The server you are connected to is using a security certificate that cannot be verified

    Question

  • Hello.  I'm using Outlook 2007 and when opening the client I get this message every time now.

       The server you are connected to is using a security certificate that cannot be verified.
       The target principal name is incorrect
       <view certificate [button]>
       do you want to continue using this server?

    When I click the <view certificate> button the certificate information is as follows:

       All the intended purposes of this certificate could not be verified
       issued to: *hotmail.com
       issued by : globalsign organization validation ca - g2
       valid from 4/24/2013 to 4/24/2016

    How do I get rid of this "Internet security warning" message?

    My POP3 settings are:

       pop3.live.com [port 995 ssl enabled]
       smtp.live.com [port 587 TLS encryption]

    Sincerely

    this cert is driving me crazy

    Monday, September 16, 2013 1:33 PM

All replies

  • I've seen a couple of people post about this, and I've yet to see a definitive answer unfortunately (and I see you've been pushed from pillar to post as well between other MS forums).

    The error itself is indicating that while you're connecting to live.com for some reason you're receiving an SSL certificate back for hotmail.com, and since they're different it's complaining. This is the expected behaviour since while the certificate for hotmail.com may be valid, that's not where you were connecting to.

    What is weird is that if I login to mail.live.com via the webmail interface I get a certificate for live.com, though it also includes details for hotmail.com and the various other domains and host addresses used by the MS email services, and that's perfectly normal, but live.com is default / subject entry. The other thing I notice is that the certificate you're getting is issued by Globalsign, while the live.com certificate I get is from VeriSign, with both being current (though the latter cert expires in 2015 rather than 2016).

    In the certificate you get, if you view it and go into details with All showing, do you see an entry for Subject Alternative Name, and if so does it include things like live.com in addition to the hotmail entries? I wonder if Microsoft have some servers using one certificate and the other servers using the other (perhaps as a form of redundancy in case someone forgets to renew one of them). If that's the case I wonder if Outlook 2007 doesn't handle SAN (Subject Alternative Name) entries properly, so if hotmail.com is the Subject entry on the Globalsign certificate Outlook 2007 doesn't correctly check the SAN entries to see if live.com is listed there and generates an error.

    In terms of what you can do, for some certificate errors installing it onto the local system can work around them, eg where the certificate can't be verified because it's self-signed etc, but I suspect in this case that wouldn't help since while local it still wouldn't match.

    Monday, September 16, 2013 7:47 PM
  • Keith,

    Thank you for your reply.  I exported the cert and ran a verify on it.  Here is the output.  In answer to your question: Yes, there is a live.com entry under subjectaltname (SubjectAltName: DNS Name=*.hotmail.com, DNS Name=*.live.com, DNS Name=*.outlook.com, DNS Name=hotmail.com).

    Issuer:

        CN=GlobalSign Organization Validation CA - G2

        O=GlobalSign nv-sa

        C=BE

    Subject:

        CN=*.hotmail.com

        O=Microsoft Corporation

        L=Redmond

        S=Washington

        C=US

    Cert Serial Number: 1121e5d2f8eb30bef32a61a5bf8d982fbe6f

     

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)

    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)

    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)

    HCCE_LOCAL_MACHINE

    CERT_CHAIN_POLICY_BASE

    -------- CERT_CHAIN_CONTEXT --------

    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    ChainContext.dwRevocationFreshnessTime: 66 Days, 9 Hours, 44 Minutes, 3 Seconds

     

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    SimpleChain.dwRevocationFreshnessTime: 66 Days, 9 Hours, 44 Minutes, 3 Seconds

     

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0

      Issuer: CN=GlobalSign Organization Validation CA - G2, O=GlobalSign nv-sa, C=BE

      NotBefore: 4/24/2013 2:35 PM

      NotAfter: 4/24/2016 2:35 PM

      Subject: CN=*.hotmail.com, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

      Serial: 1121e5d2f8eb30bef32a61a5bf8d982fbe6f

      SubjectAltName: DNS Name=*.hotmail.com, DNS Name=*.live.com, DNS Name=*.outlook.com, DNS Name=hotmail.com

      d4 fa f9 be 9d d7 2a 54 70 4c be 68 8c ff 53 27 5d ea 83 14

      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)

      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

        CRL (null):

        Issuer: SERIALNUMBER=20130613000100, CN=GlobalSign Organization Validation CA - G2 OCSP responder - 2, O=GlobalSign nv-sa, C=BE

        fc 4c 5c 1d 64 5e 1f a9 3e 65 1e 4f a6 55 42 c3 81 5f 5f d5

      Issuance[0] = 2.23.140.1.2.2

      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

      Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

     

    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0

      Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

      NotBefore: 4/13/2011 4:00 AM

      NotAfter: 4/13/2022 4:00 AM

      Subject: CN=GlobalSign Organization Validation CA - G2, O=GlobalSign nv-sa, C=BE

      Serial: 0400000000012f4ee1450c

      b9 ee 85 a1 0f d4 95 d9 94 ed 63 48 8a b7 4a 18 cb 8e 6b fa

      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)

      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

        CRL (null):

        Issuer: CN=GlobalSign OCSP for Root R1 - Branch 2, O=GlobalSign nv-sa, C=BE

        5b 92 84 4a ea 05 ee 84 fa 55 42 c0 5b 01 25 d4 74 3a a6 9c

      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

      Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

      Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing

      Application[3] = 1.3.6.1.5.5.7.3.4 Secure Email

      Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping

      Application[5] = 1.3.6.1.5.5.7.3.9 OCSP Signing

      Application[6] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System

      Application[7] = 1.3.6.1.5.5.7.3.6 IP security tunnel termination

      Application[8] = 1.3.6.1.5.5.7.3.7 IP security user

      Application[9] = 1.3.6.1.5.5.8.2.2 IP security IKE intermediate

     

    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0

      Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

      NotBefore: 9/1/1998 6:00 AM

      NotAfter: 1/28/2028 6:00 AM

      Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

      Serial: 040000000001154b5ac394

      b1 bc 96 8b d4 f4 9d 62 2a a8 9a 81 f2 15 01 52 a4 1d 82 9c

      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)

      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)

      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

      Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

      Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

      Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing

      Application[3] = 1.3.6.1.5.5.7.3.4 Secure Email

      Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping

      Application[5] = 1.3.6.1.5.5.7.3.9 OCSP Signing

      Application[6] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System

      Application[7] = 1.3.6.1.5.5.7.3.6 IP security tunnel termination

      Application[8] = 1.3.6.1.5.5.7.3.7 IP security user

      Application[9] = 1.3.6.1.5.5.8.2.2 IP security IKE intermediate

     

    Exclude leaf cert:

      65 de cb 4f 37 d9 cd d0 78 af ae 6f 67 cf 0b b0 1a 39 a3 5f

    Full chain:

      27 ca c0 c1 50 fd 6f 1c 5a b6 50 4e eb e4 72 8b 2d a9 3b 8c

    ------------------------------------

    Verified Issuance Policies:

        2.23.140.1.2.2

    Verified Application Policies:

        1.3.6.1.5.5.7.3.1 Server Authentication

        1.3.6.1.5.5.7.3.2 Client Authentication

    Cert is an End Entity certificate

    Leaf certificate revocation check passed

    CertUtil: -verify command completed successfully.

    Cert Crazy

    Friday, September 20, 2013 4:10 PM
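
The name mismatch discussed in the posts above, as an added example that is not part of the original thread: a client that compares the hostname only with the subject CN rejects pop3.live.com, while a client that matches against the SubjectAltName DNS names (the RFC 6125 rule) accepts it. The function names are hypothetical, the CN and SAN values are the ones in the certutil output, and CN-only matching in the unpatched client is the thread's hypothesis, not a confirmed fact.

```python
# Added example: CN-only versus SAN-aware hostname matching.
# Names below are copied from the certutil output in the thread.
SUBJECT_CN = "*.hotmail.com"
SAN_DNS = ["*.hotmail.com", "*.live.com", "*.outlook.com", "hotmail.com"]


def label_match(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the entire left-most label and covers
    exactly one label: *.live.com matches pop3.live.com, but not
    live.com and not a.b.live.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def verify_cn_only(cn: str, host: str) -> bool:
    """Assumed legacy behaviour: look at the subject CN, ignore the SAN."""
    return label_match(cn, host)


def verify_san_aware(cn: str, san_dns: list, host: str) -> bool:
    """RFC 6125 rule: if SAN dNSName entries exist, only they are checked."""
    names = san_dns if san_dns else [cn]
    return any(label_match(name, host) for name in names)


def diagnose(cn: str, san_dns: list, host: str) -> str:
    """Classify a warning: client limitation or a certificate that does not fit."""
    if not verify_san_aware(cn, san_dns, host):
        return "mismatch"   # certificate does not cover this host at all
    if not verify_cn_only(cn, host):
        return "san-only"   # valid for the host, but a CN-only client warns
    return "ok"


if __name__ == "__main__":
    for host in ("pop3.live.com", "smtp.live.com", "live.com", "pop3.hotmail.com"):
        print(f"{host:18} {diagnose(SUBJECT_CN, SAN_DNS, host)}")
```

A "san-only" result points at the client's name checking, which is what a client update addresses; a "mismatch" result means the certificate really does not cover the server name that was configured.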
  • I'd be tempted to suspect it's an Outlook 2007 issue not properly reading the SAN, though you'd think there'd be something online mentioning it if that was the case.

    One thing I did notice looking around is that earlier this year there were changes made to the Office 365 setup, and that caused issues for some Outlook 2007 installs. While I don't think they use the same platform, it's possible whatever changes they made to one was also made to the other.

    Suggested resolve for that issue is to ensure that Office 2007 has SP3 and all the latest updates installed on it, for instance you can see the requirements for using 2007 for 365 here http://office.microsoft.com/en-gb/office365-suite-help/software-requirements-for-office-365-for-business-HA102817357.aspx

    • Proposed as answer by Keith Langmead Sunday, September 22, 2013 5:57 PM
    Friday, September 20, 2013 6:36 PM
  • Keith, 

    Looks like upgrading the office service pack worked.  I'm unable to say definitively that office 2007 sp3 was the trick because there were other office updates I installed at the same time.  But one of the updates worked.  I'm 99% sure it was office 2007 sp3.

    FYI the link you provided led me to office 2007 sp3 but I was unable to install that package directly from the downloaded file (it said the installed version required was not present).   I had to do it from the Windows Update panel.  Additionally I had to select an option on the Windows Update page to check for updates for 'other windows products'.  Doing this pulled in the office updates I was missing.

    Thank you for your assistance!

    no longer Cert Crazy.

    • Proposed as answer by Diamondi Saturday, October 12, 2013 5:15 AM
    Sunday, September 22, 2013 5:10 PM
  • Keith, 

    Looks like upgrading the office service pack worked.  I'm unable to say definitively that office 2007 sp3 was the trick because there were other office updates I installed at the same time.  But one of the updates worked.  I'm 99% sure it was office 2007 sp3.

    FYI the link you provided led me to office 2007 sp3 but I was unable to install that package directly from the downloaded file (it said the installed version required was not present).   I had to do it from the Windows Update panel.  Additionally I had to select an option on the Windows Update page to check for updates for 'other windows products'.  Doing this pulled in the office updates I was missing.

    Thank you for your assistance!

    no longer Cert Crazy.

    You just described my solution exactly. I had a messy hardware upgrade last summer and the previously automatic outlook updates didn't happen after a new windows install :)
    Saturday, October 12, 2013 5:39 AM
  • Thanks!  We are working on the same issue here with a new Office 2007 installation and live.com account. The Office 2007 SP3 fixed the certificate error.

    Thanks again

    To download office 2007 sp3 use link url below:

    http://www.microsoft.com/en-us/download/details.aspx?id=27838



    • Edited by Rtecky Monday, June 23, 2014 10:09 PM
    Monday, June 23, 2014 10:08 PM
  • I've been searching the web for an answer to this very problem, but with my local provider and using Outlook 2013 - POP/SMTP. There was nothing wrong with the names, but I found out that in the advanced settings of the account for "Use the following type of encrypted connection" I had set "Auto". When set to "none" the problem disappeared!
    Wednesday, September 10, 2014 10:19 AM