Creating SSL Certificates for CRM Test Environment

When working on a CRM test environment there are many scenarios where I need to add SSL to the CRM web site, such as testing Claims Authentication. Instead of getting a certificate from a 3rd party certification authority I will just use IIS to generate my own certificates. This allows me to quickly create certificates for my testing that will be valid on other test machines. Below are the steps to configure Active Directory Certificate Services so that you can easily test SSL in your CRM environment. I will also include steps on how to install the root certificate on other machines so that the certificates are valid for test clients.

Install Active Directory Certificate Services Role

Before a certificate can be created for CRM the Active Directory Certificate Services Role must be installed on the IIS Server. In these steps I am installing the role directly on the CRM Server.

a. Open Server Manager from within Administrative Tools.


b. Within Server Manager Click on Roles – Add Roles.


c. Click Next to get to the “Server Roles” page within the Add Roles Wizard.


d. Select the “Active Directory Certificate Services” Role and Click Next twice to get to the Roles Services window.


e. Select Certification Authority on the Role Services Window and Click Next.


f. Choose Enterprise for the Setup Type and Click Next.


g. Choose Root CA for the CA Type and Click Next.


h. Select Create a new private key, Click Next until the confirmation screen.


i. Click Install on the Confirmation window.


Create the Domain SSL Certificate

Now that the Active Directory Certificate Services role is installed you can generate a domain certificate for the CRM website. These steps show how to generate a wildcard certificate for the awc.local test domain that I am using. This wildcard certificate will then work with the various test orgs on this environment.

a. Open IIS Manager on the CRM Server where the Active Directory Certificate Services role was installed.


b. Open Server Certificates from the IIS Manager Home Page.


c. Click Create Domain Certificate within the Server Certificates window.


d. Enter the Certificate Properties. Common name is the name of the certificate, and it must match the host name that clients use in the URL. Since I am creating a wildcard I will enter *.awc.local for the Common name. Once all data is populated, Click Next.


e. Select the Online Certification Authority. The Certification Authority that was created should be displayed when you choose the Select button. Enter a Friendly name to identify the certificate and click Finish.


Add SSL Certificate to the CRM Website

Now that the certificate is created, an SSL binding can be created for the CRM Web Site. Since this will be the only SSL site within IIS we will use the default port 443.

a. Open IIS Manager on the CRM Server.


b. Navigate to Microsoft Dynamics CRM from the list of Web Sites and Click Bindings within Actions on the upper right side of the window.


c. Click Add on the Site Bindings Window.


d. Select HTTPS from the Type drop down menu and then Select the Wildcard certificate from the SSL Certificate menu, Click OK and Close.


At this point the certificate is bound to the CRM website and you can open CRM to test the new SSL binding. Open a browser and enter the CRM URL. In this case I will enter the Fully Qualified Domain Name (FQDN) for my server (https://crmsql.awc.local/CRM). If you are using an alias you will need to create the necessary entries in DNS. CRM should open properly with the SSL URL. The SSL certificate will show up as valid. When clicking on the certificate information I can see the wildcard cert that was issued by my server.


Install CA Root Certificate on Test Client Machine

This binding will work from other test machines, but the browser there will initially show a certificate prompt because the CA Root Certificate is not trusted.


The following steps will show how to install the CA root certificate so that it’s trusted and the CRM site opens without any prompts. Opening CRM without any prompts will be needed to successfully test SSL for components on other machines such as the Outlook Client or Email Router.

a. First we need to export the CA Root Certificate.

i. Open CRM using the SSL URL on the Server where the certificate is working properly.

ii. Click on the SSL Icon and choose View certificates.


iii. Click the Certification Path tab on the Certificate window. Select the Root Certificate and Click View Certificate.


iv. Click the Details Tab for the Root Certificate and Click Copy to File. This will allow you to export the root certificate so that it can be copied and installed on another machine.


v. On the Certificate Export Wizard, Click Next.


vi. Select Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B), Click Next.


vii. Specify a name/location to save the exported certificate, Click Next.


viii. Click Finish to complete the export of the Root Certificate. The certificate is now ready to install on other machines.


b. The following steps explain how to install the root certificate on another machine.

i. Copy the certificate file to the test machine that was receiving the certificate error. Right click on the certificate and choose Install Certificate.


ii. Click Next on the Certificate Import Wizard.


iii. Select Place all certificates in the following store and Click Browse.


iv. Select the Trusted Root Certification Authorities Store and Click OK.


v. Click Next and Finish on the Import Wizard.

vi. Click Yes on the Security Warning asking if you want to install the certificate.


vii. Click OK on the prompt stating that the Import was successful.


viii. Open the CRM website using the SSL address and now the site should open without any certificate warnings.
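
The client-side install and the final check can also be scripted. The PowerShell below is an added example, not part of the original post: it adds the exported root to the machine-wide Trusted Root store, which applies to every account on the machine including service accounts, and then reports how Windows validates the certificate on the crmsql.awc.local binding. The file path is an assumption and the thumbprint is a placeholder that you read from the root certificate on the CA server.

```powershell
# Added example. Run in an elevated PowerShell session on the test client.
$RootFile           = 'C:\Temp\awc-root.p7b'         # assumed path of the exported file
$ExpectedThumbprint = '<THUMBPRINT-FROM-CA-SERVER>'  # placeholder: hex, no spaces
$CrmHost            = 'crmsql.awc.local'             # FQDN used in the article

# 1. Inspect the export and pick only the self-signed root with the expected thumbprint.
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($RootFile)
$certs | Format-List Subject, Issuer, Thumbprint, NotAfter
$root = $certs | Where-Object {
    $_.Subject -eq $_.Issuer -and $_.Thumbprint -eq $ExpectedThumbprint
} | Select-Object -First 1
if (-not $root) { throw "No self-signed certificate in $RootFile has the expected thumbprint." }

# 2. Add it to the machine-wide Trusted Root store (not just the current user's store).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($root)
$store.Close()

# 3. Connect to the CRM binding and report what Windows certificate validation decides.
$script:policyErrors = $null
$script:chainStatus  = $null
$validate = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $certificate, $chain, $errors)
    $script:policyErrors = $errors   # e.g. RemoteCertificateNameMismatch, RemoteCertificateChainErrors
    $script:chainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $errors -eq [System.Net.Security.SslPolicyErrors]::None   # never accept a failing chain
}
$tcp = New-Object System.Net.Sockets.TcpClient($CrmHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    $ssl.AuthenticateAsClient($CrmHost)
    "OK: '$($ssl.RemoteCertificate.Subject)' validated for $CrmHost"
} catch {
    "FAILED: policy errors = $script:policyErrors; chain status = $script:chainStatus"
    $_.Exception.Message
} finally {
    $tcp.Close()
}
```

Running step 3 on its own, under the account that a service such as the Email Router uses, shows whether that account trusts the chain.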


Hopefully this will help out if you ever need to test SSL for your environment without wanting to spend money on a 3rd party certificate.


Jeremy Morlock

Microsoft Premier Field Engineer

Comments (8)

  1. Zoran_Ivanov says:

    Hi Jeremy,

    Thank you for the good article.

    Did you manage to make the E-mail router work with this configuration ?


  2. JMorlock says:

    Hello Zoran,

    This is the procedure I have used in the past to test the email router against CRM using SSL. I've seen issues with email router when using the self signed certificate route which is why I use domain certificates instead.  So there should not be any issues using this with the email router as long as the root certificate is added to the Email Router Machine and CRM opens without any SSL prompts.



  3. Friedhelm_Wolf says:

    Hi Jeremy,

    this is a great summary. We have to do this from time to time and I will keep this as a reference link. 🙂

  4. Peter says:

    Hi Jeremy,

    Very helpful article, however would it be possible to update its content into Windows 2012 / 2012 R2 OS ?

    Kind regards.

  5. Zoran_Ivanov says:

    Thank you for the reply Jeremy, I haven't tried this on an on-premise deployment.

    What I have discovered is that if you deploy an IFD environment with a self signed certificate the Email router doesn't work even if the root certificate is added to the Email Router Machine and CRM opens without any SSL prompts via IE.

    Kind regards,


  6. Sean McNellis says:

    Hi @Zoran, you may need to load the trusted root cert under the service account of the email router to get it to function.  This can be done via the certificate manager MMC.

  7. Rey Galvez says:


    I am having connection issues with Outlook, I can't connect my Outlook 2010 on my CRM 2013. All works well both internal and external access via web browser.  I also use wild card certificate generated by IIS on Windows 2012. Any idea? Thanks.

  8. I dont understand says:

    What exactly is a certificate? What is it used for? What would cause me to make one? I would like to configure my CRM to the app on my ipad and technet is taking me through it and I understand HOW to do it because I'm a pretty tech-savvy person. I just need to know the reason why I need to do this.