Renewing or Replace a SSL Certificate in CRM

Renewing or Replace a SSL Certificate in CRM

1.  Remove (delete) the old cert using MMC on the CRM web servers & ADFS servers.  Verify removal of the cert by reviewing your  IIS https bindings.  We found that if we did not remove the old one first, application of the new one would not work.

2. Add the new cert to the ADFS server first.  Import new cert into MMC cert snapins console. Be sure your ‘AppPool user account’ has read permissions. You also need to be sure that the ‘ADFS service user account’ has full permissions to the cert.  Bind new cert to https in IIS.  From your cmd line, perform an IISreset.

3. Add the new cert to your CRM web application servers…all of them if there’s more than one.  Import new cert into MMC cert snapins console. Be sure your ‘AppPool user account’ has read permissions. Bind new cert to https in IIS.  From your cmd line, perform an IISreset.

4.  On your ADFS server, update the cert in ADFS Mgmt Console.  Under Service > certificates > Set service communications certificate to new cert.

5. Back again to your CRM web servers, fire up the ‘Configure Claims Wizard’, update to the new certificate, and apply.

6. On the ADFS server, in the ADFS Mgmt Console, under ‘Trust Relationships’, update relying trust federation metadata for all instances.

7.  Test CRM…this worked for us.

 

How to change the AD FS 2.0 service communications certificate after it expires

Applies to: Windows Server 2008 DatacenterWindows Server 2008 Datacenter without Hyper-VWindows Server 2008 Enterprise More

PROBLEM

A user wants to know how to change the Active Directory Federation Services (AD FS) 2.0 service communications certificate after it expires or for other reasons.

SOLUTION

Replacing an existing AD FS 2.0 server service certificate is a multistep process.

=================================================================================

Step 1: Install the new certificate into the local computer certificate store

Install the new certificate into the local computer certificate store. To do this, follow these steps:

1.      Click Start, and then click Run.

2.      Type MMC.

3.      On the File menu, click Add/Remove Snap-in.

4.      In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.

5.      Select Computer account, and then click Next.

6.      Select Local computer: (the computer this console is running on), and then click Finish.

7.      Click OK.

8.      Expand Console RootCertificates (Local Computer)PersonalCertificates.

9.      Right-click Certificates, click All Tasks, and then click Import.

Step 2: Add to the AD FS service account the permissions to access the private key of the new certificate

Add to the AD FS service account the permissions to access the private key of the new certificate. To do this, follow these steps:

1.      With the local computer certificate store still open, select the certificate that was just imported.

2.      Right-click the certificate, click All Tasks, and then click Manage Private Keys.

3.      Add the account that is running the ADFS Service, and then give the account at least read permissions.

Note If you do not have the option to manage private keys, you may have to run the following command:

certutil -repairstore my *

Step 3: Bind the new certificate to the AD FS website by using IIS Manager

Bind the new certificate to the AD FS website by using IIS Manager. To do this, follow these steps:

1.      Open the Internet Information Services (IIS) Manager snap-in.

2.      Browse to Default Web Site.

3.      Right-click Default Web Site, and then select Edit Bindings.

4.      Select HTTPS, and then click Edit.

5.      Select the correct certificate under the SSL certificate heading.

6.      Click OK, and then click Close.

Step 4: Configure the AD FS Server service to use the new certificate

Configure the AD FS Server service to use the new certificate. To do this, follow these steps:

1.      Open AD FS 2.0 Management.

2.      Browse to AD FS 2.0ServiceCertificates.

3.      Right-click Certificates, and then select Set Service Communications Certificate.

4.      Select the new certificate from the certificate selection UI.

5.      Click OK

Note You may see a dialog box that contains the following message: 

The certificate key length is less than 2048 bits. Certificates with key sizes less than 2048 bits might present a security risk and are not recommended. Do you want to continue?

After you read the message, click Yes. Another dialog box appears. It contains the following message:

Ensure that the private key for the chosen certificate is accessible to the service account for this Federation Service on each server in the farm.

This was already done in step 2. Click OK.

 

 

Introduction

Microsoft Dynamics CRM can be configured to use SSL (Secure Sockets Layer). For this to work, an SSL certificate is required.

Certificates can be purchased from certificate providers and will expire after a certain period of time. Once this time has elapsed, Microsoft Dynamics CRM will no longer work until the certificate is updated.

This article describes the process to update the certificate for Microsoft Dynamics CRM

Installing the new certificate

You will need to import your certificate into the local certificate store on each CRM server that uses web services, and the AD FS server if claims-based authentication is enabled.

CertificateStore

Instructions on how to import a certificate can be obtained from your certificate provider.

·        Symantec (Verisign, Thawte, GeoTrust)

·        Comodo SSL

·        GlobalSign

·        Go Daddy

·        DigiCert

Note: Problems may occur if you do not remove the old certificate.

Add permission to the certificate

It is necessary to grant specific permissions to the certificate to allow service accounts access.

Manage Private Keys

The following steps show how to add permissions to the certificate.

  1. Open the Certificate Console on the server.
  2. Check out the Microsoft Wiki for help
  3. Navigate to (Local Computer) > Personal > Certificates
  4. Right click the new certificate. Go to All Tasks > Manage Private Keys
  5. Add following permissions

·        AD FS Server: CRMAppPool Account = “Read”

·        AD FS Server: ADFSAppPool Account = “Full”

·        CRM Server: CRMAppPool Account = “Read”

·        In our case we were using the NETWORK SERVICE account and need to add the Read permissions
 Screenshot 2016 07 07 23 39 44

Update IIS (Internet Information Services) to use the new certificate

On the Microsoft Dynamics CRM website, the certificate bindings will need to be updated.

IIS Select Certificate

The following steps show how to bind the new certificate using IIS 8.

  1. Log on to the Microsoft Dynamics CRM Server.
  2. Open IIS.
  3. Locate the Microsoft Dynamics CRM website.
  4. Right click the website and click Edit Bindings.
  5. Select HTTPS and click Edit….
  6. Select the new certificate and click OK to save the settings.
  7. Close all open windows.

Reconfigure Claims-Based Authentication

The Microsoft Dynamics CRM application will need to be updated to use the new certificate.

Claims Setting

The following steps show how to reconfigure claims-based authentication.

  1. Open Deployment Manager
  2. Click Configure Claims-Based Authentication to open the wizard
  3. Click Next on the Welcome page
  4. Click Next on the Token Service page
  5. Select the new certificate on the Select Certificate page
  6. Click Next to complete the configuration

Update AD FS (Active Directory Federation Services)

In AD FS, the Service Communication certificate will need to be updated.

ADFS Certificate

The following steps show how to update the Service Communication certificate in AD FS 2.0.

  1. Open AD FS 2.0
  2. Navigate to AD FS 2.0 > Service > Certificates
  3. Click Set Service Communications Certificate
  4. Select the certificate and click OK

Update Relying Party Trusts

The Relying Party Trusts in the AD FS Management needs to be checked that the Relying Party Trusts are not showing an ! next to the listed Claims Relying Party Trust and the IFD Relying Party.

If they are, or even just to be safe. Click on each separately and the “Update from Federation Meta Data”

Screenshot 2016 07 07 23 43 26

Once these have both been updated you can move onto the last task.

Final Tasks

To finish the process, all affected services will need to be restarted.

IISRESET

The following steps should be completed once the certificate has been updated.  It may also be necessary to follow these steps if problems occur during any of the previous tasks.

·        Perform an IISRESET on each server

·        Restart the AD FS service on AD FS server

·        Update Relying Party metadata

1.      Open AD FS 2.0

2.      Navigate to AD FS 2.0 > Trust Relationships > Relying Party Trusts

3.      Right click each relying party and select Update from Federation Metadata

4.      Click Update

 

Tags:

Comments are closed

Latest Comments

No comments to show.