Error sending encrypted emails: Recipient’s certificate unknown
The following error message (usually) indicates that Outlook was unable to find a valid certificate for the recipients shown in the error message:
There could be several reasons for this:
- Bypassing the GAL when entering the recipient’s address
- The recipient does not currently have a valid certificate
- Outlook does not know the correct certificate
- Outlook ignores valid certificates from the GAL
1. Bypassing the GAL when entering the recipient’s address
If you enter the email address manually when composing a new email, the matching contact may not be looked up in the GAL and, as a result, no certificate will be retrieved for it.
To select the recipient addresses (for KIT recipients), always use the To/Cc buttons to access the address search:
Find the recipients using the search box and then assign them using the To/Cc/Bcc buttons:
2. The recipient does not currently have a valid certificate
Search for the recipient’s email address in the certificate search (don’t forget to log in!). If you can’t find anything, you won’t be able to send encrypted emails to this recipient.
3. Outlook does not know the correct certificate
Outlook has access to KIT’s Global Address List (GAL). To enable access even when you are not connected to KIT Exchange, Outlook downloads an offline version of the GAL at regular intervals. To update the local copy of the GAL, open the Send/Receive tab and select Download Address Book… under Send/Receive Groups:
If necessary, select the correct address book, click OK, and wait until the process is complete.
4. Outlook ignores valid certificates from the GAL
If a contact exists for an email address in the local address book, this entry always takes precedence over the GAL. If an invalid certificate is stored in that local contact, Outlook uses it instead of the valid one from the GAL, which effectively prevents encrypting email to that address.
Open the address book view in Outlook. If you find a matching contact, you can simply delete it via the context menu:
If you want to investigate this further, edit the relevant contact and check the validity of the stored certificates (or the absence thereof):
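The same validity check can be scripted. The following PowerShell is an added example, not part of the original page: it assumes the recipient's certificate is available as a .cer file and that PowerShell 5 or later is used. The script parameters `-Path` and `-Recipient` are hypothetical names chosen for this example.

```powershell
# Added example: is this certificate usable for encrypting mail to a recipient?
# -Path and -Recipient are placeholders for this example, not values from the page.
param(
    [Parameter(Mandatory)] [string] $Path,       # certificate file, e.g. recipient.cer
    [Parameter(Mandatory)] [string] $Recipient   # address exactly as typed in Outlook
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" (Resolve-Path $Path).Path
$now  = Get-Date
$problems = @()

# 1. Validity period: an expired or not-yet-valid certificate cannot be used.
if ($now -lt $cert.NotBefore) { $problems += "Not valid before $($cert.NotBefore)" }
if ($now -gt $cert.NotAfter)  { $problems += "Expired on $($cert.NotAfter)" }

# 2. The certificate must name the recipient's address (SAN or subject e-mail).
$names = @($cert.GetNameInfo('EmailName', $false))
$san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $names += $san.Format($false) }
$pattern = '(^|[=\s,])' + [regex]::Escape($Recipient) + '($|[\s,])'
if (-not ($names -match $pattern)) {
    $problems += "Address $Recipient not found in certificate ($($names -join '; '))"
}

# 3. Key usage: encryption needs keyEncipherment (RSA) or keyAgreement (EC).
#    A certificate restricted to digitalSignature is signing-only.
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
if ($ku) {
    $flags = [type]"$x509.X509KeyUsageFlags"
    if (-not ($ku.KeyUsages.HasFlag($flags::KeyEncipherment) -or
              $ku.KeyUsages.HasFlag($flags::KeyAgreement))) {
        $problems += "Key usage is '$($ku.KeyUsages)': not usable for encryption"
    }
}

# 4. Chain and revocation, using the Windows trust store (online revocation
#    check by default, so this step needs network access).
$chain = New-Object "$x509.X509Chain"
if (-not $chain.Build($cert)) {
    $problems += $chain.ChainStatus | ForEach-Object { "Chain: $($_.StatusInformation.Trim())" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "OK: $($cert.Subject), valid until $($cert.NotAfter)"
}
```

Any warning it prints corresponds to a reason Outlook would reject the certificate; if the file came from a local contact, deleting that contact as described above lets Outlook fall back to the GAL entry.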