This one has come up enough that I figured I’d try and help folks get to the quick resolution of it. It presents itself in a number of scenarios but it also seems clear that folks aren’t sure what certs they should be trusting so I’m going to try to simplify the fix…
The Issue
As mentioned, this comes up in several places, including InfoPath web forms trust and digital certificates, Performance Point, etc. and in the ULS, it typically shows up with errors such as these…
- Could not establish trust relationship for the SSL/TLS secure channel
- PerformancePoint Services could not connect to the specified data source. Verify that either the current user or Unattended Service Account has read permissions to the data source, depending on your security configuration. Also verify that all required connection information is provided and correct. System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
- An operation failed because the following certificate has validation errors:\n\nSubject Name
- The root of the certificate chain is not a trusted root authority
It has also been discussed at length here.
The Fix
Okay, I guess I’m skipping the explanation here, but it can be a problem in a number of scenarios, typically because a less than stellar digital certificate is being used to secure your site with HTTPS (SSL). I.e. the most trusted (or most backroom hand-shaked) certs have weaseled their way into the appropriate trusted root and intermediate stores in your certificates setup. But if you are like me and just want a cert for encryption with a 3rd party trusted root authority, you are probably getting your certs cheaper than some. Anyways, I digress…
The fix is, get the root cert for the site you are securing with HTTPS/SSL and put it in your SharePoint Trust store in Central Admin. And that is done like this…
Figure out what cert you need…
- Visit your HTTPS/SSL site (for example, https://go.somewhere.com) and view the certificate for your site.
- Then view the certification path and click on the root certificate provider. Choose View Certificate, then go to the Details tab and choose “copy to file” to start the certificate export to file process. Make a note of the certificate provider name (in my case, “GeoTrust Global CA”), as you’ll probably want to call the cert that in Central Admin later.
Now export that file
- Export as a .cer file
- Save it somewhere you can find easily
Open Central Admin and install your cert
- Click on Security
- Select Manage Trust under General Security
- Choose New…
- Give your cert trust a name (I go with the name of the cert provider, as noted above) and browse to the file you exported
Verify the results
Finally, while I haven’t bothered to see if it is necessary, I perform an IISRESET at this point as it is always a good time to give SharePoint a little kick in the ass.
Hope this helps someone.
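The Central Admin steps above can also be scripted. The PowerShell below is an added example, not part of the original post: it loads the exported .cer files, checks that each is a currently valid CA certificate, prints its thumbprint so you can compare it with the value the CA publishes before trusting it, and then registers it with New-SPTrustedRootAuthority. The file paths are assumptions, and the list form goes slightly beyond the post so that an intermediate CA in the certification path can be added the same way.

```powershell
# Added example: scripted equivalent of Central Admin > Security > Manage Trust.
# Run in the SharePoint Management Shell on a farm server, as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Certificates exported from the site's certification path (paths are assumptions).
$toTrust = @(
    @{ Name = 'GeoTrust Global CA'; Path = 'C:\certs\GeoTrustGlobalCA.cer' }
    # One more entry per intermediate CA in the path, if there is one:
    # @{ Name = '<intermediate CA name>'; Path = 'C:\certs\<intermediate>.cer' }
)

# Thumbprints SharePoint already trusts, so the script can be re-run safely.
$existing = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }

foreach ($entry in $toTrust) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($entry.Path)

    # Only trust CA certificates, never the site's own (leaf) certificate.
    # Very old v1 roots carry no basic constraints and need a manual review instead.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        Write-Warning "$($entry.Path) is not marked as a CA certificate; skipping."
        continue
    }

    # Do not add expired or not-yet-valid certificates.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "$($cert.Subject) is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter)); skipping."
        continue
    }

    # Show what is about to be trusted; compare the thumbprint with the CA's published value.
    $kind = if ($cert.Subject -eq $cert.Issuer) { 'root' } else { 'intermediate' }
    Write-Host "$kind CA: $($cert.Subject)  thumbprint: $($cert.Thumbprint)"

    if ($existing -contains $cert.Thumbprint) {
        Write-Host '  already in the SharePoint trust store; nothing to do.'
        continue
    }
    New-SPTrustedRootAuthority -Name $entry.Name -Certificate $cert | Out-Null
}

# Verify the results: list every trust with its subject, thumbprint and expiry date.
Get-SPTrustedRootAuthority |
    Select-Object Name, @{n='Subject';e={$_.Certificate.Subject}}, @{n='Thumbprint';e={$_.Certificate.Thumbprint}}, @{n='NotAfter';e={$_.Certificate.NotAfter}}
```

The NotAfter column in the final listing is worth keeping an eye on, since a trust entry whose certificate has expired no longer helps.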
Excellent Swallbridge! You just cleared how exactly web site owners or operators can choose their suitable SSL certificate for their web site security and their users security.
Thank you so much again for sharing useful information about SSL certificate!
TLS and SSL encrypt the segments of network connections above the Transport … Since most protocols can be used either with or without TLS (or SSL).
Good to know about it. Thanks for the info.
thx for this; did the trick. Now if only SharePoint allowed you to connect to resource calendars with the web part….
Your write up and the screen shots are great. Our developers have stuffed:
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateCertificate);
Into so much SharePoint code and it certainly was not necessary.
Thanks for sharing this
Glad it helped
This worked for me! Thank you so much for this solution.
This describes exactly what is required to get the MetOffice data service from Azure Marketplace working in a web part (see https://spweather.codeplex.com). Shame I only found your post afterwards – when I knew what I was looking for! Many thanks for sharing.
Helped me to get the webservice call from an infopath running.
Perfect write up!
Thanks a lot!
This worked fine for me! Great work
Thanks for the info. I was unable to connect to a web service (HTTPS) from a SharePoint 2010 web part. The error is “Web Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel”. Your method fixed the problem. Thanks.
You sir are a smart guy. Keep it up. Mucho Awesome and stuff.
Great post, saved my day after hours of research for PerformancePoint Services issues. And no, it did not need iisreset 🙂
Having a repeat of the issue a couple of weeks after the fix you provided. Going back into Central Admin, the trust relationship we established is still there and hasn’t been changed, but the issue comes up again following the steps.
Thank you much for this article. I hit my head against a wall all afternoon, then I ran across your article and had my issue fixed in 5 minutes.
Thanks again.
Great, it resolved my issue.. thanks!
Thanks. These steps worked for me. I just wanted to note that in my case, I had 2 certs that needed to be imported to the SharePoint certificate store – One was the root CA certificate, and the second was the Intermediate CA cert.
Thanks a lot for knowledge sharing, it does work.
Thanks a lot for clear information with pictures.
I think we need to perform these steps after the SP2010 SP2. I tried with an earlier version of SP2010 but we don’t require this.
Can you confirm if we need the same steps for SP2013 as well?
I have had need to do this in some 2013 farms as well.
Thank you Itgadmin.
Can you please share what difference these SP2013 farms have so we need to add certificates?
I have multiple SP2013 environments but they work without adding certificates. But I still want to understand the difference.
Appreciate it if you can share.
Thanks a lot for the detailed steps and snapshots. This solved my issue.
Just for your note, iis reset is not needed 🙂
Thanks again
Thanks. This really helped me and saved my day.