Seven Steps to Correct The Error: “The Root of the Certificate Chain is not a Trusted Root Authority” in SharePoint and Project Server Workflows 2013

Posted by: EPM Partners on December 18, 2013

I was recently completing an installation of Workflow for Project Server and I received the following error:

“The root of the certificate chain is not a trusted root authority”

During this installation I received the error at two different points. The first was whilst running the Register-SPWorkflowService command; however, I could bypass this by utilizing the -Force parameter. This then surfaced at run time when running the workflow in Project Server or SharePoint. The workflow would fail with a similar error.

With further investigation, I tried registering the workflow service to an http address, as it seemed to be complaining about certificates. Upon doing this, the error disappeared. As a best practice, I suggest that the service be registered and run under https. The error message received pointed towards a problem with SSL certificates.

Secure Sockets Layer (SSL) is an encrypted communication protocol which uses encryption certificates. Workflow Manager and SharePoint Server 2013, and therefore Project Server, use it to communicate in a secure manner. During the configuration of Workflow Manager, it creates certain certificates that are utilized for https communications. From my SharePoint 2010 knowledge, I knew there was a known issue that SharePoint out of the box only trusts its own ‘local’ signed certificate.

The first step I took was to import all the relevant certificates into SharePoint. I utilized the following PowerShell script, which adds all the root certificates on the local machine into SharePoint:

# Register every certificate in the local machine's Trusted Root store as a SharePoint trusted root authority
foreach ($cert in (Get-ChildItem Cert:\LocalMachine\Root)) {
    if (!$cert.HasPrivateKey) {
        New-SPTrustedRootAuthority -Name $cert.Thumbprint -Certificate $cert
    }
}

However, after this, when I tried to connect to the workflow site from another server, it seemed that the certificate was not recognized.

The next step is to copy the SSL certificate from the Workflow Server to the other servers' “Trusted Root Certification Authorities” store. To complete this, follow the steps below:

  1. Navigate to the Workflow Server, open Run or a command prompt, type MMC and hit Enter. This will open Console1.
  2. In Console1, navigate to File in the ribbon menu and select “Add/Remove Snap-in”.
  3. Add “Certificates” to the right-hand side and then click “OK”. You will be prompted with the Certificates snap-in. I selected “Computer account” > Next > Local computer > Finish > OK.
  4. Look for the Workflow Certificate which contains:
    • Issued To: Workflow Server Name
    • Issued By: Workflow Server Name
  5. Export the certificate through the wizard and then copy it to the other SharePoint Server. You can complete this by right-clicking on the certificate and selecting All Tasks > Export.
  6. Import the certificate into the other SharePoint server via MMC under the “Trusted Root Certification Authorities” location. You can complete this by right-clicking on “Trusted Root Certification Authorities” and selecting All Tasks > Import.
  7. Now re-run the register command and you should no longer see the error.

Please note: if you successfully ran the http register command, you will need to ensure you utilize the -Force parameter to overwrite the existing configuration.
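The seven steps above can also be scripted. The following is an added example, not code from the original post: the function names, the source certificate store and the file path are assumptions, and the URLs in the usage comments are placeholders.

```powershell
# Added example. Function names, the source store and file paths are assumptions.

function Export-WfPublicCert {
    # Steps 4-5, run on the Workflow Server.
    param(
        [string]$ServerName = $env:COMPUTERNAME,
        [string]$Store      = 'Cert:\LocalMachine\My',     # assumed location
        [string]$OutFile    = 'C:\Temp\workflow-root.cer'  # placeholder, absolute path
    )
    # Step 4: certificate issued to, and issued by, the Workflow Server name.
    $found = @(Get-ChildItem $Store | Where-Object {
        $_.Subject -eq $_.Issuer -and $_.Subject -like "*CN=$ServerName*"
    })
    if ($found.Count -ne 1) {
        throw "Expected one matching certificate, found $($found.Count)."
    }
    # Step 5: write the public certificate only (DER); the private key stays on the server.
    $type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
    [System.IO.File]::WriteAllBytes($OutFile, $found[0].Export($type))
    return $found[0].Thumbprint
}

function Import-WfTrustedRoot {
    # Step 6, run on each other SharePoint server. $CerFile must be an absolute path.
    param(
        [Parameter(Mandatory = $true)][string]$CerFile,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    # Refuse a file that was swapped or corrupted while being copied between servers.
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: got $($cert.Thumbprint)."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert
}

# Usage (placeholder values; read the thumbprint on the Workflow Server and
# pass it to the other server separately from the .cer file):
#   $tp = Export-WfPublicCert
#   $c  = Import-WfTrustedRoot -CerFile 'C:\Temp\workflow-root.cer' -ExpectedThumbprint $tp
#   Register-SPWorkflowService -SPSite '<SharePoint site URL>' -WorkflowHostUri '<https Workflow Server URL>' -Force   # step 7
```

The loop shown earlier adds every root certificate on the machine to SharePoint's trust list; passing only `$c` to New-SPTrustedRootAuthority limits SharePoint's trust to this one certificate.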

