Windows User-ID Agent is unable to validate the certificate used in XML API requests
Created On 09/25/23 12:11 PM - Last Modified 07/14/25 20:38 PM
Symptom
- XML API requests to the Windows User-ID agent fail.
- One of the following errors is seen in the User-ID agent logs.
[Error 478]: Certificate store cannot be accessed, unable to verify peer certificate
OR
[Error 392]: Issuer not found in the trust store
Environment
- User ID Agent
- Windows Server
- XML API
Cause
- When it receives an XML API request, the Windows-based User-ID agent validates the client certificate against the system (Local Computer) certificate stores.
- Client certificate validation fails if the User-ID service account does not have full control of the registry key that backs those stores (HKEY_LOCAL_MACHINE\...\SystemCertificates); this is the condition reported as "Certificate store cannot be accessed" (Error 478).
- When checking the chain, the agent looks for CA certificates only in the 'Trusted Root Certification Authorities' store; it does not consult the 'Intermediate Certification Authorities' store.
- If the client certificate chain contains one or more intermediate CAs, validation therefore fails when those intermediate CA certificates are present only in the 'Intermediate Certification Authorities' store, which surfaces as "Issuer not found in the trust store" (Error 392).
Resolution
- Ensure that the User-ID service account has full control of the following registry key, including its subkeys:
  - 32-bit systems: HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates
  - 64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates
- If the client certificate chain contains intermediate certificates, install those certificates in the Local Computer 'Trusted Root Certification Authorities' store rather than only in the 'Intermediate Certification Authorities' store.
- If the intermediate certificates are already in the 'Intermediate Certification Authorities' store, they can stay there; install a second copy of them in the 'Trusted Root Certification Authorities' store. Note that anything in that store becomes a trust anchor for the whole host, so add only the intermediates of your own client certificate chain.
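The two resolution steps above carried out from an elevated PowerShell session on the User-ID agent host, as an added example that is not part of this KB article. The service account name CONTOSO\svc-userid and the client certificate path C:\Temp\uid-client.cer are placeholders to substitute. The script grants Full Control on the SystemCertificates key the article names, then builds the XML API client certificate's chain from the Local Computer stores and copies only that chain's intermediate CAs into Trusted Root.

```powershell
# Added example (not from the KB article). Run from an elevated, 64-bit
# PowerShell session on the User-ID agent host. Placeholders (assumptions):
$ServiceAccount = 'CONTOSO\svc-userid'     # account the User-ID agent service runs as
$ClientCertPath = 'C:\Temp\uid-client.cer'  # XML API client certificate (public part, DER or Base64)

# --- Step 1: Full Control on the SystemCertificates key the agent reads -------
# The KB lists the WOW6432Node path for 64-bit systems, so choose by OS bitness.
$KeyPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\SystemCertificates'
} else {
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates'
}
$acl  = Get-Acl -Path $KeyPath
# Allow FullControl, inherited by subkeys and values (ContainerInherit, ObjectInherit).
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $ServiceAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.SetAccessRule($rule)      # replaces any existing Allow entry for this identity
Set-Acl -Path $KeyPath -AclObject $acl

# Confirm the effective entry (this is the Error 478 condition).
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize

# --- Step 2: copy the chain's intermediate CAs into Trusted Root --------------
# .NET chain building consults the Intermediate CA store, so the chain resolves
# here even though the agent's own check (Trusted Root only) does not.
$client = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $ClientCertPath
$chain  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline; only the chain shape matters here
$null = $chain.Build($client)

# Intermediates: every element that is neither the leaf nor self-signed (the root).
$intermediates = $chain.ChainElements | ForEach-Object { $_.Certificate } | Where-Object {
    $_.Thumbprint -ne $client.Thumbprint -and $_.Subject -ne $_.Issuer
}
if (-not $intermediates) { Write-Output 'No intermediate CAs in this chain; nothing to copy.' }

$rootStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
    -ArgumentList 'Root', 'LocalMachine'
$rootStore.Open('ReadWrite')
foreach ($ca in $intermediates) {
    $present = $rootStore.Certificates.Find('FindByThumbprint', $ca.Thumbprint, $false)
    if ($present.Count -eq 0) {
        # Only this chain's intermediates are promoted: every certificate in the
        # Root store is a trust anchor for the whole host.
        Write-Output "Adding to Trusted Root: $($ca.Subject) [$($ca.Thumbprint)]"
        $rootStore.Add($ca)
    } else {
        Write-Output "Already in Trusted Root: $($ca.Subject)"
    }
}
$rootStore.Close()
```

The intermediates are left in the 'Intermediate Certification Authorities' store untouched; the script only adds a second copy to 'Trusted Root Certification Authorities', and only for certificates that actually appear in the client certificate's chain, so unrelated intermediates on the host are never promoted to trust anchors.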
Additional Information
User-ID XML API setup on Windows UID agent