Monday, May 12, 2014

Could not establish trust relationship for the SSL/TLS secure channel–multi server environment with self-signed certificate for SharePoint 2013 workflow manager

Let’s assume that we have a multi server SharePoint 2013 farm and we need to setup workflow manager in one of them. Following is a sample scenario


If we need the workflow management site over HTTPS we need to configure a SSL certificate. The easiest option would be to configure a self-signed certificate. But it may not work as the certificate is issued by the same server (app server) which is not registered as a valid certificate authority.


When the workflow management site is accessed internally by the WFE Server it throws following error as the certificate is not trusted.

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at Microsoft.Workflow.Common.AsyncResult.End

So how can we resolve the error?

The solution is to use a domain certificate instead of self-signed certificate. To do that we need to ensure “Active Directory Certificate Services” role is deployed in one server within the domain.

If “Active Directory Certificate Services” is available we can use following steps to request a domain certificate

1. In App Server go to Microsoft Management Console and add snap-in for Certificates


2. Select computer account



3. Navigate to Personal > Certificates


4. Click Request new certificate


5. Use this certificate for workflow manager configuration


0s0-Pa said...

Oh man, our programmers working on our eDiscovery technology have been having similar problems!

samdany10 said...

How to use new certification to configure workflow manager which is already configured?

Larry Tenison said...

ok, I can create a new cert -- easy. But then, what do I do with it? You say "use this for WF Manager configuration", what does that mean? For SSL? For trust? Where/how?


Unknown said...
This comment has been removed by the author.
Petter Marry said...
This comment has been removed by the author.
Robert McCain said...

If you think your spouse is cheating, and you need to hire a real hacker to remotely monitor / hack their phone, recover your stolen bitcoin / any other cryptocurrency, or hack a database and clear bad records with guaranteed privacy, contact or whatsapp: +1 3478577580, they are efficient and confidential.