Dynamics 365 general forum

How to manage certificates when connecting to external API using mutual ssl?


Hey team,

Looking for a way to securely connect from a D365 plugin to an API external to D365 (e.g. an APIM endpoint in the same tenant; or a truly external third party's service) using certificate-based authentication.

In our case, we need it to be synchronous, so we've chosen a plugin over power automate.

We're able to connect using a certificate with HttpClient, however we have to pass in the very sensitive certificate details (including private key + password) via the plugin registration step's "Secure config" field. While workable in the short term, it is less than ideal as it exposes sensitive data to more people than strictly necessary.

At time of writing, the "Secure environment variable" feature is still in preview and isn't supported from plugins (yet). Once GA, this will let us grab the details from Azure KeyVault using a connection reference setup once in each environment, which would be awesome.

Hoping someone's come across a better way to inject sensitive info into plugins in the interim?

Dynamics 365 Customer Engagement.
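The HttpClient-with-client-certificate approach the question describes, written out as an added C# example (this is not code from the thread). It assumes the "Secure config" field holds JSON of the form {"pfxBase64": ..., "pfxPassword": ..., "apiUrl": ...}, assumes a request body shape, and assumes the sandbox accepts X509KeyStorageFlags.MachineKeySet when loading the PFX; none of those are confirmed by the thread and should be verified in the target environment.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.Xrm.Sdk;

// Assumed layout of the JSON placed in the plugin step's "Secure config" field.
[DataContract]
public sealed class MtlsSecureConfig
{
    [DataMember(Name = "pfxBase64")] public string PfxBase64 { get; set; }     // PKCS#12 bundle, base64
    [DataMember(Name = "pfxPassword")] public string PfxPassword { get; set; }
    [DataMember(Name = "apiUrl")] public string ApiUrl { get; set; }
}

public sealed class MtlsCallPlugin : IPlugin
{
    private readonly MtlsSecureConfig _cfg;

    // Dataverse passes the step's unsecure and secure config strings to this constructor.
    public MtlsCallPlugin(string unsecureConfig, string secureConfig)
    {
        if (string.IsNullOrWhiteSpace(secureConfig))
            throw new InvalidPluginExecutionException("Secure config is required for this step.");
        _cfg = ParseSecureConfig(secureConfig);
        if (string.IsNullOrEmpty(_cfg.PfxBase64) || string.IsNullOrEmpty(_cfg.ApiUrl)
            || !_cfg.ApiUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new InvalidPluginExecutionException("Secure config must contain pfxBase64 and an https apiUrl.");
    }

    public static MtlsSecureConfig ParseSecureConfig(string json)
    {
        var serializer = new DataContractJsonSerializer(typeof(MtlsSecureConfig));
        using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(json)))
            return (MtlsSecureConfig)serializer.ReadObject(stream);
    }

    public void Execute(IServiceProvider serviceProvider)
    {
        var tracing = (ITracingService)serviceProvider.GetService(typeof(ITracingService));
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));

        byte[] pfx = Convert.FromBase64String(_cfg.PfxBase64);
        try
        {
            // MachineKeySet avoids the per-user key store, which the sandbox worker cannot use;
            // whether a given environment accepts it is an assumption to verify.
            using (var cert = new X509Certificate2(pfx, _cfg.PfxPassword, X509KeyStorageFlags.MachineKeySet))
            using (var handler = new HttpClientHandler())
            {
                if (!cert.HasPrivateKey)
                    throw new InvalidPluginExecutionException("Client certificate has no private key; mutual TLS cannot work.");

                handler.ClientCertificateOptions = ClientCertificateOption.Manual;
                handler.ClientCertificates.Add(cert);
                // Do not override server certificate validation: the client certificate authenticates
                // the plugin to the API, and default chain validation is what authenticates the API to the plugin.

                using (var client = new HttpClient(handler))
                {
                    client.Timeout = TimeSpan.FromSeconds(20);   // keep the synchronous call bounded
                    string json = "{\"recordId\":\"" + context.PrimaryEntityId + "\"}";   // assumed request shape
                    using (var body = new StringContent(json, Encoding.UTF8, "application/json"))
                    {
                        // Plugin execution is synchronous, so block on the task instead of making Execute async.
                        HttpResponseMessage response = client.PostAsync(_cfg.ApiUrl, body).GetAwaiter().GetResult();
                        tracing.Trace("External API returned HTTP {0}", (int)response.StatusCode);
                        if (!response.IsSuccessStatusCode)
                            throw new InvalidPluginExecutionException(
                                "External API call failed with HTTP " + (int)response.StatusCode);
                    }
                }
            }
        }
        finally
        {
            Array.Clear(pfx, 0, pfx.Length);   // drop the decoded key material once the call is done
        }
    }
}
```

The secure config string itself is held by the plugin instance for as long as Dataverse caches it, so the Array.Clear only limits the lifetime of the decoded copy; trace only status codes, never the configuration, because Plug-in Trace Log entries are readable by anyone with the privilege to view them.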

  • Suggested answer
    JaredP
    RE: How to manage certificates when connecting to external API using mutual ssl?

    Thanks for your thoughts Kosenurm, however those options really just push the problem back one step.

    e.g. while getting the value from Keyvault keeps the certificate secure, we then have to pass in connection details for Keyvault itself. An added problem is that if the Keyvault credentials are compromised, it then risks exposing not only the certificate, but anything else in the keyvault.

    For the short term, we'll be retrieving the values from a custom dataverse "configuration" table (key value pairs). Only system administrators have access to the table, so it is almost as secure as using the secure config value in the plugin step, with the added benefit of being easier to manage when deploying (higher environments are managed by different teams).

    We'll revisit when the Secure Environment Variable becomes GA (we've logged it as technical debt in the backlog).
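Reading key/value pairs from an admin-only Dataverse configuration table of the kind JaredP describes, as an added C# example (not JaredP's code). The table and column schema names new_configuration, new_key and new_value, the statecode filter and the two key names are hypothetical; the point it shows is that the lookup must run as the SYSTEM user, because the calling user who triggers the plugin will usually not hold a role that can read the table.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

public static class ConfigurationTable
{
    // Hypothetical schema names for the custom key/value table.
    public const string EntityName = "new_configuration";
    public const string KeyAttribute = "new_key";
    public const string ValueAttribute = "new_value";

    // Reads one key. The caller must pass a service created for the SYSTEM user so the
    // admin-only security role on the table does not block ordinary users who trigger the plugin.
    public static string GetRequiredValue(IOrganizationService systemService, ITracingService tracing, string key)
    {
        var query = new QueryExpression(EntityName)
        {
            ColumnSet = new ColumnSet(ValueAttribute),
            TopCount = 1,
            NoLock = true
        };
        query.Criteria.AddCondition(KeyAttribute, ConditionOperator.Equal, key);
        query.Criteria.AddCondition("statecode", ConditionOperator.Equal, 0);   // active rows only (assumed column)

        EntityCollection results = systemService.RetrieveMultiple(query);
        if (results.Entities.Count == 0)
            throw new InvalidPluginExecutionException("Configuration key '" + key + "' is missing.");

        string value = results.Entities[0].GetAttributeValue<string>(ValueAttribute);
        if (string.IsNullOrEmpty(value))
            throw new InvalidPluginExecutionException("Configuration key '" + key + "' is empty.");

        // Trace the key name only; the value is a secret and the Plug-in Trace Log is not.
        tracing.Trace("Loaded configuration key '{0}' ({1} chars)", key, value.Length);
        return value;
    }
}

public sealed class ConfigTableCertificatePlugin : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var tracing = (ITracingService)serviceProvider.GetService(typeof(ITracingService));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));

        // null user id => the service runs as SYSTEM, independent of the triggering user's roles.
        IOrganizationService systemService = factory.CreateOrganizationService(null);

        string pfxBase64 = ConfigurationTable.GetRequiredValue(systemService, tracing, "ExternalApi.ClientCertPfx");
        string pfxPassword = ConfigurationTable.GetRequiredValue(systemService, tracing, "ExternalApi.ClientCertPassword");

        byte[] pfx = Convert.FromBase64String(pfxBase64);
        try
        {
            // Fail early and loudly if the stored bundle cannot be used for client authentication.
            using (var cert = new X509Certificate2(pfx, pfxPassword, X509KeyStorageFlags.MachineKeySet))
            {
                if (!cert.HasPrivateKey)
                    throw new InvalidPluginExecutionException("Configured client certificate has no private key.");
                if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
                    throw new InvalidPluginExecutionException("Configured client certificate expired on " + cert.NotAfter.ToUniversalTime().ToString("u"));
                tracing.Trace("Client certificate thumbprint {0} valid until {1:u}", cert.Thumbprint, cert.NotAfter.ToUniversalTime());
                // The certificate is now ready to be attached to an HttpClientHandler for the mutual-TLS call.
            }
        }
        finally
        {
            Array.Clear(pfx, 0, pfx.Length);
        }
    }
}
```

Because the lookup runs as SYSTEM, restricting the table to system administrators protects it from users of the application, not from the plugin; whoever can register or update plugin assemblies in the environment can still read the values, which is the same trust boundary the secure config field has.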

  • Suggested answer
    Kosenurm
    RE: How to manage certificates when connecting to external API using mutual ssl?

    One possible solution to securely connect from a D365 plugin to an external API using certificate-based authentication is to use Azure Key Vault to store the sensitive certificate details, including the private key and password, and retrieve them securely during runtime.

    Once the "Secure environment variable" feature becomes generally available and supported from plugins, it can be used to retrieve the details from Azure Key Vault using a connection reference set up once in each environment.

    In the meantime, another option could be to encrypt the sensitive information using a symmetric encryption algorithm and store the encrypted value in the "Secure config" field, and then decrypt it during runtime in the plugin code using a shared secret key or password. However, this method requires the secure storage and management of the shared secret key or password.
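The encrypt-and-store-in-secure-config option Kosenurm outlines, as an added C# example that is not code from the thread. It uses AES-256-CBC with an HMAC-SHA256 tag (encrypt-then-MAC) rather than an unauthenticated cipher, derives both keys from one 32-byte master key, and verifies the tag before decrypting. The derivation labels, the sample secret and the demo key are constructed for the example; as the answer itself notes, the master key still has to be delivered to the plugin by some other channel (for instance unsecure config or the assembly), so this changes which secret is exposed rather than removing the exposure.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Protected value layout: base64( IV(16) || AES-256-CBC ciphertext || HMAC-SHA256 tag(32) ).
public static class SecureConfigCrypto
{
    private const int IvSize = 16;
    private const int TagSize = 32;

    // Split one master secret into independent encryption and MAC keys.
    private static void DeriveKeys(byte[] masterKey, out byte[] encKey, out byte[] macKey)
    {
        if (masterKey == null || masterKey.Length < 32)
            throw new ArgumentException("Master key must be at least 32 bytes.", "masterKey");
        using (var kdf = new HMACSHA256(masterKey))
        {
            encKey = kdf.ComputeHash(Encoding.ASCII.GetBytes("secure-config/enc"));
            macKey = kdf.ComputeHash(Encoding.ASCII.GetBytes("secure-config/mac"));
        }
    }

    public static string Protect(string plaintext, byte[] masterKey)
    {
        byte[] encKey, macKey;
        DeriveKeys(masterKey, out encKey, out macKey);
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                                   // fresh random IV for every value
            byte[] plain = Encoding.UTF8.GetBytes(plaintext);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);

            byte[] blob = new byte[IvSize + cipher.Length + TagSize];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvSize);
            Buffer.BlockCopy(cipher, 0, blob, IvSize, cipher.Length);
            using (var mac = new HMACSHA256(macKey))
            {
                byte[] tag = mac.ComputeHash(blob, 0, IvSize + cipher.Length);   // tag covers IV and ciphertext
                Buffer.BlockCopy(tag, 0, blob, IvSize + cipher.Length, TagSize);
            }
            return Convert.ToBase64String(blob);
        }
    }

    public static string Unprotect(string protectedValue, byte[] masterKey)
    {
        byte[] blob = Convert.FromBase64String(protectedValue);
        if (blob.Length < IvSize + TagSize + 16)               // at least one AES block of ciphertext
            throw new CryptographicException("Protected value is too short.");
        byte[] encKey, macKey;
        DeriveKeys(masterKey, out encKey, out macKey);
        int cipherLength = blob.Length - IvSize - TagSize;

        // Check the tag before decrypting so padding errors can never act as an oracle.
        using (var mac = new HMACSHA256(macKey))
        {
            byte[] expected = mac.ComputeHash(blob, 0, IvSize + cipherLength);
            if (!FixedTimeEquals(expected, blob, IvSize + cipherLength))
                throw new CryptographicException("Authentication tag mismatch: wrong key or tampered value.");
        }
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            byte[] iv = new byte[IvSize];
            Buffer.BlockCopy(blob, 0, iv, 0, IvSize);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, IvSize, cipherLength));
        }
    }

    // Compare without early exit so the tag check does not leak where the mismatch is.
    private static bool FixedTimeEquals(byte[] tag, byte[] blob, int offset)
    {
        int diff = 0;
        for (int i = 0; i < tag.Length; i++) diff |= tag[i] ^ blob[offset + i];
        return diff == 0;
    }

    // Offline use: run once when packaging, paste the printed value into "Secure config".
    public static void Main()
    {
        byte[] masterKey = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(masterKey);   // constructed demo key

        string secret = "{\"pfxPassword\":\"example-only\"}";                         // constructed sample value
        string wrapped = Protect(secret, masterKey);
        Console.WriteLine("Secure config value: " + wrapped);
        Console.WriteLine("Round trip ok: " + (Unprotect(wrapped, masterKey) == secret));

        byte[] tampered = Convert.FromBase64String(wrapped);
        tampered[IvSize] ^= 0x01;                                                     // flip one ciphertext bit
        try { Unprotect(Convert.ToBase64String(tampered), masterKey); Console.WriteLine("Tampering NOT detected"); }
        catch (CryptographicException) { Console.WriteLine("Tampering detected before decryption."); }
    }
}
```

In the plugin, the master key would be passed to Unprotect from wherever it is kept; if that is the unsecure config or a constant in the assembly, anyone who can read the assembly or the step definition can recover the certificate, which is the weakness the answer flags.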
