Hello,
Thanks for posting in Microsoft Community.
Event ID 36885: "A fatal error occurred while creating a TLS client connection"
Event ID 36885 is related to a TLS (Transport Layer Security) error, and specifically, it indicates that there was an issue with establishing a secure connection due to certificate problems. It can occur when there are too many certificates in the trusted root certificate store, causing issues in the verification process.
Why is this happening?
Too many Trusted Root Certificates: The system relies on the list of trusted root certificates to verify the authenticity of SSL/TLS connections. Having too many certificates in the store can lead to performance degradation, errors in certificate validation, and even memory issues, particularly in environments where the server has many services (like SQL Server, File Server, Print Server, etc.) that rely on TLS connections.
Expired or Duplicate Certificates: Over time, the certificate store can accumulate old, expired, or duplicate certificates, contributing to the error.
Is it common to have 355 Trusted Root Certificates?
While the number of certificates can vary depending on the server’s role, it's not common to have such a high number of trusted root certificates. In most environments, a more manageable number of trusted certificates is usually expected. For example, Windows typically has between 100 and 200 trusted root certificates by default, but this number can increase due to additional software, third-party certificates, or organizations adding their own trusted roots.
However, 355 certificates is an unusually high number and may indicate that the server has accumulated unnecessary or outdated certificates. These could be the result of:
Legacy software
Poor certificate management practices
Automatic updates from multiple third-party providers
Should you shorten the list of Trusted Root Certificates?
Yes, it's a good idea to shorten the list of trusted root certificates, but with caution. Removing trusted root certificates manually can have unintended side effects, so you'll need to be selective. Here's what you can do:
Steps to Resolve Event ID 36885
Review the Certificate Store:
Open Manage Computer Certificates by typing certmgr.msc in the Run dialog (press Win + R).
Navigate to Trusted Root Certification Authorities > Certificates.
Look for expired or duplicate certificates that aren't necessary for your server’s roles. If you're unsure about whether to delete a certificate, research its source first. You can also export a certificate to verify its purpose before removing it.
Check for Unnecessary Certificates:
Remove duplicate certificates or certificates that are no longer in use. Be careful about Microsoft or root CA certificates that are still actively used by your system and applications.
If you're unsure whether to remove a certificate, it's better to leave it than to remove it and cause potential issues with TLS connections.
Automate Certificate Cleanup (Optional):
You can use tools like PowerShell to clean up certificates. For example, the following PowerShell script can help identify and remove expired certificates:
# Lists every certificate in the machine Trusted Root store whose NotAfter date is already in the past, then removes each one. Run from an elevated PowerShell prompt; add -WhatIf after Remove-Item to preview what would be deleted before running it for real.
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.NotAfter -lt (Get-Date) } | Remove-Item
Check for Third-Party Software Adding Certificates:
Some software (especially security software or VPN clients) can add root certificates. Check if there is any third-party software installed that might be adding unnecessary certificates.
Consider updating or reinstalling these applications if they are adding excessive certificates.
I hope the above information is helpful to you.
Best regards,
Runjie Zhai
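The review, cleanup and third-party-check steps in the answer above can be combined into one audit script. The following is an added example, not code from the original answer or from Microsoft: it inventories Cert:\LocalMachine\Root into a CSV, prints the expired roots, subjects that appear under more than one thumbprint, and roots that are absent from the AuthRoot store (assumption: AuthRoot holds the roots the Microsoft Trusted Root Program delivers through Windows Update, so a root that is only in Root was most likely installed in-box, by software or by an administrator; treat that list as a review queue, not a deletion list). The script name Audit-RootStore.ps1, the parameter names -ReportPath and -RemoveExpired, and the report location are assumptions made for this example. Removal is opt-in and honours -WhatIf.

```powershell
# Added example (not part of the original answer): audit Cert:\LocalMachine\Root before
# removing anything from it. Run from an elevated PowerShell prompt, e.g.
#   .\Audit-RootStore.ps1                         # report only
#   .\Audit-RootStore.ps1 -RemoveExpired -WhatIf  # preview removals
#   .\Audit-RootStore.ps1 -RemoveExpired          # remove expired roots (prompts per item with -Confirm)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical parameter names chosen for this example.
    [string]$ReportPath = "$env:TEMP\RootStoreAudit.csv",
    [switch]$RemoveExpired
)

$now = Get-Date
$rootCerts = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

# Assumption: AuthRoot mirrors what the Microsoft Trusted Root Program ships via Windows Update.
# A root present in Root but not in AuthRoot deserves a second look; it is not automatically bad.
$authRootThumbprints = @(Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
    Select-Object -ExpandProperty Thumbprint)

# One row per certificate with the facts needed to decide whether it belongs in the store.
$report = foreach ($cert in $rootCerts) {
    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        NotBefore          = $cert.NotBefore
        NotAfter           = $cert.NotAfter
        Expired            = ($cert.NotAfter -lt $now)
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)
        InAuthRoot         = ($authRootThumbprints -contains $cert.Thumbprint)
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    }
}

$report | Sort-Object Subject | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} certificates in Trusted Root; report written to {1}" -f $rootCerts.Count, $ReportPath)

Write-Host "`nExpired roots:"
$report | Where-Object Expired | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# The same subject under two thumbprints is often a legitimate re-key or cross-sign,
# so these are listed for manual review rather than deleted automatically.
Write-Host "`nSubjects present more than once (review manually):"
$report | Group-Object Subject | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group } | Format-Table Subject, NotAfter, Thumbprint -AutoSize

Write-Host "`nRoots not found in AuthRoot (in-box, software-installed or admin-installed; review):"
$report | Where-Object { -not $_.InAuthRoot } | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# Removal is opt-in and goes through ShouldProcess, so -WhatIf and -Confirm both work.
if ($RemoveExpired) {
    foreach ($row in ($report | Where-Object Expired)) {
        $path = "Cert:\LocalMachine\Root\$($row.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($path, "Remove expired root certificate '$($row.Subject)'")) {
            Remove-Item -Path $path
        }
    }
}
```

Keep the CSV from the first run as a record of the store before any change; it gives you the thumbprints needed to re-import a root if an application turns out to depend on one you removed.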