Export/Import the SharePoint Root Authority Certificate using PowerShell

Installing SharePoint is mostly a repetitive process with lots of small tweaks and actions. One of those small actions you need to do after adding a server to a SharePoint farm is adding the “SharePoint Root Authority” certificate to the Trusted Root Certification Authorities store of that server. You would think this happens automatically during the configuration process. Well, no.

The result is that when you add a server to an existing farm, or you create a new farm, SharePoint will add 3 certificates to the “SharePoint” certificate store on the server.

[Screenshot: SPRootAuthority1 (the three certificates in the “SharePoint” store)]

All of these certificates will have a status: “The issuer of this certificate could not be found”.

[Screenshot: SPRootAuthority2 (certificate status “The issuer of this certificate could not be found”)]

Is this a big problem? Does it break SharePoint? Well, no. SharePoint works happily without it, but users can experience delays when logging into a site or performing a search, and even HTTP timeouts while doing so.

The reason is that, because the certificate chain cannot be completed, the CRL (Certificate Revocation List) check is attempted over the internet. If the CRL server cannot be contacted (for example because the server is isolated from the internet), the operation times out after 15 seconds, and the page is only rendered after that delay. At the same time, two events are written to the CAPI2 event log. CAPI2 event logging is disabled by default, so you need to enable it first to see them.

This behaviour is well documented in KB2625048. That article was written for SharePoint 2010, but it is also valid for SharePoint 2013, and it provides two workarounds.

To fix this, 2 actions are required:
– Export the SharePoint Root Authority certificate from SharePoint
– Import it into the local certificate store

These tasks are outlined in the KB article, but because they involve point-and-click, wizard-style work… I created a small script for this task, just because I can! And I really hate doing this kind of thing over and over again. It costs time, it costs money, and it’s so much more fun creating scripts that make you more efficient in what you do.

<#
.SYNOPSIS
	Adds the "SharePoint Root Authority" certificate to the Trusted Root CA store on the local SharePoint server.

.DESCRIPTION
	Reads the farm's root certificate through Get-SPCertificateAuthority and adds it to
	Cert:\LocalMachine\Root, so that the certificates in the "SharePoint" store chain up to
	a trusted issuer. Writing to LocalMachine\Root requires an elevated session.

.NOTES
	File Name: Add-SharePointCertToStore.ps1
	Author   : Bart Kuppens
	Version  : 1.0
#>

# Load the SharePoint PowerShell snapin if needed
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
{
	Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# The farm's root certificate (an X509Certificate2 object) as held by SharePoint
$RootCert = (Get-SPCertificateAuthority).RootCertificate

if ($RootCert -eq $null)
{
	Write-Output "Unable to get the SharePoint Root Certificate! Halting execution."
}
else
{
	# Make sure the X509Store types are available
	[void][System.Reflection.Assembly]::LoadWithPartialName("System.Security")
	# The Cert: provider returns the Trusted Root CA store as an X509Store object
	$store = Get-Item Cert:\LocalMachine\Root
	if ($store -ne $null)
	{
		# Open for writing, add the certificate (a no-op if it is already present) and close the store
		$store.Open("ReadWrite")
		$store.Add($RootCert)
		$store.Close()
	}
}
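After running the script, you will want proof that the chain is now complete rather than trusting the certificate snap-in. The check below is an added example and not part of Bart's script; it assumes the SharePoint store is exposed by the Cert: provider as Cert:\LocalMachine\SharePoint, and it disables revocation checking on purpose so that the result reflects the local chain only, not whether a CRL server is reachable.

```powershell
# Verify-SharePointRootTrust.ps1 (added example, not from the original post)
# Confirms that the SharePoint Root Authority certificate is in the local Trusted Root
# store and that every certificate in the "SharePoint" store builds a complete chain.
# Assumption: the SharePoint store is reachable as Cert:\LocalMachine\SharePoint.

if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null)
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$RootCert = (Get-SPCertificateAuthority).RootCertificate
if ($RootCert -eq $null) { throw "Unable to read the SharePoint Root Authority certificate." }

# 1. Is the farm root present in LocalMachine\Root? Match on thumbprint, not on subject name.
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $RootCert.Thumbprint }
if ($trusted)
{
    Write-Output ("Root present in Trusted Root store: {0} ({1})" -f $RootCert.Subject, $RootCert.Thumbprint)
}
else
{
    Write-Warning "SharePoint Root Authority is NOT in Cert:\LocalMachine\Root - run Add-SharePointCertToStore.ps1 first."
}

# 2. Build a chain for each certificate in the SharePoint store.
#    RevocationMode = NoCheck: we want to prove the chain is complete locally,
#    which is exactly the condition that stops the 15-second CRL timeout.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

foreach ($cert in Get-ChildItem Cert:\LocalMachine\SharePoint)
{
    if ($chain.Build($cert))
    {
        Write-Output ("OK      {0}" -f $cert.Subject)
    }
    else
    {
        # PartialChain is the status behind "The issuer of this certificate could not be found";
        # UntrustedRoot means the root was found but is not in the Trusted Root store.
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning ("BROKEN  {0}  [{1}]" -f $cert.Subject, $status)
    }
    $chain.Reset()
}
```

Run it on every server in the farm, since the Trusted Root store is per machine and the import has to be repeated on each one.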

By Bart

Bart is a certified SharePoint consultant / architect at CTG Belgium NV with broad professional experience in IT, a background in software development with a specialisation in Microsoft products and technologies, and solid knowledge of and experience with Microsoft SharePoint Products and Technologies. He started as a COBOL developer on a mainframe environment and grew into software development for Windows platforms. He participated in projects ranging from migrations of existing applications to the development of Web applications and Windows applications. He became fascinated by the SharePoint 2007 platform and strongly believed in the added business value of this platform. He has since been fully committed to SharePoint and focuses on SharePoint implementations, migrations, integrations, design and coaching. He stays on top of new developments within the SharePoint technology stack and related technologies.