500 Internal Server Error and on TMG/ISA you will see the event which mentions error 0x80090349 with certificate

Recently I have come across issues with web publishing where all the websites a customer has published through TMG/ISA have gone down. You will see errors like **0x80090349**.

Externally, if you try to access the website, the browser returns a 500 Internal Server Error, and on TMG/ISA you will see an event that mentions error 0x80090349 with the certificate.

This is mostly caused by the DigiCert root CA or intermediate CA certificate having been revoked or deactivated.

In this situation, here are some handy troubleshooting steps you can follow to resolve the issue:

  1. Open the MMC snap-in on TMG.

  2. Add the Computer certificate store.

  3. Find the certificate issued by DigiCert and go to its Certification Path tab.

  4. Click each certificate higher up in the chain and verify that its status shows OK.

  5. Either the intermediate certificate or the root CA may show “The certificate is deactivated”.

  6. Now browse to the Intermediate Certificate store or to the Trusted Root store, depending on which certificate got deactivated.

  7. Check the certificate thumbprint. It will show the certificate is valid but deactivated.

  8. If it is the root CA, download the certificate from the following location: https://www.digicert.com/digicert-root-certificates.htm (match the thumbprint before downloading).

  9. If it is an intermediate certificate, download it from the link above; you will then have to use the DigiCert repair toolkit to fix the chain (repair utility: https://www.digicert.com/util/ ).

  10. Sometimes the repair utility will make the intermediate certificate a root CA, so you will have to add that certificate to the Root store.

  11. Once done, refresh the certificate store and the issue should be resolved.
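The Certification Path check in steps 3 to 7 can also be done from PowerShell. The following is an added example, not part of the original post or a DigiCert tool; it assumes the publishing certificate is in the computer's Personal store and that its issuer name contains "DigiCert" (the `$IssuerMatch` filter and the `Find-StoreLocation` helper are illustrative names).

```powershell
# Added example: list every element of the chain with its thumbprint, the
# machine store that holds it, and the chain status Windows computes for it.
# Assumption: issuer name contains "DigiCert"; adjust for your environment.
$IssuerMatch = 'DigiCert'

function Find-StoreLocation {
    param([string]$Thumbprint)
    # Report whether the certificate is in Trusted Root (Root) or Intermediate (CA).
    $found = @()
    foreach ($store in 'Root', 'CA') {
        if (Test-Path "Cert:\LocalMachine\$store\$Thumbprint") { $found += $store }
    }
    if ($found.Count -eq 0) { 'none' } else { $found -join ',' }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object {
        $leaf  = $_
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # NoCheck keeps the check offline; switch to Online to include CRL/OCSP lookups.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $ok = $chain.Build($leaf)

        "Leaf: {0}  chain valid: {1}" -f $leaf.Subject, $ok

        # ChainElements runs from the leaf (depth 0) up to the root.
        $depth = 0
        foreach ($el in $chain.ChainElements) {
            $status = @($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
            if (-not $status) { $status = 'NoError' }
            "  depth={0} thumbprint={1} stores={2} status={3}" -f `
                $depth, $el.Certificate.Thumbprint, (Find-StoreLocation $el.Certificate.Thumbprint), $status
            "    subject: {0}" -f $el.Certificate.Subject
            $depth++
        }
        $chain.Reset()
    }
```

Any element whose status is not `NoError` is the one to inspect in the store shown, and its thumbprint is the value to match against the DigiCert download page in step 8.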

More information: 

http://www.digicert.com/util/repair-intermediate-ssl-certificate-errors-using-digicert-utility-for-microsoft-servers.htm 

https://www.digicert.com/ssl-support/windows-cross-signed-chain.htm 

Please note: this is an initial document for fixing the issue. The DigiCert team is aware of this situation and will publish an article on it very soon.

Published by:

Nitin Zambre

MSFT

Thanks to one of my colleagues, Kaustubh Dwivedi (MSFT), for the help.