Foreign Root CA certificates could be imported but are invalid / error message shown

which happens to foreign/own certificates so signing/validation is not possible.

Fraunhofer Institute offers a global (free for private usage) identity service for Germany below and needs to import their CA certificate to applications.

Actually they offer import only to IE, Chrome and Firefox, and it would be nice to also get a procedure for emClient (I use it over OX service).

The German error is:
Es ist ein Fehler bei der Zertifikatsüberprüfung aufgetreten: “Eine Zertifikatskette zu einer vertrauenswürdigen Stammzertifizierungsstelle konnte nicht aufgebaut werden.”

which seems to be the error 0x800b010a, well known from .NET/Windows Update.
And I find no way to make the certificate a “trusted” one.



Hello, I have been trying to transfer certificates from to the EM client for a few days.
The following problem has arisen.

Volksverschluesselung creates 3x certificates, 2x CA and 1x key in a *.p12 file. One of these certificates is intended for signing and another one for encrypting; what the third one is, I have not yet fully understood.

However, the EM Client does not support separate certificates for signing and encrypting a mail. Each certificate has both tasks for the EM client.

Since the EM client now always loads the latest certificate from the file, it unfortunately loads the Encr certificate, which is created a few seconds after Auth and Sign.

Exactly this certificate is not intended for signing, this only works if the mail has been encrypted. If the mail is only signed, the recipient cannot verify this. This is different with the Auth file, where the recipient can use the Volksverschluesselungs Root CA to automatically check the authenticity of the signature at

If the EM client were to allow a separate signing certificate and encryption certificate, this problem would be eliminated.

Such a function would also make sense for other applications, since many companies use a central certificate for encryption and employees receive their own certificate for signing.
As a result, many companies have no way to use EM Client.
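
The selection problem described in the post above, as an added example that is not part of the original thread and not eM Client's code: choosing a certificate by its keyUsage extension instead of taking the most recently created one. The three certificates are constructed self-signed stand-ins; their names and keyUsage values are assumptions, not the actual Volksverschluesselung profile.

```shell
#!/usr/bin/env bash
# Added example: select a certificate by purpose (keyUsage), not by age.
# Requires OpenSSL 1.1.1 or newer (-addext and -ext options).

WORK=$(mktemp -d)

# Constructed stand-ins; the CN and keyUsage values are assumptions.
make_cert() {  # $1 = name, $2 = comma-separated keyUsage list
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-$1" -addext "keyUsage=critical,$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_cert auth digitalSignature
make_cert sign digitalSignature,nonRepudiation
make_cert encr keyEncipherment   # created last, so a "latest wins" rule picks it

# Print the decoded keyUsage extension of one certificate.
key_usage() {
  openssl x509 -in "$1" -noout -ext keyUsage
}

# Print the names of all certificates whose keyUsage contains every
# usage passed as an argument, e.g. certs_for "Digital Signature".
certs_for() {
  for pem in "$WORK"/*.pem; do
    usage=$(key_usage "$pem")
    ok=1
    for want in "$@"; do
      case "$usage" in
        *"$want"*) ;;
        *) ok=0 ;;
      esac
    done
    [ "$ok" -eq 1 ] && basename "$pem" .pem
  done
  return 0
}

echo "usable for signing:    $(certs_for 'Digital Signature' | tr '\n' ' ')"
echo "usable for encryption: $(certs_for 'Key Encipherment' | tr '\n' ' ')"
```

A certificate that lists only Key Encipherment never appears in the signing list, whatever its creation time.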