"FAIL Certificate is not trusted: does not chain to a trusted anchor" Error
If you have authenticated to the phiMail server but receive an error about a recipient address, either that account is not yet configured properly or one party's trust policy is the likely cause. This error message does not indicate a configuration issue or other problem with an EMR Direct account.
phiMail will only exchange Direct messages with other trusted Direct addresses. This is by design, and is in compliance with the Direct protocol. A limited number of Direct messages from an untrusted but otherwise compliant sender will be received by phiMail Web only, and may be accessed within the "Untrusted" folder, but Direct messages cannot be transmitted to untrusted senders using phiMail until trust is enabled.
Most EMR Direct accounts elect to trust the DirectTrust network. So, in general, the error "does not chain to a trusted anchor" indicates that the recipient address is not part of the DirectTrust network. If you receive this message in production for an account with which you wish to exchange messages, contact EMR Direct to enable trust with the untrusted party(ies).
This error also occurs when an attempt is made to send a Direct message from a sandbox test address to a production Direct address, or vice versa. There are at least two separate networks for Direct, and the EMR Direct phiMail Sandbox environment is separate from the production environment, for security reasons. In other words, you will not be able to send messages between your sandbox address and a production address or vice versa. Many other DirectTrust HISPs also offer non-production systems for testing that may be trusted by the EMR Direct sandbox, if you are interested in cross-testing in the sandbox with a different system. Please refer to section 3 of the phiMail API documentation for additional details.
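The following added example (not EMR Direct code and not part of the phiMail API) uses the `openssl` command line to show why a certificate issued under one set of trust anchors fails validation against another. The two CAs named `sandbox` and `production`, the leaf names and the `PASS`/`FAIL` output are constructed stand-ins, not real Direct anchors or phiMail messages.

```shell
#!/bin/sh
# Added demo with constructed data: "sandbox" and "production" are throwaway
# CAs standing in for two separate trust anchor sets. No real Direct certificates.

# Minimal config so each anchor is marked CA:TRUE regardless of system defaults.
write_cnf() {  # $1 = work dir
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
}

make_anchor() {  # $1 = work dir, $2 = anchor name
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/demo.cnf" \
    -subj "/CN=$2 demo anchor" -keyout "$1/$2-ca.key" -out "$1/$2-ca.pem" 2>/dev/null
}

issue_leaf() {  # $1 = work dir, $2 = issuing anchor, $3 = leaf name
  openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
    -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2-ca.pem" -CAkey "$1/$2-ca.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# Prints PASS when the leaf chains to an anchor in the given bundle, else FAIL.
chain_check() {  # $1 = anchor bundle (PEM), $2 = leaf certificate (PEM)
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo PASS; else echo FAIL; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
write_cnf "$work"
make_anchor "$work" sandbox
make_anchor "$work" production
issue_leaf "$work" sandbox sandbox-user
issue_leaf "$work" production production-user

echo "sandbox leaf, sandbox anchors:       $(chain_check "$work/sandbox-ca.pem" "$work/sandbox-user.pem")"
echo "sandbox leaf, production anchors:    $(chain_check "$work/production-ca.pem" "$work/sandbox-user.pem")"
echo "production leaf, production anchors: $(chain_check "$work/production-ca.pem" "$work/production-user.pem")"
echo "production leaf, sandbox anchors:    $(chain_check "$work/sandbox-ca.pem" "$work/production-user.pem")"
```

Both leaf certificates are well-formed and unexpired; the only thing that changes between a pass and a fail is which anchor bundle the verifier is given.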
To test a production Direct address, send a message to your own production Direct address, to our interop-testing@direct.phimailbox.com address, or to another production address that you can look up in the phiMail Direct directory. To test a sandbox address, send a message to your own test address, to another address within the DirectTrust Interop Testing bundle, or to an ETT address.