As ISVs (Independent Software Vendors), we want our customized AX solutions to run on predefined licenses so we can better monetize them. Thanks to Microsoft, we now have an ISV licensing feature for this and do not need to create our own licensing mechanisms. The ISV licensing feature includes the following key capabilities:
- ISVs can generate their own Boolean licenses.
- A run-time check that ensures an ISV-generated license key exists.
You can read more about ISV licensing here. In this post I will show you, step by step, how to create your own ISV license against a model. Before you can create a license you also need certificates to sign it, so here are the complete steps from start to end:
- First and foremost make sure you implement the desired roles and security in your code and tie all objects in your solution to it.
- Create a configuration key (or a parent-child configuration key hierarchy) for the solution.
- All code elements must bind to a proper configuration key or a hierarchy of configuration keys.
- Make sure all code written for this solution has been moved to the ISV layer and to a particular model.
- Create a license code in the AOT.
- Set the Authenticode (X.509) certificate on the license code. Go to the license code properties, find the ‘CertificateName’ item and provide the .cer file (the public part of the certificate; you will use the SPC.cer file for this). Keep the private key (.pfx) part secure, as it will be used to generate the license file. Here are some details on how to do this:
- Locate the Windows SDK on your machine; it usually comes with the .NET Framework. In my case I found it at the following location:
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin
- Copy the following files from the above folder to a new folder, D:\Certificate. This avoids wasting time trying to run commands on C:\ without the required rights.
- To create a test certificate you can use the makecert utility, which gives you the .cer and .pvk files. As some of you faced problems with certificates, I would like to add something here that I previously failed to mention: to use our own certificate we first need to create a CA (Certificate Authority) and then issue a code signing certificate through that authority. Create the certificate authority with makecert by running the following command in PowerShell:
- .\makecert -r -pe -n "CN=CompanyName O=CompanyName" -ss CA -sr LocalMachine -a sha256 -len 2048 -cy authority -sky signature -sv CA.pvk CA.cer
- Now issue a code signing certificate from the authority we created. In PowerShell, run the following command:
- .\makecert -pe -n "CN=CompanyName O=CompanyName" -ss ISVStore -sr LocalMachine -a sha256 -len 2048 -cy end -sky signature -eku 1.3.6.1.5.5.7.3.3 -ic CA.cer -iv CA.pvk -sv SPC.pvk SPC.cer
- To create the .pfx file you need to convert the .pvk to .pfx; run the following command:
- pvk2pfx.exe -pvk SPC.pvk -spc SPC.cer -pfx FileName.pfx -po password
- Assign the license code to the configuration key. In the parent configuration key, select the license code in the properties. This locks everything together if the hierarchy is maintained among the other configuration keys.
- Generate a FULL CIL.
- Export the model by going to Start > Administrative Tools > Microsoft Dynamics AX 2012 Management Shell. Enter the following command: axutil export /model:[ModelName] /file:[modelfilename] /key:[keyfilename]
- [ModelName] is the name of the model
- [modelfilename] is the path with filename to export the model to.
- [keyfilename] is the strong name key generated using the SN.EXE tool, in case you want to sign the model with a strong-named key. You can skip this part if you apply the next step, which is to sign the model using a certificate.
- Sign the model with the certificate.
- You need the SignTool utility, which you can get by installing the Windows SDK.
- Run the following command:
- signtool sign /f "[PFX file]" /p [PFX password] "[Path to the model file]"
Once you have implemented the code with the above approach, you can then generate a license for your solution as explained below:
- Axutil genlicense /file:licensefile /certificatepath:filepath /licensecode:name /customer:name /serialnumber:number /password:value /expirationdate:date /usercount:count
- /file:licensefile specifies the name of the generated license file
- /certificatepath:filepath specifies the path to the certificate used to generate the license file. It is the private part of the X.509 certificate set on the license code in the AOT; basically the .pfx file.
- /licensecode:name specifies the name of the license code used to generate the license file.
- /customer:name specifies the customer name used to generate the license file. This is provided by the customer; it is the customer name on the AX license they have on their installation.
- /serialnumber:number specifies the serial number used to generate the license file. This is provided by the customer; it is the serial number of the AX license they have on their installation.
- /password:value is the value that must match the password of the certificate used to generate the license file.
- /expirationdate:date specifies expiration date of the generated license. This parameter is optional.
- /usercount:count specifies the number of simultaneous users for the generated license. This parameter is optional. (This is not supported anymore, so you can skip this)
- After running this command you can run “type [licensefilename]” to see the content of the license file.
- Once you have your license, share the model file and license file with the customer. If you created a self-signed certificate (as we did with the makecert utility), your customer needs to trust your Certificate Authority before they import the model and license. To do this, run the command below in your customer's environment:
- certutil -addstore Root CA.cer
- This adds it into the Windows certificate store.
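To confirm on the target machine that the trust step took effect and that the signing certificate was issued as described above, the following added example (not part of the original post) checks the root store, the issuer, the code signing EKU and the chain. It assumes the CA.cer and SPC.cer file names used in the steps above; the function name Test-IsvCertTrust is hypothetical.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell (3.0+)
# session on the machine where the model and license are imported.
# Test-IsvCertTrust is a hypothetical helper name; CA.cer / SPC.cer are the file
# names used in the makecert steps above.
function Test-IsvCertTrust {
    param(
        [string]$CaFile  = '.\CA.cer',
        [string]$SpcFile = '.\SPC.cer'
    )
    $x509    = 'System.Security.Cryptography.X509Certificates'
    $caFull  = (Resolve-Path $CaFile).Path
    $spcFull = (Resolve-Path $SpcFile).Path
    $ca  = New-Object "$x509.X509Certificate2" -ArgumentList $caFull
    $spc = New-Object "$x509.X509Certificate2" -ArgumentList $spcFull

    # Collect the EKU OIDs on the signing certificate (set by -eku in makecert).
    $ekuOids = @($spc.Extensions |
        Where-Object { $_.GetType().Name -eq 'X509EnhancedKeyUsageExtension' } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain against the Windows certificate stores. Revocation checking
    # is switched off because makecert test certificates publish no CRL.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($spc)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })

    [pscustomobject]@{
        CaThumbprint      = $ca.Thumbprint
        # True only if certutil -addstore Root put the CA in the machine store.
        CaInMachineRoot   = Test-Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)"
        IssuedByThisCa    = ($spc.Issuer -eq $ca.Subject)
        HasCodeSigningEku = ($ekuOids -contains '1.3.6.1.5.5.7.3.3')
        NotExpired        = ((Get-Date) -lt $spc.NotAfter)
        ChainBuilds       = $chainOk
        ChainStatus       = ($status -join ', ')
    }
}

Test-IsvCertTrust | Format-List
```

Every boolean should be True and ChainStatus empty; the CaThumbprint value can be compared with the one the vendor communicates separately before the CA is added to the root store.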
I hope this post was helpful. For any questions, feel free to leave a comment. Here are some good resources that helped me understand ISV licensing.
- Implementing ISV Licensing in Microsoft Dynamics AX 2012 White Paper
- License file creation in AX 2012 using AXUtil
- Creating a self-signed certificate for AX2012 model signing and ISV licensing
- Licensing Framework for ISVs of Microsoft Dynamics AX [AX 2012]
UPDATED: To overcome the “Certificate associated with license XXX is not a trusted certificate.” error while importing the license file, the complete steps for creating our own certificate have been updated; please find the updates in blue text.
24 thoughts on “Creating an ISV License File from MS Dynamics AX 2012 Model using AxUtil”
I have the error that you solved, “The certificate associated with license XXX is not a trusted certificate”. Did you create a new snk file and export the model with it? I tried it, but the same issue…
Additionally, if I ignore the message during the import, and when I try to load the license file in AX, I receive the following warning:
License value for *LicenseCode* is incorrect.
I will appreciate any help. Thanks.
I signed the model and created a license file using the axutil genlicense tool. However, when importing the model and entering the license, it gives the error:
“The certificate associated with license XXX is not a trusted certificate.”
I made sure that both the CA and code signing certificates are installed on the machine in the Trusted Root, but still to no avail.
@Evgenii how did you solve this?
Ok managed to make this to work.
My problem was that I didn’t export the model with the /key option. As soon as I re-exported the model with the /key option, signed it, transferred it to another PC, imported it and loaded the license, it worked absolutely fine.
Thanks for this great article.
@Mohsin: When wouldn’t you use a self-signed certificate?
That’s great, you are most welcome.
I wouldn’t use a self-signed certificate when I am making a one-time deliverable or publishing a small add-on based on my ISV license, as when you create your own CA you are responsible for maintaining it and using the same one for reissuing licenses.
Hi Kevin, did you create a strong name key pair (.snk)? I tried it but no luck, the same error that you solved. Additionally, if I ignore it and try to install the model and load the license file, I receive the following error in AX: “License value for *LicenseCode* is incorrect.”
I created both certificates and imported them in certmgr – both the CA and ISV. I managed to sign the model (increased size by 2kb).
But when I imported the signed model, axutil is saying: “The certificate for the model was not recognized.”. What did I do wrong?
On the system I’m trying to import, I also imported the CA certificate in the Root.
It seems to be a problem with your model, not the certificates. Check if you exported the model correctly; also, are you doing this on the same machine?
My bad. I created the certificates on machine A, then moved them to machine B to do the signing and it failed. How can I create the CA and signing certificate cross-domain instead of on that local machine? Would it work?
I’m asking because we would need to sign on 2 different machines.
As you are signing with the certificate, you will need to install your certificates on the other machine too, or, to make it simpler, you can sign your model using the signtool.
So can anyone create an ISV model or do you have to be a licensed ISV and receive some sort of ISV-Key provided by Microsoft?
Good question Alex. You need this license from Microsoft https://technet.microsoft.com/en-us/library/hh456312.aspx
Issue fixed after model signing with the same certificate.
Great! I’m glad I could help.
Yes, the CA is installed at the AOS server. So if the AOS is in a domain, do we need to set up these settings at the domain level, or can they be set up at the computer level?
Domain level, if your domain policy is preventing the CA from becoming a trusted certificate.
Ok, thanks so much, I’ll try.
Yes, I did run the full cycle again. I did that at our AOS server and tried to load the license file into our DEV application.
The CA was added to the Trusted Root Certification Authorities (local computer), but the code signing certificate was added only to the ISVStore (local computer).
I found an article
Do you know whether these settings have an influence or not?
I see, did you install the CA at the server machine?
Yes, those settings can have an influence if your machine is on a domain and a group policy only allows certain certificates to be trusted.
I have repeated what you wrote above, but unfortunately I have the same error :(
That’s unfortunate. Did you run the complete cycle again? Also, where are you installing the license: is it on the machine you are creating it on, or is it a client environment?
P.S. Make sure you add the Certificate Authority to your trusted root certificates before applying it on the license.
Thanks a lot for your comment. I did everything as you wrote, but I still have the same error… Maybe a problem in some Windows security settings?
Did you start PowerShell as an administrator before generating your certificates? Also, are you generating the license in a fresh Management Shell window? The axutil genlicense command should be executed in a new session, so before you generate your license close all other sessions of the Management Shell and open a new one as an administrator.
Hi Mohsin Khalid.
I receive an error when trying to load license file:
The certificate associated with license XXX is not a trusted certificate.
The self-signed certificate is placed in the Trusted Root Certification Authorities.
Could you help me with this?
Did you use the makecert utility to create your certificate, or are you using a third-party certificate? If you are using your own certificate, then you first need to create a certificate authority of your own and then issue the certificate from it to assign on your license; using this certificate should solve the problem you are facing. Please find the complete information for creating a CA in the article, in blue text. My apologies for not mentioning it earlier.
Feel free to ask me if you face any other issue.