SharePoint Certificate errors

January 9 2012 6 comments

This article introduces some tools and practices that I have found useful for tackling SharePoint 2010 errors arising from SSL certificates. The main reason for writing it is the error “The root of the certificate chain is not a trusted root authority”.

Let’s first take a look at a useful tool for solving certificate errors. Windows has a built-in and very detailed certificate diagnostics log called CAPI2. It is disabled by default; enable it in Event Viewer under Applications and Services Logs -> Microsoft -> Windows -> CAPI2 by right-clicking “Operational” and choosing “Enable Log”. Leave it enabled only while you troubleshoot: it is verbose and records every certificate chain the server builds.
Figure: CAPI2 Operational log in Event Viewer
The two most common errors in the CAPI2 log seem to be Certificate Revocation List (CRL) retrieval failures and untrusted root certificate chains. Let’s take a look at how one could solve these problems.

Certificate revocation list errors
To make sure that an SSL certificate has not been revoked, Windows tries to download the CRL named in the certificate’s CRL Distribution Point extension. By default it waits up to 15 seconds for each URL. If the list cannot be retrieved, the revocation status is simply reported as unknown and processing continues normally; the damage is the delay rather than a failed check, and the delay is paid again every time a chain has to be rebuilt.
In SharePoint, CRL problems show up for example as long loading times (especially on the first request to a site or application pool that is not used frequently), broken functionality, etc.
CRL access errors can be solved in a few quite easy steps:
1. In CAPI2, open the error event in the Details / XML view and find which CRL URL the server is trying to access (the URL is in the event data, not in the summary message).
Figure: CRL retrieval error in the CAPI2 log
2. You basically have two options for solving this:

  a. Enable access to the CRL address. If the server can reach the Internet only via a proxy, first configure the proxy in the Internet Options control panel (while logged on as the account whose settings you want to copy) and then import those settings into the WinHTTP stack that CryptoAPI uses, from an elevated prompt:
    netsh winhttp import proxy source=ie
  b. Disable the certificate revocation list check (not recommended; see How to Disable CRL Checking). Before doing this, confirm that the CRL really is the cause by reproducing the delay and matching its timing against the CAPI2 event timestamps.
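The steps above done from PowerShell, as an added example that is not part of the original post: it enables the CAPI2 Operational log, extracts every URL mentioned in the error events it has recorded, and then probes each HTTP(S) URL through WinHTTP (the same stack and proxy settings CryptoAPI uses), so you see which CRL address the server actually needs to reach. It filters on error level rather than assuming particular CAPI2 event IDs; the `Get-Capi2FailedUrls` function name and the 200-event limit are my own choices.

```powershell
# Added example (not from the original post): find the CRL/AIA URLs behind
# CAPI2 error events and test whether WinHTTP can reach them.
# Run in an elevated PowerShell session on the SharePoint server.

$logName = 'Microsoft-Windows-CAPI2/Operational'

# Same effect as "Enable Log" in Event Viewer. Disable again when done with:
#   wevtutil.exe sl $logName /e:false
wevtutil.exe sl $logName /e:true

# Reproduce the slow request (browse the site once, or recycle the application
# pool and browse again) before running the query, so the failures are in the log.

$urlPattern = '(?i)\b(?:https?|ldap|file)://[^\s"<>]+'

function Get-Capi2FailedUrls {
    param([int]$MaxEvents = 200)   # assumed limit; raise it on a busy server

    # Level 2 = Error. No specific event IDs are assumed.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = $e.ToXml()   # the URLs live in the event XML, not in the message text
        $urls = [regex]::Matches($xml, $urlPattern) |
                ForEach-Object { $_.Value } | Select-Object -Unique
        if ($urls) {
            New-Object PSObject -Property @{
                Time = $e.TimeCreated
                Id   = $e.Id
                Task = $e.TaskDisplayName
                Urls = ($urls -join ' ')
            }
        }
    }
}

$failed = Get-Capi2FailedUrls
$failed | Format-Table -AutoSize Time, Id, Task, Urls

# Probe each distinct HTTP(S) URL through WinHTTP so the test honours the
# proxy configured with "netsh winhttp", exactly like the real CRL download.
$distinct = $failed | ForEach-Object { $_.Urls -split ' ' } | Select-Object -Unique
foreach ($url in $distinct) {
    if ($url -notmatch '^https?://') { continue }   # LDAP/file CDPs are not probed here
    $req = New-Object -ComObject WinHttp.WinHttpRequest.5.1
    $req.SetTimeouts(15000, 15000, 15000, 15000)     # mirror the 15 s CryptoAPI wait
    try {
        $req.Open('HEAD', $url, $false)
        $req.Send()
        "{0,-4} {1} {2}" -f $req.Status, $req.StatusText, $url
    } catch {
        "FAIL {0} ({1})" -f $url, $_.Exception.Message
    }
}
```

A 200 from the probe but a CAPI2 error that persists afterwards usually means the CRL file itself is stale or the CDP serves something other than a CRL; `certutil -urlfetch -verify <certfile.cer>` against the offending certificate shows what CryptoAPI makes of each URL.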

Untrusted root authority or broken certificate chain error in SharePoint
1. Let’s first make sure that you have the proper error.

  a. Open the Management Console (mmc.exe) and add the Certificates snap-in for the Local Computer account.
  b. Expand Certificates -> SharePoint -> Certificates and open one of the certificates in that folder.
  c. On the Certification Path tab the chain ends in the farm’s “SharePoint Root Authority” certificate with a status saying the root is not trusted, as in the following figure.

2. OK, so let’s fix this problem. The problem, by the way, is that these certificates are issued by the farm’s own certificate authority, which the server does not trust because that root is not in its Trusted Root Certification Authorities store.

  a. First export the root certificate from SharePoint, using the following PowerShell commands in the SharePoint 2010 Management Shell (the -Encoding byte switch matters; a text encoding would corrupt the DER file):
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    $rootCert.Export("Cert") | Set-Content C:\FarmRoot.cer -Encoding byte
  b. Then import C:\FarmRoot.cer into Trusted Root Certification Authorities of the local computer (in the Certificates snap-in: right-click Trusted Root Certification Authorities -> All Tasks -> Import). The trusted root store is per machine, so repeat this on every server in the farm.

3. If all went well, the certificates in the SharePoint certificate store should now show a complete, trusted chain, as in the following figure.
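The whole procedure as one script, an added example rather than the post’s own commands: it exports the farm root, checks that what it is about to trust really is a self-signed root, imports it into the local machine’s Root store only if it is not already there, and then verifies the result by building a chain for every certificate in the SharePoint store instead of eyeballing the snap-in. It assumes the SharePoint 2010 snap-in is available and uses C:\FarmRoot.cer as an arbitrary output path.

```powershell
# Added example (not the original post's script): export the farm root CA,
# trust it on this machine, and verify that the SharePoint store now chains.
# Run elevated on each server in the farm. C:\FarmRoot.cer is an assumed path.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rootPath = 'C:\FarmRoot.cer'
$rootCert = (Get-SPCertificateAuthority).RootCertificate

# A root CA is self-signed: subject and issuer are identical. Refuse anything
# else, so a mistake upstream cannot land a non-root certificate in Root.
if ($rootCert.Subject -ne $rootCert.Issuer) {
    throw "Not a self-signed root: $($rootCert.Subject)"
}
"Farm root: $($rootCert.Subject)  thumbprint $($rootCert.Thumbprint)"

# Export the public certificate only (X509ContentType.Cert carries no private key).
[System.IO.File]::WriteAllBytes($rootPath, $rootCert.Export('Cert'))

# Import into Trusted Root Certification Authorities of the local machine,
# skipping the add if the same thumbprint is already present.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$already = $root.Certificates.Find('FindByThumbprint', $rootCert.Thumbprint, $false)
if ($already.Count -eq 0) {
    $root.Add($rootCert)
    "Imported $rootPath into LocalMachine\Root"
} else {
    "Already trusted, nothing to do"
}
$root.Close()

# Verification: every certificate in the SharePoint store must now build a
# trusted chain. Revocation is deliberately not checked here; that is the CRL
# topic above, and mixing the two makes the result harder to read.
$sp = New-Object System.Security.Cryptography.X509Certificates.X509Store('SharePoint', 'LocalMachine')
$sp.Open('ReadOnly')
foreach ($cert in $sp.Certificates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok     = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    "{0,-5} {1}  [{2}]" -f $ok, $cert.Subject, $status
}
$sp.Close()
```

Every line of the final table should read True with an empty status list. An UntrustedRoot status after the import means the certificate you trusted is not the one that issued the SharePoint store certificates (for example a root from another farm), and a NotTimeValid status is the clock problem described in the comments below. If you prefer the command line over the snap-in for the import step, `certutil -addstore Root C:\FarmRoot.cer` does the same as the X509Store code above.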

Although we have focused on SharePoint 2010 in this blog post, these tools and practices can also be applied to many other pieces of software running on the Windows platform.


6 comments to “SharePoint Certificate errors”

  1. Juha Koivula says:

    Hola from Chile. I had a certificate problem with a client’s SharePoint environment a while ago. The site stopped responding and SharePoint was throwing “certificate expired” errors in the Windows log. In this case the solution was (embarrassingly) simple: the server had the date and time set wrong (nobody admits having changed it), and that caused the certificate to be invalid. It was a simple solution, but it took me a while to solve it because nothing in the logs indicated that it was a date/time issue. :)

  2. Marko Rosberg says:

    This proves that it’s very important to have an up-to-date list that includes information about the certificates that your company owns, their expiration dates, and the servers on which these certificates are installed.

