Welcome to this Entrust Entelligence™ Security Provider for Windows release.

Browse through the topics below to find out about features, limitations, platform and operating system requirements, and known issues for this release.

Note: Numbers shown in parenthesis are used by Entrust's internal tracking system.

• System requirements
• Smart card support
• Interoperability with other Entrust products
• New features
• Fixed in this release
• Known issues
• Documentation
• File descriptions
• Customer support

System requirements [top]

This section describes system requirements for this product.

Microsoft® Windows

To use the features of Security Provider on a Microsoft Windows operating system, computers must meet the following requirements:

• Microsoft Windows 7 SP1—All 32-bit and 64-bit editions
• Microsoft Windows 8.1 and Windows 8.1 Tablet (Intel) edition in Desktop mode
• Microsoft Windows Server 2008 R2 SP1—All 64-bit editions
• Microsoft Windows Server 2012 R2—All 64-bit editions

Note: The above operating system list excludes Itanium-based operating systems.

Refer to the Microsoft Web site for information about computer hardware requirements for the specific operating system where Security Provider will be installed.

Attention: If you are using Windows 2008R2 SP1 or Windows 7 SP1 platforms, install the Microsoft security update described in the knowledge base article KB3033929 (http://www.microsoft.com/en-us/download/details.aspx?id=46148) .

Smart card support [top]

Security Provider only works with smart cards that are supported in a Microsoft Windows environment. The smart card vendor provides a Cryptographic Service Provider (CSP) that communicates with the smart card.

Security Provider does not support the PKCS #11 standard for communicating with the smart card. Some Entrust Ready smart card vendors provide an installation option that modifies the vendor's installation.

The Platform Support & Integration Center of Entrust TrustedCare Online lists officially-supported configurations for Entrust and Entrust Ready products, including hardware. If you are registered for our support programs, you can view this information at: https://www.entrust.com/trustedcare

Interoperability with other Entrust products [top]

The following table shows which Entrust products Security Provider 9.3 for Windows interoperates with. This information is valid on the release date of Security Provider 9.3 for Windows and may change.

Refer to the Entrust TrustedCare Online Platform Support & Integration Center at https://www.entrust.com/trustedcare for the most up-to-date list of officially supported versions.

New features [top]

The following features have been added in this release:

PIV smart card enhancements:

Improved life cycle management for 3rd party PIV card users

Security Provider for Windows now detects approaching end-of-life for 3rd party PIV card certificates and notifies users.

Configurable certificate update message

The message informing users that they should contact their administrator about a certificate update can be customized. (198975)

Support for old or expired keys

PIV smart cards have a limited storage capacity. Older keys that have been used in the past, but have been replaced may still be required to access secure documents and email. These keys are now managed by Security Provider for Windows. (195448)

Improved PIV smart card management

Security Provider for Windows works seamlessly with Entrust IdentityGuard to perform key and certificate updates as required for PIV smart card users. Security Provider generates and manages keys as required for key updates and recovery operations.

Notification plugins are automatically invoked on PIV smart-card insert

Security Provider for Windows automatically invokes the notification plugins for the following applications when the smart-card is inserted in the reader:

• Microsoft Outlook
• Entrust Entelligence Security Provider for Outlook
• Nortel VPN
• Cisco VPN

(197208)

Installation improvements:

The installer automatically warns administrators about these incompatible Entrust products

If any of the following Entrust products are installed, the installer asks the Administrator to uninstall the incompatible product or products and retry the installation:

• Security Provider 9.1 PIV Feature Pack
• Security Provider 9.2 FIPS Feature Pack
• Security Provider for Outlook 9.1 or lower
• Security Provider Language Packs

(189451)

The installer automatically removes previously installed versions of Security Provider for Windows

The installer now removes existing installed versions of Security Provider for Windows automatically. Administrators do not need to uninstall the previous version of this product before installation (this does not apply to feature packs, language packs, or Entrust products other than Security Provider for Windows). (188442)

Other improvements:

Virtual smart card support

Security Provider for Windows supports virtual smart cards on Windows 8.1 and supported versions of Windows Server 2012 R2. Security Provider can use either the user's Entrust Certificate Store or the Machine's Trusted Platform Module (TPM) chip to emulate the functionality of physical smart cards.

Support for Microsoft Windows service digital IDs 

Security Provider for Windows has added support for Microsoft Windows service digital IDs. This aligns with  Microsoft's recommendations that their applications leveraging a certificate use a certificate generated and maintained within the host's service account for that application. See the Entrust Entelligence Security Provider Administration Guide for details. (187787)

Microsoft Application Virtualization (App-V) support

Security Provider for Windows will work with virtualized applications if Security Provider is installed directly on client machines. For specific information see the Entrust Entelligence Security Provider Administration Guide. (171871)

New CRL/OCSP functionality

Administrators can now assign Entrust CRL Revocation Provider or Entrust OCSP Revocation Provider based on the CA (Certification Authority) in the DN of the certificate.  (172466)

Certificate Explorer now refreshes automatically

The Certificate Explorer window now refreshes automatically after a user enrolls, logs-in to a new security store, inserts (or removes) a smart card, or imports a P7C (certificate) file. (194623)

Administrators can specify a  default destination folder when decrypting a file over the network is allowed

Previously, administrators could select a default local destination folder for users decrypting a file when decrypting over the network was disabled. This capability has been extended, allowing administrators to specify a default local destination folder when decryption over the network is enabled. This feature uses the new registry setting DecryptionFolder. See the Entrust Entelligence Security Provider for Windows Administration Guide for more information. (188887)

Improvements in viewing logs

The 9.3 release contains improvements for viewing logs using Microsoft Excel or Internet Explorer. (182031)

Removing certificates from the Other People certificate store on logout

Security Provider for Windows will now remove the certificates from the Other People certificate store if the new registry setting, DeleteOtherPeopleCertsAtLogout, is enabled. (133415)

Re-encryption notice for edited files

File security now asks users if they want to re-encrypt an edited file when they save and close it. This is designed to remind users that they could lose their changes if they simply close the file. If the user elects to re-encrypt the file, the edited version is encrypted. (133037)

TrueDelete now supports folder deletion from the right-click menu

Users can securely delete a folder and all files, and sub-folders within it from the right-click menu. Sub-folder deletion is controlled by the registry setting IncludedFolders. See the Entrust Entelligence Security Provider for Windows Administration Guide for details. (197984) (158041)

Extended checking of revocation status

Security Provider for Windows checks the revocation status of the certificate used to sign a file at the time that the signature was created, even if the certificate has since expired. (189519) 

Fixed in this release [top]

This section describes the known issues in previous releases that are fixed in 9.3. 

Encrypting a file with a password does not work with elliptic curve keys

Users were not able to encrypt a file with a password using elliptic curve keys. This limitation has been resolved. (173485)

Issue viewing the Security Provider log contents

Security Provider for Windows version 9.3 has improved how log contents are viewed. See the Entrust Entelligence Security Provider for Windows Administration Guide for more information. (170038)

Online help search results appear as HTML pages

When searching the Security Provider for Windows online help, the search results displayed certain topics using file names similar to filename_1234.html instead of topic names. The current online help does not have this issue. (100741)

Known issues and limitations [top]

This section describes the known issues and limitations for this release of Security Provider. 

Issue decrypting a file with a semicolon in the file name

Security Provider for Windows file security allows you to secure files with a semicolon in the file name. However, when you attempt to unsecure the file, Security Provider does not recognize the file type. Users should remove any semicolons from file names before securing them. (199704)

Menu issue when using Security Provider TrueDelete or File Security

If a user attempts to either delete files using TrueDelete or secure them (using either the certificate or password option) and both of the following conditions are present:

• the user selects more than 16 files
• one or more of the selected files are of a type that cannot be processed (securing an already secured file or deleting a prohibited file type, for example)

  the Security Provider for Windows menu for the action does not display correctly. (198055)

Building an Administrative install point on Microsoft IIS 7.x requires additional instructions

Additional arguments are required when using the msiexec command to build and patch the install point. Additionally, the .mst extension (application/octet-stream) must be added to the MIME types on IIS. For complete instructions, see the technote TN 8718 - How do I build and install ESP from an administrative install point on IIS 7.x? .

Supported elliptic curve algorithms

Due to a limitation of Microsoft CNG, Security Provider 9.3 supports only the following elliptic curve algorithms: EC-P-256, EC-P-384, and EC-P-521. (170458, 170530)

Users with Elliptic Curve Algorithm based digital IDs cannot encrypt email messages using native Outlook

Users with elliptic curve based digital IDs cannot encrypt email messages using native Outlook. Email signing using these IDs is supported. (170388)

Users with Elliptic Curve Algorithm based digital IDs cannot sign documents using Adobe Acrobat

Users with elliptic curve based digital IDs cannot sign documents using Adobe Acrobat. This application only supports RSA based digital IDs. (170353)

Roaming users on a CA with elliptic curve keys

Roaming users using a CA with elliptic curve keys are not supported by the Roaming Server (as of version 8.0 patch 164237). Roaming digital ID management fails during the attempt. (170210)

Exporting the elliptic curve private key with the certificate

When using an elliptic curve based digital ID, the private key cannot be exported with the certificate. (173048)

"Decrypt, Verify, and Open" may fail on Windows Server 2008

When users select the "Decrypt, Verify, and Open" option on the context menu of secured .bmp or .jpg file, the operation fails on Windows Server 2008. The operation fails because Security Provider must execute the "open" verb, but for .bmp or .jpg file types, there is no "open" verb registered by default on Windows Server 2008. (146606)

Microsoft Certificate Services certificates not imported to Entrust security stores on Windows 7

When a user enrolls for a Microsoft digital ID on Windows 7 using the MMC Certificate snap-in and the ID is placed in an Entrust security store (.epf file), only the private portion of the ID is imported to the Entrust security store—public certificates are not imported, as expected. Because the certificates are available in the Personal certificate store on the computer where the user enrolled, the ID can still be used if the user remains at that computer. Roaming with the ID (by moving the .epf file to a different computer) is not possible. (109099)

Issuer DN in user's certificate and Subject DN in CA certificate must use the same encoding

Security Manager can be configured to use either a default DN encoding method, or a UTF8 encoding method. The encoding method used to encode the Certificate Authority (CA) certificate must be the same encoding method used to encode the user's certificate. If the encodings are different, Security Provider cannot find the CA certificate on the user's computer, and does not perform digital ID management. (77215)

Digital ID management feature not notified of certificate type change

When you replace a user's certificate type using Security Manager, by obsoleting the user's original certificate type, the Security Provider digital ID management feature is only notified by Security Manager when the original and replaced certificate types are V2. If the user's original certificate type is V1, obsoleted, and then replaced with a V2 certificate type, the digital ID management feature is not notified by Security Manager that a change has taken place. (77481)

Documentation [top]

Security Provider includes the following documentation:

• Entrust Entelligence Security Provider 9.3 for Windows Release Notes—this document
• Entrust Entelligence Security Provider 9.3 for Windows online help—installed with the software
• Entrust Entelligence Security Provider 9.3 for Windows Administration Guide
• Entrust Entelligence Security Provider 9.3 for Windows Error Message Guide

File descriptions [top]

This section describes the Security Provider for Windows setup files. Security Provider processes are signed using Entrust code signing certificates.

Security Provider 32-bit edition files:

Security Provider 64-bit edition files:

Attention: The Entrust Entelligence Custom Installation Wizard is not part of the download package and must be downloaded separately.

Customer support [top]

Entrust recognizes the importance of providing quick and easy access to our support resources. The following subsections provide details about the technical support and professional services available to you.

Technical support

Entrust offers a variety of technical support programs to help you keep Entrust products up and running. To learn more about the full range of Entrust technical support services, visit our Web site at: http://www.entrust.com/

If you are registered for our support programs, you can use our Web-based support services.

Entrust TrustedCare Online offers technical resources including online versions of Entrust product documentation, white papers and technical notes, and a comprehensive Knowledge Base at: https://www.entrust.com/trustedcare

If you contact Entrust Customer Support, please provide as much of the following information as possible:

• your contact information
• product name, version, and operating system information
• your deployment scenario
• description of the problem
• copy of log files containing error messages
• description of conditions under which the error occurred
• description of troubleshooting activities you have already performed

Telephone numbers

For telephone assistance in obtaining certificates call one of the numbers below:

• 1-866-267-9297 in North America
• 1-613-270-2680 outside North America

For support assistance by telephone call one of the numbers below:

• 1-877-754-7878 in North America
• 1-613-270-3700 outside North America

Email address

The email address for Customer Support is: support@entrust.com

Feedback concerning documentation can be directed to http://www.entrust.com/products/feedback/index.cfm.

Online

To submit a question online, go to our Web address: http://www.entrust.com/

Professional Services

The Entrust team assists e-businesses around the world to deploy and maintain secure transactions and communications with their partners, customers, suppliers and employees. We offer a full range of professional services to deploy our e-business solutions successfully for wired and wireless networks, including planning and design, installation, system integration, deployment support, and custom software development.

Whether you choose to operate your Entrust solution in-house or subscribe to hosted services, Entrust Professional Services will design and implement the right solution for your e-business needs. For more information about Entrust Professional Services please visit our Web site at: http://www.entrust.com/