Thread: How to read the SSL Diag certmon.log?

Last post 08-20-2008 4:22 PM by rfeng. 2 replies.

  • 08-20-2008, 2:05 PM

    • rfeng
    • Not Ranked
    • Joined on 08-20-2008, 2:00 PM
    • Posts 2

    How to read the SSL Diag certmon.log?

    I'm using SSL Diag 1.1 to troubleshoot client cert problems.  By using Client Cert Monitor I was able to pin it down to the following log entry:

     Name="VerifyCertificate"
     CertVerifyCertificateChainPolicy="0x1"
     CertGetCertificateChain_dwFlags="0x40000000"
     CERT_CHAIN_PARA.dwUrlRetrievalTimeout="0 ms"
     CERT_CHAIN_PARA.fCheckRevocationFreshnessTime="FALSE"
     CERT_CHAIN_PARA.dwRevocationFreshnessTime="0 sec"
     CERT_CHAIN_POLICY_STATUS.dwError="0x800b010f"
     CERT_CHAIN_POLICY_STATUS.lChainIndex="0"
     CERT_CHAIN_POLICY_STATUS.lElementIndex="1"

    In the client's browser it just said error 403.16, malformed cert or something.  According to

    http://msdn.microsoft.com/en-us/library/aa377188.aspx

    CERT_CHAIN_POLICY_STATUS.dwError contains more information on exactly what causes the invalidity, but that page gives the error code in text, and certmon.log has it in hex.  Does anyone know how to interpret the hex code?
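The hex value in certmon.log is an HRESULT, so it can be decoded mechanically: bit 31 is the failure flag, bits 16-26 are the facility (0xB is FACILITY_CERT) and the low 16 bits are the code, and the whole value is what winerror.h names. The following Python is an added example, not code from the thread or from SSL Diag. It parses the entry quoted in the question above (embedded as a constructed sample), decodes the HRESULT against a small table of chain-policy errors from winerror.h, decodes the CertGetCertificateChain flags and the policy id against wincrypt.h, and reads lElementIndex, which says which certificate in the chain the error is attached to (0 is the end-entity certificate, higher indexes are issuers). The constant names and values are from the public Windows headers; the helper names and the wording of the summary are my own.

```python
import re

# Constructed sample: the certmon.log entry quoted in the post above.
CERTMON_ENTRY = """\
Name="VerifyCertificate"
CertVerifyCertificateChainPolicy="0x1"
CertGetCertificateChain_dwFlags="0x40000000"
CERT_CHAIN_PARA.dwUrlRetrievalTimeout="0 ms"
CERT_CHAIN_PARA.fCheckRevocationFreshnessTime="FALSE"
CERT_CHAIN_PARA.dwRevocationFreshnessTime="0 sec"
CERT_CHAIN_POLICY_STATUS.dwError="0x800b010f"
CERT_CHAIN_POLICY_STATUS.lChainIndex="0"
CERT_CHAIN_POLICY_STATUS.lElementIndex="1"
"""

# Subset of chain-validation HRESULTs as defined in winerror.h.
CERT_ERRORS = {
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0106: "CERT_E_PURPOSE",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
    0x800B010C: "CERT_E_REVOKED",
    0x800B010F: "CERT_E_CN_NO_MATCH",
    0x800B0110: "CERT_E_WRONG_USAGE",
    0x80092012: "CRYPT_E_NO_REVOCATION_CHECK",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE",
    0x80096004: "TRUST_E_CERT_SIGNATURE",
}

# CertGetCertificateChain dwFlags bits, from wincrypt.h.
CHAIN_FLAGS = {
    0x10000000: "CERT_CHAIN_REVOCATION_CHECK_END_CERT",
    0x20000000: "CERT_CHAIN_REVOCATION_CHECK_CHAIN",
    0x40000000: "CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT",
    0x80000000: "CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY",
}

# CertVerifyCertificateChainPolicy predefined policy ids, from wincrypt.h.
POLICY_IDS = {
    1: "CERT_CHAIN_POLICY_BASE",
    2: "CERT_CHAIN_POLICY_AUTHENTICODE",
    3: "CERT_CHAIN_POLICY_AUTHENTICODE_TS",
    4: "CERT_CHAIN_POLICY_SSL",
    5: "CERT_CHAIN_POLICY_BASIC_CONSTRAINTS",
    6: "CERT_CHAIN_POLICY_NT_AUTH",
    7: "CERT_CHAIN_POLICY_MICROSOFT_ROOT",
}


def parse_entry(text):
    """Turn the Key="value" lines of one certmon.log entry into a dict."""
    entry = {}
    for m in re.finditer(r'^\s*([\w.]+)="([^"]*)"', text, re.MULTILINE):
        entry[m.group(1)] = m.group(2)
    return entry


def decode_hresult(value):
    """Split a hex HRESULT into severity, facility and code, and name it."""
    hr = int(value, 16) & 0xFFFFFFFF
    return {
        "hresult": f"0x{hr:08X}",
        "failed": bool(hr >> 31),           # bit 31: S (severity) flag
        "facility": (hr >> 16) & 0x7FF,     # bits 16-26: 0xB == FACILITY_CERT
        "code": hr & 0xFFFF,                # bits 0-15
        "name": CERT_ERRORS.get(hr, "unknown (look the value up in winerror.h)"),
    }


def decode_chain_flags(value):
    """Name every known bit in CertGetCertificateChain dwFlags."""
    flags = int(value, 16)
    names = [name for bit, name in CHAIN_FLAGS.items() if flags & bit]
    leftover = flags & ~sum(CHAIN_FLAGS)
    if leftover:
        names.append(f"0x{leftover:08X} (not in the table above)")
    return names


def analyze(text):
    """Summarise one VerifyCertificate entry in human-readable terms."""
    e = parse_entry(text)
    elem = int(e["CERT_CHAIN_POLICY_STATUS.lElementIndex"])
    if elem < 0:
        where = "not tied to a specific certificate"
    elif elem == 0:
        where = "end-entity certificate (the client cert itself)"
    else:
        where = f"issuer certificate #{elem} up the chain"
    return {
        "policy": POLICY_IDS.get(int(e["CertVerifyCertificateChainPolicy"], 16), "unknown"),
        "flags": decode_chain_flags(e["CertGetCertificateChain_dwFlags"]),
        "error": decode_hresult(e["CERT_CHAIN_POLICY_STATUS.dwError"]),
        "failing_element": where,
    }


if __name__ == "__main__":
    for key, val in analyze(CERTMON_ENTRY).items():
        print(f"{key}: {val}")
```

Run against the quoted entry, the decoder reports CERT_CHAIN_POLICY_BASE as the policy, revocation checking of the chain excluding the root as the only flag, CERT_E_CN_NO_MATCH as the error, and element index 1, i.e. the error is attached to the issuer certificate one step above the client cert rather than to the client cert itself, which is the element to inspect first.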

  • 08-20-2008, 4:04 PM In reply to

    • mukhtard
    • Top 25 Contributor
    • Joined on 07-07-2008, 9:13 PM
    • Redmond, WA
    • Posts 165

    Re: How to read the SSL Diag certmon.log?

    0x800b010f is CERT_E_CN_NO_MATCH. Check http://msdn.microsoft.com/en-us/library/bb648706(VS.85).aspx for cause and resolution.

    Thanks,
    Mukhtar Desai
    IIS Performance Team

  • 08-20-2008, 4:22 PM In reply to

    • rfeng
    • Not Ranked
    • Joined on 08-20-2008, 2:00 PM
    • Posts 2

    Re: How to read the SSL Diag certmon.log?

    Thanks for the info, but I think WinHTTP just happens to be using the same error code as CertVerifyCertificateChainPolicy.

    The explanation given by WinHTTP: "the common name (CN) of the server certificate does not match the hostname part of the device address" doesn't make sense because my problem happens when processing the client certificate.

    I don't understand why they wrote the tool to give out error codes but fail to provide documentation on what they mean... 
