Token Signing Certificate: The Root Certificate is invalid

28Jun/118

Token Signing Certificate: The Root Certificate is invalid

When you try to add a trust relationship in SharePoint 2010 using the Central Administration you might get an error.

The root certificate that was just selected is invalid. This may be because the selected certificate requires a password and we do not support certificates that require a password. Please select another certificate.

I was certain that the certificate was correct and should be accepted. I managed to import the certificate through PowerShell.

Import the certificate into the Windows Certificate Store. Specifically the Personal store
Start a SharePoint 2010 Management Shell session
Locate the certificate in the Personal folder of the Windows Certificate Store and copy the Thumbprint
```
dir cert:\CurrentUser\My
```

Run the following commands:

 $Cert = Get-Item("cert:\CurrentUser\My\" + "&lt;thumbprint&gt;".Replace(" ", "").ToUpper())
New-SPTrustedRootAuthority -Name "Token Signing Certificate" -Certificate $Cert

The certificate should now be imported and the trust should be visible in the Central Administration.

Be Sociable, Share!

Enjoy this article?

Consider subscribing to our rss feed!

Posted by Mischa Oudhof

Filed under: ADFS, Microsoft, SharePoint Leave a comment

Comments (8) Trackbacks (0) ( subscribe to comments on this post )

Wolfhard
June 29th, 2011 - 03:54

Thank you so much – you saved my life 🙂 Tried hours and hours and with your help my Exchange overlay calendars now work 🙂

( REPLY )
- Mischa Oudhof
  June 29th, 2011 - 11:45
  
  You’re welcome!
  
  ( REPLY )
Rick_rs
July 24th, 2011 - 19:42

Hi,

Great Post there!
I was able to import certificates using the above method.But for the specific certificate which I want to import (SSL Certificate) it is giving an error saying: “New-SPTrustedRootAuthority : The specified certificate must not have a private key”.
Any help will be much appreciated.

Many Thanks.

( REPLY )
- Mischa Oudhof
  July 25th, 2011 - 08:21
  
  When you create the key you’ll have to make sure that the private key will be exportable. Seems like yours is not exportable.
  
  ( REPLY )
Rick_rs
July 26th, 2011 - 18:25

Hi Mischa,

How do I make sure that the private key is exportable?

Many Thanks,
Rik

( REPLY )
- Mischa Oudhof
  July 27th, 2011 - 11:11
  
  I just read your previous comment again, and I totaly misread it the first time, my apologies. The error says that you should npt export it with private key, so you have to export the certificate without the private key.
  
  Here’s a small how to for Windows Server 2003, but it’s mostly the same for all Windows versions.
  http://technet.microsoft.com/en-us/library/cc779668(WS.10).aspx
  
  Lemme know if you need more help on this.
  
  ( REPLY )
Cookie
October 11th, 2011 - 00:19

Thanks for this tip!

( REPLY )
- Mischa Oudhof
  October 11th, 2011 - 07:53
  
  No problem! Your blog looks quite good as well, valuable information!
  
  ( REPLY )

Sysadminsblog.com Anything for sysadmins!