Token Signing Certificate: The Root Certificate is invalid

When you try to add a trust relationship in SharePoint 2010 using Central Administration, you might get the following error:

The root certificate that was just selected is invalid. This may be because the selected certificate requires a password and we do not support certificates that require a password. Please select another certificate.

I was certain that the certificate was correct and should be accepted. I managed to import the certificate through PowerShell.

  1. Import the certificate into the Windows Certificate Store, specifically the Personal store.
  2. Start a SharePoint 2010 Management Shell session.
  3. Locate the certificate in the Personal folder of the Windows Certificate Store and copy the Thumbprint:

    dir cert:\CurrentUser\My

  4. Run the following commands:

    # Strip spaces from the copied thumbprint, upper-case it, and load the certificate
    $Cert = Get-Item ("cert:\CurrentUser\My\" + "<thumbprint>".Replace(" ", "").ToUpper())
    # Register the certificate as a trusted root authority in the farm
    New-SPTrustedRootAuthority -Name "Token Signing Certificate" -Certificate $Cert

The certificate should now be imported and the trust should be visible in the Central Administration.

Posted by Mischa Oudhof
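The steps above can be wrapped in one function that also handles the private-key error reported in the comments. This is an added example, not code from the original post: the function name `Add-TrustedRootFromStore` and its parameters are hypothetical, and it assumes the SharePoint 2010 Management Shell (or the `Microsoft.SharePoint.PowerShell` snap-in) is available.

```powershell
# Added example; function and parameter names are illustrative assumptions.
function Add-TrustedRootFromStore {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$Name = "Token Signing Certificate",
        [string]$StorePath = "cert:\CurrentUser\My"
    )

    # Load the SharePoint cmdlets when not running in the Management Shell.
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # A thumbprint copied from the certificate dialog can contain spaces and an
    # invisible Unicode mark, so keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters."
    }

    $cert = Get-Item "$StorePath\$clean" -ErrorAction Stop

    # New-SPTrustedRootAuthority rejects a certificate that has a private key.
    # Rebuild the object from the DER-encoded public part only; the private key
    # stays untouched in the store and is never exported.
    if ($cert.HasPrivateKey) {
        $der = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        $cert = New-Object `
            System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
    }

    New-SPTrustedRootAuthority -Name $Name -Certificate $cert
}

# Usage: replace the placeholder with the thumbprint copied in step 3.
# Add-TrustedRootFromStore -Thumbprint "<thumbprint>"
```

Establishing the trust only needs the public certificate, so the private key does not have to be exportable for this to work.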

  1. Thank you so much – you saved my life 🙂 Tried hours and hours and with your help my Exchange overlay calendars now work 🙂

  2. Hi,

    Great Post there!
    I was able to import certificates using the above method. But for the specific certificate which I want to import (SSL Certificate) it is giving an error saying: “New-SPTrustedRootAuthority : The specified certificate must not have a private key”.
    Any help will be much appreciated.

    Many Thanks.

  3. Hi Mischa,

    How do I make sure that the private key is exportable?

    Many Thanks,

