SharePoint 2010 and Cert Trust – Could not establish trust relationship for the SSL/TLS secure channel

This one has come up enough that I figured I’d try and help folks get to the quick resolution of it. It presents itself in a number of scenarios but it also seems clear that folks aren’t sure what certs they should be trusting so I’m going to try to simplify the fix…

The Issue

As mentioned, this comes up in several places, including InfoPath web forms trust and digital certificates, Performance Point, etc. and in the ULS, it typically shows up with errors such as these…

  • Could not establish trust relationship for the SSL/TLS secure channel
  • PerformancePoint Services could not connect to the specified data source. Verify that either the current user or Unattended Service Account has read permissions to the data source, depending on your security configuration. Also verify that all required connection information is provided and correct. System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
  • An operation failed because the following certificate has validation errors:nnSubject Name
  • The root of the certificate chain is not a trusted root authority

It has also been discussed at length here.

The Fix

Okay, I guess I’m skipping the explanation here, but it can be a problem in a number of scenarios, typically because a less than stellar digital certificate is being used to secure your site site with HTTPS (SSL). I.e. the most trusted (or most backroom hand-shaked Winking smile) certs have weaseled their way into the appropriate trusted root and intermediate stores in your certificates setup. But if you are like me and just want a cert for encryption with a 3rd party trusted root authority, you are probably getting your certs cheaper than some. Anyways, I digress…

The fix is, get the root cert for the site you are securing with HTTPS/SSL and put it in your SharePoint Trust store in Central Admin. And that is done like this…

Figure out what cert you need…

Visit your HTTPS/SSL site. For example, https://go.somewhere.com, and then view the certificate for your site.

SNAGHTMLc07bef9

Then view the certification path and click on the root certificate provider. Choose View Certificate, then go to the details tab and choose “copy to file” to start the certificate export to file process. Make note of the Certificate Provider name (in my case, “GeoTrust Global CA”) as you’ll probably want to call the cert that in Central Admin later.

SNAGHTMLc096372

Now export that file

SNAGHTMLc0b2846

Export as a .cer file

SNAGHTMLc0b71b5

Save it somewhere you can find easily Winking smile

SNAGHTMLc0ba67a

Open Central Admin and install your cert

Click on Security

SNAGHTMLc0c8e97

Select Manage Trust under General Security

SNAGHTMLc0cdae2

Choose New…

SNAGHTMLc0d0175

Give your cert trust a name (I go with the name of the cert provider, as noted above) and browse to the file you exported

SNAGHTMLc0db5b6

Verify the results

image

Finally, while I haven’t bothered to see if it is necessary, I perform an IISRESET at this point as it is always a good time to give SharePoint a little kick in the ass.

Hope this helps someone.

24 responses to “SharePoint 2010 and Cert Trust – Could not establish trust relationship for the SSL/TLS secure channel

  1. Excellent  Swallbridge! You just cleared how exactly web site owners or operators can choose their suitable SSL certificate for their web site security and their users security.

    Thank you so much again for sharing useful information about SSL certificate!

  2. TLS and SSL encrypt the segments of network connections above the Transport … Since most protocols can be used either with or without TLS (or SSL).

  3. thx for this; did the trick. Now if only SharePoint allowed you to connect to resource calendars with the web part….

  4. Your write up and the screen shots are great. Our developers have stuffed:
    ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateCertificate);
    Into so much SharePoint code and it certainly was not necessary.

    Thanks for sharing this

  5. thanks for the info. I was unable to connect to web service(HTTPS) from share point 2010 web part. The error is “Web Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel”. Your method fixed the problem. thanks.

  6. Having a repeat of the issue after a couple weeks following the fix you provided. Going back into central admin the trust relationship we establish is still there and hasn’t been changed but the issue comes up again following the steps.

  7. Thanks. These steps worked for me. I just wanted to note that in my case, I had 2 certs that needed to be imported to the SharePoint certificate store – One was the root CA certificate, and the second was the Intermediate CA cert.

  8. I think we need to perform these steps after the SP2010 SP2. I tried with earlier version of SP2010 but we don’t require this.
    Can you confirm if we need same steps for SP2013 as well?

  9. Thank you Itgadmin.

    Can you please share what difference these SP2013 farms have so we need to add certificates?

    I have multiple SP2013 environments but they works without adding certificates. But still want to understand the difference.

    Appreciate if you can share.

  10. Thanks a lot for the detailed steps and snapshots. This solved my issue.
    Just for your note, iis reset is not needed 🙂
    Thanks again

Leave a Reply

Your email address will not be published. Required fields are marked *