Microsoft Dynamics NAV 2017 tablet client testing using OpenSSL certificates

Recently I had to test the Microsoft Dynamics NAV 2017 tablet client on an iPad. For this, the Microsoft Dynamics NAV web client has to run over HTTPS, so you need an SSL certificate. For older versions of iOS you could do this with self-signed certificates, as explained on the navteam blog, but when I tried those steps they did not work for me on iOS 10 or later: I got the error "Could not connect to the server". Some people recommended using a commercial SSL certificate to resolve the issue, but I wanted a no-cost solution, so I decided to create a signed certificate for my testing rather than use a self-signed one. I started looking for solutions and found that OpenSSL can help you create a signed certificate by creating your own certificate authority (CA). So I wanted to give it a try.

Pre-requisites:

  • Microsoft Dynamics NAV 2017 web client installed and running on localhost (I used an Azure VM for hosting Dynamics NAV 2017).
  • Installation source for OpenSSL downloaded. I found this easier than downloading the OpenSSL binaries, which I had to compile.
  • Microsoft Dynamics NAV app, available on the App Store, installed on the iPad.

High Level Steps:

  • Create root certificate authority (CA).
  • Create certificate request for Intermediate Certificate.
  • Sign the Intermediate Certificate by CA.
  • Generate .pfx for IIS from Intermediate Certificate.
  • Import the .pfx file on IIS and bind Microsoft Dynamics NAV web client website with it.
  • Import the root CA certificate and the Intermediate Certificate on your clients, such as a Windows machine and the iPad.

Detailed Steps:

1. Verify that Microsoft Dynamics NAV 2017 web client is accessible using the default URL as below:

2. On your Microsoft Dynamics NAV machine, run the downloaded .EXE file to install OpenSSL. Follow the steps as given below:

An OpenSSL folder is created on the C drive, and I have also created an additional folder called "MyCerts" in the same directory. I will use this folder to keep my files separate and organized.

3. Next, you can run the following two commands to get started with OpenSSL:

4. Now we are ready to create certificates. First, we will create a key for the root certificate by running the following command:

genrsa -out rootCA.key 4096

5. Next we will create the rootCA from the key created in the previous step, using the following command:

req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

It will ask to provide some information as shown below. The root certificate created in this step will be used to sign the certificate request that we will create for different clients. So this certificate plays the role of master certificate.

At this stage we have two files created in "MyCerts" folder.

So now we have certificate authority (CA) created successfully. We will use this CA to sign certificates that will be created in the next steps.

6. Next we will create the device (client) certificate request. For this, we first create the certificate key and then the certificate request, as given below:

genrsa -out NavClient.key 4096

req -new -key NavClient.key -out NavClient.csr

The certificate request created at this stage is not yet signed by the rootCA. We will sign it in the next step.

7. Sign the certificate request (i.e. NavClient.csr) by running the command below:

x509 -req -in NavClient.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out NavClient.crt -days 500 -sha256

Now we have a certificate signed by a certificate authority (CA). We will use this certificate on the iPad for testing the NAV iPad app. This is the same as if you bought a commercial SSL certificate from a service provider.

We also need to deploy this certificate on IIS to bind the NAV web client application to it. Since IIS prefers the .pfx file format for certificates, in the next step we will create a .pfx file from the intermediate certificate created in the last step.

8. Now, by using the following command, we will create the .pfx file that will be used to install the certificate on IIS and will be associated with the Dynamics NAV web client. It will ask you for a password, which will be used when importing the certificate in IIS.

pkcs12 -export -out NavClient.pfx -inkey NavClient.key -in NavClient.crt

The .pfx file is created as shown below:

Now we have all the required certificates created for us to use on the different clients. Next we will deploy these certificates on the Microsoft Dynamics NAV server and on the IPad.
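Steps 4 to 8 above as a non-interactive script, followed by checks that NavClient.crt chains to rootCA.pem, that NavClient.key belongs to it and that NavClient.pfx contains it. This is an added example, not part of the original post; it assumes a POSIX shell with openssl on the PATH, and the subject names and the .pfx password are constructed placeholders.

```sh
#!/bin/sh
# Added example: the article's steps 4-8 without prompts, then three checks.
# Subject names and the .pfx password are constructed placeholders.
KEY_BITS=${KEY_BITS:-4096}            # the article uses 4096-bit RSA keys
PFX_PASS=${PFX_PASS:-ChangeMe-demo}   # placeholder import password

# make_chain DIR: create the CA and the signed NavClient files in DIR
# (the article's "MyCerts" folder). Runs in a subshell so the caller's
# working directory is untouched.
make_chain() (
  cd "$1" || exit 1
  # Steps 4-5: root key and self-signed root CA certificate.
  # rootCA.key is written unencrypted, so restrict who can read it.
  openssl genrsa -out rootCA.key "$KEY_BITS" 2>/dev/null || exit 1
  chmod 600 rootCA.key
  openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
    -subj "/CN=Example Test Root CA" -out rootCA.pem || exit 1
  # Step 6: key and certificate request for the web client certificate.
  openssl genrsa -out NavClient.key "$KEY_BITS" 2>/dev/null || exit 1
  openssl req -new -key NavClient.key -subj "/CN=nav.example.test" \
    -out NavClient.csr || exit 1
  # Step 7: sign the request with the root CA.
  openssl x509 -req -in NavClient.csr -CA rootCA.pem -CAkey rootCA.key \
    -CAcreateserial -out NavClient.crt -days 500 -sha256 2>/dev/null || exit 1
  # Step 8: bundle key and certificate into a .pfx for IIS.
  openssl pkcs12 -export -out NavClient.pfx -inkey NavClient.key \
    -in NavClient.crt -passout "pass:$PFX_PASS" || exit 1
)

# check_chain DIR: exit status 0 = all good, 2 = certificate does not chain
# to rootCA.pem, 3 = key and certificate differ, 4 = .pfx holds another cert.
check_chain() (
  cd "$1" || exit 1
  openssl verify -CAfile rootCA.pem NavClient.crt >/dev/null 2>&1 || exit 2
  cert_pub=$(openssl x509 -in NavClient.crt -noout -pubkey)
  key_pub=$(openssl pkey -in NavClient.key -pubout)
  [ "$cert_pub" = "$key_pub" ] || exit 3
  fp_crt=$(openssl x509 -in NavClient.crt -noout -fingerprint -sha256)
  fp_pfx=$(openssl pkcs12 -in NavClient.pfx -passin "pass:$PFX_PASS" \
             -nokeys 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
  [ "$fp_crt" = "$fp_pfx" ] || exit 4
)

# Usage: d=$(mktemp -d) && make_chain "$d" && check_chain "$d" && echo OK
```
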

9. In this step we will import the rootCA.pem and NavClient.crt certificates into the NAV server certificate store.

Click Start and click Run, then type mmc.exe in the Run box. Once the console is open, click File and then select Add/Remove Snap-in. Select Certificate from the available snap-ins and click Add. Click OK, then select computer account on the next screen. Click Next, click Finish and finally click the OK button to complete the steps. This loads the certificate snap-in in the console. All the steps are shown below:

Repeat the process for the NavClient.crt file, and it should look as shown below:

10. Now we are ready to import the .pfx file in IIS on the server where my NAV web client is deployed. For this, go to IIS Manager and click on Server Certificates. Click on Import Certificate; it will ask for the password that was assigned while creating and exporting the .pfx certificate in step 8.

11. Once the certificate is imported successfully, go to the NAV web client site and click on Bindings. Select https as the type and assign an appropriate port. Next, select the SSL certificate from the options and click OK. It will look as shown below:

 

Just for testing purposes, if you run the NAV web client on a Windows machine or an iPad where the certificates are not imported, you will get the following error messages respectively.

To overcome the issue on a Windows machine, follow step 9, which we did for the NAV server. For the iPad, see the next step.

12. The next step is to move the .pem and .crt files onto your iPad. I did it by using Gmail. Open your Gmail account and click on the .pem and .crt files in your email. This will install both certificates on the iPad. After installation, you will see both certificates as shown below:

13. There is one more step before you can try the Microsoft Dynamics NAV app on the iPad. Go to General -> About -> Certificate Trust Settings and enable full trust for the root certificate as shown below:

14. Now let's try to connect the iPad app to the web client service URL. This time, I don't see any error. After passing the user ID and password, it works fine for me as shown in the steps below:

After successful login, you can see the working NAV iPad app :)

Hope this will help to test the Microsoft Dynamics NAV tablet client for iPad.

 

Thanks and cheers !!

 

 

 

 

 

 
