Event ID 8321 logged multiple times in the SharePoint 2013 Application server’s Event Log, with the message “A certificate validation operation took 1500.8983 milliseconds and has exceeded the execution time threshold. If this continues to occur, it may represent a configuration issue. Please see http://go.microsoft.com/fwlink/?LinkId=246987 for more details.”and SharePoint pages were loading very slow!
Typically, this error occurs on SharePoint servers which are running with no internet connectivity where SharePoint Root Authority was not added to Trusted Root Certification Authorities store (which is the default behavior!) .
Install SharePoint Root Authority certificate to the Trusted Root Certification Authorities store. Here is how to fix this error step by step.
Step 1: Export the SharePoint Root Authority certificate using PowerShell
Open SharePoint Management Shell and execute these PowerShell scripts.
$RootCertFile="C:\SPRootCert.cer" $SPRootCert = (Get-SPCertificateAuthority).RootCertificate $SProotCert.Export("Cer") | Set-Content $RootCertFile -Encoding Byte
This script produces a certificate at “C:\SPRootCert.cer” file. The next step is to import this certificate into trusted root certificate store.
Step 2: Import the SharePoint Root Authority certificate into the Trusted Root Certificate store.
$RootCertFile="C:\SPRootCert.cer" Import-Certificate -FilePath $RootCertFile -CertStoreLocation Cert:\LocalMachine\Root
You can verify if the SharePoint root authority certificate is imported to trusted root certificate store by going to:
- Start >> Run >> MMC >> File >> Add/Remove Snap-in
- Click on Certificate >> Add >> Select computer account and click next >> select local computer and click finish.
- Expend Certificate >> Trusted Root Certification Authorities >> Certificate
- You should see “SharePoint Root Authority” there!
Repeat these two steps in all SharePoint servers of the farm.
Microsoft KB addressing this issue: https://support.microsoft.com/en-us/help/2625048/site-slowness-because-of-sharepoint-sts-certificate-crl-checking