28 Jun 2011 (8 comments)
Token Signing Certificate: The Root Certificate is invalid
When you try to add a trust relationship in SharePoint 2010 using Central Administration, you might get the following error:
"The root certificate that was just selected is invalid. This may be because the selected certificate requires a password and we do not support certificates that require a password. Please select another certificate."
I was certain that the certificate was correct and should be accepted. I managed to import the certificate through PowerShell.
- Import the certificate into the Windows Certificate Store, specifically the Personal store
- Start a SharePoint 2010 Management Shell session
- Locate the certificate in the Personal folder of the Windows Certificate Store and copy the Thumbprint
dir cert:\CurrentUser\My
- Run the following commands:
$Cert = Get-Item ("cert:\CurrentUser\My\" + "<thumbprint>".Replace(" ", "").ToUpper())
New-SPTrustedRootAuthority -Name "Token Signing Certificate" -Certificate $Cert
The certificate should now be imported and the trust should be visible in the Central Administration.
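The steps above as one script, extended to handle the "The specified certificate must not have a private key" error reported in the comments below. This is an added example, not code from the original post; the helper name Get-PublicOnlyCertificate is hypothetical, and "<thumbprint>" is the same placeholder used above.

```powershell
# Added example; run in a SharePoint 2010 Management Shell session.
# Get-PublicOnlyCertificate is a hypothetical helper, not a SharePoint cmdlet.
function Get-PublicOnlyCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$StorePath = "cert:\CurrentUser\My"
    )

    # A thumbprint copied from the certificate dialog contains spaces and may
    # carry a hidden leading character, so keep the hex digits only.
    $clean = ($Thumbprint -replace "[^0-9A-Fa-f]", "").ToUpper()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters."
    }

    $cert = Get-Item -Path "$StorePath\$clean" -ErrorAction Stop

    # No private key attached: the store object can be used as it is.
    if (-not $cert.HasPrivateKey) {
        return $cert
    }

    # Private key attached: export only the DER-encoded certificate (no key
    # material) and rebuild an in-memory object from those bytes.
    $contentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
    $der = $cert.Export($contentType)
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
}

$publicCert = Get-PublicOnlyCertificate -Thumbprint "<thumbprint>"

# Confirm what is about to be trusted before registering it with the farm.
$publicCert | Format-List Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey

if ($publicCert.HasPrivateKey) {
    throw "Certificate still carries a private key; not registering it."
}

New-SPTrustedRootAuthority -Name "Token Signing Certificate" -Certificate $publicCert
```

The private key stays in the Personal store and is never handed to SharePoint; only the public certificate is registered as a trusted root authority.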
June 29th, 2011 - 03:54
Thank you so much – you saved my life 🙂 Tried hours and hours and with your help my Exchange overlay calendars now work 🙂
June 29th, 2011 - 11:45
You’re welcome!
July 24th, 2011 - 19:42
Hi,
Great Post there!
I was able to import certificates using the above method. But for the specific certificate which I want to import (SSL Certificate) it is giving an error saying: “New-SPTrustedRootAuthority : The specified certificate must not have a private key”.
Any help will be much appreciated.
Many Thanks.
July 25th, 2011 - 08:21
When you create the key you’ll have to make sure that the private key will be exportable. Seems like yours is not exportable.
July 26th, 2011 - 18:25
Hi Mischa,
How do I make sure that the private key is exportable?
Many Thanks,
Rik
July 27th, 2011 - 11:11
I just read your previous comment again, and I totally misread it the first time, my apologies. The error says that you should not export it with private key, so you have to export the certificate without the private key.
Here’s a small how-to for Windows Server 2003, but it’s mostly the same for all Windows versions.
http://technet.microsoft.com/en-us/library/cc779668(WS.10).aspx
Lemme know if you need more help on this.
October 11th, 2011 - 00:19
Thanks for this tip!
October 11th, 2011 - 07:53
No problem! Your blog looks quite good as well, valuable information!