Troubleshooting Certificates in Lync with CAPI2 logging

Certificate issues in Lync 2010 can sometimes be complex to troubleshoot.  In my experience, sometimes the Lync Server Event logs are not always helpful enough to solve the issue. Enter the CAPI2 log (which is not enabled by default).

First Enable the log:  

Let the CAPI2 events collect:

Now investigate:

Other certificate troubleshooting can involve the following:

Enabling the root certificate for all purposes:

Verifying Enhanced Key Usage (depending on Server role check here):

Validating Lync Server access to root Certificate Revocation lists. This can be easily done by copying the CRL Distribution Point Url into a web browser and being prompted for a download :