Fix: A Fatal Error Occurred while Creating a TLS Client Credential

TLS (Transport Layer Security) is the protocol that sits between a client and a server to authenticate the peer and to encrypt and integrity-protect the data they exchange. During the TLS handshake the server presents an X.509 certificate (still commonly called an SSL certificate) to prove its identity. The client can accept that certificate because it chains to a Certificate Authority (CA) already present in the client's trust store; the trust relationship therefore exists before any connection is attempted, while the certificate itself is only seen during the handshake.

The client then validates the certificate with its TLS implementation: it builds the chain up to a trusted root, checks the validity period, matches the name in the certificate against the host it intended to reach and, where configured, checks revocation status through a CRL or OCSP.

The error discussed here is not a decryption failure and occurs before any of that. Before a handshake starts, a Windows application asks the SChannel security support provider for a credential handle (via AcquireCredentialsHandle) describing the protocol versions and, for servers, the certificate it intends to use. When SChannel cannot produce that handle it logs Event ID 36871 in the System log. The full message is:

‘A fatal error occurred while creating a TLS client credential. The internal error state is 10013.’

The message can have several causes: system settings that leave no usable protocol version, deprecated algorithms, or a problem with a certificate or its private key. Internal error state 10013 is an SChannel state code that Microsoft does not document, but in practice it is most often seen when the protocol versions an application requests do not overlap with the versions SChannel has enabled. Typical cases are a system where TLS 1.0 and 1.1 were disabled in the registry while an older application or .NET Framework runtime still explicitly asks for them, or a hardening script that disabled every version at once. The other cause often cited, SChannel being unable to use the private key belonging to the configured certificate, produces the same event and is worth checking when the error comes from a server role.

The event is raised on whichever side is creating the credential (a "client credential" means the side initiating the connection), so start by identifying which machine and which process logs it. Then check the following:

  • At least one protocol version is enabled under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols for that role (Client or Server), and the application is not pinned to a version that has been disabled.
  • The server's certificate is correctly installed, currently valid and unexpired, and the account running the server process can read its private key.
  • The client trusts the server's certificate, with a complete chain up to a root in the client's trust store.
  • The cryptographic provider (CSP or KSP) that holds the server certificate's key is installed and operational on the server.
  • Any recent change that may have touched SChannel or the certificates (Group Policy, hardening scripts, updates, certificate renewals) has been reviewed.

Review the server and client configurations for compatibility: both ends must share at least one protocol version and one cipher suite, and that common ground should be TLS 1.2 or TLS 1.3. If the troubleshooting steps below, enabling TLS 1.2 and 1.3 and confirming the correct certificates are in place, do not resolve the issue, the next stop is the System event log (source Schannel) together with the application's own logs, or help from someone with network-security and Windows-administration experience.
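Before changing anything it helps to see exactly what the machine has configured and whether the event is still being logged. The following PowerShell script is an added example, not code from the original article; the function names are my own, and it only reads the registry and the event log. Run it in an elevated session on the machine that logs Event ID 36871.

```powershell
# Added diagnostic, not from the original article. Function names are my own choices.

function Get-SchannelProtocolState {
    # Reads the per-version, per-role SChannel keys. A missing key means the
    # default for this Windows release applies, which differs between versions.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($role in 'Client', 'Server') {
            $key    = "$base\$proto\$role"
            $values = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                KeyPresent        = [bool]$values
                Enabled           = if ($values) { $values.Enabled } else { 'default' }
                DisabledByDefault = if ($values) { $values.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Get-DotNetTlsSettings {
    # Windows PowerShell and .NET Framework applications talk to SChannel through
    # these values (.NET Framework 4.6/4.7 and later). SystemDefaultTlsVersions=1
    # makes the runtime follow the OS protocol list instead of pinning old versions;
    # SchUseStrongCrypto=1 stops it from offering SSL 3.0 and other weak defaults.
    $paths = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $v = Get-ItemProperty -Path $p
            [pscustomobject]@{
                Path                     = $p
                SchUseStrongCrypto       = $v.SchUseStrongCrypto
                SystemDefaultTlsVersions = $v.SystemDefaultTlsVersions
            }
        }
    }
}

function Get-RecentSchannelErrors {
    param([int]$Hours = 24)
    # Event ID 36871 is written by the Schannel provider into the System log.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36871
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetTlsSettings     | Format-Table -AutoSize
Get-RecentSchannelErrors  | Format-Table -Wrap
```

Read the first table for the role that logs the error: if every row for that role shows Enabled = 0, or TLS 1.2 shows DisabledByDefault = 1 while the older versions are disabled, the application has no version left to negotiate, which matches the state 10013 case described above. An empty third table after a restart and a retried connection means the error has stopped.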

The fix the article proposes is to enable every TLS protocol version in Internet Options on both the client and the server. Two caveats apply. First, TLS 1.0 and 1.1 are deprecated (RFC 8996) and are disabled by default in current Windows releases; re-enabling them removes a deliberate hardening, so treat it as a stopgap while the application or peer is moved to TLS 1.2 or 1.3, and leave SSL 2.0 and 3.0 off. Second, the Internet Options checkboxes set the per-user SecureProtocols value used by WinINET-based software such as Internet Explorer and some older applications; they do not change the system-wide SChannel keys, which is what the PowerShell method further down does.

  1. Open Control Panel and navigate to Internet Options.
  2. Open the Advanced tab and scroll down to the Security section.
  3. Tick "Use TLS 1.2" and, where offered, "Use TLS 1.3 (experimental)"; tick "Use TLS 1.0" and "Use TLS 1.1" only if a peer you must reach supports nothing newer.
  4. Click Apply followed by OK.

Alternatively, the same change can be made at the SChannel level, which governs every application on the system rather than only WinINET clients, by setting the registry values from PowerShell.

  1. Right-click on the Windows icon and select PowerShell (Admin).
  2. Copy and paste the following scripts, and then run them:

    For client-side connections, create the protocol keys if they are missing (Set-ItemProperty fails on a key that does not exist, and these keys are usually absent until something creates them) and enable TLS 1.0, 1.1, and 1.2. DisabledByDefault is set to 0 as well; at 1 the version is only used when an application explicitly asks for it:

    foreach ($version in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$version\Client"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Enabled' -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -Type DWord
    }

    For server-side connections, do the same under the Server subkey of each version:

    foreach ($version in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$version\Server"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Enabled' -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -Type DWord
    }

    Drop 'TLS 1.0' and 'TLS 1.1' from the list unless a peer genuinely needs them; on Windows 11 and Windows Server 2022 you can add 'TLS 1.3' the same way.
  3. Finally, restart the computer, reproduce the connection that failed, and check the System event log for a new Event ID 36871 from source Schannel.

The error can also mean the two ends simply have no protocol version in common: a client that offers only TLS 1.2 against a server still limited to TLS 1.0, or the reverse. Confirm that the server accepts TLS 1.2 (or 1.3). If it does not, the fix belongs on the server, so contact its administrator rather than weakening the client.
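After the registry change and restart, the quickest way to confirm both the local configuration and the server's compatibility is to attempt a handshake at each protocol version and see which ones succeed. The script below is an added example, not code from the original article; the function name is my own, and the target host is a placeholder you should replace with the server the failing client talks to. It uses System.Net.Security.SslStream, which on Windows PowerShell is built on SChannel, so requesting a version that is disabled in the registry fails here and, on Windows PowerShell, reproduces the same Event ID 36871.

```powershell
# Added verification script, not from the original article. The function name and
# the $Target value are my own choices.

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
                               [int]      $Port     = 443,
                               [string[]] $Versions = @('Tls', 'Tls11', 'Tls12', 'Tls13')
    )
    # Only offer versions this runtime knows; Tls13 exists from .NET Framework 4.8 / .NET Core 3.0.
    $known = [enum]::GetNames([System.Security.Authentication.SslProtocols])
    foreach ($name in $Versions) {
        if ($name -notin $known) {
            [pscustomobject]@{ Requested = $name; Result = 'not supported by this runtime'
                               Negotiated = $null; Cipher = $null; Subject = $null }
            continue
        }
        $proto = [System.Security.Authentication.SslProtocols]$name
        $tcp   = New-Object System.Net.Sockets.TcpClient
        $ssl   = $null
        try {
            $tcp.Connect($HostName, $Port)
            # SslStream asks SChannel for a client credential restricted to $proto.
            # A version disabled in the registry fails before any bytes reach the server;
            # a version the server rejects fails during the handshake instead.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $true)
            [pscustomobject]@{
                Requested  = $name
                Result     = 'OK'
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
                Subject    = $ssl.RemoteCertificate.Subject
            }
        } catch {
            [pscustomobject]@{
                Requested  = $name
                Result     = $_.Exception.GetBaseException().Message
                Negotiated = $null; Cipher = $null; Subject = $null
            }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Dispose()
        }
    }
}

$Target = 'example.com'   # assumption: replace with the server the failing client connects to
Test-TlsHandshake -HostName $Target | Format-Table -AutoSize
```

A row that fails for Tls while Tls12 succeeds is the expected, healthy outcome on a hardened client. A row where Tls12 fails with a message about the client and server not sharing a common algorithm points at the server, which is the case for contacting its administrator; a Tls12 failure that also writes a fresh Event ID 36871 on the client points back at the local SChannel configuration.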

ABOUT THE AUTHOR

Kevin Arrows


Kevin Arrows is a highly experienced and knowledgeable technology specialist with over a decade of industry experience. He holds a Microsoft Certified Technology Specialist (MCTS) certification and has a deep passion for staying up-to-date on the latest tech developments. Kevin has written extensively on a wide range of tech-related topics, showcasing his expertise and knowledge in areas such as software development, cybersecurity, and cloud computing. His contributions to the tech field have been widely recognized and respected by his peers, and he is highly regarded for his ability to explain complex technical concepts in a clear and concise manner.