Easy CRL troubleshooting is just one click away in Windows Vista! Read on to learn how to enable crypto API2 (CAPI2) logging. For Windows XP and Windows Server 2003 you still have to use CAPIMON to find out what's going wrong with CRL checking.

1. Log on with local administrator permissions to the computer where the certificate verification failure occurs.
2. Click the Start menu. On the Administrative Tools menu, click Event Viewer.
3. In the left pane, expand the Application Logs container, expand Microsoft, expand Windows, and then expand the CAPI2 container. Select the Operational container.
4. On the Action menu, click Properties.
5. In the General tab, select the Enable logging check box, adjust the maximum log size and log maintenance according to your needs, and then click OK.

With CAPI2 logging turned on, all chain validation operations are logged in the event log: Application logs - Microsoft - Windows - CAPI2.

To find out what goes wrong with chain validation do the following:

1.  Open the event log on the computer where the chain validation fails and make sure CAPI2 logging is enabled.
2. In Event Viewer, expand the following container structure in the left pane: Application logs - Microsoft - Windows - CAPI2 - Operational
3. In the right pane, select a log entry.
4. In the bottom window, click the Details tab, and then select the Friendly View.
5. You will clearly see which process has performed a CAPI2 operation and what the actual status code was.