My organization has a Microsoft Dynamics PowerApps-based website to allow a subset of our customers to manage their applications to us. It’s secured using HTTPS, as all good websites should be. That means I need to update the certificate annually, and it’s a time-consuming process because we don’t actually own the domain that our PowerApps site is listening on. Here’s a high-level overview of what a renewal entails:
- Generate a CSR
- Complete paperwork for our parent organization’s certificate management department:
  - Information about the requested certificate type, my contact information, my manager
  - Send this to our parent company for signoff from our representative
  - Attach the CSR to the form and send it to our parent company’s certificate management department. I don’t know why our rep. cannot sign this after we’ve submitted it to the certificate management department.
- Get the new certificate
- Merge the signed certificate (CER) with the private key and create a PFX
- Upload the PFX to Netscaler
- Bind to the VSRV object
- Upload to PowerApps
- Bind to the proper portal
- Confirm that the certificate is now in use and working
Honestly, getting the paperwork filled out is the hardest part of the whole process because it gets bounced around and needs to be escalated a certain way (politics). Documenting that hassle isn’t going to be useful for anyone else, so let’s focus on the technical parts.
Generate a CSR
I’ve used the CertificateTools.com X509 Certificate Generator site in the past because it can handle Subject Alternative Names (SANs). This particular site needs 4 domains:
- company.com
- company.ca
- www.company.com
- www.company.ca
I enter all of the required information and a Certificate Signing Request (CSR) is generated, along with the private key. This can also be done in openssl, if you’re worried about having the private key for your certificate generated by a server outside your control.
Let’s walk through generating this with openssl! First, let’s generate the random file and set the config file:
D:\>set OPENSSL_CONF=d:\apps\OpenSSL\bin\openssl.cfg
D:\>set RANDFILE=.rnd
Now, enable support for SANs in your request. Edit the config file d:\apps\OpenSSL\bin\openssl.cfg: add req_extensions = req_ext to the existing [ req ] section so the request picks up that section, then add the SAN/DNS names to a req_ext section (all four names, so they match what the CSR must carry):
[ req ]
req_extensions = req_ext

[ req_ext ]
subjectAltName = DNS:company.com, DNS:www.company.com, DNS:www.company.ca, DNS:company.ca
Let’s generate the private key for this request (genrsa writes the key unencrypted unless you pass a cipher option such as -aes256, so keep the file somewhere access-controlled):
D:\Apps\OpenSSL\bin>openssl genrsa -out rsa.private 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................................................................
...........................................................+++++
..........................................+++++
e is 65537 (0x010001)
Then, we generate the CSR:
D:\Apps\OpenSSL\bin>openssl req -new -key rsa.private -out company.csr.txt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Ontario]:
Locality Name (eg, city) [Port Colbourne]:
Organization Name (eg, company) [Company]:
Organizational Unit Name (eg, section) [IT-CNS]:
Common Name (e.g. server FQDN or YOUR name) []:company.com
Email Address [helpdesk@company.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Before sending the CSR off, check that all four SANs actually made it into the request:
D:\Apps\OpenSSL\bin>openssl.exe req -noout -text -in company.csr.txt
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = CA, ST = Ontario, L = Port Colbourne, O = company, OU = IT-CNS, CN = company.com, emailAddress = helpdesk@company.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
(modulus bytes omitted)
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:company.com, DNS:www.company.com, DNS:www.company.ca, DNS:company.ca
Signature Algorithm: sha256WithRSAEncryption
(signature bytes omitted)
Merging the CER and KEY to create a PFX
After sending off the CSR, I received back a certificate (CER) file from the certificate management department. This is the certificate I need, but it does not have the private key attached. If I were to import this, I’d get a notice saying that it’s missing the private key (“You do not have the private key for this certificate”). Let’s merge the KEY with the CER and generate a PFX, with everything nicely bundled together and protected by a password. If the certificate management department also sent intermediate CA certificates, add them to the bundle with -certfile so the full chain is served. Back to openssl:
D:\Apps\OpenSSL\bin>openssl pkcs12 -export -out company.pfx -inkey rsa.private -in ServerCertificate.crt
Enter Export Password:
Verifying - Enter Export Password:
Now that I have the PFX, I can import it into Netscaler and bind it to my VSRV.
Bind to PowerApps
I also have to upload this to PowerApps and bind it to the proper portal:
- Launch the PowerApps Portals Admin Centre in a browser
- Click “Manage SSL Certificates”. You’ll see a list of certificates that PowerApps knows about.
- Click “Add New”. Browse to the PFX you generated and upload it, along with the password.
- Verify your new certificate is now listed with the proper expiry date and SAN. Make a note of the Thumbprint!
- Click “Setup Custom Domains and SSL”. Under SSL Bindings, you’ll see the currently bound certificate.
- Delete the currently bound certificate
- Click “Add New” and add the certificate you previously uploaded.
- Verify the bound certificate’s Thumbprint matches the one you recorded earlier
Now use a tool like Qualys’ SSL Server Test to make sure that the new certificate is actually in use.
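As an added example (not code from the original post), here is the openssl side of the renewal above as one script covering the CSR section and the PFX step, plus the thumbprint comparison from the PowerApps steps: it writes a config whose [ req ] section points at req_ext, generates the key and CSR, prints the SANs for review, self-signs the CSR in place of the real CA so the PFX step can run offline, and reads the thumbprint back out of the PFX. The hostnames, the export password and the self-signed stand-in certificate are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: SAN CSR -> PFX -> checks, using only openssl.
# Hostnames, password and the self-signed stand-in certificate are constructed placeholders.
set -euo pipefail

WORK=$(mktemp -d)
CNF="$WORK/san.cnf"
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = req_ext
prompt             = no
[ req_dn ]
C  = CA
ST = Ontario
O  = Company
CN = company.com
[ req_ext ]
subjectAltName = DNS:company.com, DNS:www.company.com, DNS:company.ca, DNS:www.company.ca
EOF

# Private key (unencrypted on disk) and CSR; SANs come from req_ext via req_extensions.
openssl genrsa -out "$WORK/rsa.private" 2048 2>/dev/null
openssl req -new -key "$WORK/rsa.private" -config "$CNF" -out "$WORK/company.csr"

# Print the SAN line of a CSR so it can be reviewed before the paperwork goes out.
csr_sans() {
  openssl req -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# SHA-256 of the public key; equal for key and cert only when they belong together.
pubkey_hash() {   # $1 = key|cert, $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    cert) openssl x509 -in "$2" -pubkey -noout ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Stand-in for the CA: self-sign the CSR (keeping its SANs) so the PFX step runs offline.
openssl x509 -req -in "$WORK/company.csr" -signkey "$WORK/rsa.private" -days 1 \
  -extfile "$CNF" -extensions req_ext -out "$WORK/ServerCertificate.crt" 2>/dev/null

# Bundle key + certificate into a password-protected PFX (constructed password).
openssl pkcs12 -export -inkey "$WORK/rsa.private" -in "$WORK/ServerCertificate.crt" \
  -out "$WORK/company.pfx" -passout pass:ConstructedPassword

# Thumbprint of the certificate inside a PFX (SHA-1 without colons, the Windows-style
# "Thumbprint" format; assumed to match what the admin centre displays).
pfx_thumbprint() {   # $1 = pfx, $2 = password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | cut -d= -f2 | tr -d :
}
```

Compare the value from pfx_thumbprint with the Thumbprint shown after binding, and with the certificate the live site serves, to confirm the right certificate is in use.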