
DieterTontsch-0908 asked DieterTontsch-0908 edited

S/MIME encryption: which public key of the recipient was used?

Does anyone know of a way to figure out which public key (certificate) Outlook used to encrypt mail for a certain recipient?
The situation is that we are using AD-integrated certificates and one user has 4 published certificates linked to his AD object. Now another user from our organization (Outlook/Active Directory/Exchange on-prem) just sent an email with S/MIME via Outlook to this recipient, and we'd like to figure out which certificate (of the 4) his Outlook used to encrypt the mail. Because if any other user sends an encrypted message to this recipient, the certificate with the longest validity is used and the recipient can open this mail just fine. He cannot do this for the email from my first sender.

kind regards,
Dieter

Tags: windows-active-directory, office-exchange-server-mailflow, office-itpro

AndyDavid answered

Evgenij-Smirnov answered DieterTontsch-0908 commented

And on another note: Does the problematic sender, by any chance, have the recipient stored as contact in Outlook? If that contact has a certificate stored in it, chances are it will get used.


Thanks for that hint, but I am aware of this and I checked it: the sender has no contact for this recipient in Outlook. Everything comes from the AD GAL.

DieterTontsch-0908 answered GaryNebbett commented

Thanks, this is quite sophisticated; we are trying to figure it out based on that. But this definitely helps. It would have been nicer if there were some possibility to check the recipient's certificate within the email, though.


Hello @DieterTontsch-0908,

I may be missing some important point, but can't you just click on the "padlock" symbol on the received message and navigate through the dialogs to the certificate?

Gary

113860-image.png

DieterTontsch-0908 answered

OK @GaryNebbett,

you are partially right. If the recipient is able to open the email, he/she will be able to see, the way you described it, which certificate was used to encrypt. As the sender, e.g. in Sent Items, I do not see this option. There I can only see my own certificate, i.e. the sender's.

But what if the recipient, due to a missing matching certificate, or rather the missing private key of the certificate used, cannot open that email for verification? Or can he? I don't see a chance to verify an encrypted email as long as I don't have the matching private key for it, as a recipient.

And again, as the sender of this email I do not know which certificate I used to encrypt for this particular recipient. That is my problem. But still, your post helped me. I had overlooked this. I knew about this padlock, but I always thought it only shows information about the sender.

cheers,
Dieter

GaryNebbett answered DieterTontsch-0908 edited

Hello @DieterTontsch-0908,

If the easy way does not work, you could try the hard way - this should work for both the sender (message in Sent Items) and the recipient.

The Transport Message Headers of the message will probably contain lines like:

 Content-Type: application/pkcs7-mime;
  smime-type=enveloped-data;
  name="smime.p7m"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment;
  filename="smime.p7m"

The first step is to export the smime.p7m attachment to a file. That is easier said than done, since Outlook does not seem to provide such a function; I use MFCMAPI:

113878-image.png

The saved file (smime.p7m) is a PKCS #7 enveloped-data, DER-encoded binary blob (the base64 encoding is decoded when saving the data). Just use your favourite ASN.1 dumper (or perhaps simply certutil -asn smime.p7m) to see its contents, which identify the recipient certificate via its issuer and serial number.

Gary

Brilliant, this works. Even though it's quite complicated, once one knows how to handle it, it works.
Maybe one thing to mention: with certutil -asn smime.p7m it's really hard to find the required information about the certificates, especially if you don't know where to look. With the command certutil smime.p7m | findstr Serial you filter out only the serials, and from there it is an easy task to figure out the certificate in charge.

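A scripted version of the "hard way" described in Gary's answer and Dieter's certutil/findstr follow-up, added here as an example; it is not code from either post. It reads the smime.p7m exported with MFCMAPI, lists the issuer and serial number (or subject key identifier) from every RecipientInfo in the CMS EnvelopedData without needing any private key (so it works on the sender's Sent Items copy and on a recipient who cannot decrypt), and then matches those identifiers against the certificates published in the recipient's AD userCertificate attribute. The file path, the sAMAccountName, the use of Windows PowerShell 5.1 and the presence of the ActiveDirectory RSAT module are assumptions.

```powershell
# Added example (not from the original thread). Assumptions: smime.p7m was
# exported with MFCMAPI, the recipient is an AD user with certificates
# published in userCertificate, RSAT ActiveDirectory module is installed,
# Windows PowerShell 5.1.
param(
    [string]$P7mPath   = '.\smime.p7m',   # exported attachment (assumed path)
    [string]$Recipient = 'jdoe'           # recipient sAMAccountName (assumed)
)

Add-Type -AssemblyName System.Security

function Get-EnvelopedRecipientIds {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # MFCMAPI writes the decoded DER (first byte 0x30 = ASN.1 SEQUENCE). If the
    # body was saved while still base64-encoded, decode it first.
    if ($bytes[0] -ne 0x30) {
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        $bytes = [Convert]::FromBase64String($text)
    }
    # Decode() only parses the EnvelopedData structure; it does not touch any
    # private key, so no matching certificate has to be present on this machine.
    $cms = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $cms.Decode($bytes)
    foreach ($ri in $cms.RecipientInfos) {
        $id = $ri.RecipientIdentifier
        switch ($id.Type) {
            ([System.Security.Cryptography.Pkcs.SubjectIdentifierType]::IssuerAndSerialNumber) {
                [pscustomobject]@{
                    Type   = 'IssuerAndSerialNumber'
                    Issuer = $id.Value.IssuerName
                    Serial = $id.Value.SerialNumber.ToUpperInvariant()
                    Ski    = $null
                }
            }
            ([System.Security.Cryptography.Pkcs.SubjectIdentifierType]::SubjectKeyIdentifier) {
                # CMS also allows referencing the certificate by its SKI extension.
                [pscustomobject]@{
                    Type   = 'SubjectKeyIdentifier'
                    Issuer = $null
                    Serial = $null
                    Ski    = ([string]$id.Value).ToUpperInvariant()
                }
            }
        }
    }
}

function Get-PublishedCertificates {
    param([string]$SamAccountName)
    # userCertificate holds the DER bytes of each certificate published to AD.
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    foreach ($raw in $user.userCertificate) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    }
}

function Find-UsedCertificate {
    param($RecipientIds, $Certificates)
    foreach ($cert in $Certificates) {
        $skiExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] } |
            Select-Object -First 1
        foreach ($id in $RecipientIds) {
            # Serial number is unique per issuing CA; the issuer is printed below
            # so it can be confirmed by eye against the RecipientInfo output.
            $bySerial = $id.Type -eq 'IssuerAndSerialNumber' -and $id.Serial -eq $cert.SerialNumber
            $bySki    = $id.Type -eq 'SubjectKeyIdentifier' -and $skiExt -and
                        $id.Ski -eq $skiExt.SubjectKeyIdentifier.ToUpperInvariant()
            if ($bySerial -or $bySki) { $cert }
        }
    }
}

$ids = Get-EnvelopedRecipientIds -Path $P7mPath
Write-Host "RecipientInfos in $P7mPath (this list also contains the sender's own certificate):"
$ids | Format-Table -AutoSize

$certs = Get-PublishedCertificates -SamAccountName $Recipient
$used  = Find-UsedCertificate -RecipientIds $ids -Certificates $certs
if ($used) {
    Write-Host "Published certificate(s) of ${Recipient} this message was encrypted to:"
    $used | Select-Object Subject, Issuer, SerialNumber, Thumbprint, NotBefore, NotAfter | Format-List
} else {
    Write-Host "No certificate currently published for ${Recipient} is referenced by this message."
}
```

The RecipientInfos table is the machine-readable equivalent of the `certutil smime.p7m | findstr Serial` filter: one entry per recipient certificate Outlook encrypted the content key to, including the sender's own. The second half answers the original question directly by reporting which of the recipient's published certificates (with its validity period) that entry corresponds to; if none matches, the sender encrypted to a certificate that is no longer published in AD, which is worth checking on the sending client.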