I did a recent build of SharePoint 2013 on Windows Server 2012 R2. This environment was an upgrade from SharePoint 2010 via database attach.
After the upgrade, a web part consuming a Business Data Connectivity (BDC) external content type that referenced a Secure Store target application ID was not working.
The trace error log showed:
The Secure Store Service application Secure Store Service is not accessible. The full exception text is: Could not establish trust relationship for the SSL/TLS secure channel with authority 'servername:32844'
Unexpected exception from endpoint address : https://servername:32844/e5d80e2a24264be380389e0c643d6dfc/SecureStoreService.svc/https
Logging unknown/unexpected client side exception: SecurityNegotiationException. This will cause this application server to be removed from the load balancer queue. Exception: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'servername:32844'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
The main web application is HTTP, and after some investigation I found references to others removing SSL from the SharePoint Web Services IIS site. However, I have never seen that done before or had to do it myself, so this option did not look correct: the service-to-service calls on port 32844 are meant to run over TLS, and the error is a certificate trust failure rather than an SSL configuration problem.
From the trace logs I suspected that something was wrong with the SSL certificates. I opened the certificate store for the computer via MMC. I found the three SharePoint certificates under the 'SharePoint' container, however the 'SharePoint Root Authority' certificate was missing from the 'Trusted Root Certification Authorities' container. I was able to compare this server with another SharePoint server to highlight the differences.
Also, opening the 'SharePoint Security Token Service' certificate showed that it was missing a parent in the Certification Path, which is exactly what you would expect when the issuing root is not in the trusted root store.
Solution
The solution was to export the 'local' farm root certificate via PowerShell (run from the SharePoint Management Shell):
# Get the farm's root CA certificate object from the farm's certificate authority
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Export the public certificate only (DER-encoded .cer, no private key) and write the raw bytes to disk
$rootCert.Export("Cert") | Set-Content d:\SharepointRoot.cer -Encoding byte
Then start MMC, add the Certificates snap-in, and connect to the local computer account.
Browse to 'Trusted Root Certification Authorities / Certificates'.
Then import the certificate you exported above.
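The manual MMC steps above can be scripted so that every server in the farm is checked the same way. The following is an added example, not code from the original post: it looks up the farm root certificate's thumbprint, checks whether that thumbprint is already in the machine's Trusted Root store, imports the public certificate if it is missing, and then rebuilds the chain of the Security Token Service certificate to confirm the fix. It goes slightly beyond the post by doing the check and the chain verification as well as the import. It assumes it is run in the SharePoint Management Shell as a local administrator, and that the STS certificate lives in the LocalMachine 'SharePoint' store with a subject containing 'SharePoint Security Token Service' (both are assumptions taken from what the post describes seeing in MMC).

```powershell
# Added example: verify the farm root CA is trusted on this server, import it if not, and re-check the STS chain.
# Assumes: SharePoint Management Shell, run as local admin on the SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rootCert = (Get-SPCertificateAuthority).RootCertificate
Write-Host "Farm root CA : $($rootCert.Subject)"
Write-Host "Thumbprint   : $($rootCert.Thumbprint)"
Write-Host "Valid until  : $($rootCert.NotAfter)"

# LocalMachine\Root is what MMC shows as 'Trusted Root Certification Authorities'
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

# Compare by thumbprint, not by subject name: a stale root with the same name would still be wrong
$present = $store.Certificates | Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }

if ($present) {
    Write-Host "Root certificate already trusted on $env:COMPUTERNAME - nothing to do."
} else {
    Write-Warning "Root certificate missing from Trusted Root on $env:COMPUTERNAME - importing."
    # Export the public certificate only (DER .cer, no private key), exactly as the post does with Set-Content
    $cerPath = Join-Path $env:TEMP 'SharePointRoot.cer'
    [System.IO.File]::WriteAllBytes($cerPath, $rootCert.Export('Cert'))
    $publicCopy = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
    $store.Add($publicCopy)
    Write-Host "Imported $($publicCopy.Thumbprint) into LocalMachine\Root."
}
$store.Close()

# Confirm the fix the same way the post did in MMC: the STS certificate should now chain to the farm root.
# Assumption: the STS certificate is in the LocalMachine 'SharePoint' store with this subject text.
$sts = Get-ChildItem Cert:\LocalMachine\SharePoint |
    Where-Object { $_.Subject -like '*SharePoint Security Token Service*' } |
    Select-Object -First 1

if ($null -eq $sts) {
    Write-Warning "STS certificate not found in LocalMachine\SharePoint; skipping chain check."
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The farm root is self-signed and not subject to revocation checking, so skip CRL lookups
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($sts)
    if ($ok) {
        Write-Host "STS certificate chain is complete ($($chain.ChainElements.Count) element(s))."
    } else {
        Write-Warning "STS certificate chain still broken:"
        $chain.ChainStatus | ForEach-Object { Write-Warning "  $($_.Status): $($_.StatusInformation.Trim())" }
    }
}
```

Running this on the healthy server and the broken one gives the same comparison the post made by eye in MMC, and a chain status of PartialChain or UntrustedRoot before the import is the scripted equivalent of the missing parent in the Certification Path tab.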
After that, our web part worked straight away.
I believe the root cause was permission and GPO issues at the time SharePoint was installed: the server was locked down too tightly, and the installer was unable to write the farm root certificate into the machine's Trusted Root store.