there?
March 15th, 2010 10:00pm

Hi, do you have the corresponding private key in your local profile? You can check by using certutil -store my 1c0891bb000000000005; you should see "Signature test passed". For more verbose output use certutil -v -store my 1c0891bb000000000005

Regards
Martin Rublik
March 16th, 2010 12:19pm

Yes, all machines joined to our domain trust the CA the certificate was issued from. Yes, I can sign documents in Adobe Acrobat Pro v9.
March 16th, 2010 4:33pm

Martin, this could be my problem, but I'm not sure why it would be happening. I can't think of a reason why the private key wouldn't be there. Output of that command is as follows:

CertUtil: -store command FAILED: 0x80090011 (-2146893807)
CertUtil: Object was not found.
March 16th, 2010 4:47pm

Try this instead: certutil -store -user my 1c0891bb000000000005

Paul Adare CTO IdentIT Inc. ILM MVP
March 16th, 2010 5:04pm

Which certificate template did you duplicate in order to create your certificate template?

Paul Adare CTO IdentIT Inc. ILM MVP
March 16th, 2010 5:11pm

Thanks, Paul. I get the full "Signature Test Passed" output when using that command.
March 16th, 2010 5:11pm

Is the certificate actually stored on a smart card or is it a software-based certificate? When you duplicated the certificate template, did you create a 2003 or 2008 version template?

Paul Adare CTO IdentIT Inc. ILM MVP
March 16th, 2010 5:30pm

It is a software-based certificate. I created a 2003 version template.
March 16th, 2010 5:32pm

Ok, what steps, exactly, are you using to attempt to sign the document, and where exactly in the process are you getting the error message? I've been able to get this to work with both a software based and smart card certificate. No issues.

Paul Adare CTO IdentIT Inc. ILM MVP
March 16th, 2010 5:38pm

I open Word 2007 with a new document. I add some gibberish text to the document. I save the document to my desktop. From the ribbon menu, I select "Prepare -> Add a Digital Signature" The "Sign" dialog appears and has the correct certificate selected by default. I click the "Sign" button. I receive the error "Your signature could not be added to the document. If your signature requires a smart card, ensure that your card reader is installed correctly."
March 16th, 2010 5:44pm

Can you run the following command and then paste the output that relates to the certificate you're trying to use: certutil -store -user my

Paul Adare CTO IdentIT Inc. ILM MVP
March 16th, 2010 6:03pm

BTW - I think you're rapidly approaching the point where your best bet is to open a case with PSS in order to get this resolved.

Paul Adare CTO IdentIT Inc. ILM MVP
March 16th, 2010 6:11pm

Paul, I'm working with a different certificate now than I was when I originally started this thread. I had revoked and reissued as a part of troubleshooting. But, here is the output you requested:

C:\Users\username>certutil -store -user my 10e857e8000000000006
my
================ Certificate 0 ================
Serial Number: 10e857e8000000000006
Issuer: CN=CA, DC=school, DC=edu
 NotBefore: 3/16/2010 9:53 AM
 NotAfter: 3/16/2011 9:53 AM
Subject: E=username@school.edu, CN=LastName, FirstName, OU=4325, OU=4300, OU=Users, OU=FSA, DC=University, DC=school, DC=edu
Non-root Certificate
Template: SchoolDocumentSigning, School Document Signing
Cert Hash(sha1): c1 1b d7 cb 59 37 1d c9 a4 9b 90 3d 70 b3 c8 60 78 d0 c2 f7
  Key Container = 9b97923f148d8e80a9367c602b2aee65_d1ec4be0-d847-4b88-aba6-de2f92953a2e
  Simple container name: le-SchoolDocumentSigning-c52d5fa8-a57d-410f-b159-ab77df0d4de0
  Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Signature test passed
CertUtil: -store command completed successfully.
March 16th, 2010 6:21pm

This is about the only info I can find on the error that seems useful: http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.word.application.errors&tid=9cd63943-ca4f-4e7f-ab47-ad79c6df60f3&cat=&lang=&cr=&sloc=&p=1 But would that apply to certificates created with AD Certificate Services?
March 16th, 2010 6:47pm

Hi

1- Request a new certificate from your CA
2- Use your email address (the one you are using on that machine) [when you sign a certificate, you sign it using the account you are logged in with, this is the idea behind signing]
3- Install the issued certificate and make sure it is in your Certificate container under the certificate mmc (for the logged on user); this way the certificate is installed under your name, in your profile
4- Make sure your CA is a trusted publisher... how? (open Outlook, privacy options, trusted publisher. View the Trusted Publisher certificate and make sure you have no warning all the way up to the root)

Try signing again.

To remember: Always back up your certificates, always encrypt the (zipped, password protected) backup, store the backup offsite, and store the password in a very safe place. At last, shut down your CA and use your ICA to issue certificates.

Good luck
Hany Eskarous
March 19th, 2010 8:34am

Hi, I also get the same error msg when trying to sign any Office product document. I have my own CA, for which I installed the CRT from the local account in the trusted root CA, then issued a certificate to one of my computers on the network. I can still sign Adobe products, but when I go into the properties, it says my certificate is a part of an untrusted chain. "Not really sure how to fix that." I'm not really sure what to do; both of my certificates pass the test, and the issued cert to my computer does have a valid CRL and also an Authority Info Access. Any help would be greatly appreciated. Thanks.
April 29th, 2010 9:19am

Issue resolved. For the certificate template I created I had selected both "Microsoft Enhanced Cryptographic Provider v1.0" and "Microsoft Enhanced RSA and AES Cryptographic Provider" as available CSPs. Windows XP clients could only enroll using the former. Windows Vista and Windows 7 clients were able to enroll using either, but as the site always defaulted them to the MSE RSA/AES CSP, this is what they all used. My XP users could successfully use the certificates issued to them to sign documents in Office 2007. My Vista/7 users (including myself) received the error that I originally posted when attempting to sign documents in Office. All users were able to sign documents in other applications. I enrolled for a new certificate on Windows 7, but this time selected the MSECP v1.0 CSP and installed the new certificate. I was then able to successfully sign documents in Office 2007. Therefore, it would appear that Office 2007 is not compatible with certificates issued using the MSE RSA/AES CSP.
May 21st, 2010 12:05am
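The checks the thread converges on (is the private key in the current user's profile, and which CSP holds it) can be scripted so that a helpdesk can run one command on a user's workstation instead of reading certutil output by hand. The script below is an added example and is not code from the thread or from any of its posters; it reads the current user's personal store, keeps only certificates carrying the Document Signing EKU OID shown in the certutil -verify output above (1.3.6.1.4.1.311.10.3.12), and flags the provider name that the resolution post found Office 2007 could not sign with. The function name Get-DocSigningCertReport and the fallback to certutil for keys whose provider .NET does not expose are my own choices.

```powershell
# Added example, not code from the thread. Inventory the current user's
# document-signing certificates, confirm a private key is present, and report
# which CSP holds it. The thread's resolution was that certificates enrolled
# with "Microsoft Enhanced RSA and AES Cryptographic Provider" failed in
# Office 2007 while "Microsoft Enhanced Cryptographic Provider v1.0" worked,
# so that provider name is flagged.
function Get-DocSigningCertReport {
    param(
        # Document Signing EKU, as seen in the certutil -verify output above
        [string]$DocSigningEku = '1.3.6.1.4.1.311.10.3.12',
        # Provider name the thread found incompatible with Office 2007 signing
        [string]$SuspectProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    )

    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_

        # Collect the EKU OIDs; skip certificates not intended for document signing
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ekus -notcontains $DocSigningEku) { return }

        # Work out which provider holds the key. For CAPI keys $cert.PrivateKey is an
        # RSACryptoServiceProvider whose CspKeyContainerInfo names the CSP; for CNG or
        # smart-card keys it may be $null, so fall back to the certutil line the thread
        # itself used ("Provider = ...").
        $provider = 'unknown'
        if ($cert.HasPrivateKey) {
            $key = $null
            try { $key = $cert.PrivateKey } catch { }
            if ($key -and $key.CspKeyContainerInfo) {
                $provider = $key.CspKeyContainerInfo.ProviderName
            } else {
                $line = certutil -store -user my $cert.SerialNumber 2>$null |
                    Select-String -Pattern '^\s*Provider = (.+)$' |
                    Select-Object -First 1
                if ($line) { $provider = $line.Matches[0].Groups[1].Value.Trim() }
            }
        }

        [pscustomobject]@{
            Subject        = $cert.Subject
            SerialNumber   = $cert.SerialNumber
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            Provider       = $provider
            Office2007Risk = $(
                if (-not $cert.HasPrivateKey) { 'no private key in this user profile' }
                elseif ($provider -eq $SuspectProvider) { 'CSP the thread found Office 2007 cannot sign with' }
                else { 'none known' }
            )
        }
    }
}

# Run as the user who will be signing; the store is per-profile, which is why
# "certutil -store my" (machine store) failed earlier in the thread while
# "certutil -store -user my" succeeded.
Get-DocSigningCertReport | Format-Table -AutoSize -Wrap
```

Run it in the signing user's own session, not an elevated admin shell, because Cert:\CurrentUser\My is the profile the earlier "-user" flag made the difference on. A row with HasPrivateKey set to False reproduces the "Object was not found" situation from earlier in the thread; a row flagged on Provider reproduces the condition described in the resolution, and re-enrolling with the v1.0 CSP selected is the fix the thread arrived at.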

I have the same problem occurring in Word (can't sign), BUT... I am not the issuer of my certificate. It is issued by a CA, and I can't simply reissue it. Moreover, I get this:

C:\Users\Zoran Babi>certutil -store -user my 3f1d6119
my
================ Certificate 1 ================
Serial Number: 3f1d6119
Issuer: OU=RDC, O=FINA, C=HR
 NotBefore: 29.7.2008. 8:25
 NotAfter: 29.7.2010. 8:55
Subject: CN=ZORAN BABI 0.7668.8558.4, OU=OSOBNI, OU=RDC, O=FINA, C=HR
Non-root Certificate
Template:
Cert Hash(sha1): bd 33 cf 3a 84 6f 3c cd 20 01 4f 67 6a 01 ec ba 24 01 e7 a8
  Key Container = {46374E66-F87E-4EDA-A61F-7EEB8D6A05E7}
  Provider = ActivClient Cryptographic Service Provider
Private key is NOT exportable
ERROR: Could not verify certificate public key against private key
CertUtil: -store command completed successfully.

MS doesn't know anything about this, saying the issue has nothing to do w/ them... Anyone?
June 16th, 2010 10:51am

Hello ZoranB, I'm having the same issue; the private key is on the HSM card (SafeNet) and is set to not exportable. Have you found a solution?

steve.
July 21st, 2010 12:05pm
