Digital Signature with SuiteA cert from SuiteB-CA
I set up my ECC-enabled Certification Authority (CA) on Win2008R2 to sign with ECDSA/SHA256, and have both 2003 and 2008 templates. The 2003 smartcard-user certificates can successfully do WinLogon on Win-7, but Outlook 2010 gave an error when attempting to use the cert for digital signature (email signing). (I suspect the CA signature, which is ECDSA, is giving a problem on the RSA-based cert template.) Is there a way around this? Or is this forbidden?

More info: I duplicated the smartcard-user template on the ECC-enabled CA and selected the 2003 option, so it gives only RSA crypto. I have a second duplicate labeled smartcarduser_ecc with the 2008 option and ECDSA/SHA256 crypto. I issued certificates from both templates successfully. The ECC cert will sign email in Outlook 2010, while the 2003 RSA cert will not sign email (only WinLogon). I have not tested WinLogon with the ECC cert yet (no suitable smartcard).
February 23rd, 2012 5:15pm

I seem to have narrowed it down: the RSA certs that used Microsoft as CSP, not going to the smartcard, are successfully used by Outlook to sign email. Only the RSA certs whose key pair originated from the smartcard have a problem in Outlook when signing the email. The error is "Insufficient memory to perform the function". But that error does not tell the whole truth. The smartcard does not support ECC, but the issuer CA uses ECC for its own signature on the cert. That may be causing the smartcard problem even though it generated the requested RSA key pair. I need some experts in what goes on in the smartcard to correct or confirm me on this.
February 23rd, 2012 6:34pm

Just to recap, if I understand correctly you actually have this scenario: ECC-RootCA ---> ECC-SecureEmailCert (template v2008 => CNG storage on the client) ---> RSA-SecureEmailCert (template v2003 => CSP storage on the client)

a) I have found the following article, http://technet.microsoft.com/en-us/library/cc179125.aspx, which does not say anything about ECC at all. RSA/AES/SHA-2 are mentioned, but nothing about ECC. Maybe ECC is not completely supported in Outlook at all.

b) You may be right; the problem may be the smart card (you did not say what smart card exactly and what CSP/CNG provider it uses; you can see this information in the output of the CERTUTIL -SCINFO command).

c) Because the problem may be either the smart card (its firmware) or the CSP/CNG provider that the smart card is using, I would go for issuing the two certificates into a pure software CSP/CNG: just create new templates with the SecureEmail purpose only, and test the email with these certificates (ideally, for the test purposes, prior to the trials, remove the smart card from the computer and delete all the pre-existing certificates from your user's certificate store, IF YOU DO NOT LOSE ANYTHING REALLY IMPORTANT!!!, so that nothing interferes with the newly issued certificates). Many clients also select certificates in a rather automatic way, so I would test in turns, issuing only one of the certificates at a time, trying and deleting it again.

ondrej.
February 24th, 2012 3:17am
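The following is an added diagnostic, not part of Ondrej's reply or the thread. It walks the user's personal store and, for each certificate, prints the algorithm the issuer used to sign it (the CA's algorithm, e.g. sha256ECDSA), the subject key type (e.g. RSA), and which provider holds the private key: a legacy CSP (what a 2003-style template produces) or a CNG key storage provider (a 2008-style template), with the provider name, which is what tells you whether the smart card's own code is on the signing path. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later; opening a smart-card key handle may trigger a PIN prompt with some card providers. Function names are my own.

```powershell
# Added example (not from the thread): flag certificates whose subject key
# algorithm differs from the algorithm their issuer signed them with, and
# report where each private key lives. Assumes Windows PowerShell 5.1 / .NET 4.6+.

function Get-PrivateKeyProvider {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'none' }
    # Legacy CSP keys (2003-style template) expose CspKeyContainerInfo.
    # For CNG-only keys this property is null or throws, hence the try/catch.
    try {
        $legacy = $Cert.PrivateKey
        if ($legacy -and $legacy.CspKeyContainerInfo) {
            $info = $legacy.CspKeyContainerInfo
            return ('CSP: {0} (hardware={1})' -f $info.ProviderName, $info.HardwareDevice)
        }
    } catch { }
    # CNG keys (2008-style template) come back as RSACng / ECDsaCng; .Key is the CngKey.
    $cng = $null
    switch ($Cert.PublicKey.Oid.FriendlyName) {
        'RSA' { $cng = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert) }
        'ECC' { $cng = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert) }
    }
    if ($cng -and $cng.Key) { return ('KSP: {0}' -f $cng.Key.Provider.Provider) }
    return 'unknown'
}

function Test-MixedAlgorithmCert {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # SignatureAlgorithm is the ISSUER's algorithm (e.g. sha256ECDSA);
    # PublicKey.Oid is the SUBJECT's key type (e.g. RSA). The two are independent,
    # which is exactly the SuiteB-CA / SuiteA-cert combination from the question.
    $sig = $Cert.SignatureAlgorithm.FriendlyName
    $key = $Cert.PublicKey.Oid.FriendlyName
    $mixed = ($sig -match 'ECDSA' -and $key -eq 'RSA') -or ($sig -match 'RSA' -and $key -eq 'ECC')
    [pscustomobject]@{
        Subject       = $Cert.Subject
        IssuerSigAlg  = $sig
        SubjectKeyAlg = $key
        Mixed         = $mixed
        PrivateKey    = Get-PrivateKeyProvider -Cert $Cert
        Thumbprint    = $Cert.Thumbprint
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-MixedAlgorithmCert -Cert $_ } |
    Format-Table -AutoSize

# Which reader/card is attached and which CSP/KSP it maps to (Ondrej's suggestion):
certutil -scinfo
```

Read the output together: a row with IssuerSigAlg sha256ECDSA, SubjectKeyAlg RSA and a PrivateKey value naming the card's CSP is the combination the original poster is hitting; the same row with the Microsoft software CSP is the one that works in Outlook, so the difference to chase is the provider, not the certificate layout.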

Thanks Ondrej. We have already confirmed that the JCOP41 smartcard (which I am using) does not support the ECC FP protocol used in ECDSA and Suite B crypto. The question is: does email signing on the smartcard involve manipulating the issuer CA's signature in any way? If it does attempt to verify the CA signature (which is ECDSA/SHA256/AES, which the card does not have), then it will fail. If all the smartcard does is use the RSA private key (which was generated on the smartcard) to compute the digital signature of the email, it should not fail. But the certificate is involved; I suspect it most likely will verify the certificate issuer CA's signature.

p66272
February 24th, 2012 10:29am
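As an added example (not from p66272, Ondrej or the thread), the script below reproduces the exact algorithm mix under discussion in the Microsoft software KSP instead of the card: an ECDSA P-256 / SHA-256 CA issues an RSA-2048 secure-email certificate, the RSA key then produces a CMS (PKCS#7) signature, which is what S/MIME wraps, and the signature is verified on its own before the chain is built. The point it makes is that producing the CMS signature uses only the signer's private key; the CA's ECDSA signature is consumed only when a relying party builds and verifies the chain, which Windows does in software. Subject names and the message text are constructed for the example; it assumes Windows 10 / Server 2016 or later (for New-SelfSignedCertificate -Signer) and Windows PowerShell 5.1, and it removes the test certificates it creates.

```powershell
# Added example (not from the thread). ECC CA -> RSA leaf, in the software KSP,
# then CMS sign / verify / chain-build as three separate steps.
# Assumes Windows 10 / Server 2016+ and Windows PowerShell 5.1 (.NET Framework).
Add-Type -AssemblyName System.Security

$store = 'Cert:\CurrentUser\My'

# 1. ECDSA P-256 CA signing with SHA-256 (hypothetical name, software-only key).
$ca = New-SelfSignedCertificate -Subject 'CN=Test ECC CA' -CertStoreLocation $store `
    -KeyAlgorithm ECDSA_nistP256 -HashAlgorithm SHA256 -KeyUsage CertSign, CRLSign `
    -KeyExportPolicy NonExportable -Provider 'Microsoft Software Key Storage Provider' `
    -TextExtension '2.5.29.19={critical}{text}ca=1&pathlength=0' -NotAfter (Get-Date).AddDays(2)

# 2. RSA-2048 end-entity cert with the secure-email EKU (1.3.6.1.5.5.7.3.4), signed by the ECC CA.
$leaf = New-SelfSignedCertificate -Subject 'CN=Test RSA Signer' -CertStoreLocation $store `
    -Signer $ca -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature -KeyExportPolicy NonExportable `
    -Provider 'Microsoft Software Key Storage Provider' `
    -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.4' -NotAfter (Get-Date).AddDays(1)

# Subject key type and issuer signature algorithm are independent fields of the cert.
'Leaf: subject key = {0}, issuer signature = {1}' -f $leaf.PublicKey.Oid.FriendlyName,
    $leaf.SignatureAlgorithm.FriendlyName

# 3. Sign. This step uses only the leaf's RSA private key; the issuer's ECDSA
#    signature on the certificate is not read, hashed or verified here.
$bytes   = [Text.Encoding]::UTF8.GetBytes('signed mail body (constructed sample)')
$content = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$bytes)
$cms     = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $content, $false
$signer  = New-Object System.Security.Cryptography.Pkcs.CmsSigner -ArgumentList $leaf
$signer.DigestAlgorithm = New-Object System.Security.Cryptography.Oid '2.16.840.1.101.3.4.2.1'  # sha256
$signer.IncludeOption   = [System.Security.Cryptography.X509Certificates.X509IncludeOption]::EndCertOnly
$cms.ComputeSignature($signer, $true)   # $true = silent; with a card CSP this is where a PIN prompt would appear
$der = $cms.Encode()

# 4. Verify the CMS signature only (no chain building), as a mail client does first.
$check = New-Object System.Security.Cryptography.Pkcs.SignedCms
$check.Decode($der)
$check.CheckSignature($true)            # $true = verify signature only; throws on failure
'CMS signature OK: digest = {0}, signer key = {1}' -f $check.SignerInfos[0].DigestAlgorithm.FriendlyName,
    $check.SignerInfos[0].Certificate.PublicKey.Oid.FriendlyName

# 5. Only now is the CA's ECDSA signature exercised: building the chain to the ECC CA.
#    The test CA is not a trusted root, so only the untrusted-root status is tolerated.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$built = $chain.Build($check.SignerInfos[0].Certificate)
'Chain built: {0}; issuer element: {1}' -f $built, $chain.ChainElements[1].Certificate.Subject

# Clean up the test certificates and their keys.
Remove-Item "$store\$($leaf.Thumbprint)" -DeleteKey
Remove-Item "$store\$($ca.Thumbprint)" -DeleteKey
```

If step 3 succeeds against a software key but fails against the same certificate layout on the card, the fault is in the card's CSP/firmware path for the RSA operation, since the signing call itself never hands the issuer's ECDSA signature to the card; chain validation in step 5 is performed by the Windows chain engine with its own providers.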

This problem was resolved by the latest version of the CSP code for the smartcard; it signs email with the RSA key without the reported error.
March 22nd, 2012 1:27pm

