First published on TECHNET on Nov 27, 2012
While trying to export the picture from SharePoint My Sites to the Active Directory attribute ThumbnailPhoto my customer was getting the following error
Error 8311 in Application logs which contained data like the following
An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=mysite.domain.com, OU=App, O=domain.com\nIssuer Name: CN=Company Sub Root CA, OU=App, O=cigna.com\nThumbprint: 26CA7D675C917658E7CB6A6A9E9F7AAAF09B109B\n\nErrors:\n\n The root of the certificate chain is not a trusted root authority..
**Identities have been changed to protect the innocent :)
Issue
The Root certificate for intermediate Root CA was not trusted within SharePoint. We knew this by performing the following steps
- Navigating to https://mysite.domain.com
- Clicking on the lock to the right of the address bar
- Click the link View Certificates
- Select Certification Path
- Match 'Company Sub Root CA' from the error with an authority in the path
Solution
We had to follow these steps
- On SharePoint Server open an MMC Console
- Add the snap-in Certificates for the Computer Account
- Expand Certificates -> Intermediate Certification Authorities -> Certificates
- Select certificate that matches 'Company Sub Root CA' from the error
- Right click All Tasks -> Export
- Export to file C:\SubRoot.cer as 'DER encoded binary X.509(.CER)
- Then on the SharePoint server open SharePoint 2010 Management Shell
- Run the following commands
$Cert = Get-PfxCertificate <C:\SubRoot.cer>
New-SPTrustedRootAuthority <UniqueName> -Certificate $Cert
Articles
Exchange trust certificates between farms (SharePoint Foundation 2010)
http://technet.microsoft.com/en-us/library/ee806868.aspx
