[NFBCS] Certificate cannot be verified.

Brian Buhrow buhrow at nfbcal.org
Tue May 2 15:49:01 UTC 2023 

	hello tracy and everyone.  Tracy, you first need to determine, exactly, the cause of your
error.  to help with this, here is a short explanation of how these certificates work.  I
apologize to those of you who know this stuff intimately for any simplifications and/or
omissions I make in the below paragraph.

	In order for certificates to serve as tokens of authentication, their origins must be
verified.  This is achieved by using  what's called a chain of trust.  For example, if you
receive a certificate that says it was issued by Bob's Certificates, the system checking the
validity and authenticity of that certificate must be able to trust that it knows who Bob's
Certificates are.  To do this, it extracts the issuer of that certificate from the certificate
itself.  Next, it checks a cache of certificates which were installed when the system was
installed or when it received its latest update.  If there is a certificate in that cache which
matches the name of the issuer given in the certificate from Bob's Certificates, and that
certificate is not expired, then the process is repeated until the "root certificate" is
reached.  the root certificate is a "magic" certificate which, in theory, never expires and
which is pointed to by all the second level providers of certificates.  

	If, in the process of traversing the chain of certificates from the leaf node certificate
to the root certificate, an invalid certificate is encountered, either because it's expired or
because there is a missing provider between the root certificate and the leaf node certificate,
you'll get a certificate  error.  Given the error message you received, "Target principal name
is incorrect", I'm guessing the issuer of the certificate your mail provider is using is
unknown to Outlook in that it cannot traverse the chain of certificates from the one it got
when you connected to your e-mail to the root certificate it has in its cache.  To figure out
exactly what to do about this, the first thing to do is to view the certificate details for the
certificate Outlook is complaining about.  Then, post those details here.  Once we can see
them, we should be able to give you some options for correcting the problem.  


-thanks
-Brian

More information about the NFBCS mailing list