+2 votes

I have been using the sample for S/MIME email before we purchase. It was easy to use and works well.

The only issue I’m having is with the certificate I use to sign and encrypt the email. I am using our server certificate which is registered with GoDaddy.com and has a valid date until 2016. When the end user receives the email the first time, our certificate path does not show that it goes back to GoDaddy.com and the user must add our cert as the Trust Authority. Is this normal or am I doing something wrong?

Thank you,

Greg DeBacker
North Coast Health Information Network


1 Answer

0 votes
  1. Go Daddy's certificates require an intermediate certificate to be installed. As far as I know the validity of all Go Daddy certificates depends on this chain of trust remaining in place.

  2. By default Mail.dll uses X509IncludeOption.WholeChain as IncludeOption (configurable through SignatureConfiguration.IncludeOption), which means that the entire certificate chain, including the root certificate, is included when the message is signed.

  3. Please check if you have installed intermediate certificates on your machine. It seems to me that they are missing or are incorrectly installed. Because of that, they are not included when the email is signed.

    Recheck the trust chain, rebuild it if necessary (you might need to delete all of the old intermediate certificates first)

    Consider skipping encryption for now (you are using recipient's certificate for that, right?).

by (297k points)
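
The effect described in this answer, as an added example that is not part of the original post and is not Mail.dll code: it validates a leaf certificate the way a recipient would, first with only the leaf available and then with the intermediate supplied alongside it. The three certificates and their names are constructed in memory for the demonstration, and `X509ChainTrustMode.CustomRootTrust` assumes .NET 5 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDemo
{
    static readonly DateTimeOffset Now = DateTimeOffset.UtcNow;

    // Constructed test certificate: self-signed if issuer is null, otherwise issued by it.
    // 'days' shrinks at each level so a child's validity nests inside its issuer's.
    static X509Certificate2 Make(string cn, X509Certificate2 issuer, bool isCa, int days)
    {
        var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=" + cn, key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(
            new X509BasicConstraintsExtension(isCa, false, 0, true));
        if (issuer == null)
            return req.CreateSelfSigned(Now.AddDays(-days), Now.AddDays(days));
        using var issued = req.Create(issuer, Now.AddDays(-days), Now.AddDays(days),
            Guid.NewGuid().ToByteArray());
        return issued.CopyWithPrivateKey(key);
    }

    // Builds the chain using only the trusted root plus whatever certificates
    // accompanied the signature ('included'), and returns the combined status flags.
    static X509ChainStatusFlags Validate(X509Certificate2 leaf, X509Certificate2 root,
        params X509Certificate2[] included)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // test certs have no CRL
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.ExtraStore.AddRange(included);
        chain.Build(leaf);
        return chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError, (a, s) => a | s.Status);
    }

    static void Main()
    {
        var root = Make("Constructed Root CA", null, true, 30);
        var inter = Make("Constructed Intermediate CA", root, true, 20);
        var leaf = Make("mail.example.test", inter, false, 10);
        // The missing-intermediate case runs first so no earlier build can have cached it.
        Console.WriteLine("leaf only:           " + Validate(leaf, root));
        Console.WriteLine("leaf + intermediate: " + Validate(leaf, root, inter));
    }
}
```

A `PartialChain` flag in the first result is the condition the recipient's mail client hits when the signing machine had no intermediate certificate to include.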