I’ve been working on the ISVLicenseGenerator open source tool for some years now, almost five. It all started when I ordered a code-signing certificate to sign ISV solutions, and I got a USB token instead of a software certificate.
Table of Contents
After many years of Microsoft not offering support for these devices to sign the license files, it looks like with the changes introduced to AXUtil in the version 10.0.37, ISVLicenseGenerator will not be needed anymore…
If you want to learn more about ISVLicenseGenerator you can read:
- Microsoft learn: Independent software vendor (ISV) licensing
- Create an ISV license from a cryptographic USB token
- ISV License Generator v0.3 with SHA-2 support
- ISV License Generator v0.6 released
- Azure Key Vault support in ISVLicenseGenerator v0.7
What’s new in ISVLicenseGenerator v0.9?
In version 10.0.38 a new parameter to the command-line version of AxUtil was added: AllowCrossDomainInstallation. From the docs:
This parameter provides ISVs (Independent Software Vendors) with the ability to generate licenses that can be used across different environments for the same tenant (customer). The default value is set to false, which means the tenant can’t use the same ISV license across different environments or reuse the same ISV license within the same environment when the admin domain name changes. When the value is set to true, the customer can install the same ISV license across different environments associated with the same tenant or when the customer changes the admin domain name of the environment. This parameter is available in Dynamics 365 Finance version 10.0.38 and higher.
This is what I’ve added, here you can see the option in the UI:
When this is selected, the string allowcrossdomaininstallation=”true” is added to the text of the license file, and it’s also added to the string that’s used to generate the signature. That’s all.
Then when the license is loaded using a deployable package, the code in the standard checks if that field is set to true and sets it in the environment. You can see this in the SysLicenseCodeReadFile class, method codeStatus.
You can download ISVLicenseGenerator v0.9 from the releases’ page on GitHub: https://github.com/aariste/ISVLicenseGenerator/releases/tag/0.9.
Why this could be the last ISVLicenseGenerator version?
If you’ve taken a look at the Microsoft learn documentation on ISV licensing lately, you maybe have noticed that there are two more optional parameters that can be used on the command line: subjectname and thumbprint.
What are they used for? First, let’s see how we use the command-line tool without them:
C:\AOSService\PackagesLocalDirectory\Bin\axutil genlicense /file:c:\templicense.txt /certificatepath:c:\tempisvcert.pfx /licensecode:ISVLicenseCode /customer:TAEOfficial.ccsctp.net /serialnumber:4dbfcf74-c5a6-4727-b638-d56e51d1f381 /password:yourPasswordHere, we’re using the certificatepath and password parameters to access the PFX file that contains the private key that’s used to generate the license file.
If we want to use the subjectname and thumbprint parameters, we must skip using certificatepath and password. The command would look like this:
C:\AOSService\PackagesLocalDirectory\Bin\axutil genlicense /file:c:\templicense.txt /licensecode:ISVLicenseCode /customer:TAEOfficial.ccsctp.net /serialnumber:4dbfcf74-c5a6-4727-b638-d56e51d1f381 /subjectName:"ISVCert" /thumbprint:certificateThumbprintWe do it like that because AxUtil will use the subjectname and thumbprint parameters to get our certificate from the certificate store in our computer. And as far as I know, because I don’t have a USB cryptographic token anymore, it should also work with it.
When you receive the USB token, you can install the public key certificate in your PC.
It’s not possible to export the private key from a USB token, because their purpose is to protect it.
Once it’s installed, go to “Manage user certificates”, and select the node under Personal, and Certificates:
Then on the right pane look for your certificate and double click it, a dialog will open, go to the details tab and scroll down:
Those are the values that will be used in the command line, and if your certificate’s in a crypto USB token, the built-in functionality on Windows should open the certificate selector and then your provider software should ask for the password to unlock the private key… I guess 🤣 because I couldn’t try. But that’s how ISVLicenseGenerator works, it lets you select the certificate from the list, then loads it, and the certificate management software from the certificate provider asks you for the password, unlocks the private key, and uses it to generate the license file.
In theory, IN THEORY, theoretically, you can also use the subjectname and thumbprint parameters with an HSM-backed certificate. Using the full address where your certificate is. But I also haven’t tested this 😝
If it’s the end, so be it!
I’m releasing this last version as some kind of farewell to it. I created it out of a mistake, order a USB certificate instead of software. I’ve enjoyed creating and maintaining it, because that’s what I like the most about this job, being able to investigate (decompile 😂) things, and understand how they work. There have been a lot of “aha moments” while I understood the code in the standard AXUtil library and the X++ classes that enable the license files.
And when I got it working the first time, I was really happy (and also relieved) to see I could keep the USB and didn’t have to order another certificate. But then, thanks to Microsoft ignoring their customer’s requests it’s been a useful tool for many other people, and I’m also happy about that.
So if I had to make a toast I’d say: to problems (that can be solved), and its solutions that make me happy!
