Certificate signed by CA not working


Good morning,

After the last update (from 16 → 17) I have issues with running services using certs. The error mentions a thumbprint code - it corresponds to the self-created cert, not the cert created by the CA, which is mentioned in the config of BC.

The certificate which is set in ServicesCertificateThumbprint key is available in:

  • Personal - certs (BC service account has full access)
  • Trusted people - certs

It seems to me that the new version of BC is able to check other certs than the self-created one on the machine.

Any help guys please?

AD1. - on version 16 everything ran as it should.

Server instance: DFDSE_BC170DE_DEV02
Tenant ID:
Environment Name:
Environment Type:
User:
Type: Microsoft.Dynamics.Nav.Types.NavConfigurationException
ErrorCode: -1
SuppressMessage: False
ContainsPersonalOrRestrictedInformation: False
DiagnosticsSuppress: True
MessageWithoutPrivateInformation:
  The security certificate that has the provided 'ServicesCertificateThumbprint' is not valid.
  Description = '[Subject]
    CN=DFCZ-BVNHDWBC01
 
  [Issuer]
    CN=DFCZ-BVNHDWBC01
 
  [Serial Number]
    2ACE01E412C4EC86472BB9C19418E8DB
 
  [Not Before]
    3/25/2020 12:41:31 PM
 
  [Not After]
    3/25/2023 12:41:31 PM
 
  [Thumbprint]
    534E48E7581155969980EB7F559A5DF04B77D52B
  '
SuppressExceptionCreatedEvent: False
FatalityScope: None
ErrorLevel: Error

  • Suggested answer
    Marco Mels

    Hello,

    If the same cert does work fine on V160 but stopped working in V170, then do raise this via a support ticket to Microsoft via your partner or CSP.

    Thanks.

  • miro.c.tr

    Unfortunately we don't have paid support. Hope someone else will have the same issue.

  • Suggested answer
    Marco Mels

    Hello,

    Hopefully not, but let's take another approach trying to assist you further. The message does read that the thumbprint is not correct. Did you copy it manually from one administration console to the other (from v16 to v17)? It may be that there are hidden chars added in front of it which you do not see in the administration console. You can view these via Notepad++ or another tool similar to Notepad++ (not notepad.exe).

    Or to get to the thumbprint via PowerShell ISE you can do this command:

    $getCert = Get-ChildItem  -Path Cert:\LocalMachine\MY | Where-Object {$_.Subject -Match "DFCZ-BVNHDWBC01"} | Select-Object FriendlyName, Thumbprint, Subject, NotBefore, NotAfter

    $certHash = $getCert.Thumbprint

    $certHash

    Now copy the value that is shown in PowerShell into the administration console and see if that does help you to work around the error. You need to restart for changes to take effect.

    Thanks
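
The hidden-character check suggested in the answer above, as an added example that is not part of the original posts: it reports any non-hex characters in a pasted thumbprint, then looks the cleaned value up in the machine's Personal store and shows whether the match is self-signed. The function name `Test-ConfiguredThumbprint` and the sample input are assumptions made for illustration.

```powershell
# Added example (hypothetical helper): validate a thumbprint string before it is
# placed in the ServicesCertificateThumbprint setting.
function Test-ConfiguredThumbprint {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,      # value exactly as pasted
        [string]$StorePath = 'Cert:\LocalMachine\My'    # "Personal" store of the machine
    )

    # Anything other than 0-9/A-F is unexpected: spaces, or invisible marks such as
    # U+200E that can be picked up when copying from a certificate dialog.
    $unexpected = foreach ($ch in $Thumbprint.ToCharArray()) {
        if ($ch -notmatch '^[0-9A-Fa-f]$') { 'U+{0:X4}' -f [int]$ch }
    }
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Look the cleaned thumbprint up in the store the service reads from.
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1

    [pscustomobject]@{
        CleanThumbprint = $clean
        UnexpectedChars = @($unexpected) -join ' '
        LengthOk        = ($clean.Length -eq 40)        # SHA-1 thumbprint = 40 hex chars
        FoundInStore    = [bool]$cert
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        # Heuristic: identical subject and issuer means self-signed, not CA-issued.
        SelfSigned      = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
        HasPrivateKey   = if ($cert) { $cert.HasPrivateKey } else { $null }
        NotAfter        = $cert.NotAfter
    }
}

# Constructed input: the thumbprint from the error message above with an invisible
# U+200E character in front, as a copy/paste from a dialog might produce.
$pasted = "$([char]0x200E)534E48E7581155969980EB7F559A5DF04B77D52B"
Test-ConfiguredThumbprint -Thumbprint $pasted | Format-List
```

If `UnexpectedChars` is not empty, put `CleanThumbprint` into the configuration instead of the pasted value; if `SelfSigned` is true, the thumbprint belongs to the machine's self-created certificate rather than the CA-issued one.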

  • miro.c.tr

    To be 100% sure we understand each other - your command "getcert" gets cert from MY store with CN = "DFCZ-BVNHDWBC01" and it works, it gets thumbprint of DFCZ-BVNHDWBC01 key.

    However, in my cert msc there is no store called MY (but I think it's the same folder as Personal, isn't it?). And the CN of the cert, which is signed by the CA and is used on our NAV servers and now also on the BC server, has CN = "*.deufol.com". So I replaced -Match with this CN (deufol.com). It works as well, but after copying the thumbprint to the admin console of BC, still the same issue. It's still looking for CN "DFCZ-BVNHDWBC01", not the others.

  • Suggested answer
    Marco Mels

    Hello,

    Thank you for the feedback. Correct, that is personal store. The only thing I can think of is that SSL is still enabled on SOAP, OData and Development. If you do replace a cert, this must be disabled, port bindings need to be removed via netsh http delete urlacl url=<<urlacl binding>> for SOAP, OData and Development. A few times a restart without SOAP, OData and Development enabled and then take the new cert in production by enabling them again. This SSL may be cached by the NST and a restart of the NST instance will not help to address that. Hopefully that is what you are looking for.

    Thanks.

  • Verified answer
    Marco Mels

    Hello,

    We just published a blog posting, so I did remember your posting. It may help you as well.

    community.dynamics.com/.../service-tier-might-load-a-different-certificate-since-16-4-and-log-an-error-like-configuration-setting-dnsidentity-has-an-invalid-value

    Thanks.

  • miro.c.tr

    Thank god! This solves my problem. Thanks.
