Fix Errors by Downloading and Installing the Certificate
Authority Root
If any of your SSL tests failed, and you use Microsoft
Certificate Services, you may need to install the certificate
authority root on your servers by using the following
procedure.
Note: If you use another certificate authority (CA), use the steps
supplied by the certificate authority provider.
- In your Web browser, enter the URL of the CA server.
- On the Welcome page, click Download a CA certificate,
certificate chain, or CRL.
- On the Download a CA Certificate, Certificate Chain, or CRL
page, do the following:
  - In the CA certificate list, select the certificate that
    begins with "Current."
  - In the Encoding method section, ensure that DER is
    selected.
  - Click Download CA certificate chain.
  - In the File Download dialog box, click Save.
  - In the Save As dialog box, specify a location for the
    file, and then click Save.
  - Click Close to close the Download Complete dialog
    box.
  Note: The file type that you downloaded should be a .p7b file.
- Close your Web browser.
- On the taskbar, click Start, and then click
Run.
- In the Open box, type MMC, and then click
OK.
- On the console File menu, click Add/Remove
Snap-in.
- In the Add/Remove Snap-in dialog box, on the
Standalone tab, click Add.
- In the Add Standalone Snap-in dialog box, in the
Available Standalone Snap-ins list, click
Certificates, and then click Add.
- In the Certificates snap-in dialog box, click
Computer account, and then click Next.
- In the Select Computer dialog box, click Local
computer: (the computer this console is running on), and then
click Finish.
- Click Close to close the Add Standalone Snap-in
dialog box.
- Click OK to close the Add/Remove Snap-in dialog
box.
- Expand the Certificates (Local Computer) node.
- Expand the Trusted Root Certification Authorities
node.
- Right-click Certificates, point to All Tasks, and
then click Import.
- On the Welcome to the Certificate Import Wizard page, click
Next.
- On the File to Import page, do the following:
  - Click Browse, and navigate to the location of the
    certificate file that you saved.
  - In the File name box, type *.p7b, and then press
    ENTER.
  - Select the file with the .P7B extension, and then click
    Open.
  - Click Next.
- On the Certificate Store page, do the following:
  - Click Place all certificates in the following
    store.
  - In the Certificate store box, specify Trusted Root
    Certification Authorities.
  - Click Next.
- On the Completing the Certificate Import Wizard page,
click Finish.
- Click OK to close the successful import message
box.
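
The import above can also be scripted and checked before anything is trusted. The following PowerShell is an added example, not part of the original procedure: it lists every certificate in the .p7b with its thumbprint so that it can be compared with the value published by the CA, then places self-signed certificates in Trusted Root Certification Authorities and any other certificates in Intermediate Certification Authorities (the wizard steps above place all of them in Trusted Root). The path C:\certs\ca-chain.p7b is an assumed save location, and the script assumes Windows PowerShell is available and is run from an elevated prompt.

```powershell
# Added example: inspect a downloaded CA chain (.p7b) and import it into the
# local computer certificate stores. Run from an elevated prompt.
# Assumption: this is where the file was saved in the download step.
$p7bPath = 'C:\certs\ca-chain.p7b'

# Load every certificate contained in the PKCS #7 file.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($p7bPath)
if ($chain.Count -eq 0) { throw "No certificates found in $p7bPath" }

function Get-TargetStore {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject equal to issuer marks a self-signed root; anything else is an
    # intermediate CA. This is a name comparison, not a signature check.
    if ($Cert.Subject -eq $Cert.Issuer) { 'Root' } else { 'CA' }
}

# Show what is about to be trusted. Compare each thumbprint with the value
# obtained from the CA through a separate channel before continuing.
$chain |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ Name = 'Store'; Expression = { Get-TargetStore $_ } } |
    Format-List

$answer = Read-Host 'Import these certificates into the local computer stores? (y/n)'
if ($answer -eq 'y') {
    foreach ($cert in $chain) {
        $storeName = Get-TargetStore $cert
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite')
        try { $store.Add($cert) } finally { $store.Close() }
        Write-Output "Added $($cert.Thumbprint) to LocalMachine\$storeName"
    }
}
```

With a single-tier Microsoft CA the chain contains only the root certificate, so the result matches the wizard procedure.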
Common Name Does Not Resolve
If the common name does not resolve, restart the front-end Web
servers and the index management servers.
If restarting the servers does not fix the problem, ping the
common name. If the ping does not resolve to an IP address and
states that the host cannot be found, contact your domain
administrator. To ping the common name, do the following:
- Open a command prompt.
- Type ping common_name, and then press ENTER.
Certificate Is Not Trusted
This error appears if you installed the .cer or .pfx file. If
you receive this error, you must add the certificate authority
root. See "Fix Errors by Downloading and Installing the Certificate
Authority Root" in this section.
Inheritance Overrides Not Accepted
If you did not accept the inheritance overrides in Step 7 of
this paper, you must remove the certificate, remove the requirement
for SSL, and then start again. To do this:
- Open Internet Information Services (IIS) Manager.
- In the console tree, expand the computer name node.
- Expand the Web Sites node, right-click Default Web
Site, and then click Properties.
- On the Web Site tab, in the Web site
identification section, click Advanced.
- In the Advanced Web Site Identification dialog box, in
the Multiple SSL identities for this Web site section, click
each IP address and click Remove until no IP addresses are
listed.
- Click OK to close the Advanced Web Site
Identification dialog box.
- On the Directory Security tab, in the Secure
communications section, click Server Certificate.
- On the Welcome to the Web Server Certificate Wizard page, click
Next.
- On the Modify the Current Certificate Assignment page, click
Remove the current certificate, and then click
Next.
- On the Remove a Certificate page, click Next.
- On the Completing the Web Server Certificate Wizard page, click
Finish.
- On the Directory Security tab, in the Secure
communications section, click Edit.
- In the Secure Communications dialog box, clear the
Require secure channel (SSL) check box, and then click
OK.
- Click OK to close the Default Web Site Properties
dialog box.
- Go to "Step 1: Ensure that You Can Access the Home Page of the
Portal Site" in this paper and start again.
If following this procedure does not resolve the problem, refer
to your IIS documentation. Solutions may include deleting the
virtual server and re-extending the portal site to the new virtual
server.
Home Page of the Portal Site Does Not Appear
If the home page of the portal site does not appear, you should
test that SSL is enabled correctly on the primary front-end Web
server and on each network load-balanced front-end Web server. If
you are using shared services, run this test on the computer that
hosts the parent portal site for shared services.
On the primary front-end Web server and on each remaining
network load-balanced front-end Web server, do the following:
- Create a file called Default.htm with the following text:
<h1>Test SSL on front-end Web server server_number.</h1>
The server number will change for each server. For
example, if you have three front-end Web servers in addition to the
primary front-end Web server, you would create a file with
<h1>Test SSL on front-end Web server 1.</h1> for the first server,
<h1>Test SSL on front-end Web server 2.</h1> for the second server,
and so on.
- Move this file to the wwwroot folder. By default, the folder is
on the operating system drive at Inetpub\wwwroot.
- Open Internet Information Services (IIS) Manager.
- In the console tree, expand the computer name node.
- Expand the Web Sites node.
- Right-click Default Web Site, point to New, and
then click Virtual Directory.
- On the Welcome to the Virtual Directory Creation Wizard page,
click Next.
- On the Virtual Directory Alias page, in the Alias box,
type test as the name for the virtual directory, and then
click Next.
- On the Web Site Content Directory page, in the Path box,
specify the path to the wwwroot directory, and then click
Next.
By default, this directory is on the operating system
drive at Inetpub\wwwroot.
- On the Virtual Directory Access Permissions page, click
Next. Do not change the default values that are
selected.
- On the You have successfully completed the Virtual Directory
Creation Wizard page, click Finish.
- On the SharePoint Portal Server Central Administration for
Server_Name page, under Links to related administration
home pages, click Windows SharePoint Services.
- On the Windows SharePoint Services Central Administration page,
in the Virtual Server Configuration section, click
Configure virtual server settings.
- On the Virtual Server List page, click Default Web
Site.
- On the Virtual Server Settings page, in the Virtual Server
Management section, click Define managed paths.
- On the Define Managed Paths page, in the Add a New Path
section, do the following:
  - In the Path box, type /test.
  - In Type, click Excluded path.
  - Click OK.
- Open a new browser window, and type
https://server_name/test/default.htm.
You might see the following warnings:
- "You are about to view pages over a secure connection." To
continue, click OK.
- "Revocation information for the security certificate for this
site is not available." This warning means that your server is
unable to connect to the certificate server to verify that the
certificate you just obtained has not been revoked. To continue,
click Yes.
- An authentication prompt. Enter your user name and password,
and then click OK.
Your test page should appear.
Portal Site or Test Page Fails to Display on One or More
Front-End Web Servers
If the home page of the portal site or test page does not
appear, check the event log for an error with an Event Source of
Schannel, an Event ID of 36869, and a description
stating,
"The SSL server credential's certificate
does not have a private key information property attached to it.
This most often occurs when a certificate is backed up incorrectly
and then later restored. This message can also indicate a
certificate enrollment failure."
If this event ID exists, perform the steps from the section
"Inheritance Overrides Not Accepted," earlier in this
paper. Then, follow the instructions in this paper starting with
step 9, "Export the Server Certificate for Use on the Primary
Front-End Web Server." The error was most likely due to the
use of an alternate method for exporting the server certificate,
and the private key was not included.
If this event ID does not exist, check your network connections
and network connectivity, or restart your server.
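
The event log check described above can be run on each front-end Web server with the following PowerShell, which is an added example and not part of the original paper. It searches the System log for Schannel event 36869 and then lists the certificates in the local computer Personal store together with whether each one has a private key attached; it assumes Windows PowerShell is available and is run from an elevated prompt.

```powershell
# Added example: look for Schannel event 36869 and identify server
# certificates that were installed without their private key.

# 1. Search the System log for the event named in this section.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36869
} -MaxEvents 20 -ErrorAction SilentlyContinue

if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Output 'No Schannel 36869 events were found in the System log.'
}

# 2. List certificates in the local computer Personal store. A server
#    certificate with HasPrivateKey = False cannot be used by IIS for SSL
#    and matches the cause described for event 36869.
$serverCerts = Get-ChildItem Cert:\LocalMachine\My
$serverCerts |
    Sort-Object HasPrivateKey |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
    Format-Table -AutoSize

# 3. Summarize the certificates that need to be exported again with the
#    private key included.
$missingKey = @($serverCerts | Where-Object { -not $_.HasPrivateKey })
Write-Output "$($missingKey.Count) certificate(s) in LocalMachine\My have no private key."
```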