A certificate chain could not be built to a trusted root authority.

This question is not answered

LSRetailPosis.TransactionServices.EstablishConnection: System.ServiceModel.Security.SecurityNegotiationException: The X.509 certificate CN=TSServerCert chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.
 ---> System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=TSServerCert chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.

 

I'm using a self-signed certificate in IIS; while accessing Inventory lookup in Retail POS, the above error is generated. Right now the MS Dynamics 2012 R2 server and the Retail POS client are installed on the same machine. I did try to import the certificate into Trusted Root Certificate Authority, but in vain.

All Replies
  • Have you read AX for Retail 2012 R2: Troubleshooting the Real-time Service by Shane Erstad?

    Shane details this scenario in the post and I have resolved the same issue using the method he describes.

    Problem: Call to the Real-time Service results in an error similar to (POS error log): System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=TSServerCert chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.


    Solution:  One of the more difficult tasks in configuring the Real-time Service is getting your Server Certificate set up correctly.  If you are creating a test environment it is very likely that you are using a test or self-signed certificate.  If this is the case, all clients attempting to connect to the Real-time Service (i.e. your POS machines) need to create a trust chain with that server.  This step is not needed if you are using a purchased certificate because the publisher of that certificate is already a trusted authority.

    If you find yourself in this situation, you can run the InstallCertificationAuthority PowerShell script that is included with the Real-time Service installation.  You will need a .cer file (certification authority) and a .crl (revocation list) to run the script.

    Alternatively, you can install the certificate on the POS machine itself: 

    1. Export the certificate from the Certificates > Computer account (see http://technet.microsoft.com/en-us/library/cc779668(v=WS.10).aspx for details)
    2. Copy the resulting .cer and/or .pfx files to the POS machine.
    3. Double-click each of the files and follow the Certificate Import Wizard to install the certificate.

    Note:  Keep in mind that you should not use a self-signed certificate in a production environment.  When you purchase your certificate from a trusted authority the POS machines will automatically create a trusted connection to the Real-time Service without having to install certificates.
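
A way to check on the POS machine why the chain still fails after an import, as an added example that is not part of the thread or of Shane's post. It reports which Trusted Root store (Local Machine or Current User) holds the certificate and builds the chain with and without revocation checking; the `$CerPath` value and the `Test-Chain` helper are assumptions made for the example.

```powershell
param(
    # Assumed path to the .cer file exported in step 1 (placeholder, adjust).
    [string]$CerPath = 'C:\Temp\TSServerCert.cer'
)

function Test-Chain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
    )
    # A default X509Chain uses the current user's context, which also sees the
    # Local Machine stores; run this as the account that runs the POS client.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $builds = $chain.Build($Certificate)
    [pscustomobject]@{
        RevocationMode = $RevocationMode
        Builds         = $builds
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
'Subject:     {0}' -f $cert.Subject
'Issuer:      {0}' -f $cert.Issuer
'Self-signed: {0}' -f ($cert.Subject -eq $cert.Issuer)   # heuristic: subject equals issuer

# 1. Is the certificate (or, for a test CA, its issuer) in a Trusted Root store,
#    and in which one? A copy only under CurrentUser is invisible to other accounts.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $match = Get-ChildItem "Cert:\$location\Root" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint -or $_.Subject -eq $cert.Issuer }
    '{0,-12} Root: {1}' -f $location, $(if ($match) { 'present' } else { 'absent' })
}

# 2. Build the chain with and without revocation checking to separate the causes:
#    UntrustedRoot / PartialChain                -> root is not trusted for this account
#    RevocationStatusUnknown / OfflineRevocation -> the .crl cannot be found or reached
Test-Chain -Certificate $cert -RevocationMode Online
Test-Chain -Certificate $cert -RevocationMode NoCheck
```

The `NoCheck` run is diagnostic only and changes nothing in how the POS client validates the server certificate.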