Certificates in D365 on prem environment

Microsoft Dynamics AX Forum

Hafiz Usama asked a question on 17 May 2018 2:19 AM

Question Status

Verified

Hi,

I am setting up a UAT environment for on prem. For the deployment, one runs many scripts, and these scripts create self-signed certificates, and then the thumbprints are used later on.

I was just wondering what I would do for production? We definitely cannot use self-signed as they expire after a year.

So where do I get certificates from? And how do I deal with them, as currently certificates do the job?

Any help will be highly appreciated.

Hafiz Usama responded on 17 May 2018 2:49 AM
Verified Answer

I found the article below from Sohaib; it gives the details about how to increase the expiry date, but I still have a question. What if I use self-signed certificates for the production environment, what will be the problem?

community.dynamics.com/.../configuring-certificates-for-d365-on-perm-installation

Sohaib Cheema responded on 17 May 2018 2:51 AM

Microsoft has recommended a few names of certificate providers for production systems. You can buy from certificate providers for your production instances. The purchased certificates' thumbprints can be added to the configuration file of prod, so rather than recreating those it will use the existing (purchased) ones.

For UAT or sandbox, by default it generates for 1 year. I personally don't like that 1-year time, as it will then prompt me for expiry after one year. For my UAT or sandboxes, I usually increase the timing from 1 year to my preferred time.

Hafiz Usama responded on 17 May 2018 3:07 AM

Sohaib! What about production? What is wrong with using a self-signed cert on prod?

Sohaib Cheema responded on 17 May 2018 3:13 AM
Verified Answer

Simple: it is not recommended by Microsoft for prod.

Otherwise, technically, it would not stop you from doing the installation. Even with your self-signed certificates it should allow you to do the installation of prod.

I have seen prod installations with self-signed certificates, in some countries.

I am not a decision maker here :) so it is the decision of the individual organization how they want to proceed with the installation of prod. Maybe some organizations can be super rich to buy certs for UAT also, so it's kind of a personal decision. If you want to hear Microsoft's recommendation, they would say buy those from an authentic cert provider.

Jelle de Haas responded on 18 May 2018 4:23 AM

I've asked the question to our FastTrack liaison, and his answer:

  • For Self-signed certificates, we are working on publishing some guidance on the renewal process. Remind me about this in a month or so, and I will check with the product team again.
  • For Certificates you purchase from a certification authority, you can renew them by contacting the certification authority.

Doesn't answer the question. For PROD I will need to provide the client with a robust and verified procedure for renewing them.

kashifvirgoo responded on 13 Aug 2018 1:54 AM

Hi,

Have you been able to find out the procedure to update thumbprints of expired certificates?

Ansar Basha responded on 17 Sep 2018 4:18 AM

Hi Jelle de Haas / kashif,

Did you get any update/guidance from Microsoft on the renewal process of certificates?

Did you find out a way to update thumbprints of expired certificates?

Thanks & Regards,

Ansar Basha.S

Carlo Coroza responded on 18 Oct 2018 2:05 AM

Hi Sohaib,

Question: I have installed a D365 Operations on-premise environment using self-signed certificates and they're about to expire. Can you suggest some methods we can use to extend or probably change the certificates installed in the environment? Also, I have seen changing the certificate thumbprint id using web.config, wif.config and wif.service.config on a local development environment. Is it possible to use the same method in a production environment? Thank you.

Sohaib Cheema responded on 18 Oct 2018 9:27 AM

Hi Carlo Coroza,

I don't think, as of today, you can do this so easily by just updating values in web.config.

Reconfiguration of the environment seems a workable option. For cloud-based environments, you can rotate certificates, but I haven't seen such support for on-prem.

This is the reason why I extend the expiry date of self-signed certificates before deploying the environment. If you have a look at SF Explorer, you will find the certificate values under the details of the deployed application. Those values are written when the LCS Agent deploys the applications (AXSF etc.).

Carlo Coroza responded on 18 Oct 2018 10:19 AM
Suggested Answer

Hi Sohaib,

It seems we have to redeploy it again, because the MS guys said that's the only option, as there is no such thing in the on-premise environment as reconfiguring the certificates installed. I hope they'll issue a feature for reconfiguring the environment for on-premise. Thank you Sohaib.
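
The posts above leave expiry tracking to whoever operates the environment. One way to check how long the certificates a deployment is pinned to have left, as an added example that is not part of any post in this thread and not Microsoft's or the posters' tooling. The thumbprints are constructed placeholders; the store path, the 60-day threshold and the subject-equals-issuer test for "self-signed" are assumptions.

```powershell
# Added example: expiry report for the certificates a deployment is pinned to.
# The thumbprints below are constructed placeholders; use the ones recorded
# for your own environment. Store path and threshold are assumptions.
param(
    [string[]]$Thumbprints = @(
        '0000000000000000000000000000000000000001',
        '0000000000000000000000000000000000000002'
    ),
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [int]$WarnDays = 60
)

$now   = Get-Date
$certs = Get-ChildItem -Path $StorePath

$report = foreach ($tp in $Thumbprints) {
    # Strip spaces and invisible characters that come along when a
    # thumbprint is copied out of the certificate dialog.
    $clean = ($tp -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = $certs | Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1

    if ($null -eq $cert) {
        # Configured thumbprint with no matching certificate on this node.
        [pscustomobject]@{
            Thumbprint = $clean; Subject = $null; SelfSigned = $null
            NotAfter   = $null;  DaysLeft = $null; Status    = 'MISSING'
        }
    }
    else {
        $days   = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $status = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'RENEW SOON' } else { 'OK' }
        [pscustomobject]@{
            Thumbprint = $clean
            Subject    = $cert.Subject
            # Heuristic: a self-signed certificate names itself as issuer.
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter
            DaysLeft   = $days
            Status     = $status
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or monitor raise an alert.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it on each node that holds the certificates, since a thumbprint that is present on one machine can be missing or older on another.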
