Dynamics 365 general forum
Suggested answer

How to manage certificates when connecting to external API using mutual ssl?


Hey team,

Looking for a way to securely connect from a D365 plugin to an API external to D365 (e.g. an APIM endpoint in the same tenant; or a truly external third party's service) using certificate-based authentication.

In our case, we need it to be synchronous, so we've chosen a plugin over Power Automate.

We're able to connect using a certificate with HttpClient, however we have to pass in the very sensitive certificate details (including private key + password) via the plugin registration step's "Secure config" field. While workable in the short term, it is less than ideal as it exposes sensitive data to more people than strictly necessary.

At time of writing, the "Secure environment variable" feature is still in preview and isn't supported from plugins (yet). Once GA, this will let us grab the details from Azure KeyVault using a connection reference set up once in each environment, which would be awesome.

Hoping someone's come across a better way to inject sensitive info into plugins in the interim?

Dynamics 365 Customer Engagement.
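
The setup the question describes (certificate and password delivered through the step's secure config, then attached to HttpClient), as an added example that is not the poster's code. The `<base64 PFX>|<password>` layout, the class name and the URL are assumptions; it also assumes a .NET Framework 4.6.2 plugin project that references System.Net.Http.WebRequest for `WebRequestHandler`.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Xrm.Sdk;

public class MutualTlsPlugin : IPlugin   // hypothetical class name
{
    private const string ApiUrl = "https://api.example.com/orders"; // placeholder endpoint
    private readonly byte[] _pfx;
    private readonly string _pfxPassword;

    // Dataverse passes the step's unsecure and secure configuration strings here.
    public MutualTlsPlugin(string unsecureConfig, string secureConfig)
    {
        // Assumed layout: "<base64 PFX>|<PFX password>"; base64 never contains '|'.
        var parts = (secureConfig ?? string.Empty).Split(new[] { '|' }, 2);
        if (parts.Length != 2)
            throw new InvalidPluginExecutionException("Secure config is missing or malformed.");
        _pfx = Convert.FromBase64String(parts[0]);
        _pfxPassword = parts[1];
    }

    public void Execute(IServiceProvider serviceProvider)
    {
        var trace = (ITracingService)serviceProvider.GetService(typeof(ITracingService));
        using (var cert = new X509Certificate2(_pfx, _pfxPassword))
        using (var handler = new WebRequestHandler())
        {
            // Fail with a clear message rather than an opaque TLS handshake error.
            if (!cert.HasPrivateKey || DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
                throw new InvalidPluginExecutionException("Client certificate is unusable or expired.");
            handler.ClientCertificates.Add(cert);
            using (var client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(15) })
            {
                client.DefaultRequestHeaders.ConnectionClose = true; // no keep-alive from the sandbox
                var response = client.GetAsync(ApiUrl).GetAwaiter().GetResult();
                // Trace the status only; never the PFX bytes or the password.
                trace.Trace("mTLS call returned {0}", (int)response.StatusCode);
                if (!response.IsSuccessStatusCode)
                    throw new InvalidPluginExecutionException("External API call failed.");
            }
        }
    }
}
```

Anyone who can read the step's secure config can read both halves of the string, which is the exposure the question is trying to reduce.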

  • Suggested answer
    JaredP
    RE: How to manage certificates when connecting to external API using mutual ssl?

    Thanks for your thoughts Kosenurm, however those options really just push the problem back one step.

    e.g. while getting the value from Keyvault keeps the certificate secure, we then have to pass in connection details for Keyvault itself. An added problem is that if the Keyvault credentials are compromised, it then risks exposing not only the certificate, but anything else in the keyvault.

    For the short term, we'll be retrieving the values from a custom dataverse "configuration" table (key value pairs). Only system administrators have access to the table, so it is almost as secure as using the secure config value in the plugin step, with the added benefit of being easier to manage when deploying (higher environments are managed by different teams).

    We'll revisit when the Secure Environment Variable becomes GA (we've logged it as technical debt in the backlog).

  • Suggested answer
    Kosenurm
    RE: How to manage certificates when connecting to external API using mutual ssl?

    One possible solution to securely connect from a D365 plugin to an external API using certificate-based authentication is to use Azure Key Vault to store the sensitive certificate details, including the private key and password, and retrieve them securely during runtime.

    Once the "Secure environment variable" feature becomes generally available and supported from plugins, it can be used to retrieve the details from Azure Key Vault using a connection reference set up once in each environment.

    In the meantime, another option could be to encrypt the sensitive information using a symmetric encryption algorithm and store the encrypted value in the "Secure config" field, and then decrypt it during runtime in the plugin code using a shared secret key or password. However, this method requires the secure storage and management of the shared secret key or password.
