Fix ERROR_IPSEC_IKE_PROCESS_ERR_CERT_REQ (0X0000360C)
This error pops up when a Windows VPN client gets a certificate request it can't process. I'll show you how to fix the trust chain.
You're connecting to an L2TP/IPsec VPN from a Windows 10 or 11 machine. Everything looks normal — you type in your credentials, the VPN tries to connect, and then bam: you get error 0X0000360C. The full message says something like "Error processing the certificate request payload." This usually happens after a domain controller or VPN server certificate gets renewed, or when you join a new machine to a domain that uses a different internal CA. I've seen it most often when a user tries to connect from a laptop that hasn't talked to the domain CA in months.
What Actually Causes This Error
The root cause is simple: the VPN server sends your machine a certificate request during IKE negotiation, but Windows can't process it because the issuing CA's root certificate isn't trusted on your machine. Or sometimes the intermediate CA certificate is missing from the local machine's certificate store. The IKE protocol expects a complete trust chain — from the server certificate up to a trusted root. If any link in that chain is broken, Windows bails out with this error.
There are two common variations:
- The VPN server uses a certificate from a third-party CA that you haven't imported into the Trusted Root Certification Authorities store on your machine.
- The server uses a certificate from an internal enterprise CA, but your machine never received the CA certificate chain via Group Policy or direct import.
The Fix — Step by Step
We're going to grab the missing certificates and put them where Windows can find them. You'll need local administrator rights on the machine. If you don't have them, contact your IT team.
Step 1: Get the Server's Certificate Details
- Open the VPN connection properties. Go to Settings > Network & Internet > VPN, click on your VPN connection, then select Advanced options.
- Look for VPN type. It should say L2TP/IPsec with certificate or similar. Write down the server address or name.
- If you don't have the server address handy, check with your network admin. You need the FQDN or IP of the VPN server.
Step 2: Connect to the Server and Download the Certificate
- Open a web browser. Type https://[VPN-server-address] in the address bar (replace with the actual server). You'll get a certificate warning — that's expected.
- Click the padlock icon in the address bar (or the Not secure warning). Select Certificate from the dropdown.
- In the Certificate window, go to the Certification Path tab. You'll see a tree: the top is the root CA, the bottom is the server certificate. The middle entries are intermediate CAs.
- Click the top entry (root CA). Then click View Certificate.
- In the new window, go to the Details tab. Click Copy to File. The Certificate Export Wizard opens.
- Choose Base-64 encoded X.509 (.CER). Name it something like RootCA.cer. Save it to your desktop.
- Repeat steps 4-6 for each intermediate CA in the chain (if any). Save each with a distinct name.
Step 3: Import the Certificates to the Machine Store
- Press Windows Key + R, type mmc, and hit Enter. The Microsoft Management Console opens.
- Click File (or the Console menu in some versions) and select Add/Remove Snap-in.
- Pick Certificates from the list, click Add, then select Computer account, then Local computer, and finish.
- In the left pane, expand Certificates (Local Computer), then expand Trusted Root Certification Authorities, then click Certificates.
- Right-click Certificates (the folder under Trusted Root Certification Authorities), select All Tasks > Import. The Certificate Import Wizard opens.
- Browse to your RootCA.cer file. Click Next.
- Leave the store as Trusted Root Certification Authorities. Click Next and then Finish. You should see a success message.
- Now go back to the left pane, expand Intermediate Certification Authorities, then click Certificates.
- Repeat the import process for each intermediate CA certificate file you saved. Make sure they go into the Intermediate Certification Authorities store.
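The Step 3 import can also be scripted from an elevated PowerShell prompt. This is an added example, not part of the original article: it assumes the .cer files from Step 2 are on the desktop, and the thumbprint values are placeholders to replace with ones your network admin gives you, so that a certificate fetched over an untrusted connection is checked before it becomes a trust anchor.

```powershell
# Added example: import exported CA certificates into the correct machine stores.
# Assumptions: .cer exports from Step 2 are on the desktop; the thumbprints below
# are placeholders for SHA-1 thumbprints obtained from your network admin.
$CertFiles = Get-ChildItem (Join-Path ([Environment]::GetFolderPath('Desktop')) '*.cer')
$ExpectedThumbprints = @(
    '<ROOT-CA-THUMBPRINT-FROM-ADMIN>',
    '<INTERMEDIATE-CA-THUMBPRINT-FROM-ADMIN>'
)

foreach ($file in $CertFiles) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)

    # Refuse anything that does not match a thumbprint confirmed out of band.
    if ($ExpectedThumbprints -notcontains $cert.Thumbprint) {
        Write-Warning "$($file.Name): thumbprint $($cert.Thumbprint) is not on the expected list, skipping"
        continue
    }
    # An expired CA certificate cannot repair the chain.
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$($file.Name): expired on $($cert.NotAfter), skipping"
        continue
    }

    # A root CA is self-signed (subject equals issuer); anything else is an intermediate.
    $store = if ($cert.Subject -eq $cert.Issuer) {
        'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities
    } else {
        'Cert:\LocalMachine\CA'     # Intermediate Certification Authorities
    }

    Import-Certificate -FilePath $file.FullName -CertStoreLocation $store | Out-Null
    Write-Output "$($file.Name): imported '$($cert.Subject)' into $store"
}
```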
Step 4: Reboot and Try the VPN
- Close the MMC — don't save changes if it asks.
- Restart your computer. I know it's annoying, but Windows caches certificate stores and a reboot forces a fresh load.
- After reboot, try your VPN connection again. The error should be gone.
If It Still Fails
Sometimes the problem isn't the trust chain — it's the certificate itself. Check a few things:
- Certificate expiry: Open the server certificate again (from the browser method). Look at the Valid from dates. If expired, that's your problem. The VPN server needs a new certificate.
- Wrong store: Did you accidentally import the root into Intermediate or vice versa? Double-check in MMC. Root CAs go only in Trusted Root. Intermediates go only in Intermediate.
- Group Policy override: If you're on a domain, your IT team might have a GPO that forces a specific CA. Run gpupdate /force from an admin command prompt, then reboot. If the error stays, the GPO might be pushing a different root that conflicts with yours.
- Event Viewer clues: Open Event Viewer, go to Windows Logs > Security, and look for events with ID 4654 or 4656 around the time of the failed connection. They often name the missing certificate.
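The wrong-store and expiry checks above can be run in one pass over the machine stores. This is an added example, not part of the original article; $CaNamePattern is a placeholder to set to text from your CA's subject name, so that unrelated certificates already in the stores are ignored.

```powershell
# Added example: audit where the VPN's CA certificates ended up.
# Run from an elevated PowerShell prompt.
# Assumption: $CaNamePattern is a placeholder; set it to text from your CA's subject.
$CaNamePattern = '*<YOUR-CA-NAME>*'

$stores = @(
    @{ Path = 'Cert:\LocalMachine\Root'; ShouldBeSelfSigned = $true  },
    @{ Path = 'Cert:\LocalMachine\CA';   ShouldBeSelfSigned = $false }
)

foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem $store.Path | Where-Object Subject -like $CaNamePattern) {
        $problems = @()

        # Wrong store: roots are self-signed, intermediates are not.
        $selfSigned = $cert.Subject -eq $cert.Issuer
        if ($selfSigned -ne $store.ShouldBeSelfSigned) { $problems += 'wrong store' }

        # Validity window.
        $now = Get-Date
        if ($now -gt $cert.NotAfter)  { $problems += "expired $($cert.NotAfter)" }
        if ($now -lt $cert.NotBefore) { $problems += "not valid until $($cert.NotBefore)" }

        # Build the chain in the machine context rather than the user's stores.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
        if (-not $chain.Build($cert)) {
            $problems += ($chain.ChainStatus | ForEach-Object { $_.Status })
        }

        [pscustomobject]@{
            Store      = $store.Path
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Problems   = if ($problems) { $problems -join ', ' } else { 'none' }
        }
    }
}
```

A row with Problems other than "none" points at the store or certificate to fix; no rows at all means no certificate matching the pattern is installed in either store.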
I've fixed this error dozens of times. The fix above works in 9 out of 10 cases. The remaining 1 out of 10 is usually a server-side certificate issue that your network admin needs to handle. Good luck.