Issues with self signed certificates for server-server integration between CRM and Sharepoint? Here is what you may need to know to save your day.

As promised in my last blog, I am back with one more scenario where consultants get stuck in on-premise environments. Server-server SharePoint integration with Dynamics is something we take for granted when we set up trial instances for demo in online environments. After all, entire internal plumbing is handled by Microsoft and we just need to do follow some sequential steps to accomplish the same.

However things are not so rosy for on-premise systems. You have to follow a host of steps as detailed out in this article –

One of the requirements for server based integration is Sharepoint should be SSL enabled. And many a times, you need to set this up with self signed certificates to create a working POC before customer approves it. This post specifically deals with all the problems that you might face while setting up server based integration using self signed certificates. The post will highlight some of key errors usually encountered and how to resolve the same.

Before you proceed with the below error scenarios, just make sure you followed the below prerequisite steps –

Error 1: CertificateData for CertificateType: S2STokenIssuer not found

This error is usually thrown in the after providing the Sharepoint site name and SharePoint Realm ID in the “Enable server based SharePoint integration” configuration screen.

This usually happens if you miss the step to add the server-server certificate to Microsoft Dynamics 365 configuration database as explained here –

You would need to open PowerShell in administrative mode in CRM server and then navigate to <drive>:\Program Files\Microsoft Dynamics CRM\Tools folder. Then run the below command.

.\CertificateReconfiguration.ps1 –certificateFile <certificate pfx file location> -password <private certifacte password> -updateCrm -certificateType S2STokenIssuer 

-serviceAccount <service account for CRM Async service> -storeFindType FindBySubjectDistinguishedName


Error 2: Certificate private key is not found

This error is thrown when we run “CertificateReconfiguration.ps1” power shell script as described above. But why this error?

To be honest, I am not a certificate expert and I am not sure why this happens. But after multiple trial and error I was able to workaround the problem. And I am going to share that.

There are multiple ways to create a certificate. So what options we have. I am going to discuss the commonly used one and what error you may get for each.

Option 1 – Using IIS

If you search in Google on how to create a self signed certificate, the first article that may catch your attention is to create a self signed certificate from IIS.


You create the certificate but you will find the certificate does not have a private key with it. And hence it won’t work while you run the above powershell command.

Option 2 – Using PowerShell command

The next one that is suggested for Windows 10 and above is using Powershell command – “New-SelfSignedCertificate” . The below command would create a certificate and store in Personal store.

New-SelfSignedCertificate –DnsName <You CN name for certificate> -CertStoreLocation “cert:\LocalMachine\My”

This one created has a private key associated with it but if you try to run the powershell script  – “CertificateReconfiguration.ps1” you get the error – “Certificate private key is not found”. This is surprising because the certificate has a private key associated with it.

Option 3 – Using MakeCert.exe

After much googling around, one of the community blogs suggested to use MakeCert.exe to create the self signed certificate and it might work. So tried the below commands.

makecert -r -pe -n "CN=HOSTNAME" -eku -sky exchange -sv HOSTNAME.pvk HOSTNAME.cer

The above command will create a certificate file and a private key file. Make sure to replace hostname with value for your environment. But we need a .pfx file to run our PowerShell command. To create a .pfx file out of this, please run the below command.

pvk2pfx -pvk HOSTNAME.pvk -spc HOSTNAME.cer -pfx HOSTNAME.pfx

Once the .pfx file is generated, you can import the file in personal store and use this for your SharePoint SSL binding. Once done execute the PowerShell command – “CertificateReconfiguration.ps1”  and it should work just fine.

As you can see from the above, you need couple of .exe files to make this work – makercert.exe and pvk2pfx.exe. But where do I get them?

Unlike what I thought, it was quite a hassle to get it. MakeCert.exe shipped with Visual studio till version 2013 and later it was stopped. You can get makecert.exe by installing Windows 8 SDK. But if you are using windows 10 and above, that is an issue as well. Windows 10 SDK is quite a big installation and doing that just to get a standalone makercert file is something which baffled me. After much pain, I was able to get makecert.exe from Fiddler2 installation and pvk2pfx.exe from Windows SDK. To help readers, I have put those files in the one-drive link shared through this blog.

You can just use these and everything should work fine.

Hope this helps!

Debajit Dutta

(Dynamics MVP)

For consultation/ corporate training visit or reach out to us at

Our product offerings:

Role based views for Dynamics 365 (

CRM-Sharepoint Attachment uploader and metadata manager (

Record Cloner for Dynamics 365 (

Multiselect picklist for Dynamics 365 (


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s