Expired certificates renewal in D365FO

Dynamics 365 for Finance and Operations on a local development environment may all of the sudden start reporting problems with the server due to expired certificates.

To be sure, you should open the Event Viewer, expand Windows Logs in the left pane and click on the Application node. Look for Warning logs with source ASP.NET and inspect their content. Therefore, when you’ll see ExpiredCertificateException under Exception information, as seen in the image below, you’re dealing with expired certificates.

Following the steps below, you will identify and extend required certificates to get access to Dynamics 365 for Finance and Operations again.

Step 1: Identify Expired Certificates

Start Windows PowerShell as administrator and enter the following two commands:

cd cert:\LocalMachine\My
ls | Select-Object NotAfter,Thumbprint,Subject | Where-Object -Property Subject -like "CN=DeploymentsOnebox.*" | Sort-Object -Property Subject,NotAfter

You will get the list of certificates, required by D365FO:

The NotAfter column shows when each of them expires. The Subject column contains descriptive information about certificates. The Thumbprint column contains the key by which the certificate is recognized by the operating system.

In the image above you can see, that all four certificates have already expired.

Step 2: Clone Expired Certificates and Extend Their Validitys

For each of the four certificates repeat the following commands:

$Thumbprint = (get-childitem -Path 01F93A5974A14DC3B40F1CF0BE78127974187BE5 )
New-SelfSignedCertificate -CloneCert $Thumbprint -NotAfter (Get-Date).AddMonths(120)

Replace 01F93A5974A14DC3B40F1CF0BE78127974187BE5 with the thumbprint of the certificate you want to clone.

You’ll get a new self-signed certificate valid for 10 years, cloned from the existing one, with its new thumbprint:

Step 3: Update D365FO’s Config Files

To see the new list of certificates run the following command in PowerShell:

ls | Select-Object NotAfter,Thumbprint,Subject | Where-Object -Property Subject -like "CN=DeploymentsOnebox.*" | Sort-Object -Property Subject,NotAfter

Now you see two certificates for each of the certificate types – one with the old validity and thumbprint and one with the new validity (current date + 120 months) and thumbprint.

Now start VisualStudio as administrator and open the following three files in the C:\AOSService\webroot folder:

  1. web.config
  2. wif.config
  3. wif.services.config

Press Ctrl+Shift+H key combination to open Find and Replace dialog. Make sure that you select All Open Documents in the Look in drop-down selection box, so that find and replace action will be applied on all three open files.

Now you will have to repeat the following actions for each pair of certificate types:

  1. In the Find what box enter the thumbnail of the old (expired) certificate.
  2. In the Replace with box enter the thumbnail of the cloned new certificate.
  3. Replace all the occurrences in open files.

After you have done this for all four certificates, save the three config files and close VisualStudio.

Restart your browser and navigate to D365FO. It should start without any problems.

Step 4: Renew IIS cerfiticate (added in 2024)

The above step might not be required anymore for basic D365FO work, but you definitely need to renew the *.cloud.onebox.dynamics.com certificate that IIS is using for AOSService site on order to work with modern browsers (Edge, Chrome, .etc.).

Clone *.cloud.onebox.dynamics.com certificate:
cd cert:\LocalMachine\My
ls | Select-Object NotAfter,Thumbprint,Subject | Where-Object -Property Subject -like "CN=*cloud.onebox.dynamics.com*" | Sort-Object -Property Subject,NotAfter

Open Manage computer certificates, find new certificate in Personal\Certificates, export it and import it in Trusted Root Certification Authorities\Certificates.

Open IIS and select the new cert for AOSService page binding. Check with View that the right certificate is selected (see Valid to).

4 thoughts on “Expired certificates renewal in D365FO

  1. What about an on-premise production environment. Is it feasible to update a certificate without rebuilding the whole environment??

    1. The solution from this article is not directly applicable on On-Prem environment.
      The certificate setup for On-Prem is far more complicated and as far as I know officially update certificates is not supported so redeployment is the only option.
      It might be possible with some hacking, but I have not found any success story on the net.
      Therefore make sure during installation that certificates have sufficient lifetime.

  2. Hi,

    I have a few things for this to work with NEW browses. There is also need to switch *.usn… certificate in IIS for AOS to new one and also copy newly created cetrificates to trusted root from local machine to current user store in mmc. With only provided steps, EDGE/Chrome still has an error.

    1. Thank you for notice. This is now the most important part and I have added a new section for it. The cert has to be manually copied to Local Computer\Trusted Root store. In Current User\Trusted Root it will appear automatically as it is physically the same store.

Leave a Reply

Your email address will not be published. Required fields are marked *


Docentric respects your privacy. Learn how your comment data is processed >>

Docentric respects your privacy. Learn how your comment data is processed >>