Mailing List Message #106778
From: Gib Henry <>
Subject: Re: SSL/TLS Cert works in clients, but not in CGP
Date: Tue, 6 Mar 2018 14:57:50 -0600
To: CommuniGate Pro Discussions <>

Thanks for the response, Nicolas.  I had thought of that, and asked Comodo for the complete chain, which I had installed before reporting the problem.  Didn’t change anything.  :-(

I may not have made clear that Apple Mail does not report any error, but it won’t show the text of the message, either, just a padlock and the word “Encrypted,” though Apple Mail works fine with encrypted email sent from Thunderbird. 

And the identity of a signed (but not encrypted) email from CGP or Pronto is verified in Thunderbird, using the same certificate.

To sum up:

  • Encrypted email from all 4 clients (Thunderbird, Apple Mail, CGP webmail, and Pronto) is readable by CGP webmail;
  • Encrypted email from the non-CGP clients (T’bird, Mail) is readable by all 4 clients;
  • Encrypted email from the two CGP clients is readable by both of those clients; but
  • Encrypted email from the two CGP clients is not readable by either of the non-CGP clients.

Does that suggest that CGP’s webmail/Pronto encryption is the culprit?

To double-check, I deleted the certificate, then exported it from Thunderbird and imported it to CGP.  Again, the serial numbers match.  This time I sent email from each client both to myself, and to my address.  I got slightly different results (the results are by reading the outgoing message in Sent Items).  Here are the results:

Test # Sent from Thunderbird Apple Mail Pronto CGP
Email sent from to

1 CGP no no no PKCS7: recipient key decryption failed
2 Pronto no no no PKCS7: recipient key decryption failed
3 Thunderbird
4 Apple Mail no SMIME: data cannot be decrypted with the available key

Email sent from to

A CGP no no
B Pronto no no
C Thunderbird
D Apple Mail * *

* Apple Mail didn’t sync sent copies in time for this report

Suggestions????    Cheers,

On 3/6/18 9:21 AM, Nicolas Hatier wrote:
It's likely Thunderbird and your browser know about the certificate authority who issued your cert, and CGP doesn't.

Make sure you add the full certificate authority chain in CGP (Users / Domains / yourdomain / Security, at the bottom). If it still doesn't work, check if the root authority of the chain is present in the Trusted root list (Users / Security). You have the option to add a root authority there.

Nicolas Hatier, ing. <>
Niversoft idées logicielles -

On 2018-03-04 21:13, Gib Henry wrote:

I have an S/MIME certificate which works fine for signing, encrypting, and decrypting email with Mac OS and iOS devices via CGP (this list won’t accept signed email).  I installed it into CGP 6.1.19 via webmail Settings/Secure Mail (it’s also installed in the browser used).  When I send encrypted email via CGP webmail or Pronto, the recipient email clients cannot read it: 

  • iOS Mail says “This message is encrypted.  Install a profile containing your encryption identity to decrypt this message.”  (The same certificate is installed—the serial numbers and dates match!)
  • Thunderbird says: “The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key.”  (Again, it is installed in Thunderbird, and the serial numbers and dates match.)
  • CGP Webmail and Pronto both can unlock and display the email’s encrypted text, but flag the signature in red:  “Content Unaltered as verified By:  presented certificate is issued by an unknown authority: <>”.  Curiously, the issuing authority is the same one that issued the domain SSL certificate (Comodo).  They’re all current.
  • Mac OS and iOS devices also cannot read the CGP-originated copy in Sent Items, but CGP webmail and Pronto can.
  • Email sent from me to me in Thunderbird is decrypted and readable in both T’bird and CGP; the reply from CGP is not readable in T’bird.
  • Email only signed from CGP shows as validly signed in Thunderbird, so evidently the certificate is working correctly.

I have uninstalled and reinstalled twice, and have ensured that the Comodo chain is complete.

Two questions: 

  1. Is this problem more likely to lie with CGP, or elsewhere? 
  2. If it’s my key, and it’s installed, why can’t the email client find it in messages via webmail and Pronto, but can find it in messages via other iOS and Mac OS clients?

Thanks in advance for any insight you can offer.  Cheers,
