[Pki-users] Recoverable Signature Error

Ricardo Alexander Perez Ricardez rperez at osh.com.mx
Sat Oct 1 05:59:56 UTC 2016


When I sign a Microsoft Word document, I get the message: Recoverable Signature: 

Researching I found this information: 

https://support.office.com/en-us/article/How-to-tell-if-a-digital-signature-is-trustworthy-61a46050-9a9f-40ab-a894-3ccd60c44415#bm1 

Recoverable-error digital signatures 

In Office 2010, there is a new classification category for digital signatures. Other than valid and invalid, in Office 2010 a signature can be a recoverable-error signature, which means that there is something wrong with the signature. But the error may be fixed to make the signature valid again. There are three scenarios for recoverable errors: 


    * The verifier is offline (disconnected from the Internet), therefore making it impossible to check certificate-revocation data or to verify time stamps if they are present. 
    * The certificate used to create the signature has expired and no time stamp is available. 
    * The root certificate authority who issued the certificate is not trusted. 

The following image is an example of the Signatures pane with a recoverable error. 
[Image: Signatures pane, recoverable error] 

IMPORTANT: If you experience a recoverable error, contact your system administrator, who may be able to change the signature's state to valid. 

When I check the details of the signature, I obtain the following information: Signature recoverable: Unable to verify the signer's certificate. Try again later or check the network connection. 
Type of signature: XAdES-EPES 


I checked the details of the user certificate and the CA; both certificates are valid and are in the Windows certificate store: 


At first I thought the problem was the connection to the OCSP responder, but I also checked the connection to the OCSP responder and it is successful. 

I also tried to solve the problem by changing some Microsoft Office security settings in the Windows registry, as shown here: 

http://winintro.com/?Category=Office2013&Policy=office15.Office.Microsoft.Policies.Windows::L_CheckTheXAdESPortionsOfADigitalSignature 

None of these settings solved the problem. 

I have partially solved this error by importing the Certificate Revocation List. 

I download the latest CRL in binary form and install it in the Windows certificate store. After doing this, the signatures in Microsoft Word appear to me as valid; however, after a few minutes, or when I close the document and open it again, the signatures are shown as recoverable again. 

The drawback of this partial solution is that I would have to download and install the CRL every time I go to sign a document. 

After analyzing all the information obtained from these tests, I conclude that the source of the problem is that the OCSP responder does not get the updated information from the Certificate Revocation List. 

Or, when Microsoft Word connects to the OCSP responder for validation, the response does not contain the updated Certificate Revocation List information. 

So even though the certificates are valid, Word does not have all the information necessary to consider a signature valid. 

How can I solve this problem? 
How can I validate whether the OCSP responder is getting the updated CRL? 
How can I set up the OCSP responder to update automatically with the latest CRL? 
Do I need to modify or create a new certificate profile that includes all this information? 

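One way to answer the question asked above (is the OCSP responder actually serving status derived from the CA's latest CRL?) is to compare the "This Update" time of the OCSP response for the signer certificate with the "Last Update" time of the CA's current CRL: a responder whose This Update predates the CRL's Last Update has not picked up that CRL yet. The script below is an added example written for this page; it is not code from the original post, and it is not part of Dogtag or Red Hat Certificate System. The file names (ca.pem, signer.pem), the URLs, and the sample openssl outputs are constructed placeholders; the live check requires network access to the CA and is not exercised by the samples.

```sh
#!/bin/sh
# Added example, not code from the original post or from the PKI product it
# concerns: compare the freshness of the CA's CRL with what its OCSP responder
# reports for a signer certificate. If the responder's "This Update" is older
# than the CRL's "Last Update", the responder is still serving status derived
# from an outdated CRL, which is the failure suspected in the post.
#
# File names and URLs are hypothetical placeholders; replace them with your own.
CA_CERT=${CA_CERT:-ca.pem}                 # issuing CA certificate (PEM)
SIGNER_CERT=${SIGNER_CERT:-signer.pem}     # the document signer's certificate (PEM)
CRL_URL=${CRL_URL:-http://pki.example.test/ca/crl/MasterCRL.crl}   # placeholder
OCSP_URL=${OCSP_URL:-http://pki.example.test/ca/ocsp}              # placeholder

# Turn an OpenSSL timestamp such as "Oct  1 05:59:56 2016 GMT" into the
# sortable form YYYYMMDDHHMMSS using awk only (no GNU date dependency).
osl_ts_to_sortable() {
  printf '%s\n' "$1" | awk '{
    n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i)
    split($3, t, ":")
    printf "%s%s%02d%s%s%s\n", $4, mon[$1], $2, t[1], t[2], t[3]
  }'
}

# Print the value of the first "<label>: ..." line in openssl text output
# read from stdin (e.g. "Last Update", "This Update", "Next Update").
field_after() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Print the certificate status reported by `openssl ocsp` ("good", "revoked"
# or "unknown"), taken from the "<file>: <status>" line of its output.
ocsp_status() {
  awk '$1 ~ /:$/ && ($2 == "good" || $2 == "revoked" || $2 == "unknown") { print $2; exit }'
}

# Exit 0 when the OCSP response is at least as fresh as the CRL, 1 otherwise.
# $1 = output of `openssl crl -noout -text`, $2 = output of `openssl ocsp`.
ocsp_fresher_than_crl() {
  crl_last=$(osl_ts_to_sortable "$(printf '%s\n' "$1" | field_after 'Last Update')")
  ocsp_this=$(osl_ts_to_sortable "$(printf '%s\n' "$2" | field_after 'This Update')")
  awk -v a="$ocsp_this" -v b="$crl_last" 'BEGIN { exit !(a >= b) }'
}

# Live check against a real CA (needs network access; not exercised by the
# constructed samples below). Returns 2 on a download or openssl failure.
check_live() {
  curl -fsS "$CRL_URL" -o ca.crl || return 2
  crl_txt=$(openssl crl -inform DER -in ca.crl -noout -text) || return 2
  ocsp_txt=$(openssl ocsp -issuer "$CA_CERT" -CAfile "$CA_CERT" \
               -cert "$SIGNER_CERT" -url "$OCSP_URL" 2>&1) || return 2
  echo "signer status per OCSP: $(printf '%s\n' "$ocsp_txt" | ocsp_status)"
  echo "CRL Last Update : $(printf '%s\n' "$crl_txt" | field_after 'Last Update')"
  echo "OCSP This Update: $(printf '%s\n' "$ocsp_txt" | field_after 'This Update')"
  ocsp_fresher_than_crl "$crl_txt" "$ocsp_txt"
}

# Constructed sample outputs standing in for real openssl output.
CRL_SAMPLE='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Last Update: Oct  1 04:00:00 2016 GMT
        Next Update: Oct  2 04:00:00 2016 GMT'
OCSP_STALE='Response verify OK
signer.pem: good
        This Update: Sep 30 04:00:00 2016 GMT
        Next Update: Oct  1 04:00:00 2016 GMT'
OCSP_FRESH='Response verify OK
signer.pem: good
        This Update: Oct  1 06:00:00 2016 GMT
        Next Update: Oct  2 06:00:00 2016 GMT'

# Demonstration on the constructed samples: the stale one should be flagged.
if ocsp_fresher_than_crl "$CRL_SAMPLE" "$OCSP_STALE"; then
  echo "stale sample: OCSP is up to date with the CRL (unexpected)"
else
  echo "stale sample: OCSP responder is behind the CA's latest CRL"
fi
```

Running `check_live` against the real CA after the next CRL is published shows directly whether the responder's This Update moves forward with it; if the CRL's Last Update keeps advancing while the OCSP This Update stays behind, the responder's CRL feed is the thing to fix, not the client's registry settings.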