Office 2016 and Certificates

New Contributor II

Hi all,

We're trying to roll out Office 2016, and we've been having a certificate issue when setting up Outlook 2016 for the first time. When it tries to connect, it's asking to trust a cert that has nothing to do with our exchange server. Has anyone else experienced this? How did you resolve the issue?


Contributor III

It's pretty common from what i've heard....

We have that issue here, because our old email server and/or ADFS uses a certificate with a hostname mismatch....
In our case, I added a section in my postinstall script that injects the certificate into the System Keychain and sets it as trusted.

Valued Contributor III

We have that too. Right now we just have users trust it manually, but I plan to install it and trust it via a config profile or something similar.

New Contributor II

Thanks @alexjdale and @kstrick

Looks like we may need to do something similar. It's just unfortunate, I wonder why this happens on 2016 and not on 2011.

Honored Contributor II

I see the same issue with my Office 365 Exchange accounts because Outlook is first checking, which has no certificate associated with it. I have no certificate for my top level domain.

My understanding is this has something to do with Outlook now using Apple's CFNetwork Framework instead of its own (as Outlook 2011 did). Not sure how or why, but that's what I was told.

Complain to your Microsoft Technical Account Manager. I've complained to my contacts at Microsoft but they don't see to share my concern.

Contributor III

what is the text when it asks to trust the cert?

@kstrick if you can share, what did you add in postinstall script to set the cert as trusted?

Contributor III

@SeanA , if you had a certificate called "SOME_CERTIFICATE.cer" located in the folder "/tmp",
the code would look like this (assuming you had a hosname mismatch like i do)

/usr/bin/security -v add-trusted-cert -r trustAsRoot -e hostnameMismatch -d -k /Library/Keychains/System.keychain /tmp/SOME_CERTIFICATE.cer

If you were to do this command on it's own, you would need a 'sudo' before it, but since I use it in a package post install script, it has elevated privileges

Honored Contributor III
Honored Contributor III

@kstrick & @SeanA why not deploy the cert via a profile?

Contributor III

@bentoms why not indeed? I guess i could do that too.

New Contributor II

From an official KB from Microsoft with a fix:


This issue occurs in Outlook 2016 for Mac version 15.9 and later versions when Outlook performs an Autodiscover operation and tries to connect to a service endpoint whose expected name is not present on the server's Secure Sockets Layer (SSL) certificate.

Resolution (excluded pushing certificate method, a workaround instead of a solution)

Reissue a certificate that includes the domain name as the Subject Alternative Name. This enables you to resolve the issue for all Outlook for Mac clients without having to trust the certificate from each client individually.