SharePoint Certificate errors

January 9 2012

This article introduces some tools and practices that I’ve found useful for tackling SharePoint 2010 errors arising from SSL certificates. The main reason for writing it is the “The root of the certificate chain is not a trusted root authority” error.

Let’s first take a look at a useful tool for solving certificate errors. Windows has a very good built-in SSL certificate error log called CAPI2. It can be enabled under Applications and Services Logs -> Microsoft -> CAPI2 by left-clicking “Operational” and pressing “Enable Log”.
The two most common errors in the CAPI2 log seem to be errors with Certificate Revocation Lists (CRL) and untrusted root certificate chains. Let’s take a look at how one could solve these problems.

Certificate revocation list errors
To make sure that SSL certificates are still valid, Windows checks the CRL. By default it will try to access this list for 15 seconds. If the list cannot be accessed, the process continues normally.
In SharePoint, CRL problems may show up as, for example, long loading times (especially if the page is not used frequently), broken functionality, etc.
CRL access errors can be solved with a few fairly easy steps:
1. In the CAPI2 log, open the error event in the Details / XML view and find which CRL (Certificate Revocation List) URL the server is trying to access.
2. You basically have two options for solving this:

  a. Enable access to the CRL address. If you can connect to the Internet via a proxy, you can first configure the proxy settings in the Internet settings panel and then run:
    netsh winhttp import proxy ie
  b. Disable the certificate revocation list check (not recommended); see “How to Disable CRL Checking”.
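
Step 1 above can be scripted instead of opening each event by hand. The following is an added example, not code from the original post: it pulls the URLs out of CAPI2 error events and counts them, so the CRL address that keeps failing stands out. The function name and the sample events are constructed for illustration; the sample XML is a simplified stand-in, not the real CAPI2 event schema.

```powershell
# Added example (not from the original post).
# Enable the log first if needed:
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

function Get-UrlFromEventXml {
    param([string[]]$EventXml)
    # CRL distribution points are published as http(s) or ldap URLs.
    $pattern = '(?i)\b(?:https?|ldap)://[^\s"''<>]+'
    foreach ($xml in $EventXml) {
        foreach ($m in [regex]::Matches($xml, $pattern)) {
            # Skip XML namespace URIs; they are not retrieval targets.
            if ($m.Value -notmatch '^https?://schemas\.microsoft\.com/') { $m.Value }
        }
    }
}

function Show-UrlCount {
    param([string[]]$Url)
    $Url | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample events (simplified, hypothetical hosts).
$sample = @(
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><UserData><URL>http://crl.example.test/root.crl</URL></UserData></Event>",
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><UserData><URL>http://crl.example.test/root.crl</URL></UserData></Event>",
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><UserData><URL>ldap://dc01.example.test/CN=IssuingCA</URL></UserData></Event>"
)
Show-UrlCount (Get-UrlFromEventXml $sample)

# Same analysis against the live log on this server (Level 2 = Error).
$filter = @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 }
$live = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue
if ($live) {
    $xml = $live | ForEach-Object { $_.ToXml() }
    Show-UrlCount (Get-UrlFromEventXml $xml)
}
```

Not every URL in an error event is a CRL; the same events can also reference other retrieval targets, so confirm the address in the event's XML view before opening firewall or proxy access for it.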

Untrusted root authority or broken certificate chain error in SharePoint
1. Let’s first make sure that you have the proper error.

  a. Open the Management Console (MMC) and add the Certificates snap-in.
  b. Expand Certificates -> SharePoint -> Certificates and open one of the certificates included in that folder.
  c. The Certification Path tab should look like the following figure.

2. OK, so let’s fix this problem. The problem, by the way, is that these certificates are issued by a certificate authority which is not trusted.

  a. First we must export the root certificate from SharePoint by using the following PowerShell commands:
    # Run in the SharePoint 2010 Management Shell
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    $rootCert.Export("Cert") | Set-Content C:\FarmRoot.cer -Encoding byte
  b. Then import the SharePoint root certificate into the trusted root authorities.

3. If all went well, the certificates under the SharePoint certificate store should look like the following figure.
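
Steps 2b and 3 can also be done from PowerShell. This is an added example, not code from the original post: it imports the exported file into the machine's Trusted Root store and then rebuilds the chain for every certificate in the SharePoint store, replacing the visual check of the Certification Path tab. It assumes the export path used above and an elevated prompt on the SharePoint server.

```powershell
# Added example (not from the original post). Run elevated on the SharePoint server.
$rootPath = 'C:\FarmRoot.cer'   # file written by the export step above

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootPath

# A trusted-root entry should be self-signed; stop if the file is something else.
if ($root.Subject -ne $root.Issuer) { throw "Not a self-signed root: $($root.Subject)" }

# Compare this thumbprint with the farm's root before trusting it machine-wide.
Write-Host ("Importing {0} [{1}]" -f $root.Subject, $root.Thumbprint)

$trusted = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$trusted.Open('ReadWrite')
$trusted.Add($root)
$trusted.Close()

# Rebuild the chain for every certificate in the SharePoint store.
$sp = New-Object System.Security.Cryptography.X509Certificates.X509Store('SharePoint', 'LocalMachine')
$sp.Open('ReadOnly')
foreach ($cert in $sp.Certificates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation here so CRL reachability does not mask the trust result.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        ChainOk     = $chainOk
        ChainStatus = $status
    }
}
$sp.Close()
```

A certificate that still reports `UntrustedRoot` in `ChainStatus` after the import chains to a different root than the one that was exported.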

Although we have focused on SharePoint 2010 in this blog post, these tools and practices can also be applied to many other software products running on the Windows platform.


Comments to “SharePoint Certificate errors”

  1. Juha Koivula says:

    Hola from Chile, I had a certificate problem with a client’s SharePoint environment a while ago. The site stopped responding and SharePoint was throwing “certificate expired” errors in Windows log. In this case the solution was (embarrassingly) simple: the server had the date and time set wrong – nobody admits having changed it -, and it caused the certificate to be invalid. It was a simple solution but it took me a while to solve it because nothing in the logs indicated that it was a date/time issue. :)

  2. Marko Rosberg says:

    This proves that it’s very important to have an up-to-date list that includes information about: the certificates that your company owns, expiration dates and servers on which these certificates are installed to.
