When talking about SSL certificates, expiration periods and certificate renewal are things that must be managed carefully.
A few days ago, I had the “easy task” of installing a renewed certificate on the ADFS and Dynamics CRM 2016 servers configured for Internet-Facing Deployment (IFD).
Confident, I got the new certificate (a .cer file) from the provider and went into the certificate MMC on Windows Server 2012 to remove the old certificate and install the new one.
Installing the certificate from a .cer file is quite easy (right-click → Import, …) but, once installed, I did not have the option to manage the “Private Keys” for this certificate. And without the private key, the IFD configuration for Dynamics CRM 2016 won’t work, because the permissions on that key are what give the ADFS / CRM service accounts access to the certificate.
To be able to define private keys, I needed a .pfx file, not a .cer file, and of course the certificate provider only delivers a .cer file for Windows / IIS web servers.
The easy way to convert a .cer file to a .pfx file is to import it into the certificate MMC and then export it as PFX … but in my case, the “Export as PFX” option wasn’t there anymore, and it took me a few minutes to understand why.
Note: There are other ways to convert a certificate; some websites offer this as a service, but I didn’t feel comfortable uploading my certificate to a public website.
Actually, you can only export the certificate in PFX format from the server which initiated the Certificate Signing Request (CSR), because that is where the private key was generated and stored … and (of course again) this server had been deleted after a successful migration.
Fortunately, once the source of the issue was identified, the solution came quickly. The certificate provider (GoDaddy in my case) offers an option to submit a new CSR online in order to generate a new .cer file. As the new CSR was then created on the actual ADFS server, I was able to use the “easy way to convert” the .cer file into a .pfx file.
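The diagnosis and the fix described above, as an added PowerShell example that is not code from the original post: step 1 checks whether a certificate in the machine store carries a private key (the reason the “Export as PFX” option disappears), step 2 generates a fresh CSR on the current server so the private key is created there, and step 3 binds the reissued .cer to that pending request and exports the PFX. It assumes Windows Server 2012 or later (certreq.exe and the PKI module’s Export-PfxCertificate are present), an elevated session, and the placeholder names adfs.example.com and C:\certs.

```powershell
# Added example, not from the original post. Assumptions: Windows Server 2012 or
# later (certreq.exe and the PKI module's Export-PfxCertificate are present),
# an elevated PowerShell session, and placeholder names: the ADFS host
# "adfs.example.com" and the working folder "C:\certs".

# Step 1: explain a missing "Export as PFX" option. PFX export needs the
# private key, which only exists on the machine that generated the CSR.
function Test-CertificateHasPrivateKey {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # $false means no PFX export from this host
    }
}

# Step 2: generate a new CSR on THIS server, so the private key is created and
# stored here. Exportable = TRUE is required, otherwise PFX export is refused
# even on this machine.
function New-ServerCsr {
    param(
        [Parameter(Mandatory)][string]$Subject,     # e.g. "CN=adfs.example.com, O=Contoso, C=BE"
        [string]$OutDir = "C:\certs"
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $infPath = Join-Path $OutDir "request.inf"
    $csrPath = Join-Path $OutDir "request.csr"
    @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $infPath -Encoding ASCII
    certreq.exe -new $infPath $csrPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }
    return $csrPath   # submit the contents of this file to the provider's re-key form
}

# Step 3: once the provider reissues the certificate for that CSR, bind the .cer
# to the pending request (this attaches the private key) and export the PFX.
function Complete-ServerCertificate {
    param(
        [Parameter(Mandatory)][string]$IssuedCerPath,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    certreq.exe -accept $IssuedCerPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certreq -accept failed: no pending request for this .cer on this server"
    }
    # Locate the installed certificate by the thumbprint of the issued file
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IssuedCerPath)
    $store  = Get-ChildItem -Path "Cert:\LocalMachine\My\$($issued.Thumbprint)" -ErrorAction Stop
    if (-not $store.HasPrivateKey) { throw "Private key still missing after certreq -accept" }
    Export-PfxCertificate -Cert $store -FilePath $PfxPath -Password $PfxPassword | Out-Null
    return $store.Thumbprint
}

# Usage (placeholders):
# $csr = New-ServerCsr -Subject "CN=adfs.example.com"        # send request.csr to the provider
# $pw  = Read-Host -AsSecureString -Prompt "PFX password"
# Complete-ServerCertificate -IssuedCerPath C:\certs\adfs.cer -PfxPath C:\certs\adfs.pfx -PfxPassword $pw
```

Two caveats worth keeping in mind: the CSR must be generated with an exportable key, otherwise the PFX export is refused again even on the server that created it; and the resulting .pfx contains the private key, so keep it off shared locations, protect it with the password, and delete the copy once it has been imported on the CRM server and the service accounts have been granted read access through the MMC “Manage Private Keys” option.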
Conclusion: If you have to renew a certificate without having access to the server that generated the original CSR, make sure to generate a new CSR on your current web server and to send this new CSR to your certificate provider.