Showing posts from June, 2020

Previously trusted client certificate no longer trusted by IIS

I was getting the following error from IIS when locally testing a web API that requires SSL client certificates:

403.16 The client certificate used for this request is not trusted by the Web server

One way to troubleshoot is to use the certutil tool that comes with Windows. It has a -verify switch that you can use to verify the public portion of the client certificate:

certutil -f -urlfetch -verify "public client cert.cer"

The tool will show any errors encountered when validating the cert, such as a failure to look up the revocation list (CRL) of the issuer.

You can also capture the details of the client certificate, like the subject name, issuer and serial number, by adding custom fields to your IIS log. Instructions are here and the fields are under "Server Variables".

The specific issue I was having, however, is described in the answer to https://stackoverflow.com/questions/26247462/http-error-403-16-client-certificate-trust-issue . I had a Trusted Root cert