A while back I posted a blog on creating SSL certificates in Server 2008 for a CRM 2011 environment. I had requests on how to do this for CRM 2013 in a Windows Server 2012 environment.
When working on a CRM Test environment there are many scenarios where I need to add SSL to the CRM web site such as testing Claims Authentication. Instead of getting a certificate from a 3rd party certification authority I will just use IIS to generate my own certificates. This allows me to quickly create certificates for my testing that will valid on other test machines. Below are the steps to configure the Active Directory Certificate Service so that you can easily test SSL in your CRM environment. I will also include steps on how to install the root certification on other machine so that the certificates are valid for test clients.
Install Active Directory Certificate Services Role
Before a certificate can be created for CRM the Active Directory Certificate Services Role must be installed on the IIS Server. In these steps I am installing the role directly on the CRM Server.
a. Open Server Manager and select Add Roles and Features.
b. Within Server Manager Click on Roles – Add Roles.
c. Select the CRM server that you’d like to create the SSL certificates on and click Next.
d. Select the “Active Directory Certificate Services” Role and Click Next twice to get to the Roles Services window.
e. A new window will open with other required features. Click Add Features.
f. Leave the default features that are chosen and Click Next.
g. Choose Certificate Authority from Role Services and Click Next.
h. Click Install on the Confirmation window.
i. Click Close on the installation window and the install will complete in the background.
Configure Active Directory Certificate Services
a. Once the install is complete an alert will show in Server Manager stating Configuration required for Active Directory Certificate Services. Click More to start the configuration.
b. Click on the Post-deployment configuration Task to launch the AD CS configuration wizard.
c. Click Next past credentials screen unless your account doesn’t hold the necessary rights.
d. Click Next past Role Services Screen.
e. Select Enterprise CA and Click Next.
f. Choose Root CA and Click Next.
g. Select Create a new private key and Click Next.
h. Leave defaults on the cryptographic options and Click Next.
i. Click Next on the CA Name screen.
j. Click Next on the Validity Period screen.
k. Click Next past the Certificate Database screen.
l. Click Configure on the Confirmation screen.
m. Click Close on the Results screen to conclude the AD CS configuration.
Create the Domain SSL Certificate
Now that the Active Directory Certificate Services role is installed you can generate a domain certificate for the CRM website. These steps show how to generate a wildcard certificate for the awc.local test domain that I am using. This wildcard certificate will then work with the various test orgs on this environment.
a. Open IIS Manager on the CRM Server that the Active Directory Certificate Services role was installed.
b. Open Server Certificates from the IIS Manager Home Page.
c. Click Create Domain Certificate with in the Server Certificates window.
d. Enter the Certificate Properties. Common name is for the name of the certificate. Since I am creating a wildcard I will enter *.awc2013.local for the Common name. Once all data is populated, Click Next.
e. Select the Online Certification Authority. The Certification Authority that was created should be displayed when you choose the Select button. Enter a Friendly name to identify the certificate and click Finish.
f. The new certificate will show up in the Server Certificates list.
Add SSL Certificate to the CRM Website
Now that the certificate is created a SSL binding can be created for the CRM Web Site. Since this will be the only SSL site within IIS we will use the default port 443.
a. Open IIS Manager on the CRM Server.
b. Navigate to Microsoft Dynamics CRM from the list of Web Sites and Click Bindings within Actions on the upper right side of the window.
c. Click Add on the Site Bindings Window.
d. Select HTTPS from the Type drop down menu and then Select the Wildcard certificate from the SSL Certificate menu, Click OK and Close.
At this point the certificate is bound to the CRM website and you can open CRM to test the new SSL binding. Open a browser and enter the CRM URL. In this case I will enter the Fully Qualified Domain Name (FQDN) for my server (https://crmsql2013.awc2013.local/CRM). If you are using an alias you will need to create the necessary entries in DNS. CRM should open properly with the SSL URL. The SSL certificate will show up as valid. When clicking on the certificate information I can see the wildcard cert that was issued by my server.
Install CA Root Certificate on Test Client Machine
The following steps will show how to install the CA root certificate so that it’s trusted and the CRM site opens without any prompts. Opening CRM without any prompts will be needed to successfully test SSL for components on other machines such as the Outlook Client or Email Router.
a. First we need to export the CA Root Certificate.
i. Open CRM using the SSL URL on the Server that the certificate is working properly.
ii. Click on the SSL Icon and choose View certificates.
iii. Click the Certification Path on the Certificate window. Select the Root Certificate tab and Click View Certificate.
iv. Click the Details Tab for the Root Certificate and Click Copy to File. This will allow you to export the root certificate so that it can be copied and installed on another machine.
v. On the Certificate Export Wizard, Click Next.
vi. Select Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B), Click Next.
vii. Specify a name/location to save the exported certificate, Click Next.
viii. Click Finish to complete the export of the Root Certificate. The certificate is now ready to install on other machines.
b. The following steps explain how to install the root certificate on another machine.
i. Copy the certificate file to the test machine that was receiving the certificate error. Right click on the certificate and choose Install Certificate.
ii. Click Next on the Certificate Import Wizard.
iii. Select Place all certificates in the following store and Click Browse.
iv. Select the Trusted Root Certification Authorities Store and Click OK.
v. Click Next and Finish on the Import Wizard.
vi. Click Yes on the Security Warning asking if you want to install the certificate.
vii. Click OK on the prompt stating that the Import was successful.
Open the CRM website using the SSL address and now the site should open without any certificate warnings.
Hopefully this will help out if you ever need to test SSL for your environment without obtaining a 3rd party certificate.