(Solved) 403.16 Forbidden: Client certificate is untrusted or invalid

A browser displays a 4xx error when there is a client-side issue while accessing a website. Specifically, a 403 error translates to “Forbidden”. If you dig deeper into the issue (Failed Request Logs or IIS logs), you may see 16 as the sub-status code, which refers to “Client certificate is untrusted or invalid” (Reference).

This post explains how to solve the 403.16 error.

Solution for “403.16 Forbidden: Client certificate is untrusted or invalid” error

In my case, the issue was a missing root certificate on the IIS server. The issue was solved once we added it by following the steps below.

  • On the IIS web server, click Start, type “mmc.exe”, right-click mmc.exe, and then click “Run as administrator”
  • Go to “File > Add/Remove Snap-in”
  • In the “Available snap-ins” list, click “Certificates”, and then click “Add”.
  • Select “Computer account” and click “Next”.
  • Click “Local computer”, click “Finish”, and “Close”. Then click “OK”.
  • Go to “Certificates > Trusted Root Certification Authorities > right-click Certificates > All Tasks > Import”
  • In the “Certificate Import Wizard”, click “Next”
  • Type the location of the root certificate of the certification authority and click “Next”
  • Click “Next”, and “Finish”

Note: Another root cause of the 403.16 issue might be the existence of non-self-signed certificates in the “Trusted Root Certification Authorities” container (Reference 1, Reference 2).
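
The same import can be done from an elevated PowerShell prompt, together with a check for the non-self-signed condition described in the note above. This is an added example, not part of the original post; the file path is a placeholder, and the self-signed test compares Subject and Issuer names only.

```powershell
# Run in an elevated PowerShell session on the IIS server.
# ASSUMPTION: placeholder path to the CA's root certificate file (.cer).
$rootCertPath = 'C:\temp\example-root-ca.cer'
$storePath    = 'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities

# Load the file without installing it, so it can be inspected first.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCertPath)

# A root certificate is self-signed: Subject and Issuer are identical.
# Importing an intermediate here would create the second cause of 403.16.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed (Issuer: $($cert.Issuer)). Do not import into Trusted Root."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# Print the thumbprint so it can be compared with the value the CA publishes.
'{0}  {1}' -f $cert.Thumbprint, $cert.Subject

# Import only if the certificate is not already in the store.
$existing = Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $existing) {
    Import-Certificate -FilePath $rootCertPath -CertStoreLocation $storePath | Out-Null
}

# Audit the store: list any certificate whose Issuer differs from its Subject.
$misplaced = Get-ChildItem $storePath | Where-Object { $_.Issuer -ne $_.Subject }
if ($misplaced) {
    $misplaced | Format-List Subject, Issuer, Thumbprint, NotAfter
} else {
    'No non-self-signed certificates found in Trusted Root.'
}
```

Any certificate the audit lists is an intermediate or end-entity certificate and belongs in a different store, such as Intermediate Certification Authorities.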

To centralize certificate management in your IIS web farm, check out the CCS (Centralized Certificate Store) feature: What is Centralized Certificate Store (CCS) and how to use it?

Ned Sahin
