Error exporting picture from UPA to Active Directory

While trying to export the picture from SharePoint My Sites to the Active Directory attribute ThumbnailPhoto my customer was getting the following error

Error 8311 in Application logs which contained data like the following

An operation failed because the following certificate has validation errors:\n\nSubject Name:, OU=App,\nIssuer Name: CN=Company Sub Root CA, OU=App,\nThumbprint: 26CA7D675C917658E7CB6A6A9E9F7AAAF09B109B\n\nErrors:\n\n The root of the certificate chain is not a trusted root authority..

**Identities have been changed to protect the innocent 🙂


The Root certificate for intermediate Root CA was not trusted within SharePoint.  We knew this by performing the following steps

  1. Navigating to
  2. Clicking on the lock to the right of the address bar
  3. Click the link View Certificates
  4. Select Certification Path
  5. Match 'Company Sub Root CA' from the error with an authority in the path


We had to follow these steps

  1. On SharePoint Server open an MMC Console
  2. Add the snap-in Certificates for the Computer Account
  3. Expand Certificates -> Intermediate Certification Authorities -> Certificates
  4. Select certificate that matches 'Company Sub Root CA' from the error
  5. Right click All Tasks -> Export
  6. Export to file C:\SubRoot.cer as 'DER encoded binary X.509(.CER)
  7. Then on the SharePoint server open SharePoint 2010 Management Shell
  8. Run the following commands

$Cert = Get-PfxCertificate <C:\SubRoot.cer>

New-SPTrustedRootAuthority <UniqueName> -Certificate $Cert


Exchange trust certificates between farms (SharePoint Foundation 2010)

Skip to main content