Dynamics 365 for Finance and Operations on a local development environment may all of the sudden start reporting problems with the server due to expired certificates.
To be sure, open the Event Viewer, expand Windows Logs in the left pane and click on the Application node. Look for Warning logs with source ASP.NET and inspect their content. If you see ExpiredCertificateException under Exception information, as in the image below, you are dealing with expired certificates.
Following the steps below, you will identify and extend required certificates to get access to Dynamics 365 for Finance and Operations again.
Step 1: Identify Expired Certificates
Start Windows PowerShell as administrator and enter the following two commands:
cd cert:\LocalMachine\My
ls | Select-Object NotAfter,Thumbprint,Subject | Where-Object -Property Subject -like "CN=DeploymentsOnebox.*" | Sort-Object -Property Subject,NotAfter
You will get the list of certificates, required by D365FO:
The NotAfter column shows when each of them expires. The Subject column contains descriptive information about each certificate. The Thumbprint column contains the identifier by which the operating system recognizes the certificate.
In the image above you can see that all four certificates have already expired.
Step 2: Clone Expired Certificates and Extend Their Validity
For each of the four certificates repeat the following commands:
$Thumbprint = (get-childitem -Path 01F93A5974A14DC3B40F1CF0BE78127974187BE5 )
New-SelfSignedCertificate -CloneCert $Thumbprint -NotAfter (Get-Date).AddMonths(120)
Replace 01F93A5974A14DC3B40F1CF0BE78127974187BE5 with the thumbprint of the certificate you want to clone. Note that, despite its name, the $Thumbprint variable holds the certificate object returned by get-childitem, which is exactly what the -CloneCert parameter expects.
You’ll get a new self-signed certificate valid for 10 years, cloned from the existing one, with its new thumbprint:
Step 3: Update D365FO’s Config Files
To see the new list of certificates run the following command in PowerShell:
ls | Select-Object NotAfter,Thumbprint,Subject | Where-Object -Property Subject -like "CN=DeploymentsOnebox.*" | Sort-Object -Property Subject,NotAfter
Now you see two certificates for each of the certificate types – one with the old validity and thumbprint and one with the new validity (current date + 120 months) and thumbprint.
Now start Visual Studio as administrator and open the following three files in the C:\AOSService\webroot folder:
- web.config
- wif.config
- wif.services.config
Press Ctrl+Shift+H to open the Find and Replace dialog. Make sure that All Open Documents is selected in the Look in drop-down box, so that the find and replace action is applied to all three open files.
Now repeat the following actions for each pair of certificates (old and cloned):
- In the Find what box enter the thumbprint of the old (expired) certificate.
- In the Replace with box enter the thumbprint of the cloned new certificate.
- Replace all the occurrences in the open files.
After you have done this for all four certificates, save the three config files and close Visual Studio.
Restart your browser and navigate to D365FO. It should start without any problems.
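Steps 1 to 3 can be scripted. The following PowerShell script is an added example and not part of the original post: it lists the expired DeploymentsOnebox.* certificates, clones each one with New-SelfSignedCertificate exactly as in Step 2, and then replaces the old thumbprints with the new ones in the three config files from Step 3. It assumes the files live in C:\AOSService\webroot as stated above; the -DryRun switch, the backup naming and the idempotence check (skipping subjects that already have a valid certificate) are additions of this example.

```powershell
# Added example (not from the original post): automates Steps 1-3 for a D365FO
# onebox dev VM. Run in an elevated PowerShell on the VM itself.
param(
    [string]$WebRoot = 'C:\AOSService\webroot',   # assumption: article's default path
    [int]$Months = 120,                            # 10 years, as in the article
    [switch]$DryRun                                # report only, change nothing
)

$configFiles = 'web.config', 'wif.config', 'wif.services.config' |
    ForEach-Object { Join-Path $WebRoot $_ }

$now   = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=DeploymentsOnebox.*' }

# Step 1: expired certificates whose subject has no valid replacement yet,
# so re-running the script does not clone the same subject twice.
$validSubjects = $certs | Where-Object { $_.NotAfter -gt $now } | ForEach-Object Subject
$expired = $certs |
    Where-Object { $_.NotAfter -le $now -and $validSubjects -notcontains $_.Subject } |
    Sort-Object Subject

if (-not $expired) { Write-Host 'No expired DeploymentsOnebox certificates without a valid clone.'; return }

# Back up the config files once before touching them.
foreach ($f in $configFiles) {
    if (-not (Test-Path $f)) { throw "Config file not found: $f" }
    if (-not $DryRun) { Copy-Item $f "$f.bak-$($now.ToString('yyyyMMddHHmmss'))" }
}

# Step 2: clone each expired certificate (same subject, key usage and EKUs)
# with a new NotAfter, explicitly into the machine store.
$map = @{}   # old thumbprint -> new thumbprint
foreach ($old in $expired) {
    if ($DryRun) { Write-Host "Would clone $($old.Subject) ($($old.Thumbprint))"; continue }
    $new = New-SelfSignedCertificate -CloneCert $old `
        -NotAfter $now.AddMonths($Months) -CertStoreLocation Cert:\LocalMachine\My
    $map[$old.Thumbprint] = $new.Thumbprint
    Write-Host "$($old.Subject): $($old.Thumbprint) -> $($new.Thumbprint) (valid to $($new.NotAfter))"
}

# Step 3: swap thumbprints in the config files. Thumbprints are plain hex, so a
# case-insensitive literal replace is enough; the hit count makes a silent no-op visible.
foreach ($f in $configFiles) {
    $text = Get-Content -Raw -Path $f
    foreach ($oldTp in $map.Keys) {
        $escaped = [regex]::Escape($oldTp)
        $hits = [regex]::Matches($text, $escaped, 'IgnoreCase').Count
        $text = [regex]::Replace($text, $escaped, $map[$oldTp], 'IgnoreCase')
        Write-Host "$(Split-Path $f -Leaf): replaced $hits occurrence(s) of $oldTp"
    }
    if (-not $DryRun) { Set-Content -Path $f -Value $text -NoNewline }
}

# Final check: none of the old thumbprints should remain in any config file.
$leftover = $map.Keys | Where-Object { Select-String -Path $configFiles -Pattern $_ -SimpleMatch -Quiet }
if ($leftover) { Write-Warning "Old thumbprints still referenced: $($leftover -join ', ')" }
```

Run it once with -DryRun to see which certificates would be cloned, then without it. The expired certificates stay in the store, as in the manual procedure; the final check confirms that no config file still points at one of them.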
Step 4: Renew IIS certificate (added in 2024)
The steps above might not be required anymore for basic D365FO work, but you definitely need to renew the *.cloud.onebox.dynamics.com certificate that IIS is using for the AOSService site in order to work with modern browsers (Edge, Chrome, etc.).
Clone the *.cloud.onebox.dynamics.com certificate the same way as in Step 2. First list it to find its thumbprint:
cd cert:\LocalMachine\My
ls | Select-Object NotAfter,Thumbprint,Subject | Where-Object -Property Subject -like "CN=*cloud.onebox.dynamics.com*" | Sort-Object -Property Subject,NotAfter
Open Manage computer certificates, find the new certificate in Personal\Certificates, export it and import it into Trusted Root Certification Authorities\Certificates.
Open IIS and select the new certificate for the AOSService site binding. Check with View that the right certificate is selected (see Valid to).
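The manual trust-store and binding changes in Step 4 can also be done from PowerShell. The script below is an added example, not part of the original post: it picks the newest valid certificate matching the article's CN=*cloud.onebox.dynamics.com* filter, adds it to the LocalMachine Trusted Root store (equivalent to the export/import in the MMC), switches the https binding of the AOSService site to it, and then prints both for verification. It assumes the clone from Step 2 already exists, that the IIS site is named AOSService as stated above, and that the site has a single https binding; the WebAdministration module ships with IIS.

```powershell
# Added example (not from the original post): PowerShell equivalent of the manual
# Step 4 actions. Run elevated on the onebox VM.
Import-Module WebAdministration

$siteName = 'AOSService'                        # site name from the article
$pattern  = 'CN=*cloud.onebox.dynamics.com*'    # subject filter from the article

# Newest non-expired certificate matching the pattern in the machine Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $pattern -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate matching $pattern in LocalMachine\My; clone it first (Step 2)" }

# Add it to Trusted Root Certification Authorities (LocalMachine). Adding the
# certificate object directly has the same effect as export + import through the MMC.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
if (-not ($root.Certificates | Where-Object Thumbprint -eq $cert.Thumbprint)) {
    $root.Add($cert)
    Write-Host "Added $($cert.Thumbprint) to LocalMachine\Root"
}
$root.Close()

# Point the site's https binding at the new certificate (assumes one https binding).
$binding = Get-WebBinding -Name $siteName -Protocol https
if (-not $binding) { throw "Site $siteName has no https binding" }
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Verify: the SSL binding carries the new thumbprint and Root holds the certificate.
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Host, Thumbprint, Sites
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, NotAfter, Thumbprint
```

After running it, compare the Thumbprint shown for the AOSService binding with the Valid to date you would check in IIS Manager's View dialog; they should both refer to the newly cloned certificate.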
What about an on-premise production environment? Is it feasible to update a certificate without rebuilding the whole environment?
The solution from this article is not directly applicable on On-Prem environment.
The certificate setup for On-Prem is far more complicated and, as far as I know, officially updating certificates is not supported, so redeployment is the only option.
It might be possible with some hacking, but I have not found any success story on the net.
Therefore, make sure during installation that certificates have a sufficient lifetime.
https://community.dynamics.com/365/financeandoperations/f/765/t/281127
Hi,
I have a few things for this to work with new browsers. There is also a need to switch the *.usn… certificate in IIS for AOS to the new one and also copy the newly created certificates to trusted root from the local machine to the current user store in mmc. With only the provided steps, Edge/Chrome still has an error.
Thank you for the notice. This is now the most important part and I have added a new section for it. The cert has to be manually copied to the Local Computer\Trusted Root store. In Current User\Trusted Root it will appear automatically, as it is physically the same store.
Hi
I renewed the certificates and everything is working, except for the Management Report certificate (Financial Designer).
The service is active without any problems, but in the event viewer a recurring error appears about connection problems. In the message, the thumbprint of the certificate used seems to be the old one. I have already changed it everywhere and it still didn’t work.
Could you help me?
We have not tested Management Reporter, so we cannot give you a specific answer. It probably has some other config file that you need to update. As you mention an old certificate thumbprint in the error message, search for this thumbprint in all files; you will probably find where to update it.
Hi do you find any solution for this?
Hi Dear, we are facing this issue on prem after following the above article:
The browser is working perfectly fine, but when we try to print any report we get this error:
Unable to find the certificate with the given thumbprint. Please use the thumbprint of an existing trusted certificate to get security token.. isLocalMode: False; useReportingCluster: False; thumbPrint:
Hi Ahmad,
I’m very sorry, but answering the question requires additional efforts on our side that I’m afraid we cannot currently afford 🙁.
Please write a comment if you managed to solve the problem. We are curious to know how! It might also help others looking for solutions for similar issues!
Many thanks 🙏🏽
Ana