Dynamics NAV and Let's Encrypt certificate

Are you using HTTPS for your Dynamics NAV? Or are you using SSL for your OData/SOAP web services? Do you want a trusted certificate for free? If so, you can use Let's Encrypt to create one. There are many ways to use it, but most of them involve some human intervention. One way is e.g. described here.

What I am using is a tool named AutoACME from my MVP friend Michal Altair Valášek. This tool takes care of everything around generating the certificate for your website. It uses a feature called Centralized SSL Certificate, which gives you a single place holding the certificates for your IIS servers. How to get started is described here.

After everything is configured and working, the result is that we have the certificate for our server in a folder. The second step is to take this certificate and use it for our NAV server. I am using this script to do it:

$NAVInstance = 'NAV'
# Placeholder: the account under which the NAV Server service runs
$NAVAccount = 'DOMAIN\NavServiceAccount'
$CertPassword = 'MyCertPassword'
$CertFile = 'C:\CertStore\PFX\mycertfilename.pfx'
# Ports 7047 and 7048; the 0.0.0.0 (all IPv4 addresses) binding is an assumption, adjust it to your listener
$IpPorts = '0.0.0.0:7047', '0.0.0.0:7048'

#Install-Module -Name 'Carbon' -AllowClobber

Import-Module Carbon
Import-Module 'C:\Program Files\Microsoft Dynamics NAV\90\Service\Microsoft.Dynamics.Nav.Management.dll'

# Install the PFX into the local machine store and remember its thumbprint
$cert = Install-Certificate -Path $CertFile -StoreLocation LocalMachine -StoreName My -Password (ConvertTo-SecureString -AsPlainText $CertPassword -Force)
$thumbprint = $cert.Thumbprint

#netsh http show sslcert
# Replace the HTTP.SYS certificate binding on each port
foreach ($ipPort in $IpPorts) {
    netsh http delete sslcert ipport=$ipPort
    netsh http add sslcert ipport=$ipPort certhash=$thumbprint appid=`{00112233-4455-6677-8899-aabbccddeeff`}
}

# Let the NAV service account use the private key, then point NAV at the new certificate
Grant-Permission -Identity $NAVAccount -Permission FullControl -Path "cert:\LocalMachine\My\$thumbprint"
Set-NAVServerConfiguration -KeyName 'ServicesCertificateThumbprint' -KeyValue $cert.Thumbprint -ServerInstance $NAVInstance -Force
Set-NAVServerInstance -ServerInstance $NAVInstance -Restart -Force

It uses the PowerShell module Carbon to assign the permissions on the certificate. You can install it with the PowerShell command "Install-Module -Name 'Carbon' -AllowClobber". What this script does is:

  1. Set the variables (change the values to suit your situation or turn them into parameters...)
  2. Import needed modules (Carbon and Dynamics NAV management)
  3. Install the certificate into the local machine store
  4. Get the thumbprint of the certificate
  5. Remove the old certificate from ports 7047 and 7048 (turn them into parameters if you want)
  6. Add the new certificate to ports 7047 and 7048
  7. Grant permissions on the private key to the account under which the NAV Server is running
  8. Set the ServicesCertificateThumbprint value in the Dynamics NAV Server configuration to the new thumbprint
  9. Restart the NAV Server

After that you have the new certificate up and running for your server.


I know that this description is high level. My intention is not to give you a full step-by-step guide, because your environment can be different from mine, but rather to show you the tools and an alternative way you can use in your situation.

Because I do not yet have automation for connecting IIS to the Centralized SSL Certificate store, e.g. for using it in Docker, I am using this only in situations where my IIS/NAV server is accessible from the internet (live/demo environments not using Docker), because the Let's Encrypt server needs to access the web site to do the verification. Part of the AutoACME initial configuration is to create a URL Rewrite rule that sends all verification requests to the local IIS server you select, and there AutoACME handles the verification process. This means you need to configure the URL Rewrite rule on the web server that handles the URL for the address you want to have on the certificate. This is a basic thing and you need to think about it before you use Let's Encrypt. E.g. if I address all my NAV servers through names like xxxx.navertica.com, I need to have an IIS server which handles all possible *.navertica.com requests (and of course the DNS entries for these names need to be set correctly) and set the URL Rewrite rule there.

You need to be aware that the certificate has a short expiration period and you need to run the process again before the certificate expires. Of course, it is good to add a condition to update the NAV certificate only when a new one is generated ;-)
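
One way to implement that "only when a new one is generated" condition, as an added example rather than the author's code: compare the thumbprint of the PFX file with the thumbprint the NAV Server instance is already configured with. The function name `Test-NavCertificateChanged` and the script path `C:\Scripts\Update-NavCertificate.ps1` (the install script above saved to a file) are hypothetical; the other values are the ones used in the script above.

```powershell
# Added example, not the author's script. Uses the same instance name, PFX path
# and password as the install script above.
Import-Module 'C:\Program Files\Microsoft Dynamics NAV\90\Service\Microsoft.Dynamics.Nav.Management.dll'

function Test-NavCertificateChanged {
    param(
        [Parameter(Mandatory = $true)] [string] $NAVInstance,
        [Parameter(Mandatory = $true)] [string] $CertFile,
        [Parameter(Mandatory = $true)] [securestring] $CertPassword
    )

    # Open the PFX only to read its metadata; nothing is added to a certificate store.
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile, $CertPassword)
    try {
        if (-not $pfx.HasPrivateKey) { throw "No private key in $CertFile" }
        if ($pfx.NotAfter -le (Get-Date)) { throw "Certificate in $CertFile expired on $($pfx.NotAfter)" }
        $newThumbprint = $pfx.Thumbprint
    }
    finally {
        $pfx.Reset()   # release the certificate data loaded from the file
    }

    # Read the thumbprint the NAV Server instance is configured with right now.
    $config = Get-NAVServerConfiguration -ServerInstance $NAVInstance -AsXml
    $setting = $config.configuration.appSettings.add |
        Where-Object { $_.key -eq 'ServicesCertificateThumbprint' }
    $currentThumbprint = "$($setting.value)"

    # Compare hex digits only, so spaces or letter case in the config do not matter.
    $clean = { param($t) ($t -replace '[^0-9a-fA-F]', '').ToUpperInvariant() }
    return (& $clean $currentThumbprint) -ne (& $clean $newThumbprint)
}

$securePassword = ConvertTo-SecureString -AsPlainText 'MyCertPassword' -Force
$changed = Test-NavCertificateChanged -NAVInstance 'NAV' `
    -CertFile 'C:\CertStore\PFX\mycertfilename.pfx' -CertPassword $securePassword

if ($changed) {
    # Hypothetical file name: the install script from this post saved as a .ps1 file.
    & 'C:\Scripts\Update-NavCertificate.ps1'
}
else {
    Write-Output 'NAV already uses this certificate; nothing to do.'
}
```

Run from a scheduled task after AutoACME's renewal, this keeps the NAV Server from being restarted on days when the PFX has not changed.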