Before I proceed with the post, let me clear this up. There is nothing special about the IIS server where CRM is installed; this applies to all IIS servers. However, being a devotee of Dynamics for quite some time now, I can’t write any post without tagging CRM to it.
So here I was, working for a client with the on-premise 2016 version. Their certificate was about to expire. They needed to generate a CSR for a SAN certificate, as wildcard certificates are not allowed by most company policies.
So they used OpenSSL to generate the CSR. For readers who might be interested in knowing how to generate a SAN certificate using OpenSSL, https://geekflare.com/san-ssl-certificate/ provides a good example. They got the certificate back from the Network team.
Now the D-day. They imported the certificate into the Personal store and also imported the certificate in IIS using the ‘Complete Certificate Request’ option. All set and good.
But the moment they tried to bind the certificate to the Dynamics CRM site, they could not find the certificate. They repeated the process, with the same behavior every time.
A bit of research and this is what comes up – “Certificate without private Key Information in it, cannot be binded to a IIS website.”
But how to do it?
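When you generate a CSR using OpenSSL, the private key is written to a file rather than kept in the Windows certificate store, so the certificate imported on the server has no private key attached to it. Usually the file name is “Private.Key”, unless you specified something else.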
So you have the private key and the certificate separately. But how to bind the certificate with the Private key?
Follow the steps below:
- Copy the private key file and the certificate to the OpenSSL bin folder. Usually it is under C:\OpenSSL-Win64 on 64-bit machines and C:\OpenSSL-Win32 on 32-bit machines.
- Open command prompt as administrator and navigate to the bin folder in the command prompt.
- Run the below command
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile
Here certificate.pfx is the output certificate with the private key information, and certificate.crt is the certificate you received from the Network team.
Once the command completes successfully, you should be able to see certificate.pfx in the bin folder.
Now all set and done. You just need to import this certificate into IIS. But remember to use the “Import” option in the certificate window.
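One way to check the key and certificate before and after the export, as an added example that is not part of the original post. It is written for a POSIX shell such as Git Bash or WSL; the hostname, temp files and function names are constructed for the demo, and -certfile is left out because it only adds extra chain certificates from a file.

```bash
#!/usr/bin/env bash
# Added example. File names follow the post; crm.example.test, the temp
# directory and the function names are constructed for this demo.

# True when the certificate's public key equals the one derived from the key file.
key_matches_cert() {   # usage: key_matches_cert <key> <cert>
    from_cert=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    from_key=$(openssl pkey -in "$1" -pubout) || return 2
    [ "$from_cert" = "$from_key" ]
}

# Bundle key + cert into a PFX only if they belong together.
# The export password is read from the PFX_PASS environment variable so it
# does not show up in the process list or in shell history.
make_pfx() {           # usage: make_pfx <key> <cert> <out.pfx>
    key_matches_cert "$1" "$2" ||
        { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout env:PFX_PASS
}

# True when the PFX contains a private key (what IIS needs for a binding).
pfx_has_key() {        # usage: pfx_has_key <file.pfx>
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# --- constructed sample data: throwaway key + self-signed cert, plus an unrelated key ---
work=$(mktemp -d)
export PFX_PASS='constructed-demo-password'
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=crm.example.test' \
    -keyout "$work/private.key" -out "$work/certificate.crt" 2>/dev/null
openssl genrsa -out "$work/other.key" 2048 2>/dev/null

# Matching pair: the PFX is written and carries the key.
make_pfx "$work/private.key" "$work/certificate.crt" "$work/certificate.pfx" &&
    pfx_has_key "$work/certificate.pfx" &&
    echo "certificate.pfx carries the private key"

# Unrelated key: the export is refused before any file is written.
make_pfx "$work/other.key" "$work/certificate.crt" "$work/wrong.pfx" ||
    echo "refused to bundle a key that does not belong to the certificate"
```

Once the PFX is imported, delete the loose private.key and certificate.pfx copies from the OpenSSL folder or move them to protected storage, since anyone who can read them can impersonate the site.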
A rather off-topic post, but I hope it makes an interesting read.
(Business Solutions MVP)