CRM Mobile App does not work for my Organisation - if need be - how to change self-signed certificates to trusted?

  • Question

  • Hi

    I have successfully deployed an internet-facing CRM 2015, using ADFS 3.0 and ADFS Proxy. I have also deployed it using self-signed SSL certificates from an internal CA. The argument in-house is that if it is only for internal staff then a self-signed certificate is adequate for trust purposes. Our ADFS server had already been set up a few months ago for a SharePoint site and it has a Standard certificate with subject name = adfs.mydomain.com.

    My CRM 2015 uses a wildcard certificate *.mydomain.com.  We are on version 7.0.2.53. When I try and run the Dynamics CRM app from my Android Huawei device I get error "Your server is not available or does not support this application". I have Googled this and understand that if you are using an untrusted certificate this error will occur.  I have added the two certificates to my phone and it still produces the same error.  Or another reason could be that Dynamics is on the wrong version for the App which it is not.  Can anyone shed some light on this?

    My alternative is to now go and purchase a wildcard certificate - but I have a few questions on that -

    1.  I would like to buy ONE Wildcard certificate for ALL sites.  Can I do this if ADFS requires a certificate whose subject name is the same as the federation name, e.g. sts.mydomain.com?  If I have used a standard SSL certificate for this server in the past can I change this to a wildcard certificate?  How do I go about doing this changeover? Are there any shell scripts/outlines/steps to change to different certificates? I cannot find any links on how to change from one type of certificate to another.

    2.  I also need to know how to change from self-signed SSL certificate on Dynamics CRM server to a trusted CA's Wildcard Certificate?  I am presuming that on this server I just make the request from IIS, use * as the subject/common name(?) and then import it when I receive it from the CA and then bind the site to the new certificate?  Is that it?

    Thanking you in advance for your help!

    Monday, September 19, 2016 1:03 PM

All replies

  • Your issue with the self-signed certificate on a mobile app is likely to relate to the trust path for the certificate. However, I don't know whether that helps, and whether you can do anything about it - it is probably easier to purchase a certificate.

    To change the certificates used, for CRM, change the certificate on the site binding in IIS. If you've used the same certificate for encryption with claims authentication, rerun the claims authentication wizard in CRM Deployment Manager to change the encryption certificate. Providing the relying party trust in ADFS is set to monitor the federation metadata (it is by default), then ADFS will pick up this change.

    Also remember to grant the CRM AppPool account permission on the new certificate.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Monday, September 19, 2016 1:25 PM
    Moderator
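
The steps in the reply above (check the trust path, grant the CRM AppPool account permission on the new certificate, change the IIS site binding), scripted as an added example that is not part of the original thread. The thumbprint, IIS site name and service account are placeholders, and it assumes an RSA certificate, .NET Framework 4.6 or later and the WebAdministration module.

```powershell
# Added example. Placeholders below are assumptions, not values from the thread.
# Run elevated in Windows PowerShell on the CRM server, after importing the new
# certificate (with its private key) into the Local Computer "Personal" store.
$Thumbprint  = '<THUMBPRINT-OF-NEW-CERTIFICATE>'
$SiteName    = 'Microsoft Dynamics CRM'      # assumed IIS site name
$AppPoolUser = 'MYDOMAIN\svc-crmapppool'     # hypothetical CRMAppPool identity

Import-Module WebAdministration
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'No private key for this certificate on this server.' }

# 1. Trust path as seen from this server's trust store (a phone has its own store,
#    so this mainly catches a missing intermediate or an expired certificate).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Certificate chain does not validate; fix this before binding.'
}

# 2. Locate the private key file. CNG keys and legacy CSP keys live in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Not an RSA key; this example only handles RSA certificates.' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyPath = 'Microsoft\Crypto\Keys', 'Microsoft\Crypto\RSA\MachineKeys' |
    ForEach-Object { Join-Path $env:ProgramData "$_\$keyName" } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyPath) { throw "Private key file $keyName not found." }

# 3. Grant the AppPool account Read on the key only (not Full Control).
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolUser, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Swap the certificate on the site's HTTPS binding.
$binding = Get-WebBinding -Name $SiteName -Protocol https
$binding.RemoveSslCertificate()
$binding.AddSslCertificate($cert.Thumbprint, 'My')
# Then rerun the claims-based authentication wizard in CRM Deployment Manager if this
# certificate is also the encryption certificate.
```
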
  • Thank you very much for getting back to me.  Your points are noted! :) 

    • Edited by Ar Dee Monday, September 26, 2016 12:34 PM
    Tuesday, September 20, 2016 6:06 AM