We are using Windows CA for S/MIME certificates and in order for this to work with external recipients, we routinely exchange signed mails in order to establish trust or sometimes transmit our root CA in particular when multiple interlnal users are needed. Now, I face a problem with an external recipient not being able to establish this in a straighhtforward manner (they are using Thunderbird). The cause seems to be a strange issue I can observe with the certificates:
- The Certificate for "user@domain" is
Issued By "Name Of Our Internal Root CA"
- If I follow the (internally working!) certificate chain, the name of the signing CA cert is shown as "Name Of Our Internal Root CA", but looking at the details, it says
Issued By and Issued For "CN = Name Of Our Internal Root CA d1007899-9f27-4a7b-95e3-6d1a7f985a37, DC = ...", i.e., with some weird hex-code added to the common name field.
Since they are a long-term contact, they already had an older root CA cert of ours in their trust store. That one seems to have had the "correct" name in it and worked, but is of course long expired. On the other hand, that difference between names seems to be what prevents correct installation of our current root CA cert ...
Q: How can it be that our current user certs show this difference between issuer specified in the cert itself and the name in the actual CA cert (and internally, no system complains abot this difference)? What can I do in order to correct this problem (preferably with all existing user certs, but perhaps only for all newly created certs)?
