The 800B0109 error was caused by an intermediate cert not pushed to the cert store (though it was to browsers).
Getting 80092012 now, which appears to be a CRL issue.
The end cert does not contain CRL or OCSP info at all. Chrome/Firefox/Edge do not complain.
WinSCP version: 5.13.3
1. Windows 10 Version 1803 (OS Build 17134.137)
2. Windows Server 2016 Version 1607 (OS Build 14393.2339)
"Certificate not trusted.
Error: 800B0109, Chain index: 0, Element index: -1
Server certificate verification failed: issuer is not trusted"
Both machines are behind a corporate proxy. The proxy terminates SSL to inspect traffic and issues a local cert on the fly for the machine-to-proxy connection. The issuer's root cert is pushed by policy to the machines and all other programs have no issue.
Does WinSCP not use the Windows Certificate Store and keep its own list of trusted root certs?
Or perhaps has a hardcoded check for a particular certificate it expects to receive?