Article ID: 2142236 - View products that this article applies to.
When sending an encrypted message from Microsoft Office Outlook 2010 to a recipient using a third-party email client, such as Lotus Notes, Entrust, SeaMonkey, or Thunderbird, the recipient may not be able to read the encrypted message. In the case of the Thunderbird email client, it may display the following message in the body of the message when they open it:
The Thunderbird client may display the following warning:
Also, Microsoft Entourage 2008 (included in Microsoft Office 2008 for Mac) and Microsoft Outlook 2011 for Mac may be unable to decrypt email messages sent from Outlook 2010. You may see the following error on Outlook 2011 for Mac:
The Cryptographic Message Syntax (CMS) is documented in RFC 5652. That specification allows using either the subjectKeyIdentifier or issuerAndSerialNumber as the SignerIdentifier. The release (RTM) version of Outlook 2010 uses subjectKeyIdentifier as the SignerIdentifier, whereas earlier versions use issuerAndSerialNumber. If the subjectKeyIdentifier extension is not defined in the certificate, Outlook 2010 RTM generates one. Some email clients or third-party operating systems are unable to use the Outlook-generated subjectKeyIdentifier. This results in the recipient being unable to decrypt and read the message.
This issue is fixed in Microsoft Office 2010 Service Pack 1 (SP1). For more information, click the following article number to view the article in the Microsoft Knowledge Base:
After you install SP1, Outlook reverts to using issuerAndSerialNumber as the SignerIdentifier. This is true even if the subjectKeyIdentifier extension is present in the certificate.
To force Outlook to use subjectKeyIdentifier as the SignerIdentifier, set the UseIssuerSerialNumber registry value to 0 (Zero). The UseIssuerSerialNumber registry value is described in detail in the "Resolution" section.
Note Outlook 2013 behaves the same as Outlook 2010 SP1.
If you are unable to install Microsoft Office 2010 Service Pack 1, you can use the following workaround.
To fix this problem automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.
Fix this problem
Microsoft Fix it 50724
On the sender's client, use the following registry value to make Outlook 2010 revert to the behavior found in earlier Outlook versions.
Important This method contains steps that tell you how to modify the registry. However, serious problems may occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For more protection, back up the registry before you modify it so that you can restore the registry if a problem occurs. For more information about how to back up and then restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
By default, Microsoft Outlook 2013 uses issuerAndSerialNumber as the SignerIdentifier. This prevents the issue in the "Symptoms" section of this article from occurring.
The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Article ID: 2142236 - Last Review: September 11, 2013 - Revision: 15.0
Contact us for more help