How to re-create the local Trusted Root Authority


In Microsoft SharePoint Foundation/Server 2010 or Microsoft SharePoint Foundation/Server 2013, the following error is logged in the Application Event Log:

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Event ID: 8311
Task Category: Topology
Level: Error
Description: An operation failed because the following certificate has validation errors:

Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
Thumbprint: 7884622F8B800E7AFAAFD3DDF98BE8AC96D4F952

Errors:

The root of the certificate chain is not a trusted root authority.

Additionally, other features that depend on this certificate chain, such as search and claims authentication, do not function correctly.


This problem occurs when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website.

Note: Specifically, the local trust is located in Central Administration > Security > Manage Trust.


To resolve this problem, the local trust relationship has to be re-created. This can be done by running the following Windows PowerShell commands:

# Retrieve the certificate of the farm's own root certificate authority
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Register that certificate again as a trusted root authority (the name is arbitrary)
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert

After running the above commands, perform an IISReset on all servers in the farm.
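The following script is an added example, not part of the KB article: it checks whether the farm root certificate is already registered as a trusted root authority (matching by thumbprint rather than by the arbitrary entry name), re-creates the entry only when it is missing, and then restarts IIS on each SharePoint server. It assumes it is run in an elevated SharePoint Management Shell and that database-only servers are reported by Get-SPServer with the role Invalid.

```powershell
# Added example (not from the KB article). Run elevated on one server in the farm.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# The farm's root CA certificate, as used in the article
$rootCert = (Get-SPCertificateAuthority).RootCertificate
Write-Host "Farm root CA: $($rootCert.Subject) [$($rootCert.Thumbprint)]"

# Match on thumbprint: the trust entry's display name is arbitrary ("localNew" in the article),
# so checking the name alone could miss an entry that was created under another name.
$existing = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $rootCert.Thumbprint }

if ($existing) {
    Write-Host "Root authority is already trusted as '$($existing.Name)'; nothing to do."
} else {
    Write-Warning "Farm root CA is missing from the trusted root authority list (cause of event 8311)."
    New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert | Out-Null
    Write-Host "Re-created the trusted root authority entry."

    # The trust list is cached by the running processes, so IIS must be restarted on every
    # SharePoint server. Assumption: servers with Role 'Invalid' are database-only servers.
    Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | ForEach-Object {
        Write-Host "Restarting IIS on $($_.Address)"
        iisreset $_.Address
    }
}
```

After the script has run, re-check the Application Event Log on each server: event 8311 should no longer be logged for the SharePoint Security Token Service certificate.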
