Hi
We need to implement NavUserPassword authentication for both Windows clients and Web clients, on BC14 on-prem. The Windows client was tested with self-signed certificates and worked. We created these certificates based on older documentation, which created a Root CA, a certificate revocation list, and a Service certificate.
Microsoft recommends buying a certificate for a production environment, and this is where the wheels come off a bit. We have been unable to find adequate information on what type of certificate to buy, or how to buy. Yes, one can google and come across multiple vendors. But the confusion comes in with the Microsoft documentation.
You implement chain trust by obtaining X.509 service certificates from a trusted provider. These certificates and their root certification authority (CA) certificates must be installed in the certificates store on the computer that is running Business Central Server. The CA certificate must also be installed in the certificate store on computers that are running the Business Central Web Server and Dynamics NAV Client connected to Business Central so that clients can validate the server.
You install the security certificates on the computers running Business Central Server, Business Central Web Server, and Dynamics NAV Client connected to Business Central. The root CA certificate and the service certificate are used in the configuration, but client certificates are not.
My first question is this ... The documentation refers to certificates, not certificate. Does that mean we need 2? Or do we buy the Root CA, and then create the Service Certificate based on that? Or does the Root CA also include the service Certificate? We have searched google and the only sites that ever refer to 'service' certificate is Microsoft.
Now to the second question. When one looks at the sites, you can buy certificates for a Single Domain, Multi Domains, and Single Domains with sub-domains. Am I correct in assuming the Single Domain will be adequate?
And to the last question. Microsoft recommends using a purchased certificate as opposed to a self-signed one. Is this really necessary considering it is only internal users? Is it any more secure than a self-signed one? Or are they simply more trusted and therefore better for commercial websites?
All inputs appreciated.
Regards - Noeline
Answers
If you buy a certificate, it should contain the complete chain of certificates needed. So, no need to buy multiple.
A single domain certificate should be sufficient.
A self-signed certificate does exactly the same as a purchased certificate. However, with a purchased certificate, the client can be sure that the server can be trusted, as the issuer is trusted. When using a self-signed certificate, that trust is not there, and you will have to install that self-signed certificate on every client.
What you need to understand is that there are certificates in two places. There is one which you use in the Dynamics NAV environment, which is identified using the certificate thumbprint. This is used for the communication between IIS (Internet Information Server) and the Dynamics NAV Server. This is mandatory when using NavUserPassword authentication. It is also used for encrypting communication between the RoleTailored clients and the NAV server.
The second place you might use a certificate is in IIS. IIS is hosting the webclient, and users are connecting to IIS. So, if you want that secured, you need a certificate for that. Also, if you want to use the universal app, SSL is mandatory.
What I usually do is that the server certificate (so, the one identified using the Certificate Thumbprint in the Dynamics NAV Administration) is a self-signed certificate. If the NAV server and the IIS server are on the same machine, this should work immediately. If not, you should export the self-signed certificate you created on the NAV server, and import it on the server running IIS. I assume you got this working.
If my IIS server is available from the outside, I use a wildcard certificate (*.domain.com) and install that on IIS.
That's the webclient covered: You don't need to install the "real" certificate on the clients, as it should already be trusted by the browser.
For the RoleTailored clients I would not bother with "real" certificates if they are only used internally. Also, you cannot purchase certificates for your servers if there are no official Top Level Domain (TLD) names used. You cannot buy a certificate for your company.local domain, for example, so you can only use self-signed certificates. That means you have to install that self-signed certificate on every computer.
However, when you set the ServicesCertificateValidationEnabled to false in the client's config file, no validation is done on the certificate, and you don't need to install the certificate on the local client either.
However, do remember that not using a certificate poses a security risk, as traffic between client and server is not encrypted.
I hope this makes it somewhat more clear for you.
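The self-signed route described in the answer above, scripted end to end, as an added example that is not part of this thread and not Microsoft's own guidance. It assumes PowerShell run as administrator on the NAV/BC Server, the Business Central administration cmdlets (Set-NAVServerConfiguration, Restart-NAVServerInstance) already loaded, and placeholder values for the server FQDN, server instance name and export folder. Instead of setting ServicesCertificateValidationEnabled to false, it imports the exported public certificate into the Trusted Root store of the IIS machine and the clients so that validation keeps working, and it checks the resulting chain and DNS name with .NET's X509Chain the same way a client would.

```powershell
# Added example, not from the forum thread or from Microsoft.
# Assumptions: run as administrator; the three values below are placeholders;
# the Business Central administration module is already imported.
$navServerFqdn  = 'bcserver.company.local'   # placeholder: name clients connect to
$serverInstance = 'BC140'                    # placeholder: NAV/BC server instance
$exportDir      = 'C:\Certs'                 # placeholder: where the .cer is written

New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# --- On the NAV/BC Server machine -------------------------------------------

# 1. Create the service certificate. The DNS name must match what the clients
#    use in their connection string; a trusted issuer does not help if the
#    name does not match.
$cert = New-SelfSignedCertificate `
    -DnsName           $navServerFqdn `
    -FriendlyName      'BC14 NavUserPassword service certificate' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy   Exportable `
    -KeySpec           KeyExchange `
    -NotAfter          (Get-Date).AddYears(2)

# 2. Export only the public part. The private key never leaves this machine;
#    the .cer is what the IIS server and the Windows clients receive.
$cerPath = Join-Path $exportDir 'bc14-service.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 3. Point the server instance at the certificate. Reading the Thumbprint
#    property avoids the invisible characters that copying the thumbprint out
#    of the certificate dialog can introduce.
Set-NAVServerConfiguration -ServerInstance $serverInstance `
    -KeyName ServicesCertificateThumbprint -KeyValue $cert.Thumbprint
Set-NAVServerConfiguration -ServerInstance $serverInstance `
    -KeyName ClientServicesCredentialType -KeyValue NavUserPassword
Restart-NAVServerInstance -ServerInstance $serverInstance

# --- On the IIS machine and on every Windows client --------------------------

# 4. A self-signed certificate is its own root, so importing it into Trusted
#    Root Certification Authorities is the whole chain installation.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Verify the way a client does: build the chain against the local store and
#    compare the certificate's DNS name with the name being connected to.
#    Revocation is skipped because a self-signed certificate has no CRL.
function Test-ServiceCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $ExpectedDnsName
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Certificate)
    $dnsName = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    [pscustomobject]@{
        Thumbprint   = $Certificate.Thumbprint
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NameMatches  = ($dnsName -ieq $ExpectedDnsName)
        NotAfter     = $Certificate.NotAfter
    }
}

$installed = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
Test-ServiceCertificate -Certificate $installed -ExpectedDnsName $navServerFqdn

# 6. Defender's check on a client: confirm validation was not switched off.
#    Assumed BC14 path; adjust if your client settings live elsewhere.
$clientConfig = Join-Path $env:APPDATA 'Microsoft\Microsoft Dynamics NAV\140\ClientUserSettings.config'
if (Test-Path $clientConfig) {
    $settings = [xml](Get-Content $clientConfig)
    $validation = $settings.configuration.appSettings.add |
        Where-Object { $_.key -eq 'ServicesCertificateValidationEnabled' }
    "ServicesCertificateValidationEnabled = $($validation.value)"
}
```

If ChainTrusted comes back false with status UntrustedRoot, the import in step 4 did not reach the LocalMachine Root store on that client; if NameMatches is false, the clients are connecting by a name (short hostname, IP address) that is not the one the certificate was issued for. The service account that runs the server instance also needs read access to the certificate's private key, which the script does not grant. On a renewal, rerun steps 1 through 4 and the server's thumbprint setting together, because the old thumbprint stops matching the moment the new certificate is configured.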