We need to implement NavUserPassword authentication for both Windows clients and Web clients, on BC14 on-prem. The Windows client was tested with self-signed certificates and worked. We created these certificates based on older documentation, which created a Root CA, a certificate revocation list, and a Service certificate.
Microsoft recommends buying a certificate for a production environment, and this is where the wheels come off a bit. We have been unable to find adequate information on what type of certificate to buy, or how to buy. Yes, one can google and come across multiple vendors. But the confusion comes in with the Microsoft documentation.
You implement chain trust by obtaining X.509 service certificates from a trusted provider. These certificates and their root certification authority (CA) certificates must be installed in the certificates store on the computer that is running Business Central Server. The CA certificate must also be installed in the certificate store on computers that are running the Business Central Web Server and Dynamics NAV Client connected to Business Central so that clients can validate the server.
You install the security certificates on the computers running Business Central Server, Business Central Web Server, and Dynamics NAV Client connected to Business Central. The root CA certificate and the service certificate are used in the configuration, but client certificates are not.
My first question is this ... The documentation refers to certificates, not certificate. Does that mean we need 2? Or do we buy the Root CA, and then create the Service Certificate based on that? Or does the Root CA also include the service Certificate? We have searched google and the only sites that ever refer to 'service' certificate is Microsoft.
Now to the second question. When one looks at the sites, you can buy certificates for a Single Domain, Multi Domains, and Single Domains with sub-domains. Am I correct in assuming the Single Domain will be adequate?
And to the last question. Microsoft recommends using a purchased certificate as opposed to a self-signed one. Is this really necessary considering it is only internal users ? Is it any more secure than a self-signed one? Or are they simply more trusted and therefore better for commercial websites.
All inputs appreciated.
Regards - Noeline