How to Update SSL Certificates for AD FS 3.0 in CRM IFD
Microsoft Dynamics CRM can be configured to use SSL/TLS. For this to work, an SSL certificate, together with its private key, is required on every server that presents the HTTPS endpoint.
Certificates are purchased from a certificate provider (CA) and expire after a fixed period of time. Once that time has elapsed, browsers and the AD FS token service reject the certificate, so Microsoft Dynamics CRM (and IFD sign-in through AD FS) will no longer work until the certificate is replaced.
This article describes the process to update the certificate for Microsoft Dynamics CRM when claims-based authentication and IFD are in use.
Installing the new certificate
You will need to import the new certificate, including its private key (a PFX/PKCS#12 file), into the Local Computer Personal store on each CRM server that hosts the web services, and on the AD FS server if claims-based authentication is enabled.
Instructions on how to import a certificate can be obtained from your certificate provider.
Note: Problems may occur if you do not remove the old certificate. With two certificates for the same name in the store it is easy to select the expired one in the wizards below, so remove the old certificate once the new one has been bound and verified on every server.
Add permission to the certificate
It is necessary to grant the service accounts access to the certificate's private key. Without it the application pool (or the AD FS service) can see the certificate but cannot use it to complete the TLS handshake or to decrypt tokens.
The following steps show how to add permissions to the certificate.
Open the Certificate Console on the server (the Certificates MMC snap-in for the Computer account; the Microsoft wiki explains how to open it if you need help).
Navigate to (Local Computer) > Personal > Certificates.
Right click the new certificate and go to All Tasks > Manage Private Keys.
Add the following permissions:
AD FS Server: CRMAppPool Account = “Read”
AD FS Server: ADFSAppPool Account = “Full”
CRM Server: CRMAppPool Account = “Read”
Read is all that an account needs in order to use the private key. Grant “Full” only where your environment demonstrably requires it: a compromised pool identity with Full control can also delete or re-ACL the key.
In our case we were using the NETWORK SERVICE account and needed to add the Read permission.
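The private-key permission step as a script, added here as an example (it is not part of the original article). It locates the imported certificate by thumbprint, checks that the private key actually came with it, warns about any older certificate with the same subject (the note above about removing the old certificate), and grants Read on the key file to the listed accounts. The thumbprint is a placeholder, the account list assumes the NETWORK SERVICE identity from the article, and it handles CSP keys (the usual case for a CA-issued PFX); CNG keys keep a different key path and are left to the GUI step. Run it in an elevated PowerShell session on each server.

```powershell
# Added example, not the article's own code. Assumptions: placeholder thumbprint,
# NETWORK SERVICE as the CRMAppPool identity (on the AD FS server list the AD FS
# service account instead). Grants Read, not Full, on the private key file.
$thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder, replace
$accounts   = @("NT AUTHORITY\NETWORK SERVICE")             # assumed identity

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate was imported without its private key; re-import it from the PFX" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumbprint already expired on $($cert.NotAfter)" }

# Flag the old certificate(s) for the same name so the operator can remove them
# once the new one is bound everywhere.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $cert.Thumbprint } |
    ForEach-Object { Write-Warning "Other certificate for $($_.Subject): $($_.Thumbprint), expires $($_.NotAfter)" }

# Locate the key file. CSP keys live under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
# The PrivateKey getter throws for CNG keys, so treat that as "not a CSP key".
try   { $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider] }
catch { $csp = $null }
if (-not $csp) { throw "Private key is not a CSP key; use All Tasks > Manage Private Keys in the console instead" }

$keyName = $csp.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

# Add a Read ACE per account. Read is sufficient for TLS and token decryption.
$acl = Get-Acl -Path $keyPath
foreach ($account in $accounts) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "Read", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting ACL so the change can be checked against the list in the article.
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

The script stops on an expired or key-less certificate rather than silently ACLing the wrong file, which is the failure mode that leaves CRM "working" until the next restart.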
Update IIS (Internet Information Services) to use the new certificate
On the Microsoft Dynamics CRM website in IIS, the HTTPS binding will need to be updated to use the new certificate.
The following steps show how to bind the new certificate using IIS 8.
Log on to the Microsoft Dynamics CRM Server.
Open IIS Manager and locate the Microsoft Dynamics CRM website.
Right click the website and click Edit Bindings.
Select the HTTPS binding and click Edit….
Select the new certificate from the SSL certificate list and click OK to save the settings.
Close all open windows.
If the site has more than one HTTPS binding (for example one per host header for the internal and external CRM addresses), repeat the edit for each binding.
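The same binding change done with the WebAdministration module, as an added example that is not from the original article. It assumes the default site name "Microsoft Dynamics CRM" and a placeholder thumbprint, updates every HTTPS binding of the site, and then reads the bindings back so the result can be checked rather than assumed.

```powershell
# Added example, not the article's own code. Assumptions: site name
# "Microsoft Dynamics CRM" (the CRM default) and a placeholder thumbprint.
Import-Module WebAdministration

$siteName   = "Microsoft Dynamics CRM"
$thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder, replace

$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; IIS cannot use it" }

$bindings = @(Get-WebBinding -Name $siteName -Protocol https)
if ($bindings.Count -eq 0) { throw "Site '$siteName' has no https binding; add one in IIS Manager first" }

foreach ($b in $bindings) {
    "Binding $($b.bindingInformation): currently $($b.certificateHash)"
    # AddSslCertificate replaces the certificate in the HTTP.SYS SSL binding
    # for this IP:port (or host header); 'my' is the LocalMachine\My store.
    $b.AddSslCertificate($thumbprint, "my")
}

# Verify: every https binding now reports the new thumbprint.
foreach ($b in Get-WebBinding -Name $siteName -Protocol https) {
    if ($b.certificateHash -ne $thumbprint) {
        throw "Binding $($b.bindingInformation) still uses $($b.certificateHash)"
    }
    "Binding $($b.bindingInformation): now $($b.certificateHash), expires $($cert.NotAfter)"
}

# HTTP.SYS view, useful when IIS Manager and the kernel binding disagree.
netsh http show sslcert
```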
Reconfigure Claims-Based Authentication
The Microsoft Dynamics CRM application will need to be updated to use the new certificate.
The following steps show how to reconfigure claims-based authentication.
Open Deployment Manager
Click Configure Claims-Based Authentication to open the wizard
Click Next on the Welcome page
Click Next on the Token Service page
Select the new certificate on the Select Certificate page
Click Next to complete the configuration
Update AD FS (Active Directory Federation Services)
In AD FS, the Service Communications certificate will need to be updated.
The following steps show how to update the Service Communications certificate in the AD FS Management console (named AD FS 2.0 Management on AD FS 2.0).
Open the AD FS Management console.
Navigate to AD FS > Service > Certificates.
Click Set Service Communications Certificate.
Select the new certificate and click OK.
Note: AD FS 3.0 (Windows Server 2012 R2) does not run inside IIS; its HTTPS listener is bound directly in HTTP.SYS, so the IIS binding step above does not reach it and the SSL certificate must be set separately with the Set-AdfsSslCertificate PowerShell cmdlet. On AD FS 2.0, which does run in IIS, update the HTTPS binding of the Default Web Site on the AD FS server in the same way as for the CRM site.
Update Relying Party Trusts
The Relying Party Trusts in AD FS Management need to be checked to confirm that neither the Claims Relying Party Trust nor the IFD Relying Party Trust shows a warning (!) icon next to it.
If either does, or simply to be safe, right click each one separately and select Update from Federation Metadata.
Once both have been updated you can move on to the last task.
To finish the process, all affected services will need to be restarted.
The following steps should be completed once the certificate has been updated. It may also be necessary to follow these steps if problems occur during any of the previous tasks.
Perform an IISRESET on each server
Restart the AD FS service on AD FS server
Update Relying Party metadata
Open the AD FS Management console.
Navigate to AD FS > Trust Relationships > Relying Party Trusts.
Right click each relying party and select Update from Federation Metadata
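The AD FS side of the procedure (Service Communications certificate, the AD FS 3.0 SSL binding, service restart and relying party refresh) as one script, followed by the check most people skip: connecting to each HTTPS endpoint and reading the certificate it actually serves. This is an added example, not code from the original article. The thumbprint, the relying party display names and the hostnames are placeholders; the relying party names must match what AD FS Management shows. Run it elevated on the AD FS server after the CRM side has been reconfigured, since the relying party update pulls fresh metadata from CRM.

```powershell
# Added example, not the article's own code. Placeholders: thumbprint, relying
# party display names, endpoint hostnames. Run elevated on the AD FS server.
$thumbprint     = "0123456789ABCDEF0123456789ABCDEF01234567"              # placeholder
$relyingParties = @("CRM Claims Relying Party", "CRM IFD Relying Party")  # assumed names
$endpoints      = @("adfs.example.com", "crm.example.com")               # assumed hosts

# AD FS 2.0 shipped its cmdlets as a snap-in, AD FS 3.0 as a module.
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS }
else { Add-PSSnapin Microsoft.Adfs.PowerShell }

# The certificate the "Set Service Communications Certificate" action sets.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumbprint

# AD FS 3.0 binds its own HTTPS listener in HTTP.SYS, outside IIS; the cmdlet
# does not exist on AD FS 2.0, where the IIS binding on this server is what counts.
if (Get-Command Set-AdfsSslCertificate -ErrorAction SilentlyContinue) {
    Set-AdfsSslCertificate -Thumbprint $thumbprint
}

Restart-Service adfssrv

# Pull fresh federation metadata from CRM for each relying party, then show when
# the trust was last updated and whether automatic monitoring is on.
foreach ($rp in $relyingParties) {
    Update-AdfsRelyingPartyTrust -TargetName $rp
    $trust = Get-AdfsRelyingPartyTrust -Name $rp
    "{0}: last updated {1}, monitoring enabled: {2}" -f $rp, $trust.LastUpdateTime, $trust.MonitoringEnabled
}

# Read the certificate an endpoint really presents instead of trusting the store view.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the goal is to read the leaf, not to validate it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

foreach ($h in $endpoints) {
    $served = Get-ServedCertificate -HostName $h
    $status = if ($served.Thumbprint -eq $thumbprint) { "OK" } else { "WRONG CERTIFICATE" }
    "{0,-25} {1} expires {2:yyyy-MM-dd} [{3}]" -f $h, $served.Thumbprint, $served.NotAfter, $status
}
```

Running the last loop from a workstation outside the network, against the external IFD names, is the closest thing to what a remote user will see; an endpoint still reporting the old thumbprint after an IISRESET usually means a second HTTPS binding or the HTTP.SYS binding was missed.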