When installing On-Premises version of Dynamics 365 for Finance and Operations, we need a set of certificates to secure our Service Fabric cluster and applications we will be deploying. Self-signed certificates can be used in the TEST environments, but it is recommended to get the certificates from a Certificate Authority or generate them using your own Active Directory Certificate Services. In my previous blog post, I listed the steps needed to create Certificate Templates and here I will describe how we can use these templates to generate a set of certificates that can be used in our D365FFO deployment.

Please keep in mind that there are different ways of generating certificates, I only describe one of them here that worked well for me.

The first step to generate a certificate is to create an INF file with the certificate characteristics that we want to use. You will notice that some of the fields were already set in the Certificate Templates and will be used here again – I did have some problems with data being overridden by the Template info and just decided to provide it in both places, but there might be a better way to do it. As in my previous post, I will only be mentioning the most important fields that we need to use. Depending on what you need, you might want to use some other fields as well or set values different to those presented here.

1. We start with the wildcard certificate that I will call “D365Star” here. This certificate will use the D365FFOGeneralTemplate and its INF file should look like below:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN=*.d365ffo.onprem.dyn.local"
FriendlyName = "D365FFOStar"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10
KeyUsage = 0xa0

[Strings] 
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=ax.d365ffo.onprem.dyn.local&dns=sf.d365ffo.onprem.dyn.local&dns=*.d365ffo.onprem.dyn.local"

[RequestAttributes]
CertificateTemplate = D365FFOGeneralTemplate

As you can see, the “szOID_SUBJECT_ALT_NAME2” string can be used to pass all the DNS names that we need in the Subject Alternate Name field on the certificate. If we save this file as D365Star.inf, we can use the following commands (in cmd on your AD CS machine) to generate the certificate:

    • To create the request:
certreq -new D365TESTStar.inf D365TESTStar.req
    • To submit the request:
certreq -submit D365TESTStar.req D365TESTStar.cer
    • To accept and import to Local Machine / Personal store (depending on your settings, you might need to issue the certificate in your CA first and create a CER file from it):
certreq -accept -machine D365TESTStar.cer

Once the certificate is in the Local Machine / Personal, you export it, together with the Private Key by using:

certutil -f -protectto "<AD Group that should have access to private key>" -privatekey -exportpfx My <Thumbprint of your certificate> "C:\ExportCert \D365TESTStar.pfx"

2. Second certificate that is worth looking at here is the Encipherment one. This is the only certificate that is using different Certificate Template and settings in the INF file. Its INF should look like below: 

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN=DataEncipherment"
FriendlyName = "D365FFODataEncipherment"
KeySpec = AT_KEYEXCHANGE
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
RequestType = PKCS10
KeyUsage = CERT_DATA_ENCIPHERMENT_KEY_USAGE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.80.1

[RequestAttributes]
CertificateTemplate = D365FFOEnciphermentTemplate

The process of generating the certificate is the same as we used in the previous point.

These were the two different types of certificates that we need to generate. For all the other certificates the INF file like the “D365Star” from the first point above can be reused (with changed DNS names, CN, etc.). Below please find sample INF files for all the other certificates.

Session Authentication:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN = SessionAuthentication"
FriendlyName = "D365FFOSessionAuthentication"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10
KeyUsage = 0xa0

[Strings] 
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=SessionAuthentication"

[RequestAttributes]
CertificateTemplate = D365FFOGeneralTemplate


Reporting Service:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN = ReportingService"
FriendlyName = "D365FFOReportingService"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10
KeyUsage = 0xa0

[Strings] 
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=ReportingService"

[RequestAttributes]
CertificateTemplate = D365FFOGeneralTemplate

OnPrem Local Agent:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN = OnPremLocalAgent"
FriendlyName = "D365FFOOnPremLocalAgent"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10
KeyUsage = 0xa0

[Strings] 
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=OnPremLocalAgent"

[RequestAttributes]
CertificateTemplate = D365FFOGeneralTemplate

Financial Reporting:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN = FinancialReporting"
FriendlyName = "D365FFOFinancialReporting"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10
KeyUsage = 0xa0

[Strings] 
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=FinancialReporting"

[RequestAttributes]
CertificateTemplate = D365FFOGeneralTemplate


Data Signing:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN = DataSigning"
FriendlyName = "D365FFODataSigning"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10
KeyUsage = 0xa0

[Strings] 
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=DataSigning"

[RequestAttributes]
CertificateTemplate = D365FFOGeneralTemplate


Data Encryption:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN = DataEncryption"
FriendlyName = "D365FFODataEncryption"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10
KeyUsage = 0xa0

[Strings] 
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=DataEncryption"

[RequestAttributes]
CertificateTemplate = D365FFOGeneralTemplate


Client:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN = client.d365ffo.onprem.dyn.local"
FriendlyName = "D365FFOClient"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10
KeyUsage = 0xa0

[Strings] 
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=client.d365ffo.onprem.dyn.local"

[RequestAttributes]
CertificateTemplate = D365FFOGeneralTemplate