This article introduces some tools and practices that I’ve seen useful for tackling SharePoint 2010 errors arising from SSL Certificates. The main reason for writing this article is the “The root of the certificate chain is not a trusted root authority” – error.

Let’s first take a look at a useful tool for solving certificate errors. Windows has built in a very good SSL certificate error log called CAPI2. This can be enabled under Application and Services Logs -> Microsoft -> CAPI2 by left clicking “Operational” and pressing “Enable Log”.

Two most common errors in CAPI2 log seems to be errors in Certification Revocation Lists (CRL) and untrusted root certificate chains. Let’s take a look at how one could solve these problems.

Certificate revocation list errors
To make sure that the SSL certificates are valid windows checks for CRL. By default it will try to access this list for 15 seconds. If the list cannot be accessed the process is continued normally.
In SharePoint CRL problems may occur for example as long loading times (especially if the page is not used frequently), broken functionalities, etc.
CRL access errors can be solved by a few quite easy steps:
1. In CAPI2 open error event in Details / XML view and find what CRL (Certificate Revocation List) URL the server is trying to access.
2. You basically have two options for solving this:

1. a. Enable access to the CRL address. If you can connect to the Internet via a proxy, you can first configure proxy settings in Internet settings panel and then run:
   netsh winhttp import proxy ie
2. b. Disable certificate revocation list check (not recommended) How to Disable CRL Checking

Untrusted root authority or broken certificate chain error in SharePoint
1.Let’s first make sure that you have the proper error.

1. a. Open Management console and add certificate snap in.
2. b. Expand Certificates -> SharePoint -> Certificates and open one of the certificates included in that folder.
3. c. On the Certification Path -tab should look like as in the following figure.
   

2. OK, so let’s fix this problem. The problem by the way is that these certificates are issued by a certificate authority which is not trusted.

1. a. First we must export the root certificate from SharePoint by using the following PowerShell commands:
   $rootCert = (Get-SPCertificateAuthority).RootCertificate
   $rootCert.Export("Cert") | Set-Content C:\FarmRoot.cer -Encoding byte
2. b. Then import the SharePoint root certificate to trusted root authorities
   

3. If all went well the certificates under SharePoint certificate store should look like in the following figure.

Allthought we have focused on SharePoint 2010 in this blog post these tools and practices can alse been applied for many other software running on Windows platform.

Popularity: 9% [?]