Friday, March 22, 2013

Register-SPWorkflowService error: The root of the certificate chain is not a trusted root authority

I got the error below when registering the Workflow 2013 service for a SharePoint 2013 site collection:

Register-SPWorkflowService : The root of the certificate chain is not a trusted root authority.
At line:1 char:1
+ Register-SPWorkflowService -SPSite "http://pdsha03"
-Wo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Share...WorkflowService:
   RegisterSPWorkflowService) [Register-SPWorkflowService], ConfigurationException
    + FullyQualifiedErrorId : Microsoft.SharePoint.WorkflowServices.PowerShell.RegisterSPWorkflowService

Quite easy to fix.

Check IIS and make sure the workflow server name is correct.

[Update 2013-3-24]

It is quite possible that we need to install the domain certificate for the Workflow Management site.


  1. There are quite a few more troubleshooting steps you can take here, depending on your WFM topology. If you are using multiple Workflow Manager hosts, you will need to add a signed certificate to the local Trusted Root Authority of all machines in the farm. That same certificate must also be in the local Personal certificate store of all WFM hosts. To ensure that WFM will recognize the certificate, use the import wizard in IIS.

    1. Thanks, Jason. You are right.

      If there are multiple workflow manager hosts, we need to configure NLB for them, is that correct?

    2. Yep! For my environment, we created a host name and assigned a VIP to it for provisioning NLB and DNS rules. I then provided that host name to the server security team to give me a server cert with both the short and long names (e.g. "qawfm", "") added in the SAN list. Note: it was important for me to also have the server name listed in this fashion. Even when providing the host name of the site in configuration, I was receiving errors that contained "servername:12290". If the certificate you receive isn't .pfx, you will not be able to complete setup. Should your security team only be able to provide .cer, create a dummy IIS site, upload the .cer certificate through the "complete certificate request" option, then export the certificate, give it a key, and allow that key to be exported.

      That is pretty garbled so I apologize for that. If there are any questions for clarification or additional information, I would be more than happy to answer what I can.

    3. Thanks Jason, that's clear to me.

      Someday, it may save me quite a lot of troubleshooting. :-)
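A diagnostic for the checks discussed in the post and comments above, added here as an example and not taken from the post or from Microsoft: run on each SharePoint and Workflow Manager machine, it reads the certificate the workflow endpoint presents and reports whether the local stores trust its chain and which names are in its SAN list. The function name `Test-WfmCertificateChain` and the host name in the sample call are assumptions; port 12290 is the one seen in the "servername:12290" errors.

```powershell
# Added example (not the post author's code). Function name is hypothetical.
function Test-WfmCertificateChain {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 12290   # port from the "servername:12290" errors in the comments
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: this session only reads the certificate,
        # no request is sent over it. Trust is evaluated separately below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Build the chain against this machine's certificate stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust from CRL reachability
    $trusted = $chain.Build($cert)

    # Topmost certificate the chain engine could reach (the root, if the chain is complete).
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    # Subject Alternative Name extension (OID 2.5.29.17), if present.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    [pscustomobject]@{
        Subject             = $cert.Subject
        Issuer              = $cert.Issuer
        NotAfter            = $cert.NotAfter
        SubjectAltNames     = if ($san) { $san.Format($false) } else { '(none)' }
        ChainTrusted        = $trusted
        # UntrustedRoot here means the root is missing from this machine's Trusted Root store.
        ChainStatus         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainTop            = $top.Subject
        TopInLocalRootStore = $inRootStore
    }
}

# Sample call; 'wfm.example.test' is a placeholder for your Workflow Manager host name.
# Test-WfmCertificateChain -HostName 'wfm.example.test' | Format-List
```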