Some email clients unable to decrypt email sent from Outlook 2010


When sending an encrypted message from Microsoft Office Outlook 2010 to a recipient using a third-party email client, such as Lotus Notes, Entrust, SeaMonkey, or Thunderbird, the recipient may not be able to read the encrypted message. In the case of the Thunderbird email client, the following text may appear in the message body when the recipient opens the message:

Thunderbird cannot decrypt this message

The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key.

Possible solutions:

  • If you have a smartcard, please insert it now.
  • If you are using a new machine, or if you are using a new Thunderbird profile, you will need to restore your certificate and private key from a backup. Certificate backups usually end in ".p12".

The Thunderbird client may also display the following warning:

Message Security

Message Has No Digital Signature

This message does not include the sender's digital signature. The absence of a digital signature means that the message could have been sent by someone pretending to have this email address. It is also possible that the message has been altered while in transit over the network. However, it is unlikely that either event has occurred.

Message Cannot Be Decrypted

This message was encrypted before it was sent to you, but it cannot be decrypted. There are unknown problems with this encrypted message.

Also, Microsoft Entourage 2008 (included in Microsoft Office 2008 for Mac) and Microsoft Outlook 2011 for Mac may be unable to decrypt email messages sent from Outlook 2010. You may see the following error on Outlook 2011 for Mac:

The security of this message cannot be verified because of an error.


The Cryptographic Message Syntax (CMS) is documented in RFC 5652. That specification allows either subjectKeyIdentifier or issuerAndSerialNumber to be used as the SignerIdentifier. The release-to-manufacturing (RTM) version of Outlook 2010 uses subjectKeyIdentifier as the SignerIdentifier, whereas earlier versions use issuerAndSerialNumber. If the subjectKeyIdentifier extension is not defined in the certificate, Outlook 2010 RTM generates one itself. Some email clients or third-party operating systems are unable to use the Outlook-generated subjectKeyIdentifier, so the recipient cannot decrypt and read the message.
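To see which of the two RFC 5652 identifier forms a message actually carries, the following added example (not part of this article, and not Outlook code) decodes the start of a SignerInfo or KeyTransRecipientInfo with a minimal DER reader and also checks that the CMSVersion field agrees with the CHOICE that was used. The sample structures at the bottom are constructed here with placeholder key and identifier bytes.

```python
def der(tag, body):
    """Encode one DER TLV (one-byte tag, short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# CMSVersion that RFC 5652 requires for each identifier CHOICE (sections 5.3 and 6.2.1).
EXPECTED_VERSION = {
    "SignerInfo": {"issuerAndSerialNumber": 1, "subjectKeyIdentifier": 3},
    "KeyTransRecipientInfo": {"issuerAndSerialNumber": 0, "subjectKeyIdentifier": 2},
}

def identifier_form(info_der, kind):
    """Which identifier CHOICE a SignerInfo / KeyTransRecipientInfo uses, and whether
    its version field agrees with that choice (kind selects the expected versions)."""
    tag, body, _ = read_tlv(info_der)
    vtag, vval, pos = read_tlv(body)
    if tag != 0x30 or vtag != 0x02:
        raise ValueError("expected SEQUENCE { INTEGER version, ... }")
    version = int.from_bytes(vval, "big")
    itag, ival, _ = read_tlv(body, pos)
    if itag == 0x30:            # IssuerAndSerialNumber is a SEQUENCE
        form = "issuerAndSerialNumber"
    elif itag == 0x80:          # [0] IMPLICIT SubjectKeyIdentifier (an OCTET STRING)
        form = "subjectKeyIdentifier"
    else:
        raise ValueError("unrecognised identifier tag 0x%02x" % itag)
    return {"form": form, "version": version, "identifier": ival.hex(),
            "version_ok": version == EXPECTED_VERSION[kind][form]}

# Constructed sample structures (not real Outlook output): CN-only issuer Name, serial 1,
# rsaEncryption AlgorithmIdentifier, placeholder bytes for the encrypted key and the SKI.
ISSUER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Example CA"))))
ISSUER_AND_SERIAL = der(0x30, ISSUER + der(0x02, b"\x01"))
RSA_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
ENC_KEY = der(0x04, b"\x00" * 16)
SKI = der(0x80, bytes(range(20)))
RID_ISSUER_SERIAL = der(0x30, der(0x02, b"\x00") + ISSUER_AND_SERIAL + RSA_ALG + ENC_KEY)  # pre-2010 / SP1 form
RID_SKI = der(0x30, der(0x02, b"\x02") + SKI + RSA_ALG + ENC_KEY)                        # 2010 RTM form
RID_SKI_BAD_VERSION = der(0x30, der(0x02, b"\x00") + SKI + RSA_ALG + ENC_KEY)            # version/CHOICE mismatch
```

Running `identifier_form(RID_SKI, "KeyTransRecipientInfo")` reports the subjectKeyIdentifier form with version 2, while the third sample is flagged because its version does not match the CHOICE it carries.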


This issue is fixed in Microsoft Office 2010 Service Pack 1 (SP1). For more information, click the following article number to view the article in the Microsoft Knowledge Base: 

2460049 Description of Office 2010 SP1 

After you install SP1, Outlook reverts to using issuerAndSerialNumber as the SignerIdentifier. This is true even if the subjectKeyIdentifier extension is present in the certificate.

To force Outlook to use subjectKeyIdentifier as the SignerIdentifier, set the UseIssuerSerialNumber registry value to 0 (Zero). The UseIssuerSerialNumber registry value is described in detail in the "Resolution" section.

Note Outlook 2013 behaves the same as Outlook 2010 SP1.


If you are unable to install Microsoft Office 2010 Service Pack 1, you can use the following workaround.

To have us work around this problem for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me

To fix this problem automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard. 

Microsoft Fix it 50724

Note This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD so that you can run it on the computer that has the problem.

Let me fix it myself

On the sender's client, use the following registry value to make Outlook 2010 revert to the behavior found in earlier Outlook versions.

Important This method contains steps that tell you how to modify the registry. However, serious problems may occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For more protection, back up the registry before you modify it so that you can restore the registry if a problem occurs. For more information about how to back up and then restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

  1. Start Registry Editor.
  2. Locate and then click to select the following registry subkey:

     Note Create the \Security registry subkey if it does not exist.
  3. Add the following registry data to this key:

     Value type: DWORD
     Value name: UseIssuerSerialNumber
     Value data: 1
  4. Exit Registry Editor.

More Information

By default, Microsoft Outlook 2013 uses issuerAndSerialNumber as the SignerIdentifier. This prevents the issue in the "Symptoms" section of this article from occurring. 

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For information about how to contact any of the companies mentioned in this article, visit the following Microsoft Web site: