|Summary:||Steps to update an SSL certificate for Microsoft Dynamics 365 / Dynamics CRM|
|Article Type:||Information / Troubleshooting / Support|
|Related Product(s):||This article relates to the following products:
Microsoft Dynamics 365 / Dynamics CRM can be configured to use SSL (Secure Sockets Layer). For this to work, an SSL certificate is required.
Certificates can be purchased from certificate providers and will expire after a certain period of time. Once this time has elapsed, Microsoft Dynamics CRM will no longer work until the certificate is updated.
This article describes the process to update the certificate for Microsoft Dynamics CRM
Installing the new certificate
You will need to import your certificate into the local certificate store on each CRM server that uses web services, and the AD FS server if claims-based authentication is enabled.
Instructions on how to import a certificate can be obtained from your certificate provider.
Note: Problems may occur if you do not remove the old certificate.
Add permission to the certificate
It is necessary to grant specific permissions to the certificate to allow service accounts access.
The following steps show how to add permissions to the certificate.
- Open the Certificate Console on the server.
- Check out the Microsoft Wiki for help
- Navigate to (Local Computer) > Personal > Certificates
- Right-click the new certificate. Go to All Tasks > Manage Private Keys
- Add following permissions
- AD FS Server: CRMAppPool Account = “Read”
- AD FS Server: ADFSAppPool Account = “Full”
- CRM Server: CRMAppPool Account = “Read”
Update IIS (Internet Information Services) to use the new certificate
On the Microsoft Dynamics CRM website, the certificate bindings will need to be updated.
The following steps show how to bind the new certificate using IIS 8.
- Log on to the Microsoft Dynamics CRM Server.
- Open IIS.
- Locate the Microsoft Dynamics CRM website.
- Right click the website and click Edit Bindings.
- Select HTTPS and click Edit….
- Select the new certificate and click OK to save the settings.
- Close all open windows.
Reconfigure Claims-Based Authentication
The Microsoft Dynamics CRM application will need to be updated to use the new certificate.
The following steps show how to reconfigure claims-based authentication.
- Open Deployment Manager
- Click Configure Claims-Based Authentication to open the wizard
- Click Next on the Welcome page
- Click Next on the Token Service page
- Select the new certificate on the Select Certificate page
- Click Next to complete the configuration
Update AD FS (Active Directory Federation Services)
In AD FS, the Service Communication certificate will need to be updated.
The following steps show how to update the Service Communication certificate in AD FS 2.0.
- Open AD FS 2.0
- Navigate to AD FS 2.0 > Service > Certificates
- Click Set Service Communications Certificate
- Select the certificate and click OK
To finish the process, all affected services will need to be restarted.
The following steps should be completed once the certificate has been updated. It may also be necessary to follow these steps if problems occur during any of the previous tasks.
- Perform an IISRESET on each server
- Restart the AD FS service on AD FS server
- Update Relying Party metadata
- Open AD FS 2.0
- Navigate to AD FS 2.0 > Trust Relationships > Relying Party Trusts
- Right-click each relying party and select Update from Federation Metadata
- Click Update