
I was recently upgrading a MOSS 2007 SSP database (the profile database) to a SharePoint 2010 profile database. The MOSS web applications, in particular the My Site hosting web application, used SSL, a typical scenario for many customers. When I reached the step to update the photo store, I got a certificate error trying to run the Update-SPProfilePhotoStore cmdlet. I could access the My Site web application through a browser without getting a certificate error, and checking the certificate trust chain on the 2010 server showed the root certificate was properly installed. So why was I getting a certificate error?

 

It turns out, as has been pointed out in other blogs (http://blogs.technet.com/b/speschka/archive/2010/04/24/update-on-errors-for-root-certificate-not-trusted-with-sharepoint-2010-claims-authentication.aspx), that SharePoint 2010 needs a copy of the SSL root certificate in its own internal certificate store, which is separate from the server's machine certificate store. To fix the problem:

1. Using the Certificate MMC, export the MOSS 2007 SSL root authority certificate to a location where it can be accessed from the SharePoint 2010 farm. In this example that is c:\temp\CA-certnew.cer.

2. Open the SharePoint 2010 Management Shell (Windows PowerShell) as an administrator. Enter the following Windows PowerShell command, changing the location parameter as necessary for your environment.
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\temp\CA-certnew.cer")

3. Use the New-SPTrustedRootAuthority cmdlet to add the certificate object to the SharePoint Trusted Root store, changing parameter values for your environment.
New-SPTrustedRootAuthority -Name "home-DC1-DA" -Certificate $rootCert


Having completed these steps, the Update-SPProfilePhotoStore cmdlet now ran without error.
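
Steps 2 and 3 above as one script, with checks on the exported file before it is trusted. This is an added example, not part of the original post; the path and trust name are the ones from the steps above, and the checks (self-signed, within validity, thumbprint already present in the machine Root store, not already trusted by SharePoint) are assumptions about what you want verified first.

```powershell
# Added example: validate the exported root certificate, then trust it in SharePoint.
# Run in an elevated SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath  = "c:\temp\CA-certnew.cer"   # export location from step 1
$trustName = "home-DC1-DA"              # display name from step 3

$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# A root authority certificate is self-signed: subject and issuer are identical.
if ($rootCert.Subject -ne $rootCert.Issuer) {
    throw "Not a root certificate (issuer is '$($rootCert.Issuer)'). Export the top of the chain."
}

# Refuse a certificate that is outside its validity period.
$now = Get-Date
if ($now -lt $rootCert.NotBefore -or $now -gt $rootCert.NotAfter) {
    throw "Certificate is not currently valid ($($rootCert.NotBefore) to $($rootCert.NotAfter))."
}

# Confirm the file is the same root the server already trusts at machine level,
# so a wrong or tampered file in c:\temp is not added to the farm's trust store.
$machineRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
if (-not $machineRoot) {
    throw "Thumbprint $($rootCert.Thumbprint) is not in LocalMachine\Root; verify the file first."
}

# Skip the add if SharePoint's own store already holds this certificate.
$existing = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $rootCert.Thumbprint }
if ($existing) {
    Write-Host "Already trusted by SharePoint as '$($existing.Name)'."
} else {
    New-SPTrustedRootAuthority -Name $trustName -Certificate $rootCert | Out-Null
    Write-Host "Added '$trustName' ($($rootCert.Thumbprint)) to the SharePoint trusted root store."
}
```

Running `Get-SPTrustedRootAuthority` afterwards lists every root the farm trusts, which is worth reviewing periodically since this store is managed separately from the Windows certificate stores.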