Mac Mail Sierra Certificate Problem

I'm using a late-2016 MacBook Pro, with Retina display and the horrible touch bar.

For *months* I've had a recurring error checking my work email account: "Mail can not verify server identity."

I've tried numerous fixes posted online. Including:

Deleting the mail account and adding it back.

Trying to delete the expired certificate. All attempts to delete it led to a UNIX( error, whatever that is. Switching back and forth between TLS/SSL and *not* TLS/SSL (and yes, I used the right port settings). And...I don't even remember all the other things I tried.

Tonight (China time) I found a solution. There are probably others, but I've ****** away so much time being stubborn about this that I have zero interest in looking further.

I don't know if this is a general solution - it's kind of a kluge - but here's what I did:

Followed the "official" Apple recommendations at: https://support.apple.com/en-in/guide/mail/ssl-connect-outgoing-mail-server-mlhlp1072/mac Your mail is probably already configured by following this process. Which didn't solve my problem. I had gotten this far already.

Went to Mail/Setting/(account name)/Server Settings.

Turned off "Automatically manage connection settings".

Made sure I had the right port numbers for using TLS/SSL.

(Some variation of this may work without TLS/SSL toggled on. See comment below.)

The following the part that I had to make up:

Within Keychain Access, I used "Certificate Assistant" to create my own TLS certificate.

You can't find the Certificate Assistant without choosing "System" in the upper left field . When you do this, a pull-down menu appears at the top of the page. Under Keychain Access, you can now launch Certificate Assistant. This is the annoying part. I followed some path that allowed me to create my own TLS certificate. I can't remember what it was. It was simple, but I was running on instinct and can't remember anything about the details. I've gone back and found that one can generate a security certificate that is not specifically a TLS certificate. This might be important if you turn TLS/SSL authentication off.

Back in mail, I went to "Advanced POP Settings." I set the TLS certificate identity to my TLS certificate. Then I toggled "Allow insecure authentication", in the same window.

Server identification problem disappeared. I can read my ****ing email again.

Please bear in mind that I did all this by ****ing around for many hours, and following my instincts.

There may be many reasons why this solution is very bad in terms of security.

I expect there are many "upgrades" to this solution. To make life easier for most users: If you have an upgrade/solution based on UNIX command lines? Please don't post it. Solutions based on UNIX code instantly exclude 99%+ of the user community, and are effectively useless. (Pet peeve of mine....)

It would be especially useful if someone provides guidance for navigating Certificate Assistant. I don't have the time or patience . (Or authoritative knowledge of any kind!)