Monday, May 12, 2014

Could not establish trust relationship for the SSL/TLS secure channel–multi server environment with self-signed certificate for SharePoint 2013 workflow manager

Let’s assume that we have a multi server SharePoint 2013 farm and we need to setup workflow manager in one of them. Following is a sample scenario


If we need the workflow management site over HTTPS we need to configure a SSL certificate. The easiest option would be to configure a self-signed certificate. But it may not work as the certificate is issued by the same server (app server) which is not registered as a valid certificate authority.


When the workflow management site is accessed internally by the WFE Server it throws following error as the certificate is not trusted.

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at Microsoft.Workflow.Common.AsyncResult.End

So how can we resolve the error?

The solution is to use a domain certificate instead of self-signed certificate. To do that we need to ensure “Active Directory Certificate Services” role is deployed in one server within the domain.

If “Active Directory Certificate Services” is available we can use following steps to request a domain certificate

1. In App Server go to Microsoft Management Console and add snap-in for Certificates


2. Select computer account



3. Navigate to Personal > Certificates


4. Click Request new certificate


5. Use this certificate for workflow manager configuration


0s0-Pa said...

Oh man, our programmers working on our eDiscovery technology have been having similar problems!

Sam Daniel said...

How to use new certification to configure workflow manager which is already configured?

Larry Tenison said...

ok, I can create a new cert -- easy. But then, what do I do with it? You say "use this for WF Manager configuration", what does that mean? For SSL? For trust? Where/how?


yalelet setegn said...
This comment has been removed by the author.
Petter Marry said...
This comment has been removed by the author.
Petter Marry said...

Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a .Net developer learn from Dot Net Online Training from India. or learn thru ASP.NET Essential Training Online . Nowadays Dot Net has tons of job opportunities on various vertical industry.
JavaScript Online Training from India