Verify TLS certificates, private keys, and permitted peers#
When to use this procedure#
Use after TCP succeeds but TLS, DTLS, SETP, RELP, or secure syslog fails.
Applies to#
This procedure applies to EventReporter.
Prerequisites#
Use an account that can read the product configuration and Windows diagnostic state.
Replace angle-bracket placeholders with values from the affected system.
Safety#
Run diagnostic checks before changing configuration.
Remove passwords, private keys, license data, and other secrets from evidence.
Configuration path#
Configuration Client > the service, rule, or action named on the Event ID page.
Procedure#
Record CA PEM, certificate PEM, key PEM, peer identity, and authentication mode.
Expected result: The affected object and its effective settings are identified.
If it fails: Return to the complete Event Log detail and configuration export before changing settings.
Run the native Windows checks below from the affected product host.
certutil -dump '<CERTIFICATE_PATH>' certutil -verify '<CERTIFICATE_PATH>'
Expected result: The certificate is valid for its purpose, chains to the intended trust anchor, and matches the configured peer policy.
If it fails: Replace invalid files, provide the matching unencrypted PEM key, or correct trust and peer settings; do not disable validation permanently.
Perform one uniquely identifiable product test through the same service, rule, or action.
Expected result: The intended destination records the test exactly once.
If it fails: Collect the first new product event and bounded debug output; do not change unrelated settings.
Verify the result#
Repeat the affected operation, confirm its positive output, and verify that queues, collection positions, or remote delivery continue normally.
Evidence to collect#
The complete Event Log entry and neighboring product events with timestamps.
The command output, relevant configuration export, and bounded debug log from the same interval.