Get-SPSite Error – X.509 Certificate Error

I encountered an issue the other day in a testing environment where I couldn’t run Get-SPSite from PowerShell. I’ve seen stuff like this in the past when trying to call a site collection when a user isn’t a ShellAdmin or otherwise lacks permissions, but that wasn’t the case here.

When trying to call a specific site I was getting the error –

“Get-SPSite : Cannot find an SPSite object with the Id or Url:”

But when trying just a generic Get-SPSite I was getting –

“Get-SPSite : ID4257: X.509 certificate ‘CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US’ validation failed by the token handler.”

In the event log I was seeing – Event ID 8311

“An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: 669768FC7C91DF33439823EDDEF4AB64AF37CAF9\n\nErrors:\n\n The root of the certificate chain is not a trusted root authority.”


And these errors were duplicated in the ULS logs. Some research led me to which describes a scenario where the root certificate for the Security Token Service is missing or incorrect and needs to be replaced. Truth be told the last time I had been working in this test environment I had been playing with some ADFS certificates and I believe now that I inadvertently overwrote or replaced my default STS certificate.

Sure enough when I ran Get-SPTrustedRootAuthority I could see the certs I had added for ADFS but not the default STS cert.

I was able to use PowerShell to create a new default certificate based on the post above and from this KB article @

Here are the commands I used –

# Grab the farm's own root certificate (the issuer of the STS certificate)
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Register it again as a trusted root authority under a new name
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert

After running this I was able to see a new cert named “localNew” when running Get-SPTrustedRootAuthority; it also showed up in Central Administration under “Security -> Manage Trusts”.
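Here is a small check script that ties the symptoms above together: it compares the farm root certificate's thumbprint against what Get-SPTrustedRootAuthority returns, pulls any recent Event ID 8311 entries from the Application log, and only re-adds the root when you pass -Fix. This is an added example, not code from the original post; it assumes it is run in the SharePoint Management Shell on a farm server, and the name "localNew" is just the placeholder name used above.

```powershell
# Added example (not from the original post). Run from the SharePoint
# Management Shell on a farm server. -Fix re-registers the root; without it
# the script only reports.
param(
    [switch]$Fix,
    [string]$TrustName = "localNew"   # placeholder name for the re-added root
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. The farm's own root CA, which issued the STS signing certificate
$rootCert = (Get-SPCertificateAuthority).RootCertificate
Write-Host "Farm root CA : $($rootCert.Subject)"
Write-Host "Thumbprint   : $($rootCert.Thumbprint)"

# 2. Everything currently listed under Security -> Manage Trusts
$trusted = @(Get-SPTrustedRootAuthority)
Write-Host "`nTrusted root authorities:"
$trusted | ForEach-Object { "  {0,-30} {1}" -f $_.Name, $_.Certificate.Thumbprint }

$match = $trusted |
    Where-Object { $_.Certificate.Thumbprint -eq $rootCert.Thumbprint } |
    Select-Object -First 1

if ($match) {
    Write-Host "`nOK: farm root is trusted as '$($match.Name)'. STS chain should validate."
    return
}

Write-Warning "Farm root CA is NOT in the trusted root list; STS tokens will fail chain validation."

# 3. Corroborate with the Application log: Event ID 8311 is the
#    "certificate has validation errors" event seen in the post.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 8311 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $subject = [regex]::Match($e.Message, 'Subject Name:\s*([^\r\n]+)').Groups[1].Value
    $thumb   = [regex]::Match($e.Message, 'Thumbprint:\s*([^\r\n]+)').Groups[1].Value
    Write-Host ("  {0:u}  subject={1}  thumbprint={2}" -f $e.TimeCreated, $subject, $thumb)
}

# 4. Re-register the root, the same fix the post applies, but only on request
if (-not $Fix) {
    Write-Host "`nRe-run with -Fix to register the farm root as '$TrustName'."
    return
}

New-SPTrustedRootAuthority -Name $TrustName -Certificate $rootCert | Out-Null
Write-Host "Registered '$TrustName' ($($rootCert.Thumbprint))."

# 5. Confirm the original symptom is gone: a plain Get-SPSite should now succeed
try {
    $null = Get-SPSite -Limit 1 -ErrorAction Stop
    Write-Host "Get-SPSite succeeded; STS certificate chain is trusted again."
} catch {
    Write-Warning "Get-SPSite still failing: $($_.Exception.Message)"
}
```

Matching on the thumbprint rather than the display name is the point here: the post's ADFS work left entries in the trust list, so a non-empty Get-SPTrustedRootAuthority result by itself does not prove the STS root is present.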


About Mr_SHeister

Geek, Dad, SharePoint Administrator