Could not establish trust relationship for SSL/TLS secure channel
This post is a contribution from Amy Luu, an engineer with the SharePoint Developer Support team.
You can get one of the following errors when SharePoint communicates with an external service over HTTPS, either on the same server or on a different server:
Could not establish trust relationship for the SSL/TLS secure channel, or
Remote certificate is invalid according to the validation procedure, or
An operation failed because the following certificate has validation errors
Typically, the scenario is a custom component residing in SharePoint 2010/2013 that calls a WCF service over HTTPS on the same or a different server. The error occurs because SharePoint implements its own certificate validation policy, which overrides .NET certificate validation.
The fix is to set up a trust between SharePoint and the server requiring certificate validation.
In the SharePoint Central Administration site, go to “Security” and then “Manage Trust”. Upload the certificates to SharePoint. The key is to get both the root and subordinate certificates into SharePoint.
The steps to get the certificates from the remote server hosting the WCF service are as follows:
1. Browse from IE to the WCF service (e.g., https://remotehost/service.svc?wsdl)
2. Right-click on the browser body and choose “Properties”, then “Certificates”, and then “Certificate Path”.
This shows the certificate chain that the other server requires in order to communicate with it properly. You can double-click each level in the certificate chain to open that particular certificate, then click the “Details” tab and “Copy to File” to save the certificate with the default settings.
As an example, get both VeriSign and VeriSign Class 3 Extended Validation SSL CA.
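The upload step can also be scripted from the SharePoint Management Shell with the New-SPTrustedRootAuthority cmdlet, which writes to the same trust store that “Manage Trust” shows. This is an added example, not part of the original post; the folder path is an assumption, and each entry is named after its file.

```powershell
# Added example: import saved CA certificates into SharePoint's trust store.
# Run from the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: folder containing the .cer files saved with "Copy to File".
$certFolder = 'C:\certs\remotehost-chain'

# Thumbprints SharePoint already trusts, so a re-run adds no duplicates.
$trusted = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })

foreach ($file in Get-ChildItem -Path $certFolder -Filter *.cer) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

    # Accept CA certificates only: Basic Constraints CA=true, or self-signed
    # (older v1 roots carry no Basic Constraints extension at all).
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = ($cert.Subject -eq $cert.Issuer) -or ($bc -and $bc.CertificateAuthority)
    if (-not $isCa) {
        Write-Warning "$($file.Name): not a CA certificate, skipped"
        continue
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$($file.Name): expired on $($cert.NotAfter), skipped"
        continue
    }
    if ($trusted -contains $cert.Thumbprint) {
        Write-Host "$($file.Name): already trusted"
        continue
    }

    # Show the thumbprint so it can be compared with the value in the
    # browser's certificate dialog before relying on the new trust entry.
    Write-Host "Adding $($cert.Subject) [$($cert.Thumbprint)]"
    # The file name (without extension) becomes the entry name in Manage Trust.
    New-SPTrustedRootAuthority -Name $file.BaseName -Certificate $cert | Out-Null
    $trusted += $cert.Thumbprint
}
```

Comparing each printed thumbprint with the one shown on the “Details” tab confirms that the files imported are the certificates that were inspected in the browser.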
Hope this helps!
Comments
- Anonymous
July 01, 2014
Comment
- Anonymous
February 20, 2015
Very helpful! Thank you
- Anonymous
October 20, 2015
I think we don't need these steps for SP2010 with a version earlier than SP2. I started seeing this issue after SP2.
Can you confirm if we need the same steps for SP2013 as well?