Windows Event ID 5378 – SCHANNEL: TLS/SSL Certificate Chain Validation Error

Event ID 5378 indicates SCHANNEL encountered a certificate chain validation error during TLS/SSL handshake, typically due to untrusted root certificates or incomplete certificate chains.

Emanuel DE ALMEIDA, 18 March 2026, 12 min read

What This Event Means

Windows Event ID 5378 represents a critical security event generated by the SCHANNEL security support provider when certificate chain validation fails during TLS/SSL connection establishment. SCHANNEL performs rigorous certificate validation according to RFC 5280 standards, checking certificate signatures, validity periods, revocation status, and trust chains back to a trusted root certificate authority.

The validation process involves multiple steps: certificate signature verification, date validity checks, certificate purpose validation, and most importantly, building a complete trust chain from the server certificate through intermediate certificates to a trusted root CA in the Windows certificate store. When any step fails, SCHANNEL generates Event ID 5378 and provides specific error codes indicating the failure reason.

This event is particularly significant in enterprise environments where certificate-based authentication is mandatory for compliance. Applications relying on SCHANNEL for secure communications will fail to establish connections when this error occurs, potentially impacting web services, email systems, database connections, and API integrations. The event details include the certificate thumbprint, allowing administrators to identify the specific certificate causing issues.

Understanding this event is crucial for maintaining secure communications infrastructure, as certificate validation errors can indicate security attacks, misconfigurations, or expired certificates that require immediate attention.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Untrusted root certificate authority not present in Windows certificate store
  • Missing intermediate certificates in the certificate chain
  • Expired or not-yet-valid certificates in the chain
  • Certificate revocation list (CRL) or OCSP validation failures
  • Self-signed certificates without proper trust configuration
  • Certificate chain length exceeding Windows limits
  • Malformed or corrupted certificate data
  • Time synchronization issues causing date validation failures
  • Certificate purpose mismatch (server authentication vs client authentication)
  • Weak cryptographic algorithms not supported by current security policies
Resolution Methods

Troubleshooting Steps

01

Examine Event Details and Certificate Information

Start by examining the complete event details to identify the specific certificate and error code:

  1. Open Event Viewer → Windows Logs → System
  2. Filter for Event ID 5378 using the filter option
  3. Double-click the most recent 5378 event to view details
  4. Note the certificate thumbprint and error description in the event data
  5. Use PowerShell to retrieve detailed certificate information:
# Get certificate details by thumbprint
$thumbprint = "PASTE_THUMBPRINT_HERE"
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq $thumbprint} | Format-List *

# Check all certificate stores for the certificate
Get-ChildItem -Path Cert:\LocalMachine -Recurse | Where-Object {$_.Thumbprint -eq $thumbprint}

Review the certificate's validity period, issuer information, and intended purposes. This initial analysis helps determine whether the issue is certificate expiration, missing trust, or chain problems.

02

Verify Certificate Chain and Trust Store

Validate the complete certificate chain and ensure all required certificates are present:

  1. Use PowerShell to test certificate chain building:
# Test certificate chain for a specific server
$serverName = "your-server.domain.com"
$port = 443

# Create TCP connection and retrieve certificate. The validation callback returns $true so the
# handshake completes and the certificate can be captured even when SCHANNEL would reject it;
# trust is then evaluated explicitly by X509Chain below. Diagnostic use only.
$captureOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcpClient = New-Object System.Net.Sockets.TcpClient
$tcpClient.Connect($serverName, $port)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, $captureOnly)
$sslStream.AuthenticateAsClient($serverName)
$cert = $sslStream.RemoteCertificate
$sslStream.Close()
$tcpClient.Close()

# Build and display the certificate chain; Build() returns $false when any element fails validation
$cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$isValid = $chain.Build($cert2)
"Chain valid: $isValid"
$chain.ChainElements | ForEach-Object { $_.Certificate | Format-List Subject, Issuer, NotAfter }
$chain.ChainStatus | Format-Table Status, StatusInformation
  2. Check trusted root certificate authorities:
# List trusted root CAs
Get-ChildItem -Path Cert:\LocalMachine\Root | Format-Table Subject, Thumbprint, NotAfter

# Check for specific root CA
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*YourCA*"}
  3. Verify intermediate certificates are installed:
# Check intermediate certificate store
Get-ChildItem -Path Cert:\LocalMachine\CA | Format-Table Subject, Issuer, NotAfter
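The chain check above can be taken one step further: the added script below (not from the original article) fetches the server certificate even when SCHANNEL would reject it, rebuilds the chain with online revocation checking, and maps each X509ChainStatusFlags value to the cause in the list above and the store where the fix belongs. $ServerName is an assumed placeholder.

```powershell
# Added diagnostic script, not from the original article. $ServerName is a placeholder.
param(
    [string]$ServerName = "your-server.domain.com",
    [int]$Port = 443
)

# Capture-only callback: lets the handshake finish so the certificate can be inspected.
# Trust is evaluated explicitly by X509Chain below; never use this callback in application code.
$captureOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $captureOnly)
    $ssl.AuthenticateAsClient($ServerName)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

# Build the chain the way the chain engine does for a server-authentication connection
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new("1.3.6.1.5.5.7.3.1")) | Out-Null  # serverAuth EKU
$isValid = $chain.Build($leaf)

# Status flag -> likely cause (from the list above) and where to fix it
$hints = @{
    UntrustedRoot           = "root CA not trusted: import it into Cert:\LocalMachine\Root"
    PartialChain            = "intermediate missing: import the issuer into Cert:\LocalMachine\CA"
    NotTimeValid            = "expired or not yet valid: renew the certificate or check clock sync"
    RevocationStatusUnknown = "CRL/OCSP could not be checked: verify access to the CDP/AIA URLs"
    OfflineRevocation       = "revocation endpoint offline: check proxy and firewall rules"
    NotSignatureValid       = "bad signature: certificate data is corrupted or does not match its issuer"
    NotValidForUsage        = "purpose mismatch: certificate lacks the Server Authentication EKU"
    HasWeakSignature        = "weak signature algorithm: reissue with a current algorithm"
    Revoked                 = "certificate is revoked: replace it"
}

"Chain for ${ServerName}:${Port} valid: $isValid"
foreach ($el in $chain.ChainElements) {
    "  {0}  (expires {1:yyyy-MM-dd})" -f $el.Certificate.Subject, $el.Certificate.NotAfter
}
foreach ($st in $chain.ChainStatus) {
    $flag = $st.Status.ToString()
    $hint = if ($hints.ContainsKey($flag)) { $hints[$flag] } else { $st.StatusInformation.Trim() }
    "  [$flag] $hint"
}
$chain.Dispose()
```

Run it as `.\Test-ChainStatus.ps1 -ServerName host.example.com` from an elevated prompt on the machine that logs the event, so the chain is built against that machine's own stores.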
03

Install Missing Certificates and Update Trust Store

Install missing root or intermediate certificates to complete the trust chain:

  1. Download the required root certificate from your certificate authority
  2. Install root certificate using PowerShell:
# Install root certificate
$certPath = "C:\path\to\rootca.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

Write-Host "Root certificate installed successfully"
  3. Install intermediate certificates:
# Install intermediate certificate
$intermediatePath = "C:\path\to\intermediate.cer"
$intermediateCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($intermediatePath)
$intermediateStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("CA", "LocalMachine")
$intermediateStore.Open("ReadWrite")
$intermediateStore.Add($intermediateCert)
$intermediateStore.Close()
  4. Update certificate revocation lists:
# Force CRL update
certlm.msc
# Navigate to Intermediate Certification Authorities → Certificates
# Right-click certificate → All Tasks → Update Certificate Revocation List
  5. Test the connection after certificate installation to verify the fix
04

Configure Certificate Validation Policies and Registry Settings

Modify certificate validation behavior through registry settings and group policy:

  1. Configure certificate validation registry settings:
# Raise the CRL/OCSP URL retrieval timeout and size limits used by the chain engine
# (this does not disable revocation checking; it only gives slow endpoints more time)
$regPath = "HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config"
if (!(Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name "MaxUrlRetrievalTimeoutMilliseconds" -Value 15000 -PropertyType DWord -Force
New-ItemProperty -Path $regPath -Name "MaxUrlRetrievalByteCount" -Value 100000000 -PropertyType DWord -Force
  2. Configure SCHANNEL logging for detailed troubleshooting:
# Enable SCHANNEL event logging
$schannelPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
New-ItemProperty -Path $schannelPath -Name "EventLogging" -Value 7 -PropertyType DWord -Force
  3. Set certificate chain policy through registry:
# Configure certificate chain policy
$chainPath = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config"
if (!(Test-Path $chainPath)) { New-Item -Path $chainPath -Force }
New-ItemProperty -Path $chainPath -Name "MaxUrlRetrievalTimeoutMilliseconds" -Value 30000 -PropertyType DWord -Force
  4. Restart affected services to apply changes:
# Restart HTTP service and dependent services
Restart-Service -Name "HTTP" -Force
Restart-Service -Name "W3SVC" -Force -ErrorAction SilentlyContinue
Warning: Modifying certificate validation settings can impact security. Only disable revocation checking temporarily for troubleshooting.
05

Advanced Certificate Chain Analysis and Network Troubleshooting

Perform comprehensive certificate chain analysis and network-level troubleshooting:

  1. Use a .NET web request to surface the SCHANNEL validation error:
# Trigger an HTTPS request and capture the certificate validation error using PowerShell
$serverName = "problematic-server.com"
$port = 443

# A failed TLS handshake surfaces as a WebException wrapping an AuthenticationException
$webRequest = [Net.WebRequest]::Create("https://${serverName}:$port")
try {
    $response = $webRequest.GetResponse()
    Write-Host "Connection succeeded: HTTP $([int]$response.StatusCode)"
    $response.Close()
} catch {
    # PowerShell wraps .NET exceptions; walk InnerException until the TLS failure is found
    $ex = $_.Exception
    while ($ex -and -not ($ex -is [System.Security.Authentication.AuthenticationException])) { $ex = $ex.InnerException }
    if ($ex) {
        Write-Host "Certificate validation failed: $($ex.Message)"
    } else {
        Write-Host "Request failed: $($_.Exception.Message)"
    }
}
  2. Analyze certificate revocation list accessibility:
# List the CRL and OCSP endpoints a certificate advertises; the chain engine must be able to reach them
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*your-cert*"} | Select-Object -First 1

# CRL Distribution Points extension: each "URL=" line is a CRL download location
$cert.Extensions | Where-Object {$_.Oid.FriendlyName -eq "CRL Distribution Points"} | ForEach-Object {
    $_.Format($true)
}

# Authority Information Access extension: OCSP responder and CA issuer URLs
$cert.Extensions | Where-Object {$_.Oid.FriendlyName -eq "Authority Information Access"} | ForEach-Object {
    $_.Format($true)
}
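Listing the endpoints is only half the check; the added script below (not from the original article) extracts every CDP and AIA URL from a certificate and probes each one, which is the quickest way to confirm the network-connectivity cause described in the FAQ. $Thumbprint is an assumed placeholder.

```powershell
# Added example, not from the original article. $Thumbprint is a placeholder.
param([string]$Thumbprint = "PASTE_THUMBPRINT_HERE")

$cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint found in LocalMachine stores" }

# CDP is OID 2.5.29.31, AIA is OID 1.3.6.1.5.5.7.1.1. Format($true) renders both as
# multi-line text in which every endpoint appears on a "URL=..." line.
$urls = foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $kind = if ($ext.Oid.Value -eq '2.5.29.31') { 'CRL' } else { 'AIA' }
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [PSCustomObject]@{ Kind = $kind; Url = $m.Groups[1].Value }
        }
    }
}
if (-not $urls) { "Certificate $Thumbprint carries no CDP or AIA URLs (no online revocation data)"; return }

foreach ($u in $urls) {
    $result = $null
    try {
        # Any HTTP answer proves the endpoint is reachable through the current proxy/firewall;
        # OCSP responders often reject HEAD, so a 4xx status still counts as reachable.
        $r = Invoke-WebRequest -Uri $u.Url -Method Head -TimeoutSec 10 -UseBasicParsing -ErrorAction Stop
        $result = "reachable (HTTP $($r.StatusCode))"
    } catch {
        if ($_.Exception.Response) { $result = "reachable (HTTP $([int]$_.Exception.Response.StatusCode))" }
        else { $result = "UNREACHABLE: $($_.Exception.Message)" }
    }
    "{0,-4} {1}  -> {2}" -f $u.Kind, $u.Url, $result
}
```

Run it under the same account and on the same machine that logs the event, because proxy and firewall rules can differ between user contexts and the LocalSystem context the chain engine often runs in.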
  3. Monitor certificate validation in real-time:
# Monitor SCHANNEL events in real-time
Get-WinEvent -FilterHashtable @{LogName='System'; Id=5378} -MaxEvents 10 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

# Set up continuous monitoring
Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='System' AND EventCode=5378" -Action {
    $event = $Event.SourceEventArgs.NewEvent
    Write-Host "Certificate validation error detected at $($event.TimeGenerated)"
    Write-Host "Message: $($event.Message)"
}
  4. Create comprehensive certificate validation report:
# Generate certificate validation report
$report = @()
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $isValid = $chain.Build($cert)
    
    $report += [PSCustomObject]@{
        Subject = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter = $cert.NotAfter
        IsValid = $isValid
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    }
}
$report | Export-Csv -Path "C:\temp\certificate-validation-report.csv" -NoTypeInformation

Overview

Event ID 5378 fires when the Windows SCHANNEL (Secure Channel) provider encounters a certificate chain validation error during TLS/SSL handshake negotiations. This event appears in the System log when Windows cannot establish trust for a remote server's certificate chain, either because the root certificate authority is not trusted, intermediate certificates are missing, or the certificate chain is malformed.

SCHANNEL is Windows' native TLS/SSL implementation that handles secure communications for applications including IIS, Exchange, SQL Server, and any application using WinHTTP or WinINet APIs. When certificate validation fails, SCHANNEL logs this event and typically terminates the connection attempt.

This event commonly occurs in enterprise environments where internal certificate authorities are used, during certificate renewals, or when connecting to external services with certificate configuration issues. The event provides crucial debugging information including the certificate thumbprint and validation error details.

Frequently Asked Questions

What does Windows Event ID 5378 mean and when does it occur?
Event ID 5378 indicates that the Windows SCHANNEL security provider encountered a certificate chain validation error during TLS/SSL handshake. This occurs when Windows cannot establish trust for a remote server's certificate, typically due to missing root certificates, incomplete certificate chains, expired certificates, or revocation check failures. The event fires whenever applications using SCHANNEL (like IIS, Exchange, or any app using WinHTTP) attempt to establish secure connections but fail certificate validation.

How do I identify which certificate is causing Event ID 5378 errors?
The Event ID 5378 details contain the certificate thumbprint that failed validation. Open Event Viewer, navigate to System log, find the 5378 event, and examine the event data for the thumbprint. Use PowerShell command 'Get-ChildItem -Path Cert:\LocalMachine -Recurse | Where-Object {$_.Thumbprint -eq "THUMBPRINT"}' to locate the certificate. The event description also includes the server name and specific validation error, helping identify the problematic certificate and connection.

Can Event ID 5378 errors be caused by network connectivity issues?
Yes, network connectivity can cause Event ID 5378 errors, particularly when certificate revocation list (CRL) or OCSP responder endpoints are unreachable. If Windows cannot access CRL distribution points or OCSP servers to verify certificate revocation status, the validation fails. Firewall restrictions, proxy configurations, or DNS resolution issues preventing access to certificate authority endpoints will trigger this event. Check network connectivity to CRL and OCSP URLs listed in the certificate's Authority Information Access extension.

How do I fix Event ID 5378 when using internal certificate authorities?
For internal CAs, install the root certificate authority certificate in the Trusted Root Certification Authorities store on all affected systems. Use PowerShell: '$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("rootca.cer"); $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine"); $store.Open("ReadWrite"); $store.Add($cert); $store.Close()'. Also ensure intermediate certificates are installed in the Intermediate Certification Authorities store. Deploy certificates via Group Policy for enterprise environments.

What registry settings can help troubleshoot persistent Event ID 5378 errors?
Key registry settings for troubleshooting include enabling detailed SCHANNEL logging by setting HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging to 7. Increase certificate retrieval timeouts at HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config with MaxUrlRetrievalTimeoutMilliseconds (30000) and MaxUrlRetrievalByteCount (100000000). For testing only, you can temporarily disable revocation checking, but this reduces security and should not be used in production environments.
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
