Add Let's Encrypt Certificates To Older Devices¶
Use this page when an older computer, phone, or mail client does not trust a Fused SSL certificate. This most often appears as a certificate warning in older software such as Outlook 2007.
Fused SSL certificates are normally issued through Let's Encrypt. Modern operating systems already trust the Let's Encrypt roots. Older systems may not, especially if Windows root certificate updates have not been installed.
Older mail clients are a security risk
Outlook 2007 and older Windows versions no longer receive normal security updates. Installing a missing root certificate may fix a trust warning, but it does not make the device or mail client current.
What Is Failing¶
SSL trust works like an ID check. The mail server presents a certificate, and the computer checks whether that certificate chains back to a trusted root authority.
If the device does not trust the root certificate, Outlook may show errors such as:
- The server's security certificate cannot be verified.
- The target principal name is incorrect.
- The certificate chain was issued by an authority that is not trusted.
- The server uses a security certificate that cannot be verified.
For Let's Encrypt certificates, the root usually involved is ISRG Root X1.
Let's Encrypt lists its current and historical roots and intermediates on its
Chains of Trust page.
Before Installing A Certificate¶
Check these first:
- Confirm the mail server hostname is correct.
- Confirm the computer's date and time are correct.
- Install available Windows updates.
- Restart Outlook and test again.
If the hostname is wrong, installing certificates will not fix the problem. For example, the mail app should use the hostname shown in the Fused email settings, not a random server name from an old setup.
Install ISRG Root X1 On Windows¶
Use these steps only on a device that must keep using the older mail client.
- Open the Let's Encrypt Chains of Trust page.
- Find
ISRG Root X1underRoot CAs. - Download the
pemordercertificate for the self-signedISRG Root X1certificate. - Save the file somewhere easy to find.
- Open the certificate file.
- Select
Install Certificate. - Choose
Local Machineif Windows offers that option. Administrator approval may be required. - Select
Place all certificates in the following store. - Choose
Trusted Root Certification Authorities. - Finish the import.
- Restart Outlook.
- Test sending and receiving mail again.
Use the root certificate, not a random site certificate
Do not install a certificate copied from a browser warning for one specific website unless Fused support has asked for it. The usual fix is to install the trusted root certificate from Let's Encrypt's official certificate page.
If Outlook 2007 Still Fails¶
If the warning continues after installing the root certificate, the issue may not be the root certificate.
Check:
- The incoming and outgoing hostnames match the Fused settings.
- The account uses the full email address as the username.
- SMTP authentication is enabled.
- The selected ports and SSL/TLS settings match the mail app.
- Windows supports the TLS version required by the mail server.
Outlook 2007 on very old Windows versions may not support the TLS behavior required by modern mail servers. In that case, the practical fix is to use a current mail client or a supported operating system.
Safer Options¶
For long-term use, prefer:
- Current Outlook through Microsoft 365.
- Thunderbird.
- Apple Mail on a supported macOS version.
- The built-in mail app on a supported iPhone, iPad, Android, or Windows device.
- Webmail from a modern browser.
Related Guides¶
-
Email settings
Confirm IMAP, SMTP, ports, and SSL settings.
-
Outlook
Review Outlook setup details.
-
SSL certificates
Review Fused SSL certificate behavior.