Error message when you try to take an external list offline after you uninstall and then reinstall SharePoint Server 2010: "Failed to obtain signing certificate"

This article has been archived. It is offered "as is" and will no longer be updated.
Consider the following scenario:
  • You run a Web application on a site that is running Microsoft SharePoint Server 2010.
  • You take a Microsoft SharePoint Server 2010 external list offline.
  • You uninstall SharePoint Server 2010.
  • You reinstall SharePoint Server 2010.
  • You run a different Web application on a site that is running SharePoint Server 2010.
  • You try to take a SharePoint Server 2010 external list offline.
In this scenario, the external list cannot be taken offline. Additionally, you receive the following error message:
Failed to obtain signing certificate.
When you install SharePoint 2010, a security group is created that is named WSS_WPG. This security group represents the Application Pool accounts. When you take an external list offline for the first time, SharePoint 2010 creates a certificate and a signing key, and then grants access to the WSS_WPG group. The certificate is used to sign the package with the client components of the external list.

When you uninstall SharePoint 2010, the WSS_WPG group is removed but the certificate remains. When you reinstall SharePoint, the WSS_WPG group is created again with a new security identifier (SID) that differs from the identifier from the previous installation. However, the certificate's permissions still reference the old SID. Therefore, the next time that an external list is taken offline, the certificate already exists and SharePoint 2010 tries to reuse the certificate. Because it is secured by a security group that no longer exists, the permission check fails and the external list package cannot be signed.
To resolve this issue, use one of the following methods.

Note In the following methods, the name of the key container is the application pool account name for SharePoint 2010. For example, if the current application pool account is "Contoso\pkmacct," the name of the key container is "Contoso\pkmacct."

Method 1

Use the Aspnet_regiis.exe registration tool to grant the current WSS_WPG group access to the key.

For example, to grant the current WSS_WPG group access to the key, run the following command at an elevated command prompt:
aspnet_regiis -pa "Contoso\pkmacct" WSS_WPG
For more information about the Aspnet_regiis.exe registration tool, visit the following Microsoft Developer Network (MSDN) Web site:

Method 2

Remove the key file.

Note The key is saved in a file whose unique name is a string that is derived from the MD5 hash of the key container name concatenated with the MachineGuid registry value. This registry value is stored in the following subkey in the registry:
This file is stored in the following location.

Windows Server 2008

You must use a tool or run a script to determine the unique name of the key container.

For example, to determine the unique name of the key container, you can run the following PowerShell script:
# Name of the key container (the application pool account name); quote it so the backslash is preserved
$keycontainername = "key_container_name"
$params = New-Object System.Security.Cryptography.CspParameters
$params.KeyContainerName = $keycontainername
# KeyNumber 2 selects the signature key (AT_SIGNATURE) in the container
$params.KeyNumber = 2
# Look in the machine key store, not the current user's store
$params.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
$csp = New-Object System.Security.Cryptography.RSACryptoServiceProvider -argumentlist $params
Write-Host "Container File Name:" $csp.CspKeyContainerInfo.UniqueKeyContainerName
Note The key_container_name placeholder is the name of the key container that you want to remove. In this example, replace the key_container_name placeholder with Contoso\pkmacct.
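The following script is an added example, not part of this article: it extends the article's lookup so that, before anything is removed, an administrator can see the full path of the key container file and whether its ACL still carries an access control entry for a SID that no longer resolves (the stale WSS_WPG SID from the previous installation described above). It assumes the key is in the machine key store and that the file sits under the standard RSA machine key store folder, %ProgramData%\Microsoft\Crypto\RSA\MachineKeys; the function names are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not the KB article's script). Assumes the machine key store and
# the standard MachineKeys folder under $env:ProgramData.
param(
    # Key container name = the application pool account name, for example "Contoso\pkmacct"
    [Parameter(Mandatory = $true)]
    [string]$KeyContainerName
)

function Get-SigningKeyContainerFile {
    param([string]$ContainerName)

    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $ContainerName
    $csp.KeyNumber = 2   # signature key, as in the article's script
    # UseExistingKey makes the call fail instead of silently creating a new,
    # empty container when no key with this name exists yet.
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
                 [System.Security.Cryptography.CspProviderFlags]::UseExistingKey

    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
    $rsa.PersistKeyInCsp = $true   # make sure releasing the handle does not delete the key
    $unique = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $rsa.Clear()

    $machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    return (Join-Path $machineKeys $unique)
}

function Get-KeyFileAclReport {
    param([string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        # Get-Acl resolves identities to DOMAIN\name where it can. An entry that
        # still shows a raw SID string could not be resolved to any account: that
        # is the orphaned WSS_WPG SID left behind by the uninstall.
        $orphaned = $identity -match '^S-1-\d+(-\d+)+$'
        [pscustomobject]@{
            Identity = $identity
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
            Orphaned = $orphaned
        }
    }
}

try {
    $keyFile = Get-SigningKeyContainerFile -ContainerName $KeyContainerName
}
catch [System.Security.Cryptography.CryptographicException] {
    Write-Host "No existing machine-store key container named '$KeyContainerName'; there is nothing to repair."
    return
}

Write-Host "Key container file: $keyFile"
if (-not (Test-Path -Path $keyFile)) {
    Write-Host "The container exists but no file was found at the expected MachineKeys location."
    return
}

$entries = Get-KeyFileAclReport -Path $keyFile
$entries | Format-Table -AutoSize

$hasCurrentGroup = $entries | Where-Object { -not $_.Orphaned -and $_.Identity -like '*\WSS_WPG' }
$hasOrphanedSid  = $entries | Where-Object { $_.Orphaned }

if ($hasOrphanedSid -and -not $hasCurrentGroup) {
    Write-Host "ACL references an unresolvable SID and not the current WSS_WPG group: this matches the 'Failed to obtain signing certificate' cause."
    Write-Host "Method 1: aspnet_regiis -pa `"$KeyContainerName`" WSS_WPG"
    Write-Host "Method 2: remove the key file after confirming the path above, e.g. Remove-Item -LiteralPath `"$keyFile`""
}
elseif ($hasCurrentGroup) {
    Write-Host "The current WSS_WPG group already has an entry on the key file; look elsewhere for the cause."
}
```

Two points worth noting about the design. The article's own script creates a fresh, empty container if none exists under that name, because CspParameters without UseExistingKey asks the provider to create one; the UseExistingKey flag here turns that into a CryptographicException that the script catches and reports. Second, the script only reports: whether to apply Method 1 (re-grant access with aspnet_regiis) or Method 2 (delete the file so SharePoint generates a new certificate and key on the next offline operation) remains the administrator's decision, and the exact Remove-Item command is echoed rather than executed.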

Article ID: 981224 - Last Review: 12/12/2015 03:40:28 - Revision: 4.0

Microsoft SharePoint Server 2010
