Install Dynamics Ax 2012 On Windows 8
Posted: admin on 10/4/2017

On Premise Tutorials Part 4: Simple way to get modern Certificates and Security Correct for your Service Fabric, AX 7 Dynamics Operations installation.

Contrary to popular mythology, we don't have to use outdated legacy, fully exploitable sha. Dynamics 365 for operations. This is probably the single biggest gotcha to being able to successfully implement Dynamics On Premise and interface with the cloud in general. Symptoms of misconfigurations include clear text passwords, not being able to conduct development in Azure without a VPN, having to use file share locations like GitHub to trade confidential corporate data because someone didn't configure the security correctly on the client, not being able to run Dynamics 3.

I've seen a large uptick of this sort of stuff happening lately in our Dynamics world, and it usually has to do with improper configuration of certificates. So, let's cover how to generate a certificate that actually works, and I will step you through it in this exercise. No technical person reading my blog should undergo the embarrassment of something really bad happening because of a certificate configuration.

Sadly, my beloved wildcard certificate is not enough. Special mention: though completely undocumented, I learned that Service Fabric on premise has compatibility issues with wildcards. Try as I did, I couldn't get the Service Fabric DNS service to work with a wildcard. Finally, I was forced to accept the fact that I will have to use a non-wildcard certificate for now. Urgghhhhhh. For production, I would have never used a wildcard certificate, but it sure was convenient for Dev. We can still use our wildcard certificate for SQL Server in our Development environment and other places. Or you can use the certificate generated with this method in several different places.
Fear not, I'll walk you through an easy way to get a working Certificate and properly configure it to make life easier. There are a million little gotchas when it comes to making a certificate. For example, don't copy and paste the thumbprint unless you do it from a UTF file where you manually typed it in to be safe most of the time. Let's go through the steps now with explanations to avoid the pains of doing this wrong.

NOTE: THIS IS THE SIMPLEST POSSIBLE WAY TO GENERATE THE CERTIFICATES THAT YOU NEED, NOT THE ONLY WAY. With this process you must initially generate the CSR request and import the certificate on the same machine. You can import the completed certificates to other machines later.

First, open up Notepad and put the following text in there. Here is the picture. I put the sections you should change in yellow if you are doing Dynamics On Premise. Special note: depending on your mobile device infrastructure, you may have to change the key length and hash algorithm to something less secure if you need to support legacy software or your hardware drivers are still on the legacy encryption model. Let's go through the relevant and important values one by one. Remember that only the yellow values need to be changed to get this working with a Test Install of Dynamics On Premise. We create a CSR request called brandonaxonpremisecsrrequest. Notice the header. For simplicity's sake, we want to name the file after the header.

    [Version]
    Signature = "$Windows NT$"

    [NewRequest]
    Subject = "CN=axonpremise., O=Brandon Ahmad, OU=BrandonAhmadIT, L=Dallas, S=Texas, C=US"
    Exportable = TRUE
    KeyLength = 4096
    KeySpec = 1 ; AT_KEYEXCHANGE
    KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
    MachineKeySet = True
    ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    ProviderType = 24
    SMIME = FALSE
    RequestType = PKCS10
    HashAlgorithm = SHA2
    FriendlyName = "axonpremise."
    RequesterName = "Brandon Ahmad"

    [Strings]
    szOID_SUBJECT_ALT_NAME2 = 2.
    szOID_ENHANCED_KEY_USAGE = 2.
    szOID_PKIX_KP_SERVER_AUTH = 1.
    szOID_PKIX_KP_CLIENT_AUTH = 1.

    [Extensions]
    %szOID_SUBJECT_ALT_NAME2% = "{text}dns=axonpremise."
    %szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

Next, let's go through the values.

Signature: we use the special variable to tell it to work on all Windows Operating Systems.

Subject: this part is extremely important. In this case, I set CN to a full machine name, axonpremise. In this case, I wouldn't set it to a machine name; I would give it some other name, because it will have to be used on multiple machines. So, maybe, call it DynaOpsOnPrem with nothing else there. What's important is that the CN name actually matches a DNS name on your network. You can map the DNS entry to whatever server or cluster you like.

Exportable: this definitely needs to be set to Yes. If not, you won't be able to use the certificate on any other machines.

KeyLength: big time gotcha. Weak, fully exploitable 1. That being said, bunches of programs don't support encrypted keys with a length of 4. So, I installed one here, but check.
You don't want to undergo the uncomfortable situation where you have to tell some major company with a million dollars invested in hardware that they need to buy all new hardware and software to support Dynamics AX Operations AX 7.

KeySpec: let the key be used for signatures, as some applications require. Leave this at 1.

KeyUsage: leave this at Encipherment only.

MachineKeySet: set this to true. We want the key in the context of the machine account, not the local user.

ProviderName: you want modern RSA and AES encryption.

ProviderType: 2. RSA and AES Encryption Provider.

SMIME: not needed for digitally signing emails.

RequestType: PKCS1. Just leave it at this.

HashAlgorithm: you want to use the good encryption if possible. But watch out. Sadly, many of our hardware products and old programs support weak, fully exploitable SHA1 encryption. If at all possible, push your implementations to deprecate this unless they want to end up in the news when some sort of sensitive information gets hacked. If you end up having to go with Sha.

FriendlyName: make this the same as the CN for the Dynamics Operations On Premise install.

RequesterName: your company name. Here I just used me.

For the Strings section, just leave the value as is. I tried to use only server based authentication and divide the certificate into 3 parts, and there were problems even though this would be ideal. So, for now, what we pass in is both client and server authentication on the certificate, but later we will make sure that the private key doesn't go on the client.

For the Extensions section, we are making the extension to support both Client and Server. But there is some strange behavior around some of these applications. So, make the Subject alt name the same as your CN.

Second, save the file in Notepad as a. So, here I saved it as brandonaxonpremisecsrrequest.
Third, run the following command in the command prompt as an admin:

    certreq -new brandonaxonpremisecsrrequest.

You can name the file whatever you want. Name the inf file after what you put between the whatever you put in the inf.

Fourth, open up the file and copy and paste the begin CSR Request and End CSR Request. You'll notice that the CSR request is encoded, but it contains everything you need for being able to set things up the right way, including a bunch of sensitive information.
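A pre-flight check for the request file built in the steps above, run before handing it to certreq. This is an added example, not code from the original post: the function names load_inf and check_request, the host name axonpremise.contoso.example, the 2048-bit floor and the weak-hash list are assumptions, and the four OIDs are the standard values for the symbolic names used in the [Strings] section.

```python
import configparser
import re

# Constructed request file with three deliberate mistakes; the host name is a placeholder.
SAMPLE_INF = r'''
[NewRequest]
Subject = "CN=axonpremise.contoso.example, O=Example, C=US"
KeyLength = 1024
HashAlgorithm = SHA1
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=axonpremise"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"
'''

def load_inf(text):
    """Parse the INF and expand %name% references using the [Strings] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep the original key case
    cp.read_string(text)
    strings = {k: v.strip('"') for k, v in cp["Strings"].items()} if "Strings" in cp else {}
    def expand(s):
        return re.sub(r"%(\w+)%", lambda m: strings.get(m.group(1), m.group(0)), s.strip('"'))
    return {sec: {expand(k): expand(v) for k, v in cp[sec].items()} for sec in cp.sections()}

def check_request(text, min_bits=2048, weak_hashes=("", "MD5", "SHA1")):
    """Return the names of settings that fail; a missing value is flagged, never assumed."""
    inf = load_inf(text)
    req, ext = inf.get("NewRequest", {}), inf.get("Extensions", {})
    findings = []
    if int(req.get("KeyLength", "0")) < min_bits:
        findings.append("KeyLength")
    if req.get("HashAlgorithm", "").upper() in weak_hashes:
        findings.append("HashAlgorithm")
    # The post's rule: the subject alternative name must repeat the CN.
    cn = re.search(r"CN=([^,]+)", req.get("Subject", ""))
    sans = re.findall(r"dns=([^&\s]+)", ext.get("2.5.29.17", ""), re.I)
    if not cn or cn.group(1).strip().lower() not in [s.lower() for s in sans]:
        findings.append("SubjectAltName")
    # The post requests both server and client authentication in the EKU extension.
    ekus = set(ext.get("2.5.29.37", "").replace("{text}", "").split(","))
    if not {"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"} <= ekus:
        findings.append("EnhancedKeyUsage")
    return findings
```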