Summary: Steps to update an SSL certificate for Microsoft Dynamics 365 / Dynamics CRM
Article Type: Information / Troubleshooting / Support
Related Product(s): This article relates to the following products:

  • Microsoft Dynamics CRM
  • Microsoft Dynamics 365
Related Articles:


Microsoft Dynamics 365 / Dynamics CRM can be configured to use SSL (Secure Sockets Layer). For this to work, an SSL certificate is required.

Certificates can be purchased from certificate providers and will expire after a certain period of time. Once this time has elapsed, Microsoft Dynamics CRM will no longer work until the certificate is updated.

This article describes the process to update the certificate for Microsoft Dynamics CRM

Installing the new certificate

You will need to import your certificate into the local certificate store on each CRM server that uses web services, and the AD FS server if claims-based authentication is enabled.


Instructions on how to import a certificate can be obtained from your certificate provider.

Note: Problems may occur if you do not remove the old certificate.

Add permission to the certificate

It is necessary to grant specific permissions to the certificate to allow service accounts access.

Manage Private Keys

The following steps show how to add permissions to the certificate.

  1. Open the Certificate Console on the server.
  2. Check out the Microsoft Wiki for help
  3. Navigate to (Local Computer) > Personal > Certificates
  4. Right-click the new certificate. Go to All Tasks > Manage Private Keys
  5. Add following permissions
    • AD FS Server: CRMAppPool Account = “Read”
    • AD FS Server: ADFSAppPool Account = “Full”
    • CRM Server: CRMAppPool Account = “Read”

Update IIS (Internet Information Services) to use the new certificate

On the Microsoft Dynamics CRM website, the certificate bindings will need to be updated.

IIS Select Certificate

The following steps show how to bind the new certificate using IIS 8.

  1. Log on to the Microsoft Dynamics CRM Server.
  2. Open IIS.
  3. Locate the Microsoft Dynamics CRM website.
  4. Right click the website and click Edit Bindings.
  5. Select HTTPS and click Edit….
  6. Select the new certificate and click OK to save the settings.
  7. Close all open windows.

Reconfigure Claims-Based Authentication

The Microsoft Dynamics CRM application will need to be updated to use the new certificate.

Claims Setting

The following steps show how to reconfigure claims-based authentication.

  1. Open Deployment Manager
  2. Click Configure Claims-Based Authentication to open the wizard
  3. Click Next on the Welcome page
  4. Click Next on the Token Service page
  5. Select the new certificate on the Select Certificate page
  6. Click Next to complete the configuration

Update AD FS (Active Directory Federation Services)

In AD FS, the Service Communication certificate will need to be updated.

ADFS Certificate

The following steps show how to update the Service Communication certificate in AD FS 2.0.

  1. Open AD FS 2.0
  2. Navigate to AD FS 2.0 > Service > Certificates
  3. Click Set Service Communications Certificate
  4. Select the certificate and click OK

Final Tasks

To finish the process, all affected services will need to be restarted.


The following steps should be completed once the certificate has been updated.  It may also be necessary to follow these steps if problems occur during any of the previous tasks.

  • Perform an IISRESET on each server
  • Restart the AD FS service on AD FS server
  • Update Relying Party metadata
    1. Open AD FS 2.0
    2. Navigate to AD FS 2.0 > Trust Relationships > Relying Party Trusts
    3. Right-click each relying party and select Update from Federation Metadata
    4. Click Update
Related Information: