Administration, Dynamics CRM

SSL-Certificate replacement on CRM on-premise

Last week, I had to replace the existing ssl-certificate on our crm on premise systems. I installed the ssl-certificates in the IIS certificate store and also installed the corresponding root certificates. I changed the binding in IIS and checked the certificate in the browser, everything was working fine. But after abound 1 hour, the whole crm system was gone offline.

I checked the systems and found an error in the event log with the following message:

Based on the message “The certificate’s private key could not be accessed” I assumed, that this is connected to my certificate replacement. Therefore I switched back to my previous certificate, to solve the interruption and checked the system again.

After some research, I found the root cause: The certificate has to be granted to the user. Therefor I followed these steps:

  1. Open the Management Console (mmc.exe)
  2. Add the certificate snap-in based with File > Add/Remove Snap-in …

    Add snap-in
    Add snap-in
  3. Select certificates > Add > computer account > local computer > finished

    Add certificate
    Add certificate
  4. Drill down the personal folder and select the certificate on the right. Open the context menu and select All Tasks > Manage Private Keys…
    Add permission to certificate
  5. In the new property window add your users.
    1. In my case, I had to add the IIS_IUSRS and the user of, which is running the application pool.


Based on my experience, crm creates their own tokens based on the ssl certificate. This token seems to be renewed at least every hour. Therefore, an error might come up not instantly after the certificate replacement, but also after some hours.


Additionally, there are some more services, where you have to change the certificate.

Change SSL on Reporting Service

If you use the reports, don’t forget to change the SSL-Certificate and update the Bindings on the reporting service.

Update Sharepoint Integration

After changing the ssl-certificate on the crm system, don’t forget to also update the trust with your sharepoint server. Therefore open a powershell with administrative rights and run the following command:

The cmdlet is located in the toolsfolder of you crm installation. Also use the correct user in paramter serviceAccount, which has to be the user for asynchronous jobs.