Environment
- App Control Agent: All Supported Versions
- Microsoft Windows: All Supported Versions
Objective
How to use Windows CAPI2 logging to verify Partial Chain Errors
Resolution
- Enable CAPI2 Logging: Event Viewer > Applications and Services > Microsoft > Windows > CAPI2 > right click Operational > select "Enable Log".
- In a command prompt, trigger the Agent's validation task that queries Crypto API by running the following:
"C:\Program Files (x86)\Bit9\Parity Agent\DasCLI.exe" validatecerts
- Once the command completes, in the Event Viewer > right click Operational > select "Disable Log".
Note: If a copy was requested by Support, right click Operational > Save All Events As... > relevant location > Display information for these languages > English
- Search for Partial Chain Error events by adding filters:
Event level: Error
Event ID: 11
Task Category: Build Chain
- Open the partial chain event for the specific certificate and scroll to the "Certificate Chain" section, for example:
  - Certificate
      [ fileRef] 0325BD505EDA96302DC22F4FA01E4C28BE2834C5.cer
      [ subjectName] TIMESTAMP-SHA256-2019-10-15
  ...
  - CertificateChain
    - ErrorStatus
        [ value] 1010040
        [ CERT_TRUST_REVOCATION_STATUS_UNKNOWN] true
        [ CERT_TRUST_IS_OFFLINE_REVOCATION] true
        [ CERT_TRUST_IS_PARTIAL_CHAIN] true
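The same steps can be run from an elevated PowerShell prompt. The script below is an added example, not part of the original article or vendor tooling. It assumes the event XML carries the fields shown above (fileRef, subjectName, value and the CERT_TRUST_* flags) as attributes, and it matches elements by local name so that no namespace has to be assumed.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell prompt.
$log    = 'Microsoft-Windows-CAPI2/Operational'
$dascli = 'C:\Program Files (x86)\Bit9\Parity Agent\DasCLI.exe'   # path from the article

$start = Get-Date
wevtutil sl $log /e:true                 # equivalent of "Enable Log" in Event Viewer
try {
    & $dascli validatecerts              # Agent validation task that queries Crypto API
}
finally {
    wevtutil sl $log /e:false            # equivalent of "Disable Log", even if DasCLI fails
}

# Same filters as the manual search: Event level Error (2), Event ID 11 (Build Chain),
# restricted to events written during this run.
$filter = @{ LogName = $log; Id = 11; Level = 2; StartTime = $start }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Assumption: the leaf certificate is the Certificate element directly under the
# UserData payload, and the chain result is CertificateChain//ErrorStatus, with the
# values exposed as XML attributes.
$report = foreach ($e in $events) {
    $xml    = [xml]$e.ToXml()
    $status = $xml.SelectSingleNode(
        "//*[local-name()='CertificateChain']//*[local-name()='ErrorStatus']")
    if (-not $status -or
        $status.GetAttribute('CERT_TRUST_IS_PARTIAL_CHAIN') -ne 'true') { continue }

    $cert  = $xml.SelectSingleNode(
        "//*[local-name()='UserData']/*/*[local-name()='Certificate']")
    $flags = $status.Attributes |
        Where-Object { $_.Value -eq 'true' } |
        ForEach-Object { $_.Name }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        SubjectName = if ($cert) { $cert.GetAttribute('subjectName') }
        FileRef     = if ($cert) { $cert.GetAttribute('fileRef') }
        ErrorStatus = $status.GetAttribute('value')
        Flags       = $flags -join ', '
    }
}

# One entry per certificate that failed with a partial chain
$report | Sort-Object SubjectName, FileRef -Unique | Format-List
```

A partial chain reported together with CERT_TRUST_IS_OFFLINE_REVOCATION, as in the example event above, is the combination to line up against the network/firewall/proxy logs for the same time window.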
Additional Notes
It is recommended to coordinate this logging with extra logging at the network/firewall/proxy level to determine what changes may be necessary to allow this communication.