
Fix CERT_E_PATHLENCONST (0x800B0104) Certificate Error

Cybersecurity & Malware | Intermediate | Jun 9, 2026

This error means the certificate chain contains more intermediate CAs than a path length constraint in that chain allows. It usually happens with outdated or misconfigured security software. Here's how to fix it fast.

What's happening and why

You're seeing this error because Windows can't validate a certificate chain. The specific trigger: the certificate path has more intermediate Certificate Authorities (CAs) than the root CA's pathLenConstraint allows. That's a security setting in the CA certificate's Basic Constraints extension that limits how deep a chain of trust can go. An intermediate CA certificate can carry its own pathLenConstraint as well, and it applies to the CAs below it. Real-world example: you try to connect to a corporate VPN or a legacy HTTPS site, and the browser or app throws 0x800B0104.

The most common cause? Outdated root certificates on your machine. Second most common: a security tool (antivirus, firewall, VPN client) intercepting SSL traffic and mangling the chain. Third: a misconfigured internal CA at your company. Here's how to fix it, from quick to thorough.

Fix 1: Update Windows root certificates (30 seconds)

This is the first thing I try on every machine with this error. Windows stores a list of trusted root CAs. If that list is stale, a certificate chain that would otherwise be valid gets flagged.

  1. Open Windows Update: press Windows+I, then go to Update & Security (Windows 10) or Windows Update (Windows 11).
  2. Click Check for updates. Let it scan and install any pending updates. This includes root certificate updates that Microsoft pushes automatically.
  3. If updates show, install them. Reboot your PC.

What you'll see after: If the error was caused by a missing root CA update, the error goes away immediately after reboot. Test by reconnecting to the site or app that gave you the error.

My take: I've seen this fix work on maybe 40% of calls. It's free, fast, and harmless. Do it first.

Fix 2: Disable SSL interception in security software (5 minutes)

Antivirus programs like Norton, McAfee, Bitdefender, and even some corporate VPN clients inject their own certificate into your system's trust store. They do this to scan encrypted traffic. But they sometimes mess up the path length constraint by adding an extra CA that your root CA never authorized.

  1. Open your antivirus or security suite. Look for settings related to SSL scanning, HTTPS scanning, or encrypted connections.
  2. Toggle that feature off. Save the change.
  3. Also check if you have a VPN client that intercepts SSL (like some corporate VPNs). Temporarily disconnect from the VPN.
  4. Reboot your computer.

What you'll see after: If the error disappears, you've found the culprit. Now you have a choice: leave SSL scanning off (which reduces your antivirus's ability to inspect encrypted traffic), or add an exception for the specific site or app that was failing. Most security suites let you whitelist a URL. Add the exact domain that triggered the error.

My take: I strongly recommend keeping SSL scanning on for general browsing—it catches malware hidden in HTTPS traffic. But for a specific broken site, whitelisting is the practical fix.

Fix 3: Manually check and update the certificate chain (15+ minutes)

If the first two fixes didn't work, the problem is likely a bad intermediate certificate in the chain. This can happen when a server admin installed a certificate incorrectly, or when an internal CA at your company issued a certificate that violates the path length constraint. You'll need to examine the chain manually.

Step 3.1: Export the failing certificate

  1. Go to the site or app that shows the error. If it's a website, open it in a browser (Edge or Chrome work).
  2. Click the padlock icon in the address bar, then click Connection is secure (or Not secure).
  3. Click Certificate. A new window opens showing the certificate details.
  4. Go to the Certification Path tab. You'll see a tree: Root CA at the top, maybe one or more Intermediate CAs below, and the end certificate at the bottom.

Step 3.2: Check the path length constraint

  1. Double-click the Root CA certificate in the tree. This opens its details.
  2. Go to the Details tab. Scroll down to Basic Constraints. Highlight it and click Edit or just read the value. Look for Path Length Constraint. It might say None or a number like 1 or 0.
  3. Now count the number of Intermediate CAs in the chain (the ones between Root and end certificate). If the count exceeds the Path Length Constraint number, that's your violation.
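
The manual check from Steps 3.1 and 3.2 as a PowerShell script, added here as an example (it is not from the original article or from Microsoft). It goes further than the root-only count by applying the RFC 5280 path-length rule to every CA in the chain, because an intermediate can carry its own constraint. The function names Get-ChainRecord and Test-PathLength, the sample chain and the file name site.cer are assumptions made for this example.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Read an exported certificate and return its chain, root first.
function Get-ChainRecord {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert  = [X509Certificate2]::new((Resolve-Path $CertPath).Path)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)        # returns $false for a bad chain but still fills ChainElements
    $elements = @($chain.ChainElements)
    [array]::Reverse($elements)      # ChainElements starts at the end certificate
    foreach ($e in $elements) {
        $bc = $e.Certificate.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
        [pscustomobject]@{
            Subject = $e.Certificate.Subject
            Issuer  = $e.Certificate.Issuer
            PathLen = if ($bc -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { $null }
        }
    }
}

# Apply the path-length rule (RFC 5280, section 6.1.4) to a root-first chain.
function Test-PathLength {
    param([Parameter(Mandatory)][object[]]$Chain)
    $max = $Chain.Count; $setBy = $null
    for ($i = 0; $i -lt $Chain.Count - 1; $i++) {    # the end certificate is not counted
        $c = $Chain[$i]
        if ($c.Subject -ne $c.Issuer) {              # self-issued certificates are not counted
            if ($max -le 0) {
                return [pscustomobject]@{ Valid = $false; Offender = $c.Subject; LimitSetBy = $setBy }
            }
            $max--
        }
        if ($null -ne $c.PathLen -and $c.PathLen -lt $max) { $max = $c.PathLen; $setBy = $c.Subject }
    }
    [pscustomobject]@{ Valid = $true; Offender = $null; LimitSetBy = $setBy }
}

# Constructed sample chain (not real certificates): the root allows two
# intermediates, but the first intermediate carries a path length of 0.
$sample = @(
    [pscustomobject]@{ Subject = 'CN=Example Root';     Issuer = 'CN=Example Root';  PathLen = 2 }
    [pscustomobject]@{ Subject = 'CN=Example Int 1';    Issuer = 'CN=Example Root';  PathLen = 0 }
    [pscustomobject]@{ Subject = 'CN=Example Int 2';    Issuer = 'CN=Example Int 1'; PathLen = $null }
    [pscustomobject]@{ Subject = 'CN=vpn.example.test'; Issuer = 'CN=Example Int 2'; PathLen = $null }
)
Test-PathLength -Chain $sample
# For a certificate exported from the browser (site.cer is a placeholder):
# Test-PathLength -Chain (Get-ChainRecord -CertPath .\site.cer)
```

On the constructed sample, the root-only count passes (two intermediates against a limit of 2), while the full check reports CN=Example Int 2 as the offender and CN=Example Int 1 as the CA that set the limit.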

Step 3.3: Fix a bad chain

If the chain is too deep, you can't fix it on your side—the server admin needs to reinstall the certificate properly. But there's one exception: if the root CA is outdated or missing from your local machine, Windows might build a longer chain than intended.

  1. Open certlm.msc (press Windows+R, type certlm.msc, hit Enter). This opens the Local Machine certificate store.
  2. Go to Trusted Root Certification Authorities > Certificates. Find the root CA from step 3.2. If it's not there, that's a problem. If it's expired (check the Expiration Date column), that can also cause this error.
  3. If the root CA is missing or expired, you need to update it. Download the latest root certificate from the CA's official website. Right-click on Trusted Root Certification Authorities, choose All Tasks > Import, and follow the wizard to add the new root certificate.

My take: Most home users won't need to go this deep. If you're here, you're likely dealing with a misconfigured internal system at work. Call your IT department and tell them exactly what you found—specifically the path length constraint number and the number of intermediates. They'll know what to do.

When to give up and escalate

If none of these fixes work, the error is almost certainly on the server side. The server admin installed a certificate chain that violates the constraints baked into the root CA. No amount of tweaking your PC will fix that. Forward them this Microsoft documentation link: Certificate Verification. Tell them to check their intermediate certificates against the path length constraint of their root CA.

One last thing: if you're using a self-signed certificate for testing, you can bypass this error temporarily by adding the site to your browser's trusted sites or by installing the self-signed root certificate into the Trusted Root store. But for production systems, that's a band-aid, not a fix.
