PartialChain: A certificate chain could not be built to a trusted root authority

    Question

  • I am attempting to use the RSS Viewer webpart on one of my sites.

    We have a web monitoring tool in place that inspects HTTPS traffic to sites that aren't whitelisted by generating certificates on the fly; those certificates are trusted because they are chained to our corporate trusted root authority.

    If I use an RSS feed from a whitelisted site (no certificate interception) it works fine.

    If I use an RSS feed from a non-whitelisted site (certificate interception with corporate root cert) it doesn't work and I see a "PartialChain: A certificate chain could not be built to a trusted root authority" in the ULS logs.

    Our corporate root certificate is trusted on all our SharePoint servers, and if I use IE11 to browse to the RSS feed site from those servers, the certificate shows as trusted.

    What could be different in the way SharePoint is attempting to validate the certificate that could cause it to fail when using the RSS Viewer webpart vs browsing from the server with Internet Explorer?


    Friday, April 07, 2017 12:20 AM

All replies

  • Hi ShrPntAdmin247,

    By default, the SharePoint Root Authority certificate is not added to the Trusted Root Certificate Authorities store of the SharePoint servers.

    Please install the SharePoint Root Authority certificate in the Trusted Root Certificate Authorities store.

    1. Export the SharePoint Root Authority certificate as a physical (.cer) file. Start the SharePoint 2010 Management Shell as an Administrator, and then run the following Windows PowerShell commands:

    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    
    $rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte


    Note: This will export the internal root certificate (.cer file) for SharePoint to Drive C. You can copy and use this file on all servers in the farm for importing without having to run the PowerShell commands again.

    2. Import the SharePoint Root Authority certificate to the Trusted Root Certification Authorities store. To add the SharePoint Root Authority certificate to the Trusted Root Certification Authorities store, follow these steps:

    Note: "Administrators" is the minimum required group membership to complete these steps.

    (1) Tap or click Start, type mmc in Start search, and then press Enter.

    (2) On the File menu, click Add/Remove Snap-in.

    (3) Under Available snap-ins, click Certificates, and then click Add.

    (4) Under This snap-in will always manage certificates for, select Computer account, and then click Next.

    (5) Select Local computer, and then click Finish.

    (6) If you have no more snap-ins to add to the console, click OK.

    (7) In the console tree, double-click Certificates.

    (8) Right-click the Trusted Root Certification Authorities store.

    (9) Click All Tasks, click Import to import the certificate, and then follow the steps in the Certificate Import Wizard.

    Best Regards,

    Linda Zhang


    Saturday, April 08, 2017 2:55 AM
    Moderator
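
A scripted equivalent of step 2 in the reply above, with a chain check before and after the import so the result can be compared with the PartialChain entry in the ULS logs. This is an added example, not part of the original reply. It assumes Windows PowerShell 3.0 or later with the PKI module (for Import-Certificate), an elevated session, and the file path from step 1; Test-CertificateChain is a hypothetical helper name.

```powershell
# Added example. Run elevated on each SharePoint server.
# $cerPath is the file written by the export command in step 1 of the reply.
$cerPath = 'C:\SharePointRootAuthority.cer'
$store   = 'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities (computer account)

function Test-CertificateChain {
    # Hypothetical helper: builds a chain for one certificate and reports the
    # X509ChainStatusFlags values (PartialChain, UntrustedRoot, ...) that .NET returns.
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: revocation checking is switched off so the result reflects
    # trust-path building only, not CRL/OCSP reachability from the server.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $trusted = $chain.Build($Certificate)
    $result = [pscustomobject]@{
        Subject     = $Certificate.Subject
        Thumbprint  = $Certificate.Thumbprint
        Trusted     = $trusted
        # Empty when the chain built cleanly to a trusted root.
        Status      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainLength = $chain.ChainElements.Count
    }
    $chain.Reset()
    return $result
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# Chain status before the import.
Test-CertificateChain -Certificate $cert

# Import only if this thumbprint is not already in the computer's root store.
if (-not (Test-Path (Join-Path $store $cert.Thumbprint))) {
    Import-Certificate -FilePath $cerPath -CertStoreLocation $store | Out-Null
}

# Chain status after the import: Trusted should be True and Status empty.
Test-CertificateChain -Certificate $cert
```

Because the same .cer file can be copied to every server in the farm, the script can be run unchanged on each one.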