
Fix 0x80096019: Certificate Basic Constraint Error

Cybersecurity & Malware, Intermediate, May 27, 2026

This error means a certificate's basic constraint extension wasn't honored—usually a broken or expired root cert. I'll show you three fixes, from a quick time sync to rebuilding the cert chain.

30-Second Fix: Check Your System Clock

I've seen this error more times than I can count, and half the time it's not a broken certificate—it's a clock that's drifted. Last month, a client's server was off by 4 years because the CMOS battery died. The certificate thought it wasn't valid yet, and boom, 0x80096019.

Here's what to do:

  1. Right-click the clock in the taskbar and pick Adjust date/time.
  2. Turn on Set time automatically and Set time zone automatically.
  3. Click Sync now under Synchronize your clock.
  4. Restart the app that threw the error (usually a browser, Outlook, or a line-of-business tool).

If the clock was wrong, you're probably done. If it was already correct, move on to the next fix.

5-Minute Fix: Let Windows Update Root Certs Automatically

Windows has a built-in mechanism to update root certificates, but it's not always enabled. When it's off, old or missing root certs cause the basic constraint check to fail. Here's how to flip that switch:

  1. Press Win + R, type gpedit.msc, and hit Enter. (If you're on Windows Home, skip to the registry section below.)
  2. Navigate to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings.
  3. Find Turn off Automatic Root Certificates Update and set it to Not Configured or Disabled.
  4. Run gpupdate /force in a command prompt.
  5. Then open an admin command prompt and run:
    certutil -generateSSTFromWU roots.sst
    This downloads the latest root certs from Microsoft and stores them locally.
  6. Import the file:
    certutil -addstore Root roots.sst

No Group Policy editor? Use the registry instead, from an admin command prompt:

reg add "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" /v DisableRootAutoUpdate /t REG_DWORD /d 0 /f
certutil -generateSSTFromWU roots.sst
certutil -addstore Root roots.sst

I had a client last month whose entire print queue died because of this—every print job hit 0x80096019. After updating the root store, it was back to normal in 5 minutes.
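
Before running the import, it is worth seeing what roots.sst would actually add to the machine's trust anchors. The PowerShell below is an added example, not part of the original article: it reads the policy value set above, loads roots.sst in memory only, and lists the certificates not yet in the Local Machine Root store. It assumes roots.sst is in the current directory.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example. 'roots.sst' is the file written by
# 'certutil -generateSSTFromWU roots.sst' in the steps above.
$sstPath = 'roots.sst'

# 1. Policy value from the article: 1 means automatic root update is turned off.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'DisableRootAutoUpdate = 1: automatic root updates are off.'
} else {
    'Automatic root update is not disabled by policy.'
}

# 2. Load the serialized store in memory; no certificate store is modified.
$sst = [X509Certificate2Collection]::new()
$sst.Import((Resolve-Path $sstPath).Path)

# 3. Compare against what the machine already trusts.
$have = @((Get-ChildItem Cert:\LocalMachine\Root).Thumbprint)
$now  = Get-Date

$review = @(foreach ($c in $sst) {
    # OID 2.5.29.19 is the basic constraints extension.
    # Old X.509 v1 roots carry no extensions, so IsCA is False for them.
    $bc = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        Expired    = $c.NotAfter -lt $now
        IsCA       = [bool]($bc -and $bc.CertificateAuthority)
        AlreadyIn  = $c.Thumbprint -in $have
        Subject    = $c.Subject
    }
})

$toAdd = @($review | Where-Object { -not $_.AlreadyIn })
'{0} certificates in {1}, {2} not yet in LocalMachine\Root' -f $review.Count, $sstPath, $toAdd.Count

# 4. These are the roots the import would newly trust. Review before importing.
$toAdd | Sort-Object Subject |
    Format-Table Thumbprint, NotAfter, Expired, IsCA, Subject -AutoSize
```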

15+ Minute Fix: Identify and Replace the Bad Certificate

If the first two fixes didn't work, you've got a certificate that's genuinely corrupted, expired, or misconfigured. This happens often with self-signed certs or old code-signing certificates.

Step 1: Find the Offending Certificate

Open the app that shows the error and look for a certificate warning. In a browser, click the padlock icon. In an MMC snap-in, check the certificate details. The error message often points to a specific certificate thumbprint or name.

If you can't find it visually, use Event Viewer:

  1. Press Win + R, type eventvwr.msc.
  2. Go to Windows Logs > Application or System.
  3. Filter for Event ID 64 or 100 with source CertificateServicesClient or Crypt32.
  4. Look for the certificate thumbprint in the event details.

Step 2: Delete and Replace the Bad Cert

Open certlm.msc (for Local Machine) or certmgr.msc (for Current User). Navigate to Trusted Root Certification Authorities > Certificates. Find the cert that matches the thumbprint from the event. Right-click and delete it.

Now download a fresh copy of that root cert from the issuing CA (like DigiCert, Let's Encrypt, or your internal CA). Import it:

certutil -addstore Root path\to\newcert.cer

Step 3: Rebuild the Chain Manually

Sometimes the intermediate CA is also broken. Run this to check the chain:

certutil -verify -urlfetch yourcert.cer

If the basic constraint error appears, you'll see something like "basic constraint extension has not been observed" in the output. The fix is to download all intermediate certs and install them in Intermediate Certification Authorities. I've had to do this for old VeriSign certs that Microsoft stopped updating in 2019.
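
To see which certificate in the chain trips the check, and whether the clock from the first fix is a factor, the chain can be walked element by element. This PowerShell is an added example, not from the original article: it uses the .NET X509Chain class and reports each element's basic constraints, validity window and chain status. yourcert.cer is the same placeholder file name as in the certutil command.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example. 'yourcert.cer' is the placeholder file name from the step above.
$cert  = [X509Certificate2]::new((Resolve-Path 'yourcert.cer').Path)
$chain = [X509Chain]::new()
# Skip revocation so the result reflects chain building and constraints only.
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
$now   = Get-Date

# Element 0 is the certificate itself; higher positions are its issuers.
$i = 0
$report = @(foreach ($el in $chain.ChainElements) {
    $c  = $el.Certificate
    $bc = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    [pscustomobject]@{
        Position   = $i++
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        HasBC      = [bool]$bc
        IsCA       = [bool]($bc -and $bc.CertificateAuthority)
        PathLen    = if ($bc -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'none' }
        NotBefore  = $c.NotBefore
        NotAfter   = $c.NotAfter
        ClockOK    = ($now -ge $c.NotBefore) -and ($now -le $c.NotAfter)
        Status     = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
})

"Chain built and trusted: $built"
$report | Format-List

# Elements Windows itself flagged for basic constraints.
$flagged = @($report | Where-Object { $_.Status -match 'InvalidBasicConstraints' })

# Issuers that carry the extension but are not marked as a CA.
# (X.509 v1 roots have no extension at all and are not listed here.)
$notCa = @($report | Where-Object { $_.Position -gt 0 -and $_.HasBC -and -not $_.IsCA })

# Elements outside their validity window according to the local clock.
$clock = @($report | Where-Object { -not $_.ClockOK })

'Flagged InvalidBasicConstraints: {0}; issuers not marked CA: {1}; outside validity window: {2}' -f `
    $flagged.Count, $notCa.Count, $clock.Count
$flagged + $notCa + $clock | Select-Object Position, Thumbprint, Subject, Status -Unique
```

The thumbprints it prints are the ones to look for in certlm.msc under Trusted Root Certification Authorities or Intermediate Certification Authorities.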

Step 4: Fix EMET or Security Software Interference

If you're running EMET (Enhanced Mitigation Experience Toolkit) or a security suite that inspects SSL, they can block the basic constraint check. Open EMET, go to Application Configuration, and add the offending program to the trust list. Or temporarily disable the SSL inspection in your antivirus—McAfee and Symantec are famous for this.

Still stuck? The error usually means a root cert is missing or the chain is incomplete. Check if the cert was issued by a CA that's no longer trusted (like Symantec's old PKI). In that case, you need to replace the certificate entirely. But 90% of the time, the first two fixes got you running again.

Real-world note: I once had a manufacturing company where every .exe on their server threw this error because their internal CA certificate had expired. They'd been using the same self-signed cert for 5 years. Reissued it, and the errors vanished.

Remember: this error is almost never a malware issue. It's a certificate trust problem. Don't run a malware scan—just follow these steps.
