You see an error that Outlook cannot verify the security certificate for the server. This prevents you from sending or receiving emails. The error occurs when Outlook’s security check fails to validate the server’s digital certificate. This article explains the root cause and provides step-by-step methods to resolve the connection issue.
Key Takeaways: Fixing Outlook Security Certificate Errors
- File > Account Settings > Server Settings > More Settings > Advanced: Adjusts the server port numbers and encryption type to match your email provider’s requirements.
- Control Panel > Internet Options > Content > Certificates > Trusted Root Certification Authorities: Manually install or verify the correct root certificate authority is trusted by Windows.
- Windows Date & Time Settings: Corrects a system clock that is out of sync, which is a common cause of certificate validation failure.
Why Outlook Fails to Verify Server Certificates
Outlook uses the Secure Sockets Layer and Transport Layer Security protocols to encrypt your connection to the mail server. Part of establishing this secure connection involves verifying the server’s digital certificate. This certificate is a digital file issued by a trusted authority that confirms the server’s identity.
The verification fails when Outlook or Windows cannot confirm the certificate is valid and trustworthy. The most frequent technical causes are an incorrect system date and time, a missing intermediate certificate on your PC, or the server using a certificate that does not match the hostname you are connecting to. Antivirus or firewall software that intercepts encrypted traffic can also create a fake certificate that Outlook rejects.
How Certificate Chain Validation Works
A server certificate is part of a chain of trust. The server presents its certificate, which is signed by an intermediate certificate authority. That intermediate CA’s certificate is signed by a root certificate authority. Your Windows computer must trust that root CA. If any certificate in this chain is expired, revoked, or missing from your local store, the validation will fail and trigger the error.
Steps to Resolve the Security Certificate Error
Follow these methods in order. Start with the simplest system check before moving to more advanced configuration changes.
- Check Your System Date and Time
Right-click the clock in your Windows taskbar and select Adjust date and time. Ensure the Set time automatically and Set time zone automatically options are turned on. An incorrect date, even by a few days, will cause certificates to appear invalid. - Update Your Root Certificates
Open Windows Update by searching for it in the Start menu. Click Check for updates and install all available updates, especially optional updates labeled as root certificate updates. This ensures your PC has the latest list of trusted authorities. - Verify Your Account Server Settings
In Outlook, go to File > Account Settings > Account Settings. Select your email account and click Change. Click More Settings, then go to the Advanced tab. Verify the incoming and outgoing server ports match your provider’s official settings. Confirm the encryption connection type is set correctly, often SSL/TLS or STARTTLS. - Inspect Certificates in Internet Options
Open the Windows Control Panel and go to Internet Options. Select the Content tab and click Certificates. In the Certificates window, click the Trusted Root Certification Authorities tab. Look for certificates from authorities like DigiCert, GlobalSign, or Sectigo. If unsure, you can close this window; do not delete certificates. - Temporarily Disable Security Software Interception
Some antivirus suites have an email scanning or SSL scanning feature. Open your security software’s settings and look for a setting related to scanning encrypted connections or email protection. Disable this feature temporarily, restart Outlook, and test the connection. Remember to re-enable it later.
Advanced Fix: Manually Adjust Registry Settings
If the error persists and you are connecting to a corporate server, your administrator may provide a specific certificate. You can configure Outlook to trust it by adding a registry key. Press Windows key + R, type regedit, and press Enter. Navigate carefully to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security. Create a new String Value named SecureHostNames. For its value data, enter the server hostname followed by a colon and the port, like mail.contoso.com:993. This tells Outlook to bypass strict validation for that specific host.
If the Certificate Error Still Appears
Outlook Says the Certificate Name is Invalid
This means the name on the server’s certificate does not match the address Outlook is using to connect. Contact your email provider or IT department to confirm the exact incoming and outgoing server hostnames. For example, they may require mail.provider.com instead of imap.provider.com. Update these names in File > Account Settings > Server Settings.
Error Occurs After a Recent Windows Update
A Windows update can sometimes change system security policies. Search for “Windows Security” in the Start menu and open the app. Go to App & browser control and click Reputation-based protection settings. Temporarily turn off the Check apps and files option. Test Outlook, then turn the setting back on. This rules out a Windows Defender SmartScreen block.
Certificate Error When Using a VPN or Proxy
Corporate networks often use a proxy server that decrypts and re-encrypts traffic. This process presents a different certificate to Outlook. You may need to import your company’s root CA certificate. Obtain the .cer file from your IT team, open Internet Options > Content > Certificates, click Import, and follow the wizard to place it in the Trusted Root Certification Authorities store.
Manual Configuration vs Automatic Setup Comparison
| Item | Automatic Account Setup | Manual Server Configuration |
|---|---|---|
| Certificate Handling | Outlook relies on Windows to validate the chain automatically | Allows you to specify exact ports and encryption methods |
| Best For | Standard consumer accounts like Outlook.com or Gmail | Corporate accounts, custom domains, or older IMAP servers |
| Error Flexibility | Less control; errors often require system-level fixes | More control to adjust settings matching the server’s certificate |
| Setup Complexity | Simple, only requires email address and password | Requires knowledge of server hostnames, ports, and encryption type |
You can now diagnose and fix the common security certificate error in Outlook. Start by ensuring your Windows clock is correct, as this is the fastest solution. If you manage your own domain, verify your mail server’s SSL certificate is issued for the correct hostname. For persistent issues in a business environment, consult your IT department to obtain and install the specific root certificate used by your company’s servers.