
In Microsoft Word you can add a signature line to a document. It is an item inside the document that initially looks like this:

[screenshot: the signature line as it appears when first inserted]

Once you've added that signature line to the document you can double click it and choose a certificate to sign the document. In case you haven't created a digital ID yet, Word asks you to create one upon that double click:

[screenshot: Word's prompt for creating a digital ID]

Sorry that it's not in English. It basically asks you whether you want to use a digital ID from a Microsoft partner or create one yourself. I chose to create one myself. That digital ID will then be visible under certmgr.msc/Personal/Certificates. Also, from now on, whenever I add a signature line to a Word document, I can double click it and choose that created certificate to sign it.

And now I get to the problem: under certmgr.msc/Personal/Certificates I have several other certificates. My organisation must have put them there. How come I cannot choose those certificates to sign a signature line inside Word? Inside Word I can only choose the certificate that I have created myself; it is the only selectable option. What about the other certificates that reside at the same location, i.e. certmgr.msc/Personal/Certificates?

  • Can you open the certificate information, for each such certificate, and show the contents of the "Extended Key Usage" extension? Commented May 23, 2019 at 12:29
  • Ohh, OK, I get it. I thought a certificate is just an x-bit key that you can use for anything. But the "Intended Purposes" of my self-created certificate is "all" and those of my organisation are set to "Encrypting File System". That's probably why Word doesn't make them selectable for signing. Thank you!
    – Robert
    Commented May 23, 2019 at 12:51

1 Answer

X.509 certificates include various metadata that the issuing CA signs, along with the public key itself. (For example, they are issued for a specific name: the TLS certificate used by superuser.com is issued specifically for "superuser.com".)

One of these metadata fields is X.509v3 Extended Key Usage which indicates the specific purpose of the certificate (e.g. email signing, TLS server, EFS recovery, and so on). This prevents e.g. a stolen email certificate from being used to sign applications, or an EFS certificate from acting as a fake HTTPS server.

I cannot find official documentation saying which EKUs must be present in a certificate in order to be selectable in Word; however, it's likely that they must be issued either for "Document Signing", and/or "Code Signing", and/or (maybe) "Email protection".

"Email" certificates sold by many commercial CAs also include the document signing EKU, so they should be usable by Word. In a Microsoft Certificate Services environment, several basic templates such as "User" or "Code Signing" might work for this purpose, or the sysadmin might need to create a custom template.

  • Thank you for clarifying. However many screenshots show that in english language the "Details" tab of a certificate calls the field "Enhanced Key Usage". Both of you speak of "Extended". I guess "Extended" refers to the keyword inside the certificate and "Enhanced" is what microsoft made of it in the GUI? Or was the field renamed at some point? Or is there a difference?
    – Robert
    Commented May 24, 2019 at 7:43
  • The keyword inside the certificate is actually 2.5.29.37 (an OID), but both ITU-T X.509 section 9.2.2.4 (where the entire certificate format comes from) and IETF RFC 5280 section 4.2.1.12 (adaptation for Internet usages) refer to it as "Extended Key Usage". That's about as authoritative as it gets. Commented May 24, 2019 at 10:18
  • As for "Enhanced Key Usage", I never actually noticed this, but it must be just the term Microsoft uses for the same field. Commented May 24, 2019 at 10:49
