This one has come up enough that I figured I’d try and help folks get to the quick resolution of it. It presents itself in a number of scenarios but it also seems clear that folks aren’t sure what certs they should be trusting so I’m going to try to simplify the fix…
As mentioned, this comes up in several places, including InfoPath web forms trust and digital certificates, Performance Point, etc. and in the ULS, it typically shows up with errors such as these…
- Could not establish trust relationship for the SSL/TLS secure channel
- PerformancePoint Services could not connect to the specified data source. Verify that either the current user or Unattended Service Account has read permissions to the data source, depending on your security configuration. Also verify that all required connection information is provided and correct. System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
- An operation failed because the following certificate has validation errors:\n\nSubject Name
- The root of the certificate chain is not a trusted root authority
It has also been discussed at length here.
Okay, I guess I’m skipping the explanation here, but it can be a problem in a number of scenarios, typically because a less than stellar digital certificate is being used to secure your site with HTTPS (SSL). I.e. the most trusted (or most backroom hand-shaked) certs have weaseled their way into the appropriate trusted root and intermediate stores in your certificates setup. But if you are like me and just want a cert for encryption with a 3rd party trusted root authority, you are probably getting your certs cheaper than some. Anyways, I digress…
The fix is, get the root cert for the site you are securing with HTTPS/SSL and put it in your SharePoint Trust store in Central Admin. And that is done like this…
Figure out what cert you need…
Visit your HTTPS/SSL site. For example, https://go.somewhere.com, and then view the certificate for your site.
Then view the certification path and click on the root certificate provider. Choose View Certificate, then go to the details tab and choose “copy to file” to start the certificate export to file process. Make note of the Certificate Provider name (in my case, “GeoTrust Global CA”) as you’ll probably want to call the cert that in Central Admin later.
Now export that file
Export as a .cer file
Save it somewhere you can find easily
Open Central Admin and install your cert
Click on Security
Select Manage Trust under General Security
Give your cert trust a name (I go with the name of the cert provider, as noted above) and browse to the file you exported
Verify the results
Finally, while I haven’t bothered to see if it is necessary, I perform an IISRESET at this point as it is always a good time to give SharePoint a little kick in the ass.
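The same import can be scripted from the SharePoint Management Shell, with a few checks on the exported file before it is trusted. This is an added example, not part of the original post; the file path is a placeholder, and it assumes the `Get-SPTrustedRootAuthority` and `New-SPTrustedRootAuthority` cmdlets that ship with SharePoint.

```powershell
# Added example: import an exported root certificate into the SharePoint trust store.
# Run on a farm server as a farm administrator.
param(
    [string]$CerPath   = 'C:\certs\root-ca.cer',   # placeholder: the .cer file you exported
    [string]$TrustName = 'GeoTrust Global CA'      # name shown under Manage Trust
)

# Load the SharePoint cmdlets when not already in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# .NET resolves relative paths against the process directory, so resolve it first.
$fullPath = (Resolve-Path -LiteralPath $CerPath -ErrorAction Stop).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($fullPath)

# A root certificate is self-issued. If Subject and Issuer differ, the file is an
# intermediate or the site's own certificate, and trusting it will not fix
# "The root of the certificate chain is not a trusted root authority".
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: Subject '$($cert.Subject)' was issued by '$($cert.Issuer)'."
}

# Refuse a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Show what is about to be trusted. Compare the thumbprint with the value the
# certificate authority publishes before relying on it.
Write-Output "Subject    : $($cert.Subject)"
Write-Output "Thumbprint : $($cert.Thumbprint)"
Write-Output "Valid until: $($cert.NotAfter)"

# Skip the import if this exact certificate is already in the trust store.
$existing = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    Write-Output "Already trusted as '$($existing.Name)'; nothing to do."
    return
}

New-SPTrustedRootAuthority -Name $TrustName -Certificate $cert | Out-Null

# Verify the result: the new entry should list the same thumbprint.
Get-SPTrustedRootAuthority -Identity $TrustName |
    Select-Object Name, @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } }
```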
Hope this helps someone.