fbpx

Company News

SharePoint 2010 and Cert Trust – Could not establish trust relationship for the SSL/TLS secure channel

March 13, 2012

This one has come up enough that I figured I’d try and help folks get to the quick resolution of it. It presents itself in a number of scenarios but it also seems clear that folks aren’t sure what certs they should be trusting so I’m going to try to simplify the fix…

The Issue

As mentioned, this comes up in several places, including InfoPath web forms trust and digital certificates, Performance Point, etc. and in the ULS, it typically shows up with errors such as these…

  • Could not establish trust relationship for the SSL/TLS secure channel
  • PerformancePoint Services could not connect to the specified data source. Verify that either the current user or Unattended Service Account has read permissions to the data source, depending on your security configuration. Also verify that all required connection information is provided and correct. System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
  • An operation failed because the following certificate has validation errors:nnSubject Name
  • The root of the certificate chain is not a trusted root authority

It has also been discussed at length here.

The Fix

Okay, I guess I’m skipping the explanation here, but it can be a problem in a number of scenarios, typically because a less than stellar digital certificate is being used to secure your site site with HTTPS (SSL). I.e. the most trusted (or most backroom hand-shaked Winking smile) certs have weaseled their way into the appropriate trusted root and intermediate stores in your certificates setup. But if you are like me and just want a cert for encryption with a 3rd party trusted root authority, you are probably getting your certs cheaper than some. Anyways, I digress…

The fix is, get the root cert for the site you are securing with HTTPS/SSL and put it in your SharePoint Trust store in Central Admin. And that is done like this…

Figure out what cert you need…

Visit your HTTPS/SSL site. For example, https://go.somewhere.com, and then view the certificate for your site.

SNAGHTMLc07bef9

Then view the certification path and click on the root certificate provider. Choose View Certificate, then go to the details tab and choose “copy to file” to start the certificate export to file process. Make note of the Certificate Provider name (in my case, “GeoTrust Global CA”) as you’ll probably want to call the cert that in Central Admin later.

SNAGHTMLc096372

Now export that file

SNAGHTMLc0b2846

Export as a .cer file

SNAGHTMLc0b71b5

Save it somewhere you can find easily Winking smile

SNAGHTMLc0ba67a

Open Central Admin and install your cert

Click on Security

SNAGHTMLc0c8e97

Select Manage Trust under General Security

SNAGHTMLc0cdae2

Choose New…

SNAGHTMLc0d0175

Give your cert trust a name (I go with the name of the cert provider, as noted above) and browse to the file you exported

SNAGHTMLc0db5b6

Verify the results

image

Finally, while I haven’t bothered to see if it is necessary, I perform an IISRESET at this point as it is always a good time to give SharePoint a little kick in the ass.

Hope this helps someone.

24 Responses

  1. Excellent  Swallbridge! You just cleared how exactly web site owners or operators can choose their suitable SSL certificate for their web site security and their users security.

    Thank you so much again for sharing useful information about SSL certificate!

  2. Yiddish says:

    TLS and SSL encrypt the segments of network connections above the Transport … Since most protocols can be used either with or without TLS (or SSL).

  3. Sabrina Sai says:

    Good to know about it. Thanks for the info. 

  4. Dan says:

    thx for this; did the trick. Now if only SharePoint allowed you to connect to resource calendars with the web part….

  5. Dave says:

    Your write up and the screen shots are great. Our developers have stuffed:
    ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateCertificate);
    Into so much SharePoint code and it certainly was not necessary.

    Thanks for sharing this

  6. Manny says:

    This worked for me! Thank you so much for this solution.

  7. David K says:

    This describes exactly what is required to get the MetOffice data service from Azure Marketplace working in a web part (see https://spweather.codeplex.com). Shame I only found your post afterwards – when I knew what I was looking for!). Many thanks for sharing.

  8. Stephan says:

    Helped me to get the webservice call from an infopath running.
    Perfect write up!

    Thanks a lot!

  9. Lennart says:

    This worked fine for me! Great work

  10. sri says:

    thanks for the info. I was unable to connect to web service(HTTPS) from share point 2010 web part. The error is “Web Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel”. Your method fixed the problem. thanks.

  11. Joe says:

    You sir are a smart guy. Keep it up. Mucho Awesome and stuff.

  12. Dragan says:

    Great post, saved my day after hours of research for PerformancePoint Services issues. And no, it did not need iisreset 🙂

  13. Steven says:

    Having a repeat of the issue after a couple weeks following the fix you provided. Going back into central admin the trust relationship we establish is still there and hasn’t been changed but the issue comes up again following the steps.

  14. Thank you much for this article. I hit my head against a wall all afternoon, then I ran across your article and had my issue fixed in 5 minutes.

    Thanks again.

  15. Samy says:

    Great, it resolved my issue.. thanks!

  16. Mario Alvares says:

    Thanks. These steps worked for me. I just wanted to note that in my case, I had 2 certs that needed to be imported to the SharePoint certificate store – One was the root CA certificate, and the second was the Intermediate CA cert.

  17. Izzy says:

    thanks a lot for knowledge sharing, it does works.

  18. XYZ says:

    thanks a lot for clear information with pictures.

  19. Syed Shoaib Adil says:

    I think we need to perform these steps after the SP2010 SP2. I tried with earlier version of SP2010 but we don’t require this.
    Can you confirm if we need same steps for SP2013 as well?

  20. Indra says:

    Thank you Itgadmin.

    Can you please share what difference these SP2013 farms have so we need to add certificates?

    I have multiple SP2013 environments but they works without adding certificates. But still want to understand the difference.

    Appreciate if you can share.

  21. Iman Halawani says:

    Thanks a lot for the detailed steps and snapshots. This solved my issue.
    Just for your note, iis reset is not needed 🙂
    Thanks again

  22. Ishfaque says:

    Thanks. This really helped me and saved my day.

Leave a Reply

Sean Wallbridge

Sean Wallbridge-square-150x150

Beer Me!

Subscribe via Email

Categories

Powered by...

itgroove Corporate Profile
Connect With Us