
Dynamics NAV / Business Central: automated SSL certificate

Microsoft Dynamics NAV and Business Central on-premise have two certificate touchpoints that have to be updated together: the IIS binding for Web Client, and ServicesCertificateThumbprint on every BC Service Tier instance. simple-acme handles the IIS side, and FairSSL's ImportDynamicsNAV.ps1 handles the Service Tier configuration.

Setup

Step 1: Install simple-acme

Grab FairSSL's simple-acme build, which is pre-configured with the right ACME settings and ships ImportDynamicsNAV.ps1 in the Scripts folder. Extract it to C:\simple-acme on the BC server.

Step 2: Prepare the environment

  • The hostname matches what BC clients connect to and is not a wildcard.
  • The domain is configured for FairSSL Auto DNS.
  • Schedule a service window - the script restarts BC instances whose thumbprint changes.
  • Open a command prompt as administrator and cd to C:\simple-acme.

Step 3: Issue and deploy

Run the command as administrator. simple-acme issues the certificate via Auto DNS, installs it in the Windows Certificate Store, binds it in IIS and runs ImportDynamicsNAV.ps1 to update every running BC instance.

wacs.exe --verbose --baseuri "https://fairssl.dk/acme" `
  --eab-key-identifier YOUR_EAB_KID --eab-key YOUR_EAB_HMAC --accepttos `
  --source manual --host "bc.example.com" --validation none `
  --certificatestore My `
  --installation iis,script --script "Scripts\ImportDynamicsNAV.ps1" `
  --scriptparameters "'{CertThumbprint}'" `
  --friendlyname "fairssl-acme-bc.example.com"

Step 4: Verify the IIS binding

Open the BC Web Client URL in a browser and confirm the new certificate is served. If the old one is still served, the IIS binding has no host header for simple-acme to match. Open IIS Manager, go to the BC Web Client site → Bindings → HTTPS → Edit, and pick the new certificate (friendly name fairssl-acme-<host>). Add a host header to the binding while you are there (e.g. *:443:bc.example.com) so future renewals bind automatically.
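The Step 4 check can also be scripted. The following PowerShell is an added example, not part of FairSSL's or simple-acme's tooling: it compares the thumbprint served on port 443 with the newest certificate whose friendly name is fairssl-acme-<host>. It assumes it runs on the BC server after Step 3, that --certificatestore My refers to the LocalMachine\My store, and it uses the page's example host bc.example.com as the default.

```powershell
# Added example; not FairSSL's or simple-acme's own code.
param(
    [string]$HostName = 'bc.example.com',  # the page's example host
    [int]$Port = 443                       # IIS HTTPS binding for the Web Client
)

# Assumption: --certificatestore My refers to the LocalMachine\My store.
# Pick the newest certificate carrying the friendly name set in Step 3.
$expected = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq "fairssl-acme-$HostName" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $expected) {
    throw "No certificate with friendly name fairssl-acme-$HostName in LocalMachine\My"
}

# Validation callback that accepts anything: the goal is to read the served
# certificate, even an expired one, not to trust the connection.
$acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($HostName)   # sends $HostName as SNI, like a browser
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}

$result = [pscustomobject]@{
    Endpoint       = "${HostName}:$Port"
    ExpectedThumb  = $expected.Thumbprint
    ServedThumb    = $served.Thumbprint
    Match          = ($served.Thumbprint -eq $expected.Thumbprint)
    HasPrivateKey  = $expected.HasPrivateKey
    ServedNotAfter = $served.NotAfter
}
$result | Format-List

if (-not $result.Match) {
    Write-Warning "IIS serves a different certificate; check the host header on the HTTPS binding."
    exit 1
}
```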

Step 5: Tune the simple-acme renewal window

If you used the FairSSL simple-acme build, this is already set. Otherwise edit ScheduledTask → RenewalDays to 365 in settings.json in the simple-acme folder. That lets ARI drive renewal rather than a fixed schedule.

Advanced: multiple instances with different certificates

This applies only if you have multiple BC instances using different certificates. Run the Step 3 command once per certificate/instance pair and extend the script parameters with the instance name:

--scriptparameters "'{CertThumbprint}' 'BC-PROD'"

Frequently asked questions

Find answers to the most common questions about SSL certificates and FairSSL.

Dynamics NAV 2017+ and Business Central 14+ (on-premise). The ACME flow itself does not care about the BC version, but ImportDynamicsNAV.ps1 updates CustomSettings.config via the NavAdminTool/BCAdminTool PowerShell module that ships with BC. The script auto-detects which module is installed.
It updates CustomSettings.config for every running BC instance so ServicesCertificateThumbprint points at the new certificate, grants the BC service account Read on the private key (so the service can actually start with the new cert), and restarts only those instances whose thumbprint changed. Instances without a change keep running.
No, only the ones whose ServicesCertificateThumbprint changed. If you have multiple BC instances using the same certificate they all restart, but only because they all need updating. If you have different certificates per instance, see the advanced section above.
Yes. The Web Client and Service Tier endpoints must present a certificate where the common name or SAN matches what clients connect to. BC Web Client does not accept wildcards. Order a SAN certificate if you have both bc.example.com and nav.example.com.
simple-acme can only swap an IIS binding automatically when its host header matches the certificate. If the BC Web Client site runs on *:443: (no host header), the site still serves the old certificate after the first run. Fix: open IIS Manager, add the host header (e.g. bc.example.com), and select the new certificate manually once. Future renewals bind automatically.
Yes. ImportDynamicsNAV.ps1 updates the Service Tier CustomSettings.config while simple-acme also binds the certificate in IIS for the Web Client site. The same thumbprint is used in both places, so renewals cover the full BC stack in one go.
