Outlook cannot pick proper signing and encrypting certificate

Andrei Shenets 6 Reputation points

Hi All,

I have both a personal Outlook 365 subscription and Outlook 2019 from my company. I have two Office 365 email accounts on different domains added to Outlook. Both accounts have different signature certificates. One is signed with the self-signed CA certificate of my organization and one is from Global Sign.

This setup works for some time for signing/encrypting emails, but from time to time I get the following or similar errors when replying to encrypted emails:



Our internal IT support found that it is because Outlook cannot pick the proper certificate. It was suggested that I set the following registry flag to suppress the check for the certificate.



But that resulted in the issue that Outlook uses the same certificate for both accounts, which is not correct for the second account. Moreover, Outlook does not allow changing the certificate that should be used and complains that the certificate cannot be found.

When I removed the flag, the previous behavior was not restored, and Outlook continues to complain that it cannot find the certificate.

Please help me to solve this certificate issue as our IT support cannot find a solution.


3 answers

  1. JeffYang-MSFT 6,241 Reputation points Microsoft Vendor

    Hi @Andrei Shenets ,

    Sorry for my delay. I'm going to share some updates about your issue here. I tried the same tests in my Outlook 2019 client: I created a new Outlook profile and added two different email accounts along with different signature certificates. I tried sending encrypted emails, and they were sent normally without any issues. I tried replying to encrypted emails, and both manually choosing certificates and automatically choosing certificates worked fine. I have not been able to reproduce your issue yet.

    In order to further confirm your issue, I would suggest that you try creating and using a new Outlook profile via Control Panel > Mail > Show profile and add only one email account and certificate, to check whether each of these email accounts and certificates works fine independently.

    By the way, considering that you have tried the same tests in different Outlook versions, does this issue happen to all the users in your organization, or do only some specific users have it? If all the users in your organization have the same issue, global settings such as GPO might cause issues like this, so that may also be worth checking.


  2. Andrei Shenets 6 Reputation points

    Hi @JeffYang-MSFT ,

    Yes, I am still able to reproduce the issue. I have tried creating new profiles and it doesn't help.

    You might be able to reproduce it in the following way:

    1. Create an email with Test title and Test body to someone who can receive encrypted emails from you
    2. Enable encryption and signing for the email
    3. Save the email and close the popup window
    4. Open the email and try to send it.

    I am constantly getting the message:

    I guess it shows because of the same reason.

    I am able to reproduce the issue using the steps above on other PCs, but if you do not save the email and just send it, then it works on other PCs. Some people don't have the issue at all.

  3. Kai Michael Poppe 0 Reputation points

    Have there been any advances on this topic for OP?

    For me, this issue still exists in Outlook for Microsoft 365 MSO (Version 2304 Build 16.0.16327.20200) 64 Bit, just not with two different accounts, but when trying to send a mail from a mail-address I have "Send-As" rights to.

    I'm completely in awe as to why Outlook will insist on activating the "Sign Message" button when it knows it doesn't have a certificate for it. What are the trust center "profiles" even for if not to decide what addresses to use signing for?

    I will now have to discuss with our customer how on earth we are supposed to write documentation for the average user to correctly use message signing. This is going to be fun :-/

