Microsoft CRM IFD SSL Certificate Renewal

This post follows on from our very popular IFD configuration for Microsoft CRM.
The time will come when you need to renew the SSL certificate for your CRM IFD configuration.
This includes renewing the SSL certificate used by both IIS and ADFS. These are the steps we followed, based exactly on the configuration outlined in our above linked blog post.

Generate a new SSL Request.

1. Open IIS Manager and click on server certificates.
2. Create certificate request
3. Fill in the data, then click Next.
4. Change to 2048 Bit
5. Give it a name:
Finish and you are done.
Now open the certificate text file and copy the text to your clipboard, or use this with your certificate authority to issue you a new Wild Card Certificate. * is what we use.
To get the certificate we use a service called “” who allow you to issue certificates like this for 2 years for free once you are validated as a user.

Complete the Certificate Request

Once the new certificate has been issued to you, you need to complete the request on IIS.
1. In IIS Manager click on Complete Certificate Request
2. Browse to the certificate from your issuer provider and give it a friendly name. We like to use a year in the name to help distinguish from the old one.
Finish the import.

Change the certificate used by IIS

1. Expand the two sites on the CRM server and click on Default Website first then Bindings / https
2. Select the new certificate that you just imported and click on OK
3. Repeat this process for the Microsoft Dynamics CRM website, selecting the new certificate here and clicking OK.
4. Restart IIS

Set Permissions on SSL Certificate

1.  Click Start, and then click Run.
2.  Type MMC.
3.  On the File menu, click Add/Remove Snap-in.
4.  In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.
5.  Select Computer account, and then click Next.
6.  Select Local computer: (the computer this console is running on), and then click Finish.
7.  Click OK.
8.  Expand Console Root\Certificates (Local Computer)\Personal\Certificates.
9.  Right-click Certificates, click All Tasks, and then click Import.

Step 2: Add to the ADFS service account the permissions to access the private key of the new certificate. To do this, follow these steps:

1.  With the local computer certificate store still open, select the certificate that was just imported.
2.  Right-click the certificate, click All Tasks, and then click Manage Private Keys.
3.  Add the account that is running the ADFS Service, and then give the account at least read permissions (for us this is the Network Service).

Run the Deployment Manager with new Certificate

1. Run the CRM Deployment Manager.
2. Run the Configure Claims-based Authentication action. Keep the default settings, which should be the defaults from your IFD setup, but when you get to the certificate, select the new certificate. It should be visible in the list after importing it in the steps above.
3. Run the Configure Internet Facing Deployment action and just step through it with the default settings.
4. Restart the AD FS 2.0 Windows Service

Configure AD

Set the Service Communication Certificate

1. Start AD FS 2.0 Management
2. Expand certificates and select Set Service Communications Certificate
3. Select the new certificate that will be listed here.

Update Relying Party Trusts

1. From AD FS 2.0 Management, select your relying party trusts and update each from the federation metadata, one by one.
Update both listed. They will likely have a red cross before you do this.

Restart Services

Restart the AD FS service, and restart IIS the usual way.
And you should be done. Log in to your CRM IFD again and enjoy.
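
To confirm the renewal took effect in every place the steps above touch, the following PowerShell check (an added example, not part of the original post) reports the new certificate, the IIS SSL bindings, the private key permissions and the AD FS service communications certificate. `Test-IfdCertRenewal` is a hypothetical helper name; the sketch assumes a CSP-backed key stored under MachineKeys, the Network Service account used in this post, and the AD FS 2.0 PowerShell snap-in.

```powershell
# Added example (not from the original post). Run in an elevated Windows PowerShell
# session on the server hosting IIS/CRM and AD FS 2.0.
# Assumptions: Test-IfdCertRenewal is a hypothetical name, the private key is
# CSP-backed (file under MachineKeys), and AD FS runs as NETWORK SERVICE.
function Test-IfdCertRenewal {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'
    )
    Import-Module WebAdministration
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

    # Thumbprints copied from the MMC dialog often carry spaces or hidden characters.
    $tp   = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-Item "Cert:\LocalMachine\My\$tp" -ErrorAction Stop

    # 1. The renewed certificate: expiry, key size, private key present.
    $bits = $cert.PublicKey.Key.KeySize
    "Cert   : {0}, expires {1:yyyy-MM-dd}, {2}-bit, private key: {3}" -f $cert.Subject, $cert.NotAfter, $bits, $cert.HasPrivateKey

    # 2. Every IIS SSL binding should reference the new thumbprint.
    Get-ChildItem IIS:\SslBindings | ForEach-Object {
        $state = if ($_.Thumbprint -eq $tp) { 'new' } else { 'OLD' }
        "IIS    : {0}:{1} -> {2} ({3})" -f $_.IPAddress, $_.Port, $_.Thumbprint, $state
    }

    # 3. The AD FS service account needs at least Read on the private key file.
    $read    = [System.Security.AccessControl.FileSystemRights]::Read
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    $rules   = (Get-Acl $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    "KeyACL : {0} has read access: {1}" -f $ServiceAccount, [bool]$rules

    # 4. The AD FS service communications certificate should be the new one.
    $svc = Get-ADFSCertificate -CertificateType Service-Communications
    "AD FS  : service communications cert {0} (match: {1})" -f $svc.Thumbprint, ($svc.Thumbprint -eq $tp)
}

# Usage (the value is a placeholder, not a real thumbprint):
# Test-IfdCertRenewal -Thumbprint '<thumbprint of the renewed certificate>'
```

Any binding marked OLD, a `False` on the key ACL line, or a mismatch on the AD FS line points back to the corresponding section above.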
Please feel free to link to / reference this blog. Comments welcome below.


14 thoughts on “Microsoft CRM IFD SSL Certificate Renewal”

  1. Nice one. One thing that happened to me though : if you leave the old certificate on the CRM server, you’ll get an error when trying to configure claim-based authentication. Just export the expiring certificate with private key (for contingency purpose only) then delete it before configuring claim-based authentication.

    1. I did not find that problem. Just configured the new cert for the authentication, the old one remained but was no longer referenced and did not experience the problem you describe.

    2. Didier T – so pleased you reported this. Took me a while to work out what was happening. Removing the old cert corrected the issue instantly.
