While creating a certificate with the MakeCert utility you might face this Error: Save encoded certificate to store failed => 0x5 (5) as I did, dont be worried its not about your command the solution to this is to simply start your command prompt or powershell as an administrator and then run the command; the certificate will be created successfully.
Us ISVs( Independent Software Vendors) want to make our own customized Ax solutions to run on predefined licenses so we can better monetize our solutions, well thanks to Microsoft we now have an ISV licensing feature to do this and do not need to create our own licensing mechanisms. The ISV licensing feature includes the following key capabilities:
- ISVs can generate their own Boolean licenses.
- A run-time check that ensures an ISV-generated license key exists.
You can read more about ISV licensing here. In this post I will be showing you step by step how you can create your own ISV licence against a model. Before you can create a license you also need to have certificates in order to sign that license so here are the complete steps from start to end:
- First and foremost make sure you implement the desired roles and security in your code and tie all objects in your solution to it.
- Create a configuration key (or a parent-child configuration key hierarchy) for the solution.
- All code elements must bind to a proper configuration key or a hierarchy of configuration keys.
- Make sure all code written for this solution has been moved to ISV layer and to a particular model.
- Create a license code in the AOT.
- Set the Authenticode (x.509 Certificate) to the license file. Go to the license code properties and find the ‘CertificateName’ item and provide ‘cer’ file (the public part of the certificate, You will use the SPC.cer file for this). Keep the private key (.pfx) part secure as it will be used to generate license file. Here are some details on how to do this:
- Locate windows SDK on your machine, usually comes with .Net Framework, in my case I found it at following location
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin
- Copy following files from above folder to a new folder D:\Certificate folder, this would avoid wasting your time trying to run command on C:\ with no rights
- To create a test certificate you can use the makecert utility, this will give you the .cer and .pvk file; as some of you faced problems with certificates I would like to add something here that I previously missed to mention. To use our own certificate we first need to create a CA(Certificate Authority) and then publish a code signing certificate through that authority. Creating a certificate authority is done through makecert as follows on power shell run the following command to create a CA:
- .\makecert -r -pe -n “CN=CompanyName O=CompanyName” -ss CA -sr LocalMachine -a sha256 -len 2048 -cy authority -sky signature -sv CA.pvk CA.cer
- Now to publish a code signing certificate from our created authority; on powershell run the following command:
- .\makecert -pe -n “CN=CompanyName O=CompanyName” -ss ISVStore -sr LocalMachine -a sha256 -len 2048 -cy end -sky signature -eku 18.104.22.168.22.214.171.124.3 -ic CA.cer -iv CA.pvk -sv SPC.pvk SPC.cer
- To create the .pfx file you will need to convert the pvk to pfx; run the following command:
- pvk2pfx.exe -pvk SPC.pvk -spc SPC.cer -pfx FileName.pfx -po password
- Assign the license code to the configuration key. In the parent configuration key, select the license code in the properties. This locks everything together if hierarchy is maintained among other configuration keys.
- Generate a FULL CIL.
- Export the model by going to Start > Administrative Tools > Microsoft Dynamics AX 2012 Management Shell. Enter following command: axutil export /model:[ModelName] /file:[modelfilename] /key:[keyfilename]
- [ModelName] is the name of the model
- [modelfilename] is the path with filename to export the model to.
- [keyfilename] is the strong name key generated using SN.EXE tool, in the case you want to sign the model with a strong named key. You can skip this part if you apply next step, which is to sign the model using a certificate.
- Sign the model with certificate
- You need a tool ‘SignTool’. You can get by installing Windows SDK.
- Run following command:
- signtool sign /f “[PFX file]” /p [PFX password] “[Path to the model file]”
Once you have implemented the code with the above approach, you can then generate a license for your solution as explained below:
- Axutil genlicense /file:licensefile /certificatepath:filepath /licensecode:name /customer:name /serialnumber:number /password:value /expirationdate:date /usercount:count
- /file:licensefile specifies the name of the generated license file
- /certificatepath:filepath specifies the path to the certificate used to generate the license file. It is the private part of the X.509 certificate used on the licensed Code within AOT; basically the .pfx file.
- /licensecode:name specifies the name of the license code used to generate the license file.
- /customer:name specifies the customer name used to generate the license file. This will be provided by the Customer, it will be the Customer name on the AX license they have on their installation.
- /serialnumber:number specifies the serial number used to generate the license file. This will be provided by the Customer, it will be the serial number of AX license they have on their installation.
- /password:value is the value that must match the password of the certificate used to generate the license file.
- /expirationdate:date specifies expiration date of the generated license. This parameter is optional.
- /usercount:count specifies the number of simultaneous users for the generated license. This parameter is optional. (This is not supported anymore, so you can skip this)
- After running this command you can write “type [licensefilename]” to see the content if the license file.
- After you have your license you will share the model file and license file with the customer, also if you have created a self signed certificate(as we did with the makecert utility) then your customer needs to trust your Certificate Authority before they import the model and license. To do this simply run the command below on your customers environment:
- certutil -addstore Root CA.cer
- This adds it into the Windows certificate store.
- certutil -addstore Root CA.cer
Hope this post was helpful, for any questions feel free to leave a comment. Here are some good resources that helped me understand ISV licensing.
- Implementing ISV Licensing in Microsoft Dynamics AX 2012 White Paper
- License file creation in AX 2012 using AXUtil
- Creating a self-signed certificate for AX2012 model signing and ISV licensing
- Licensing Framework for ISVs of Microsoft Dynamics AX [AX 2012]
UPDATED: To overcome the “Certificate associated with license XXX is not a trusted certificate.” Error while importing license file the complete steps for creating our own certificate have been update, please find the updates in blue text.