Clients receive 403.16 when logging on to a Web server over an SSL connection

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

The VeriSign Global Server ID Intermediate Root certification authority (128-bit SSL) expired on January 7, 2004. Servers running IIS that have not been updated with the new Global Server ID Intermediate Root certification authority may encounter problems when clients try to establish SSL sessions by using the Secure Hypertext Transfer Protocol after January 7, 2004. Clients may see the following error message:

403.16 -- Client certificate is untrusted or invalid.

The client certificate has expired or is not yet valid.

Note

Servers that use VeriSign 40-bit Secure Server ID certificates are not affected by this expiration.

Procedures

To resolve this issue, take the following steps:

  1. Determine the version of the Intermediate Root CA that is currently active on your Web server. For more information, see Determining the Intermediate Root CA Version on a Web Server.

  2. If necessary, obtain the current Intermediate CA certificate from the VeriSign Web site. On the VeriSign Web site, search for the Microsoft IIS 5.0 heading, and then click Get Intermediate CA Here (If Required) in Step 1.

  3. Follow the instructions at the VeriSign Web site to perform the following tasks:

    1. Remove the expired Intermediate Root CA from your Web server.

    2. Install the current Intermediate Root CA on your Web server.

    3. Reboot your Web server and test the SSL connection.
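
The following added example (not part of the original article or of VeriSign's instructions) supports steps 1 and 3 by listing the certificates in the computer's Intermediate Certification Authorities store and marking each one as expired, not yet valid, or valid. It assumes that Windows PowerShell is installed on the Web server; the function name `Get-IntermediateCaStatus` and the `*VeriSign*` name filter are hypothetical choices made for this example.

```powershell
# Added example: read-only inventory of the Intermediate Certification
# Authorities store (Cert:\LocalMachine\CA) with a validity check per entry.
# Assumption: Windows PowerShell is installed on the server.
function Get-IntermediateCaStatus {
    param(
        # Store that holds intermediate CA certificates for the computer account.
        [string]$StorePath = 'Cert:\LocalMachine\CA',
        # Assumed wildcard filter on Subject/Issuer; use '*' to list everything.
        [string]$NameFilter = '*VeriSign*',
        # Reference date for the validity check (defaults to now).
        [datetime]$AsOf = (Get-Date)
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $NameFilter -or $_.Issuer -like $NameFilter } |
        Select-Object Subject, Issuer, SerialNumber, Thumbprint, NotBefore, NotAfter,
            @{ Name = 'Status'; Expression = {
                if     ($AsOf -gt $_.NotAfter)  { 'Expired' }
                elseif ($AsOf -lt $_.NotBefore) { 'NotYetValid' }
                else                            { 'Valid' }
            } },
            @{ Name = 'DaysLeft'; Expression = {
                # Negative values mean the certificate expired that many days ago.
                [int]($_.NotAfter - $AsOf).TotalDays
            } } |
        Sort-Object NotAfter
}

# Show every matching intermediate CA certificate, oldest expiry first.
Get-IntermediateCaStatus | Format-List
```

Run it before removing the expired certificate and again after installing the current one: the entry marked `Expired` should be gone and the replacement should show `Valid`.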