I am setting up UAT environment for on prem. For the deployment, one runs many scripts and these scripts create self signed certificates and then the thumbprints are you used later on.
I was just wondering what would I do for production? We definitely can not use self signed as they expire after a year.
So where do I get certificates from? and how do i deal with them as currently certificates do the job.
Any help will be highly appreciated.
I found out below article from Sohaib, it gives the details about how to increase expiry date but I still have a question. What if I use Self signed certificates for production environment, what will be the problem?
Microsoft has recommended few names of certificate providers for production system. You can buy from certificate providers for your production instances. The purchased certificates thumbnails can be added in configuration file of prod, so rather than recreating those it will use the existing (purchased ones)
For UAT or sandBox, by default it generates for 1 year, i don't like that personally 1 year time and then it will prompt me for expiry after one year. For my UAT or sandboxes, i usually increase the timing from 1 year to my preferred time.
Sohaib ! What about the production? What is wrong with using self signed cert on prod?
Simple it is not recommended from Microsoft for prod.
Otherwise technically, it would not stop you from doing installation. even with your self signed certificates it should allow you to do installation of prod.
I have seen prod installations with self-signed certificates, in some countries.
I am not a decision maker here :) so, it is the decision of individual organization, how they want to proceed with installation of prod. May be some organization can be super rich to buy certs for UAT also. so its kind of personal decision. If you want to hear Microsoft Recommendation, they would say buy those from a authentic cert provider.
I've asked the question to our FastTrack liaison, and his answer:
Doesn't answer the question. For PROD I will need to provide the client with a robust and verified procedure for renewing them.
Have you been able to find out procedure to update thumbprints of expired certificates ?
H Jelle de Haas/ kashif ,
Did you get any update/guidance from Microsoft on renewal process of Certificates?.
Did you find out a way to update thumbprints of expired certificates ?
Thanks & Regards,
Question, I have installed D365 Operations on premise environment using self-signed certificates and they're about to expire. Can you suggest some methods we can use to extend or probably change the certificates installed in the environment? Also I have seen changing certificate thumbprint id using web.config, wif.config and wif.service.config on Local development Environment. Is it possible to use the same method in Production Environment? Thank you.
I don't think, as of today, you can do this so easily by just updating values in web.config
Reconfiguration of the environment seems a workable option. For cloud based environments, you can rotate certificates, but I haven't seen such support for on-prem.
This is the reason why I extend the expiry date of self-signed certificates, before deploying the environment. If you will have a look at SF explorer, you would find the certificate values under details of the deployed application. Those values are written, when LCS Agent deploys the applications (AXSF etc)
It seems we have to redeploy it again. Because MS guys said that, thats the only option because there are no such thing in on premise environment reconfiguring the certificates installed. I hope they'll issue a feature for reconfiguring the environment for on premise. Thank you Sohaib.
IMHO, we should use AD CS in your local AD and create long validity.
Business Applications communities