When installing On-Premises version of Dynamics 365 for Finance and Operations (D365FFO), we need a set of certificates to secure our Service Fabric cluster and applications we will be deploying. Self-signed certificates can be used in the TEST environments, but it is recommended to get the certificates from a Certificate Authority or generate them using your own Active Directory Certificate Services.
In this blog post, I will describe how to create the Certificate Templates in your AD that can later be used when generating all needed certificates for D365FFO On-Premises installation.
I assume you already have the Certificate Services installed, so to access it, you can use Certification Authority option from Server Manager -> Tools menu:
Another option, is to open Management Console (mmc) and add Certification Authority or, even better, Certificate Templates snap-in:
If you only opened Certification Authority, then you need to right-click on Certificate Templates and use Manage option. This should open the Certificate Template Console:
There are two Certificate Templates that we need for D365FFO installation as there are two sets of properties that will be needed for the different certificates we need to generate. When creating the certificates, I will only focus on the parameters important for D365FFO installation, but there might be also other that are not mentioned here, but you might want or need to use depending on your company security policy.
1. D365FFOGeneralTemplate – this is the template, that will be used for most of our certificates and its purpose will be set to “Signature and encryption”.
- To create it, we start by right-click on the Domain Controller certificate template and use “Duplicate Template” option.
- On the first screen, we need to select the compatibility options. This is something you need to decide based on the Operating Systems you are using. I will just leave the default options (note that this is limiting the parameters available on the template, so you might want to go for higher versions here), as below:
- In the General Tab, you can enter the name of the template, for this one we will use “D365FFOGeneralTemplate” and select Validity and Renewal period
- In Request Handling Tab, we leave the default the Purpose field with a default value of “Signature and encryption” and we check the “Allow private key to be exported”
- In Cryptography Tab, we need to select the provider that can be used, for this template we only need “Microsoft Enhanced RSA and AES Cryptographic Provider”
- In Subject Name Tab, we select the “Select in the request” option
- We can leave all the other Tabs with default values for now and click Apply/OK to create the template. As mentioned earlier, you might need to configure some additional parameters depending on your company security policy.
2. D365FFOEnciphermentTemplate - this is the template, that will be used for our Encipherment Certificate and its purpose will be set to “Encryption”
- To create it, we start by right-click on previously created “D365FFOGeneralTemplate” and use “Duplicate Template” option
- In General Tab, we change the name to “D365FFOEnciphermentTemplate”
- In Request Handling Tab, we change the Purpose to “Encryption”
- In Cryptography Tab, we select “Microsoft Enhanced Cryptographic Provider v1.0” as the only allowed Provider
- In Extensions Tab, we need to Edit “Application Policies”, remove both “Client Authentication” and “Server Authentication” and instead just add “Document Encryption”
- Still in the Extensions Tab, we need to change the Edit “Key Usage” and check the “Allow encryption of user data” option
- We can leave all the other Tabs with default values for now and click Apply/OK to create the template.
With these steps we created the following templates:
Now we need to make them available for use by going to Certification Authority, right-click on Certificate Templates -> New and using Certificate Template to Issue option:
In the next step the certificates we just created can be selected and confirmed and once this is done, they are available for use.
We can use these to generate all the certificates needed for D365FFO On-Premises deployment. In the next blog I will provide information on how to proceed with this.
*This post is locked for comments