VMware Cloud Community
DonOrchestrone
Enthusiast

SSL error: Access Sharepoint using REST

Hey there,

has anyone successfully connected to Sharepoint (2016, OnPrem) using REST?

I even fail in adding the host:

item: 'Add a REST host/item3', state: 'failed', business state: 'Error', exception: 'InternalError: com.vmware.o11n.plugins.configurator.util.CertificateException: Connection reset (Workflow:Import a certificate from URL with certificate alias / Validate (item1)#5)'

There seems to be an issue with the SSL-Handshake - but I can't find the reason for it...

(Firefox's RESTClient doesn't have any of these problems)

Any suggestions would be great!

Nico


9 Replies
daphnissov
Immortal

Make sure the name which you're using to connect to Sharepoint is the same name that's encoded in the certificate. Also, try the separate workflow to import the cert first, then run the other.

DonOrchestrone
Enthusiast

Thanks for the question.

I already tried using both CN and all SANs - but without an effect.

I also tried to import the cert first - this only succeeds when I import the cert via file - using the URL, it fails.

daphnissov
Immortal

When you run the workflow to import the cert from URL, can you show the error log you receive as output?

DonOrchestrone
Enthusiast

Error-Log:

[2018-04-25 16:15:16.813] [E] Workflow execution stack:
***
item: 'Import a certificate from URL with certificate alias/item3', state: 'failed', business state: 'Error', exception: 'InternalError: com.vmware.o11n.plugins.configurator.util.CertificateException: Connection reset (Workflow:Import a certificate from URL with certificate alias / Validate (item1)#5)'
workflow: 'Import a certificate from URL' (c5a874a2-e8e7-480d-bdde-d1a80b8a3011)
|  'input': name=url type=string value=https://URLWORKINGINIEANDFIREFOX
|  'input': name=ignoreWarnings type=boolean value=true
|  'no outputs'
|  'no attributes'
--workflow: 'Import a certificate from URL with certificate alias' (c61fad08-537d-4548-9280-8004a9b92cb3)
  |  'attribute': name=error type=string value=InternalError: com.vmware.o11n.plugins.configurator.util.CertificateException: Connection reset (Workflow:Import a certificate from URL with certificate alias / Validate (item1)#5)
  |  'attribute': name=isNotTrusted type=boolean value=__NULL__
  |  'attribute': name=isCertificateExpired type=boolean value=__NULL__
  |  'attribute': name=isDomainWrong type=boolean value=__NULL__
  |  'attribute': name=isNotValid type=boolean value=__NULL__
  |  'attribute': name=errorText type=string value=__NULL__
  |  'attribute': name=certInfo type=string value=__NULL__
  |  'attribute': name=installCertificate type=boolean value=true
  |  'attribute': name=certificateHostName type=string value=__NULL__
  |  'input': name=url type=string value=https://URLWORKINGINIEANDFIREFOX
  |  'input': name=ignoreWarnings type=boolean value=true
  |  'input': name=certAlias type=string value=
  |  'no outputs'
*** End of execution stack.

daphnissov
Immortal

So it's a connection reset error which usually means there's a communication problem from vRO to that node. Can vRO resolve that address? Do you have potential firewalls in the mix?

DonOrchestrone
Enthusiast

The Windows firewall is active on the Sharepoint server, but set to allow-all.

There's only routing in between vRO and Sharepoint, no firewalls.

I can reach the Sharepoint server using openssl, but the response looks strange to me (I don't know whether it is normal for Sharepoint that there is "no peer certificate available"...)

openssl s_client -connect SHAREPOINT-URL:443

write:errno=104
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1524669806
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

daphnissov
Immortal

I don't know what's "normal" or not for Sharepoint, but what do you get when you put that URL in a browser? What does the cert say, and what does the browser complain about?

DonOrchestrone
Enthusiast

Both Firefox and IE show that the certificate is valid - no warnings at all...

DonOrchestrone
Enthusiast

After digging deeper, I found the reason for the "Connection reset" error:

Our Sharepoint / IIS requires SNI (Server Name Indication - https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sn...)

openssl s_client -connect sharepointurl:443 -servername sharepointurl

returns:

Protocol : TLSv1.2
Cipher    : ECDHE-RSA-AES256-SHA384
Session-ID: B224000060723001993B013F1DFC899CC6F2F1AD1BA9FE733454A7196915DE74
Session-ID-ctx:
Master-Key: 8A04EE01782F322CF2FA001EF14E8FDA2BFB5DF612BE5D6844C3A277F5B74DB380AF8097CF1D2B7762
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1528448733
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---

openssl s_client -connect sharepointurl:443

returns:

Protocol  : TLSv1.2
Cipher    : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1528448998
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---

After disabling SNI (which is absolutely not required in our case), the SSL handshake worked!
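As an added example that is not from this thread or from VMware, here is a small Python probe that repeats the two openssl s_client checks above (one handshake with SNI, one without, as a client that omits -servername would do) and labels the pair of outcomes; the outcome labels, finding strings and function names are my own.

```python
# Added example (not from the thread): probe a TLS endpoint once with and
# once without SNI, like the two openssl s_client calls above, and label
# the pair of outcomes.
import socket
import ssl

# Outcome labels and finding strings are constructed for this example.
OK, RESET, FAILED = "handshake_ok", "connection_reset", "handshake_failed"

def try_handshake(host, port=443, send_sni=True, timeout=5.0):
    """Return (outcome, detail). send_sni=False omits the SNI extension,
    mimicking a client such as the vRO certificate importer above."""
    ctx = ssl.create_default_context()
    # Only handshake completion matters here, not chain trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    name = host if send_sni else None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return OK, "%s %s" % (tls.version(), tls.cipher()[0])
    except ConnectionResetError as exc:  # errno 104, as in write:errno=104
        return RESET, str(exc)
    except (ssl.SSLError, OSError) as exc:
        return FAILED, str(exc)

def diagnose(with_sni, without_sni):
    """Turn the two outcomes into a one-line finding."""
    if with_sni == OK and without_sni != OK:
        return "server requires SNI"
    if with_sni == OK:
        return "SNI not required"
    if without_sni == OK:
        return "SNI name rejected"
    return "unreachable or not TLS"

def sni_probe(host, port=443):
    w = try_handshake(host, port, send_sni=True)
    wo = try_handshake(host, port, send_sni=False)
    return {"with_sni": w, "without_sni": wo, "finding": diagnose(w[0], wo[0])}

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: sni_probe.py HOST")
    for key, value in sni_probe(sys.argv[1]).items():
        print(key, value)
```

Run it against the SharePoint host name: a "server requires SNI" finding reproduces the situation in this thread, and the detail strings show which side closed the connection.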