In January of this year, I reported on free S/MIME certificates from WISeID. Unfortunately, I have since discovered that newly requested certificates from this CA are no longer considered trustworthy. I noticed this when I requested a new 1-year certificate from WISeID. The CA still issues the certificates, but NoSpamProxy refused to use the new certificate to sign and encrypt mails. Here is a screenshot of the error:
The error message in NoSpamProxy was "Untrusted root certificate". This made me suspicious, because Windows apparently had no problem with the certificate and considers it to be valid:
It was only with the unbureaucratic help of the manufacturer of NoSpamProxy that we were able to solve the problem together. While Windows apparently still displays the S/MIME certificate as valid, as can be seen above, the root CA "OISTE WISeKey Global Root GB CA" was more or less no longer trusted, but only for new certificates, not for the old ones.
The following message was found in the NoSpamProxy event log (abbreviated):
- Protocol name: Net at Work Mail Gateway
- Source: Gateway Role
- Event ID: 9354
- Level: Information
- Message: The validation of the certificate issued to E=frank@frankysweb.de, CN=frank@frankysweb.de, OU=Person’s Identity not Verified – WISeID Free Certificates (Thumbprint C4E36E94410D57AC8F04DAE4D150AC89E74C24C7, valid from 30.03.2020 22:07:24 to 31.03.2021 22:23:00) failed. The validation results for each certificate in the chain are displayed below.
The event also contains a note as to why the validation of the certificate failed:
The Root CA "OISTE WISeKey Global Root GB CA" has the status "ExplicitDistrust". After further research, the following Microsoft article came to my attention:
Here you will find the OISTE CAs with the status "NotBefore":
There is also a small, inconspicuous reference in the linked article:
Microsoft has therefore withdrawn trust from the OISTE (WISeID) root certificates without removing the CAs from the "Trusted Root Certification Authorities" store. From a technical point of view, this procedure makes sense: the NotBefore or ExplicitDistrust flag lets Microsoft define the point in time from which certificates issued by a CA are no longer considered trustworthy. In my case, the old certificate was still trusted, but the new one was not. Why the CA lost its trust, however, remains unclear.
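To see the same chain result that NoSpamProxy reported, you can ask the Windows chain engine directly from PowerShell. The script below is an added example and is not code from the original post or from NoSpamProxy; it assumes the S/MIME certificate sits in the current user's personal store and is identified by its thumbprint (the placeholder must be replaced), and it uses the .NET X509Chain API that Windows PowerShell exposes. It builds the chain, lists the status of every element from the leaf up to the root, and flags the ExplicitDistrust status that CryptoAPI sets when a root that is still present in the store has been distrusted, for example via a NotBefore entry.

```powershell
# Added example (not part of the original post): diagnose why Windows distrusts
# a certificate whose root is still in the Trusted Root store.
# Assumption: Windows PowerShell 5.1 or later, certificate in Cert:\CurrentUser\My.

function Test-SmimeCertificateTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not what we are diagnosing here, so keep it out of the picture.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    # Build() returns $false when the chain is not trusted, but the elements
    # and their individual status flags are still populated.
    $chainBuilds = $chain.Build($Certificate)

    # Walk the chain from leaf to root and record each element's own status.
    $elements = foreach ($element in $chain.ChainElements) {
        $flags = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        [pscustomobject]@{
            Subject   = $element.Certificate.Subject
            NotBefore = $element.Certificate.NotBefore
            Status    = if ($flags) { $flags } else { 'NoError' }
        }
    }

    # ExplicitDistrust (CERT_TRUST_IS_EXPLICIT_DISTRUST in CryptoAPI) is the
    # flag set when the root is present but has been distrusted by policy.
    $distrustFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::ExplicitDistrust
    $explicitlyDistrusted = [bool]($chain.ChainStatus |
        Where-Object { $_.Status -band $distrustFlag })

    [pscustomobject]@{
        Thumbprint          = $Certificate.Thumbprint
        IssuedOn            = $Certificate.NotBefore
        ChainBuilds         = $chainBuilds
        ExplicitlyDistrusted = $explicitlyDistrusted
        Elements            = $elements
    }
}

# Usage: replace the placeholder with the thumbprint of the certificate to check.
$cert   = Get-Item 'Cert:\CurrentUser\My\<THUMBPRINT-PLACEHOLDER>'
$result = Test-SmimeCertificateTrust -Certificate $cert
$result | Format-List Thumbprint, IssuedOn, ChainBuilds, ExplicitlyDistrusted
$result.Elements | Format-Table -AutoSize
```

Running this against an old and a new certificate from the same CA makes the NotBefore behaviour visible: the leaf's IssuedOn date is the only thing that differs, yet ChainBuilds is true for the older one and false, with ExplicitlyDistrusted set, for the newer one. The same information is available from the command line with `certutil -verify <file.cer>`, which prints CERT_TRUST_IS_EXPLICIT_DISTRUST in the chain status for the affected element.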
NoSpamProxy therefore behaves completely correctly here and follows the trust decisions of the operating system. However, Windows itself does not display the status as clearly as NoSpamProxy does. If Windows had also indicated that my new certificate was no longer trusted because of this update, the troubleshooting would have been a lot shorter.
I would therefore like to take this opportunity to say a big thank you for the uncomplicated and excellent support from the manufacturer of NoSpamProxy.
By the way: Actalis is thus the last CA known to me that still issues free S/MIME certificates. It really is time for Let's Encrypt to take over this task.