Creating SSL Certificates for CRM Test Environment

When working on a CRM Test environment there are many scenarios where I need to add SSL to the CRM web site, such as testing Claims Authentication. Instead of getting a certificate from a 3rd party certification authority I will just use IIS to generate my own certificates. This allows me to quickly create certificates for my testing that will be valid on other test machines. Below are the steps to configure the Active Directory Certificate Service so that you can easily test SSL in your CRM environment. I will also include steps on how to install the root certificate on other machines so that the certificates are valid for test clients.

Install Active Directory Certificate Services Role

Before a certificate can be created for CRM the Active Directory Certificate Services Role must be installed on the IIS Server. In these steps I am installing the role directly on the CRM Server.

a. Open Server Manager from within Administrative Tools.


b. Within Server Manager Click on Roles – Add Roles.


c. Click Next to get to the “Server Roles” page within the Add Roles Wizard.


d. Select the “Active Directory Certificate Services” Role and Click Next twice to get to the Roles Services window.


e. Select Certification Authority on the Role Services Window and Click Next.


f. Choose Enterprise for the Setup Type and Click Next.


g. Choose Root CA for the CA Type and Click Next.


h. Select Create a new private key and Click Next until the confirmation screen.


i. Click Install on the Confirmation window.


Create the Domain SSL Certificate

Now that the Active Directory Certificate Services role is installed you can generate a domain certificate for the CRM website. These steps show how to generate a wildcard certificate for the awc.local test domain that I am using. This wildcard certificate will then work with the various test orgs on this environment.

a. Open IIS Manager on the CRM Server where the Active Directory Certificate Services role was installed.


b. Open Server Certificates from the IIS Manager Home Page.


c. Click Create Domain Certificate within the Server Certificates window.


d. Enter the Certificate Properties. Common name is for the name of the certificate. Since I am creating a wildcard I will enter *.awc.local for the Common name. Once all data is populated, Click Next.


e. Select the Online Certification Authority. The Certification Authority that was created should be displayed when you choose the Select button. Enter a Friendly name to identify the certificate and click Finish.


Add SSL Certificate to the CRM Website

Now that the certificate is created, an SSL binding can be created for the CRM Web Site. Since this will be the only SSL site within IIS we will use the default port 443.

a. Open IIS Manager on the CRM Server.


b. Navigate to Microsoft Dynamics CRM from the list of Web Sites and Click Bindings within Actions on the upper right side of the window.


c. Click Add on the Site Bindings Window.


d. Select HTTPS from the Type drop down menu and then Select the Wildcard certificate from the SSL Certificate menu, Click OK and Close.


At this point the certificate is bound to the CRM website and you can open CRM to test the new SSL binding. Open a browser and enter the CRM URL. In this case I will enter the Fully Qualified Domain Name (FQDN) for my server (https://crmsql.awc.local/CRM). If you are using an alias you will need to create the necessary entries in DNS. CRM should open properly with the SSL URL. The SSL certificate will show up as valid. When clicking on the certificate information I can see the wildcard cert that was issued by my server.


Install CA Root Certificate on Test Client Machine

This binding will work from other test machines, but users will initially be prompted because the CA Root Certificate is not trusted.


The following steps will show how to install the CA root certificate so that it’s trusted and the CRM site opens without any prompts. Opening CRM without any prompts will be needed to successfully test SSL for components on other machines such as the Outlook Client or Email Router.

a. First we need to export the CA Root Certificate.

i. Open CRM using the SSL URL on the Server where the certificate is working properly.

ii. Click on the SSL Icon and choose View certificates.


iii. Click the Certification Path tab on the Certificate window. Select the Root Certificate and Click View Certificate.


iv. Click the Details Tab for the Root Certificate and Click Copy to File. This will allow you to export the root certificate so that it can be copied and installed on another machine.


v. On the Certificate Export Wizard, Click Next.


vi. Select Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B), Click Next.


vii. Specify a name/location to save the exported certificate, Click Next.


viii. Click Finish to complete the export of the Root Certificate. The certificate is now ready to install on other machines.


b. The following steps explain how to install the root certificate on another machine.

i. Copy the certificate file to the test machine that was receiving the certificate error. Right click on the certificate and choose Install Certificate.


ii. Click Next on the Certificate Import Wizard.


iii. Select Place all certificates in the following store and Click Browse.


iv. Select the Trusted Root Certification Authorities Store and Click OK.


v. Click Next and Finish on the Import Wizard.

vi. Click Yes on the Security Warning asking if you want to install the certificate.


vii. Click OK on the prompt stating that the Import was successful.


viii. Open the CRM website using the SSL address and now the site should open without any certificate warnings.
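The import and the final check above can also be scripted, with one extra safeguard: confirm the exported file really is your test CA before trusting it. This is an added example, not part of the original steps; the file path and thumbprint are placeholders, and it assumes an elevated prompt and the machine-wide Trusted Root store.

```powershell
# Added example: verify, then trust, the exported test CA root on a client.
# Run elevated. The three values below are assumptions to replace with your own.
$RootFile           = 'C:\Temp\awc-root.p7b'             # hypothetical export path
$ExpectedThumbprint = '<THUMBPRINT-SHOWN-ON-CA-SERVER>'  # placeholder: root cert Details tab on the server
$CrmHost            = 'crmsql.awc.local'                 # FQDN used in this post

# A .p7b can hold several certificates; load them without trusting any yet.
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($RootFile)

# The root is the self-signed entry (subject equals issuer).
$root = @($certs | Where-Object { $_.Subject -eq $_.Issuer })
if ($root.Count -ne 1) {
    throw "Expected exactly one self-signed certificate, found $($root.Count)."
}
$root = $root[0]

# Refuse to trust a file whose thumbprint differs from the one seen on the CA server.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($root.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file contains $($root.Thumbprint)."
}

# Add only the verified root to the machine-wide Trusted Root store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try { $store.Add($root) } finally { $store.Close() }

# Confirm the CRM site now validates: AuthenticateAsClient throws on an
# untrusted chain or a host name that the certificate does not cover.
$tcp = New-Object System.Net.Sockets.TcpClient($CrmHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($CrmHost)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Chain OK. Served: $($served.Subject), issued by: $($served.Issuer), expires: $($served.NotAfter)"
} finally {
    $tcp.Close()
}
```

Because this root is trusted for every certificate it issues, remove it from the store when the test machine is repurposed.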


Hopefully this will help out if you ever need to test SSL for your environment without wanting to spend money on a 3rd party certificate.


Syed Jaffri

