Copilot Returns ‘Self-Signed Certificate in Chain’ on Corporate Proxy: Fix

When you use Copilot inside Microsoft 365 apps on a corporate network, you may see the error message “Self-Signed Certificate in Chain.” This error stops Copilot from generating responses or connecting to the Microsoft Graph. The root cause is a corporate proxy or network security appliance that intercepts HTTPS traffic and replaces Microsoft’s certificate with its own self-signed certificate. This article explains why this error occurs and provides the exact steps to resolve it by updating certificate trust stores on Windows 10 or Windows 11.

Key Takeaways: Fix the Self-Signed Certificate Error for Copilot

  • Windows Certificate Manager (certlm.msc): Import the corporate root CA certificate into the Trusted Root Certification Authorities store to resolve the chain error.
  • Group Policy > Computer Configuration > Windows Settings > Security Settings > Public Key Policies: Use this path to deploy the trusted certificate to all domain-joined computers automatically.
  • Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings: Set the proxy bypass list to exclude Microsoft Graph endpoints (graph.microsoft.com and all subdomains) if certificate deployment is not possible.

Why Copilot Shows the Self-Signed Certificate Error on Corporate Networks

Corporate proxies and next-generation firewalls often perform SSL inspection. When your computer sends a request to graph.microsoft.com or copilot.microsoft.com, the proxy intercepts the connection, decrypts it, inspects the traffic, and then re-encrypts it using the organization’s own root certificate. This certificate is self-signed by the corporate IT department or the proxy vendor. Windows does not trust this certificate by default. Copilot, which runs inside Microsoft 365 apps like Word, Excel, and Teams, uses the Windows certificate store to validate the server’s identity. When the certificate chain contains an untrusted self-signed root, the connection fails and Copilot returns the error message.

This behavior is by design for security. The client application must verify that the server it connects to is the real Microsoft server. A self-signed certificate inserted by a proxy breaks that chain of trust. The fix requires adding the corporate root certificate to the Trusted Root Certification Authorities store on each Windows device that runs Copilot.

How SSL Inspection Affects Copilot Connections

SSL inspection works by having the proxy generate a new certificate for the destination domain on the fly. This certificate is signed by the proxy’s own root CA. The proxy presents this certificate to the client. If the client does not trust the proxy’s root CA, the certificate chain validation fails. Copilot calls multiple Microsoft endpoints including graph.microsoft.com, api.copilot.microsoft.com, and login.microsoftonline.com. Any of these can trigger the error if the proxy intercepts them.
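
To see which of these endpoints is being re-signed, the following PowerShell probe records the issuer and chain status each one presents. It is an added example, not part of the original article; it assumes the machine can open a direct TCP connection on port 443 (transparent inspection), and behind an explicit proxy the connection fails and is reported as such.

```powershell
# Added example: list the certificate chain each Copilot endpoint presents.
# Assumption: direct TCP 443 egress. Only a TLS handshake is made; no HTTP request is sent.
$endpoints = 'graph.microsoft.com', 'api.copilot.microsoft.com', 'login.microsoftonline.com'

# Record what Windows thinks of the chain, then accept so the handshake can finish.
$capture = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $errors)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $script:seen = [pscustomobject]@{
        Endpoint     = $null
        LeafIssuer   = $cert.Issuer          # a proxy CA name here means interception
        ChainTop     = $top.Subject
        PolicyErrors = $errors               # None when the chain is trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $true
}

foreach ($name in $endpoints) {
    $script:seen = $null
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($name, 443)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $capture)
        $ssl.AuthenticateAsClient($name)
        $script:seen.Endpoint = $name
        $script:seen
    } catch {
        [pscustomobject]@{
            Endpoint = $name; LeafIssuer = $null; ChainTop = $null
            PolicyErrors = "connect/handshake failed: $($_.Exception.Message)"; ChainStatus = $null
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}
```

An intercepted endpoint shows the corporate CA in LeafIssuer; before the root is trusted, ChainStatus reads UntrustedRoot, and after the import it is empty.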

Steps to Install the Corporate Root Certificate on Windows

The most reliable fix is to install the corporate root CA certificate into the local machine’s Trusted Root Certification Authorities store. You need the certificate file, typically in .cer or .crt format, from your IT department. Follow these steps on a single computer for testing.

  1. Open the Certificate Manager for the local machine
    Press Windows key + R, type certlm.msc, and press Enter. Confirm the User Account Control prompt if it appears.
  2. Navigate to the Trusted Root Certification Authorities store
    In the left pane, expand Trusted Root Certification Authorities and select the Certificates subfolder.
  3. Start the Certificate Import Wizard
    Right-click the Certificates folder and choose All Tasks > Import. The Certificate Import Wizard opens.
  4. Select the certificate file
    Click Next, then click Browse. Locate the .cer or .crt file provided by your IT team. Select it and click Open. Click Next.
  5. Place the certificate in the correct store
    Select Place all certificates in the following store. Click Browse, choose Trusted Root Certification Authorities, and click OK. Click Next.
  6. Complete the import
    Click Finish. A dialog confirms the import was successful. Close the Certificate Manager.
  7. Restart all Microsoft 365 apps
    Close Word, Excel, Teams, and any other apps running Copilot. Reopen the app and test Copilot by typing a prompt.
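
The same import can be scripted with checks the wizard does not perform. This PowerShell script is an added example, not code from the original article; the file path and the SHA-256 fingerprint are placeholders, and the fingerprint is assumed to come from your IT department through a separate channel. Run it from an elevated prompt.

```powershell
# Added example: vet a root CA file before trusting it machine-wide. Run elevated.
param(
    [string]$CertPath       = 'C:\Temp\corp-root-ca.cer',       # hypothetical file from IT
    [string]$ExpectedSha256 = '<SHA-256 fingerprint from IT>'   # placeholder, obtained out of band
)

$CertPath = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. The file's fingerprint must match the value IT published (compare normalized hex).
$sha    = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$want   = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($actual -ne $want) { throw "Fingerprint mismatch: file has $actual" }

# 2. A root certificate is self-issued and carries BasicConstraints CA=TRUE.
if ($cert.Subject -ne $cert.Issuer) { throw "Not a root: issued by $($cert.Issuer)" }
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not ($bc -and $bc.CertificateAuthority)) {
    throw 'BasicConstraints does not mark this certificate as a CA'
}

# 3. It must be inside its validity window.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)"
}

# 4. Import into the local machine store (the target of steps 2 to 5) and confirm.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    throw 'Import did not land in LocalMachine\Root'
}
"Imported $($cert.Subject) [$($cert.Thumbprint)]"
```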

Deploy the Certificate to Multiple Computers Using Group Policy

For enterprise environments with many domain-joined computers, use Group Policy to distribute the trusted certificate. This method ensures every computer in the organization trusts the corporate proxy certificate without manual steps.

  1. Open Group Policy Management Console
    On a domain controller, open Group Policy Management. Create a new Group Policy Object or edit an existing one that applies to the target computers.
  2. Navigate to the certificate policy settings
    Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  3. Right-click Trusted Root Certification Authorities
    Select Import. The Certificate Import Wizard opens.
  4. Import the corporate root certificate
    Browse to the certificate file, select it, and complete the wizard. The certificate appears in the policy list.
  5. Link the GPO to the correct Organizational Unit
    Right-click the OU containing the target computers and choose Link an Existing GPO. Select the GPO you configured.
  6. Force a Group Policy update on client computers
    On a test computer, open Command Prompt as administrator and run gpupdate /force. Restart the computer to apply the certificate changes.
  7. Verify the certificate is installed
    Open certlm.msc on the client computer and confirm the certificate is in the Trusted Root Certification Authorities store. Test Copilot in a Microsoft 365 app.

If Copilot Still Has Issues After the Main Fix

Copilot Returns Generic Output Instead of Tenant-Specific Data

If the certificate error disappears but Copilot returns generic answers without accessing your Microsoft 365 data, the proxy may still be blocking specific endpoints. Add these URLs to the proxy bypass list: graph.microsoft.com and all subdomains, api.copilot.microsoft.com, login.microsoftonline.com, and office.com. Configure the bypass in Internet Options or via a registry key.

Certificate Error Appears Only in Certain Apps

If Copilot works in Word but fails in Teams, the issue is likely that Teams uses a different network stack or certificate validation method. Ensure the certificate is installed in the local machine store, not just the user store. Teams runs as the logged-in user but reads the machine store for certificate validation.
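
To check both the Group Policy verification step and the machine-store requirement described above, this PowerShell script reports where the certificate is actually registered. It is an added example, not part of the original article; the thumbprint is a placeholder for the value shown in the certificate's details in certlm.msc.

```powershell
# Added example: where does the corporate root CA actually live on this machine?
param([string]$Thumbprint = '<SHA-1 thumbprint of the corporate root CA>')  # placeholder

$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($tp.Length -ne 40) { throw 'Pass the 40-hex-digit thumbprint shown in certlm.msc' }

# Physical registry locations behind the logical Trusted Root store.
$where = [ordered]@{
    GroupPolicy  = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$tp"
    MachineLocal = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$tp"
    UserOnly     = "HKCU:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$tp"
}

$found = [ordered]@{}
foreach ($k in $where.Keys) { $found[$k] = Test-Path $where[$k] }

# The logical machine store merges the policy and local locations.
$found['EffectiveMachineRoot'] = Test-Path "Cert:\LocalMachine\Root\$tp"

[pscustomobject]$found

if ($found.UserOnly -and -not $found.EffectiveMachineRoot) {
    Write-Warning 'Present only in the current user store; import it into the local machine store.'
} elseif ($found.MachineLocal -and -not $found.GroupPolicy) {
    Write-Warning 'Trusted through a manual import, not Group Policy; check that the GPO applied (gpresult /r).'
} elseif (-not $found.EffectiveMachineRoot) {
    Write-Warning 'Not trusted on this machine.'
}
```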

Copilot Cannot Connect at All After Certificate Import

If the error persists after importing the certificate, the proxy may be using an intermediate CA that is also self-signed. Import both the root and intermediate CA certificates into the Trusted Root Certification Authorities store and the Intermediate Certification Authorities store respectively. Contact your IT team to confirm the full certificate chain.

Copilot Pro vs Copilot for Microsoft 365: Connection Behavior Differences

| Item | Copilot Pro | Copilot for Microsoft 365 |
|---|---|---|
| Authentication | Microsoft account or work/school account | Work/school account with Microsoft 365 license |
| Endpoints used | copilot.microsoft.com, api.copilot.microsoft.com | graph.microsoft.com, api.copilot.microsoft.com, login.microsoftonline.com |
| SSL inspection impact | Affects all endpoints | Affects all endpoints plus Microsoft Graph data calls |
| Certificate trust requirement | Trusted root certificate for all endpoints | Trusted root certificate plus intermediate CA for Graph |

After you install the corporate root certificate and configure proxy bypasses, Copilot should connect without errors. Test the fix by opening a Microsoft 365 app, launching the Copilot pane, and asking a question about your tenant data. If the error returns, verify that the certificate is in the correct store and that the Group Policy update was applied. For persistent issues, work with your network team to exclude Microsoft 365 endpoints from SSL inspection entirely. This approach eliminates the certificate conflict and ensures Copilot works reliably on corporate networks.
