Configure a safe connection to D365FO in OneBox

This article will tell you how to get rid of the annoying “Not secure” message in the URL bar when connecting to Dynamics 365 for Finance and Operations in a local development environment (OneBox). You’ll learn why this happens and how to fix it!

Here’s why it happens

The reason is that the site certificate is not compliant with the latest security standards. Chrome therefore treats it as invalid, while IE is not so strict. Since Chrome 58, only the subjectAlternativeName extension, not commonName, is used to match the domain name against the site certificate. There was a registry quick fix for that, but it worked only up to version 65.

See this link for more details:

Here’s how to fix it

You have to issue a new self-signed certificate for * and change the web site binding settings to use it.

Step 1: Create a new self-signed certificate

Run the following PowerShell command (Run as Administrator):

New-SelfSignedCertificate -Subject "CN=*,O=Microsoft Corporation,L=Redmond,S=WA,C=US" -DnsName "*", "", "", "" -CertStoreLocation "cert:\LocalMachine\My" -KeyUsage DataEncipherment, KeyEncipherment, DigitalSignature -HashAlgorithm "SHA384" -KeyAlgorithm RSA -KeyLength 2048 -NotAfter (Get-Date).AddYears(5)

This creates a new certificate, set to expire in 5 years:

For creating self-signed certificates, you can also use this free Self-Signed Certificate Generator.

Step 2: Copy the new certificate to the folder where trusted certificates are stored

Open Manage computer certificates (certlm). The newly generated certificate can be found in the Personal\Certificates folder. It has the same name as the old one, but a different expiration date. Now copy and paste the new certificate into the Trusted Root Certification Authorities\Certificates folder.

Step 3: Bind the new certificate with D365FO

Open Internet Information Services (IIS) Manager. Navigate to the AOSService site (1), click the Bindings link on the right (2), select the host name (3) and then click the Edit button (4). The Edit Site Binding dialog opens. Open the SSL certificate drop-down selection box (5). You will see two certificates with the same name (* The one selected is probably the old one. Select the other one. Then click the View button to check that you really selected the right certificate (by checking the expiry date, for example).

Click Yes if the system asks for confirmation to change the certificate for other related sites as well.

Close all open dialogs. Restart the AOSService (Click the Restart link under Manage Websites in the vertical pane on the right).

Step 4: Test if the connection to D365FO is treated as safe in Chrome

Restart Chrome and navigate to D365FO. The connection should now be safe.
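The same four steps as one script, added here as an example that is not part of the article (the article performs Steps 2 and 3 by hand in certlm and IIS Manager). It also checks the two certificate properties Chrome enforces before binding. The host names, the AOSService site name and the temporary export path are assumptions; substitute the wildcard and host names from the article’s own command.

```powershell
# Added example (not the article's script): create the SAN certificate, verify it,
# trust it on this machine only, and rebind the AOSService https binding to it.
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Placeholders: replace with the wildcard and host names the article's command lists.
$dnsNames = @('*.onebox.placeholder', 'aos.onebox.placeholder')
$siteName = 'AOSService'

# Step 1: SAN-based certificate, SHA-384 signature, RSA-2048, valid for 5 years.
$cert = New-SelfSignedCertificate -Subject "CN=$($dnsNames[0])" -DnsName $dnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage DataEncipherment, KeyEncipherment, DigitalSignature `
    -HashAlgorithm 'SHA384' -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(5)

# Checks: Chrome 58+ matches host names only against the SAN extension (OID 2.5.29.17),
# and Chrome 107+ rejects signature hashes weaker than SHA-384. Fail early if either is off.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'Certificate has no subjectAlternativeName extension' }
if ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha384') {
    throw "Unexpected signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
}
Write-Host "Created $($cert.Thumbprint); SAN: $($cert.DnsNameList.Unicode -join ', ')"

# Step 2: trust the certificate in the local machine's Root store (the certlm copy/paste).
# Only the public certificate is exported; the private key stays in the My store.
$tmp = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -FilePath $tmp | Out-Null
Import-Certificate -FilePath $tmp -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $tmp

# Step 3: point every https binding of the site at the new thumbprint, then restart it.
$bindings = @(Get-WebBinding -Name $siteName -Protocol https)
if ($bindings.Count -eq 0) { throw "No https binding found on site $siteName" }
foreach ($b in $bindings) { $b.AddSslCertificate($cert.Thumbprint, 'My') }
Stop-Website -Name $siteName
Start-Website -Name $siteName

# Step 4: confirm which thumbprint IIS now serves before testing in Chrome.
(Get-WebBinding -Name $siteName -Protocol https).certificateHash
```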

How-to video

8 thoughts on “Configure a safe connection to D365FO in OneBox”

  1. Hello, as of today, it seems that the certificate created by me in Step 2 is not available in the drop down list. Running FinAndOps10.0.13.vhd (PU37). Any ideas?

    1. IIS will show you all valid computer Personal certificates in the drop down list. It works also on FinAndOps 10.0.13 vhd virtual machines. Please check all the steps from the article, and if the issue persists, contact our support and we’ll try to help you!

  2. My IIS sees only private certificates, and the EDGE browser does not open my DEV D365: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY. I took a step by step as it was written. But IIS sees only certificates from private tree!

    1. IIS shows just personal (private) certificates, because just those can be used for web site authentication. If you do not find your certificate there you have probably put your certificate in the wrong folder.

      If Chrome or (Chromium) Edge returns error ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY or ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY it is a known D365FO issue on older oneboxes that should be fixed on newer ones.
      Avoid the weak cipher with IISCrypto or disable HTTP2.

  3. Since Chrome version 107.0.5304.87 (Nov 7th, 2022) it has silently deprecated hash algorithms lower than SHA384 and treats older certificates with a shorter hash as invalid. The article has been updated to generate a valid certificate.
