Renew or Replace an SSL Certificate in Dynamics CRM

Error Message:
“Exchange Online Security Certificate Expiration Please update your certificate or Exchange Online integration will stop functioning in $count days.”

Resolution (steps):

1. Apply the new cert on the ADFS server
a. Obtain new cert and place it into C:\certs directory
b. Install new cert to local machine certificates store using MMC: Run certlm.msc > Personal > right-click Certificates > All Tasks > Import > Next > Browse > navigate to C:\certs > select the new cert > Open > Next > Next > OK > OK
c. Set cert access permissions: Run certlm.msc > Personal > Certificates > right-click new cert > All Tasks > Manage Private Keys > Add > search and select appropriate service accounts (‘AppPool user account’: READ, ‘ADFS service user account’: FULL) > OK > put a check mark next to appropriate permissions for each account > OK > OK
d. Make a backup of the old cert ***
e. Remove old cert from local machine certificates store using MMC: Run certlm.msc > Personal > Certificates > right-click on the old cert > Delete > Yes ***
f. Set Cert using AD FS Management Console:
– Run %windir%\ADFS\Microsoft.IdentityServer.msc: AD FS > Service > right-click Certificates > Set Service Communications Certificate > select the newly imported Cert > OK
– AD FS > Trust Relationship > Relying Party Trusts > right-click CRM Claims Relying Party > Update from Federation Metadata

2. Apply the new cert on Dynamics CRM Server’s IIS
a. Obtain new cert and place it into C:\certs directory
b. Remove old cert from local machine certificates store using MMC: Run certlm.msc > Personal > Certificates > right-click on the old cert > Delete > Yes
c. Install new cert to local machine certificates store using MMC: Run certlm.msc > Personal > right-click Certificates > All Tasks > Import > Next > Browse > navigate to C:\certs > select the new cert > Open > Next > Next > OK > OK
d. Set cert access permissions: Run certlm.msc > Personal > Certificates > right-click new cert > All Tasks > Manage Private Keys > Add > search and select appropriate service accounts (‘AppPool user account’: READ, ‘ADFS service user account’: FULL) > OK > put a check mark next to appropriate permissions for each account > OK > OK
e. Apply new cert toward IIS: Run inetmgr.exe > Sites > Microsoft Dynamics CRM > click on Bindings on the right side panel > select https > Edit > click Select > highlight the newly imported cert > OK > OK > Close
f. Reset IIS: run iisreset

3. Apply new cert within CRM using Deployment Manager
a. Run “%PROGRAMFILES%\Microsoft Dynamics CRM\tools\Microsoft.Crm.DeploymentManager.exe” > Configure Claims-Based Authentication > Next > Next > Select > highlight the new Cert > OK > Next > Next > OK
b. Reset IIS: run iisreset

4. Run this script…
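An added post-renewal verification script, not part of the original post, that checks the outcome of steps 1 to 3 on each server: the new cert is in the store with its private key, the service accounts have the key permissions from steps 1c/2d, the IIS binding (step 2e) and the ADFS service communications cert (step 1f) point at it, and no stale copy of the old cert is left behind. The thumbprint, site name and account names are placeholders; the key ACL check assumes a CSP (legacy RSA) key.

```powershell
# Added check, not part of the original post. Run elevated on the CRM server
# (IIS check) and on the ADFS server (ADFS check); each check skips what is absent.
# Placeholders: $NewThumbprint, $SiteName and the account names in $RequiredAcl.
$NewThumbprint = ('PASTE-NEW-CERT-THUMBPRINT-HERE' -replace '\s', '').ToUpper()
$SiteName      = 'Microsoft Dynamics CRM'
$RequiredAcl   = @{ 'CONTOSO\CRMAppPool' = 'Read'; 'CONTOSO\adfssvc' = 'FullControl' }

# 1. New cert is in LocalMachine\My together with its private key (steps 1b / 2c)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert)               { throw "Cert $NewThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Cert was imported without its private key" }
Write-Host "$($cert.Subject) expires in $(($cert.NotAfter - (Get-Date)).Days) days"

# 2. Private key ACL grants the service accounts what steps 1c / 2d require.
#    Assumes a CSP key under MachineKeys; CNG keys expose no .PrivateKey here and are skipped.
if ($cert.PrivateKey) {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $acl = Get-Acl (Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName)
    foreach ($account in $RequiredAcl.Keys) {
        $have = 0   # union of all Allow rights granted to this account
        $acl.Access | Where-Object { $_.IdentityReference -eq $account -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $have = $have -bor [int]$_.FileSystemRights }
        $want = [int][System.Security.AccessControl.FileSystemRights]$RequiredAcl[$account]
        if (($have -band $want) -ne $want) { Write-Warning "$account lacks $($RequiredAcl[$account]) on the private key" }
    }
}

# 3. IIS https binding of the CRM site uses the new cert (step 2e)
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    $binding = Get-WebBinding -Name $SiteName -Protocol https
    if ($binding.certificateHash -ne $NewThumbprint) { Write-Warning "IIS binding still uses $($binding.certificateHash)" }
}

# 4. ADFS service communications cert is the new one (step 1f)
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $svc = Get-AdfsCertificate -CertificateType Service-Communications
    if ($svc.Thumbprint -ne $NewThumbprint) { Write-Warning "ADFS service communications cert is $($svc.Thumbprint)" }
}

# 5. Old certs with the same subject still in the store (steps 1d / 2b cleanup)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $NewThumbprint } |
    ForEach-Object { Write-Warning "Stale cert still in store: $($_.Thumbprint), expires $($_.NotAfter)" }
```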

4 thoughts on “Renew or Replace an SSL Certificate in Dynamics CRM”

    1. Sorry, I’ve lost the script. I could spend some time to re-write it, but it probably isn’t as useful since on-prem ADFS is phasing out in favor of cloud initiatives.

      1. In case anyone is looking for Step 4… you can refer to the Microsoft article on Connecting Exchange Online to Dynamics 365 On Premise:
        https://docs.microsoft.com/en-us/dynamics365/customerengagement/on-premises/admin/connect-dynamics-365-on-premises-exchange-online?view=op-9-1

        Configure server-based authentication
        On the Microsoft Dynamics 365 Server where the deployment tools server role is running, start the Azure Active Directory Module for Windows PowerShell.

        Prepare the certificate.

        Change the directory to the location of the CertificateReconfiguration.ps1 file (by default it is C:\Program Files\Microsoft Dynamics CRM\Tools).

        $CertificateScriptWithCommand = '.\CertificateReconfiguration.ps1 -certificateFile c:\Personalcertfile.pfx -password personal_certfile_password -updateCrm -certificateType S2STokenIssuer -serviceAccount contoso\CRMAsyncService -storeFindType FindBySubjectDistinguishedName'
        Invoke-Expression -command $CertificateScriptWithCommand

        Prepare the Windows PowerShell session.

        The following cmdlets enable the computer to receive remote commands and add Office 365 modules to the Windows PowerShell session. For more information about these cmdlets see Windows PowerShell Core Cmdlets.

        Enable-PSRemoting -force
        New-PSSession
        Install-Module MSOnline
        Install-Module MSOnlineExt
        Import-Module MSOnline -force
        Import-Module MSOnlineExt -force

        Connect to Office 365.

        When you run the Connect-MsolService command, you must provide a valid Microsoft account that has Office 365 Global Administrator membership for the Exchange Online license that is required. For detailed information about each of the Azure Active Directory PowerShell commands listed here, see MSDN: Manage Azure AD using Windows PowerShell.

        $msolcred = get-credential
        connect-msolservice -credential $msolcred

        Set the certificate.

        $STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList c:\Personalcertfile.pfx, personal_certfile_password
        $PFXCertificateBin = $STSCertificate.GetRawCertData()
        $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $Certificate.Import('c:\Personalcertfile.cer')
        $CERCertificateBin = $Certificate.GetRawCertData()
        $CredentialValue = [System.Convert]::ToBase64String($CERCertificateBin)

        Set the Azure Active Directory Service Principal Name (SPN) in Exchange Online.

        Replace *.contoso.com with the domain name where Microsoft Dynamics 365 Server is located.

        $RootDomain = '*.contoso.com'
        $CRMAppId = '00000007-0000-0000-c000-000000000000'
        New-MsolServicePrincipalCredential -AppPrincipalId $CRMAppId -Type asymmetric -Usage Verify -Value $CredentialValue
        $CRM = Get-MsolServicePrincipal -AppPrincipalId $CRMAppId
        $ServicePrincipalName = $CRM.ServicePrincipalNames
        $ServicePrincipalName.Remove("$CRMAppId/$RootDomain")
        $ServicePrincipalName.Add("$CRMAppId/$RootDomain")
        Set-MsolServicePrincipal -AppPrincipalId $CRMAppId -ServicePrincipalNames $ServicePrincipalName

        Configure the Microsoft Dynamics 365 Server for server-based authentication with Exchange.

        Add-PSSnapin Microsoft.Crm.PowerShell
        $setting = New-Object 'Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity'
        $setting.LogicalName = 'ServerSettings'
        $setting.Attributes = New-Object 'Microsoft.Xrm.Sdk.Deployment.AttributeCollection'
        $attribute1 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerPrincipalId", "00000001-0000-0000-c000-000000000000")
        $setting.Attributes.Add($attribute1)
        $attribute2 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerMetadataUrl", "https://accounts.accesscontrol.windows.net/metadata/json/1")
        $setting.Attributes.Add($attribute2)
        Set-CrmAdvancedSetting -Entity $setting

        Hope this helps!
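An added check, not part of the original post or of the Microsoft article quoted in the comment above, for confirming that the New-MsolServicePrincipalCredential step actually registered the new certificate on the CRM service principal and for spotting credentials left over from earlier renewals. It assumes connect-msolservice has already run and reuses the article’s c:\Personalcertfile.cer placeholder.

```powershell
# Added check, not from the original post or the quoted Microsoft article.
# Assumes connect-msolservice has already run and c:\Personalcertfile.cer is the
# public half of the cert registered above; the path reuses the article's placeholder.
$CRMAppId = '00000007-0000-0000-c000-000000000000'
$newCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'c:\Personalcertfile.cer'

# Pull every credential on the CRM service principal, with key material, and decode each
# asymmetric one back into a certificate so thumbprints (not base64 text) are compared.
$creds   = Get-MsolServicePrincipalCredential -AppPrincipalId $CRMAppId -ReturnKeyValues $true
$byThumb = @{}
foreach ($c in $creds) {
    if ($c.Type -ne 'Asymmetric' -or -not $c.Value) { continue }
    $bytes = [Convert]::FromBase64String($c.Value)
    $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    $byThumb[$x.Thumbprint] = $c
}

$current = $byThumb[$newCert.Thumbprint]
if (-not $current -or $current.Usage -ne 'Verify') {
    throw "Cert $($newCert.Thumbprint) is not registered as a Verify credential on $CRMAppId; rerun New-MsolServicePrincipalCredential"
}
Write-Host "Registered: KeyId $($current.KeyId), valid $($current.StartDate) to $($current.EndDate)"

# Credentials from earlier renewals stay on the service principal until removed;
# list the expired ones so they can be cleaned up after review.
$stale = $creds | Where-Object { $_.EndDate -lt (Get-Date) -and $_.KeyId -ne $current.KeyId }
foreach ($s in $stale) { Write-Warning "Expired credential KeyId $($s.KeyId) (ended $($s.EndDate)) still present" }
if ($stale) { Write-Host "Remove with: Remove-MsolServicePrincipalCredential -AppPrincipalId $CRMAppId -KeyIds <KeyId,...>" }
```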
